Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info

READ-ONLY-MODE: PLEASE DO NOT POST NEW STUFF!
  New Forum: http://forum.puppylinux.com
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Wed 12 Aug 2020, 22:55
All times are UTC - 4
 Forum index » Advanced Topics » Additional Software (PETs, n' stuff) » Security/Privacy
Critical vulnerability in pre-1.16 versions of wget fixed
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies. View previous topic :: View next topic
Page 2 of 3 [37 Posts]   Goto page: Previous 1, 2, 3 Next
Author Message
darry1966


Joined: 26 Feb 2012
Posts: 897

PostPosted: Sat 01 Nov 2014, 13:36    Post subject: Re: wget 1.16 for puppy 3.01
Subject description: wget 1.16 for puppy 3.01
 

Dingo wrote:
wget 1.16 for puppy 3.01
wget-1.16-i486.pet for puppy 3.01

- compressed with upx (273 KB)
- without nls
Code:
GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 +iri +large-file -nls -ntlm +opie -psl +ssl/gnutls

Wgetrc:
    /root/.wgetrc (user)
    /usr/etc/wgetrc (system)
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2
Link:
    gcc -g -O2 /usr/lib/libgnutls.so /usr/lib/libgcrypt.so
    /usr/lib/libgpg-error.so /usr/lib/libz.a /usr/lib/libnsl.so -lz
    -lidn -luuid -lpcre -lrt ftp-opie.o gnutls.o ../lib/libgnu.a


Thanks mirrored here: http://sourceforge.net/projects/puppylinux301updates/?source=navbar
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 2022
Location: Italy

PostPosted: Sat 01 Nov 2014, 17:16    Post subject:  

wget-1.16-p4-i486.pet

Code:
./configure --prefix=/usr --sysconfdir=/etc --with-ssl=openssl


Download:

https://copy.com/7BTNjoEgKhZNL9rI

wget-1.16-w5-i486.pet

Code:
./configure --prefix=/usr --sysconfdir=/etc --without-ssl


Download:

https://copy.com/H3LOm2gOh4MAYP86

I could not compile with ssl in wary: errors. If someone can better do the job he is invited to share the pets. Is openssl needed as configure option compiling wget?
Back to top
View user's profile Send private message 
dejan555


Joined: 30 Nov 2008
Posts: 2817
Location: Montenegro

PostPosted: Sat 01 Nov 2014, 17:44    Post subject:  

Compiled in dpup 487:
wget-1.16-i486-dpup487.pet

_________________
puppy.b0x.me stuff mirrored HERE or HERE
Back to top
View user's profile Send private message Visit poster's website MSN Messenger 
OscarTalks


Joined: 05 Feb 2012
Posts: 2202
Location: London, England

PostPosted: Sat 01 Nov 2014, 20:57    Post subject:  

watchdog wrote:
I could not compile with ssl in wary: errors

Confirmed that in Racy 5.5 I get an error if I try to configure it with openssl, but if I upgrade openssl to version 1.0.1j
Code:
./config --prefix=/usr --openssldir=/etc/ssl shared

then wget 1.16 compiles OK
Code:
./configure --prefix=/usr --sysconfdir=/etc --build=i486-t2-linux-gnu --disable-nls --disable-debug --with-ssl=openssl --with-openssl=auto

but I don't know if this wget then depends on the upgraded openssl or if you could install it and run it against the original openssl so I won't post it as a .pet yet until I do some more testing.

_________________
Oscar in England

Back to top
View user's profile Send private message 
darry1966


Joined: 26 Feb 2012
Posts: 897

PostPosted: Sat 01 Nov 2014, 21:37    Post subject:  

Cheers Watchdog for .pets
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 2022
Location: Italy

PostPosted: Sun 02 Nov 2014, 02:15    Post subject:  

OscarTalks wrote:
watchdog wrote:
I could not compile with ssl in wary: errors

Confirmed that in Racy 5.5 I get an error if I try to configure it with openssl, but if I upgrade openssl to version 1.0.1j
Code:
./config --prefix=/usr --openssldir=/etc/ssl shared

then wget 1.16 compiles OK


I think that the recommended openssl in wary should be openssl-1.0.0o-w5-i486.pet:

https://copy.com/9KMVEzScon4NRvhZ
Back to top
View user's profile Send private message 
OscarTalks


Joined: 05 Feb 2012
Posts: 2202
Location: London, England

PostPosted: Sun 02 Nov 2014, 06:23    Post subject:  

watchdog wrote:
I think that the recommended openssl in wary should be openssl-1.0.0o-w5-i486.pet


I made sure to remove all traces of openssl-1.0.1j and then installed openssl-1.0.0o but I find that when I try to compile wget-1.16 I still get the same error
Code:
openssl.o: In function `ssl_init':
/initrd/mnt/dev_save/wget-1.16/src/openssl.c:224: undefined reference to `TLSv1_2_client_method'
/initrd/mnt/dev_save/wget-1.16/src/openssl.c:221: undefined reference to `TLSv1_1_client_method'
collect2: ld returned 1 exit status
make[3]: *** [wget] Error 1
make[3]: Leaving directory `/initrd/mnt/dev_save/wget-1.16/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/initrd/mnt/dev_save/wget-1.16/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/initrd/mnt/dev_save/wget-1.16'
make: *** [all] Error 2
#

The shared libs in openssl-1.0.1 have the same number as those in 1.0.0 so maybe if you want to install this wget it is OK to upgrade to 1.0.1j unless there is a patch or some other solution?

_________________
Oscar in England

Back to top
View user's profile Send private message 
dejan555


Joined: 30 Nov 2008
Posts: 2817
Location: Montenegro

PostPosted: Sun 02 Nov 2014, 06:29    Post subject:  

Maybe it's because of development header files, not included in pet?
_________________
puppy.b0x.me stuff mirrored HERE or HERE
Back to top
View user's profile Send private message Visit poster's website MSN Messenger 
OscarTalks


Joined: 05 Feb 2012
Posts: 2202
Location: London, England

PostPosted: Sun 02 Nov 2014, 07:08    Post subject:  

Hi Dejan,
Well I am compiling everything from source so not installing any .pets and the headers are all installed in /usr/include/openssl but I do notice that 1.0.1j has 75 header files whereas 1.0.0o has only 72.

For my own use I am happy to try running with 1.0.1j and see what happens, but I don't want to post a .pet for others if it might not work properly without the openssl upgrade. I don't understand these things well enough to know if it is just a build-time dependency or if code may be missing from the shared libs which might also cause a problem at run-time.

_________________
Oscar in England

Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 2022
Location: Italy

PostPosted: Sun 02 Nov 2014, 08:30    Post subject:  

As someone pointed out in a private message sent to me the with-ssl configure option compiling wget is only optional. I'll stick on my wget-1.16-w5 and openssl-1.0.0o posted above.
Back to top
View user's profile Send private message 
watchdog

Joined: 28 Sep 2012
Posts: 2022
Location: Italy

PostPosted: Sun 02 Nov 2014, 14:28    Post subject:  

To be complete I add the package patching wget for the slackware 13.37 based puppies (slacko 5.3x):

http://mirrors.slackware.com/slackware/slackware-13.37/patches/packages/wget-1.12-i486-2_slack13.37.txz
Back to top
View user's profile Send private message 
tuxtoo


Joined: 14 Dec 2010
Posts: 175
Location: Knaresborough, North Yorkshire, UK

PostPosted: Sun 02 Nov 2014, 15:59    Post subject:  

watchdog wrote:
wget-1.16-p4-i486.pet

Code:
./configure --prefix=/usr --sysconfdir=/etc --with-ssl=openssl


Download:

https://copy.com/7BTNjoEgKhZNL9rI

wget-1.16-w5-i486.pet

Code:
./configure --prefix=/usr --sysconfdir=/etc --without-ssl


Download:

https://copy.com/H3LOm2gOh4MAYP86

I could not compile with ssl in wary: errors. If someone can better do the job he is invited to share the pets. Is openssl needed as configure option compiling wget?


I downloaded wget-1.16-p4-i486.pet and I get this error message -

Is there any chance of repackaging it and uploading again or should I repackage it myself if you think the download is okay.
error.jpg
 Description   
 Filesize   32.8 KB
 Viewed   687 Time(s)

error.jpg


_________________
Puppy Linux search engine.

http://wellminded.net63.net/ Suitable for older browsers.

Mirror https://puppysearch.neocities.org
Back to top
View user's profile Send private message Visit poster's website 
watchdog

Joined: 28 Sep 2012
Posts: 2022
Location: Italy

PostPosted: Mon 03 Nov 2014, 03:02    Post subject:  

tuxtoo wrote:

I downloaded wget-1.16-p4-i486.pet and I get this error message -

Is there any chance of repackaging it and uploading again or should I repackage it myself if you think the download is okay.


I have tested the download in a frugal of puppy 4.31: it works for me. It installs by clicking on it without errors.

Code:
# wget -V
GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 -iri +large-file +nls +ntlm +opie -psl +ssl/openssl

Wgetrc:
    /etc/wgetrc (system)
Locale:
    /usr/share/locale
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2
Link:
    gcc -g -O2 /usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lz -luuid
    -lpcre -lrt ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.


What puppy4 are you using? Try to rename the package as wget-1.16-i486.pet: it was so in original. I just renamed it wget-1.16-p4-i486.pet. In /root/.packages/user-installed-packages the entry is:

Code:
wget-1.16-i486|wget|1.16-i486||BuildingBlock|2256K|pet_packages-4|wget-1.16-i486.pet||wget|puppy|4|official|
Back to top
View user's profile Send private message 
Griot


Joined: 12 Sep 2014
Posts: 131
Location: Serbia

PostPosted: Mon 03 Nov 2014, 08:36    Post subject:  

Hi folks! I downloaded .deb for Precise 5.72
posted by Semme on the 1st page. Info looks like this:

Code:
# wget --version
GNU Wget 1.13.4 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
    /etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
    -I../../lib -D_FORTIFY_SOURCE=2 -Iyes/include -g -O2
    -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Wformat-security -Werror=format-security -DNO_SSLv2
    -D_FILE_OFFSET_BITS=64 -g -Wall
Link: gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
    -Wformat-security -Werror=format-security -DNO_SSLv2
    -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions
    -Wl,-z,relro -Lyes/lib -lssl -lcrypto -lz -ldl -lz -lidn -lrt
    ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a


Semme said it's a 'patched' version and obviously it's Wget 1.13.4 not 1.16. That's fine with me but I'd like to know how to 'read' this info.
Which line contents info about newer or 'patched' version of wget?
Thank you.
Back to top
View user's profile Send private message 
tuxtoo


Joined: 14 Dec 2010
Posts: 175
Location: Knaresborough, North Yorkshire, UK

PostPosted: Mon 03 Nov 2014, 16:08    Post subject:  

watchdog wrote:

I have tested the download in a frugal of puppy 4.31: it works for me. It installs by clicking on it without errors.

What puppy4 are you using? Try to rename the package as wget-1.16-i486.pet: it was so in original. I just renamed it wget-1.16-p4-i486.pet. In /root/.packages/user-installed-packages the entry is:


I am using Puppy-4.1.2 with darry1966's 412-update. I took a chance and repackaged your wget-1.16-p4-i486.pet giving it this name also and it installed with no problems and installing from the Package Manager also works with no problems.

I also done as you suggested in renaming the package as wget-1.16-i486.pet and installed it in another laptop and it also worked as you suggested.

I do seem recall that renaming a dotpet causes the problem of it failing to install in the above manner.

Entering wget -version in the terminal outputs -

Code:
GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 -iri +large-file +nls +ntlm +opie -psl +ssl/openssl

Wgetrc:
    /etc/wgetrc (system)
Locale:
    /usr/share/locale
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2
Link:
    gcc -g -O2 /usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lz -luuid
    -lpcre -lrt ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.


So all seems well with wget-1.16-p4-i486.pet which can be downloaded from http://412collection.co.uk/system.html#wget

Thanks watchdog

_________________
Puppy Linux search engine.

http://wellminded.net63.net/ Suitable for older browsers.

Mirror https://puppysearch.neocities.org
Back to top
View user's profile Send private message Visit poster's website 
Display posts from previous:   Sort by:   
Page 2 of 3 [37 Posts]   Goto page: Previous 1, 2, 3 Next
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies. View previous topic :: View next topic
 Forum index » Advanced Topics » Additional Software (PETs, n' stuff) » Security/Privacy
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0812s ][ Queries: 12 (0.0217s) ][ GZIP on ]