Critical vulnerability in pre-1.16 versions of wget fixed

darry1966

Re: wget 1.16 for puppy 3.01

#16 Post by darry1966 »

Dingo wrote:wget 1.16 for puppy 3.01
wget-1.16-i486.pet for puppy 3.01

- compressed with upx (273 KB)
- without nls

Code: Select all

GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 +iri +large-file -nls -ntlm +opie -psl +ssl/gnutls 

Wgetrc: 
    /root/.wgetrc (user)
    /usr/etc/wgetrc (system)
Compile: 
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2 
Link: 
    gcc -g -O2 /usr/lib/libgnutls.so /usr/lib/libgcrypt.so 
    /usr/lib/libgpg-error.so /usr/lib/libz.a /usr/lib/libnsl.so -lz 
    -lidn -luuid -lpcre -lrt ftp-opie.o gnutls.o ../lib/libgnu.a

Thanks, mirrored here: http://sourceforge.net/projects/puppyli ... rce=navbar

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#17 Post by watchdog »

wget-1.16-p4-i486.pet

Code: Select all

./configure --prefix=/usr --sysconfdir=/etc --with-ssl=openssl
Download:

https://copy.com/7BTNjoEgKhZNL9rI

wget-1.16-w5-i486.pet

Code: Select all

./configure --prefix=/usr --sysconfdir=/etc --without-ssl
Download:

https://copy.com/H3LOm2gOh4MAYP86

I could not compile with ssl in wary: errors. If someone can better do the job he is invited to share the pets. Is openssl needed as configure option compiling wget?

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#18 Post by dejan555 »

Compiled in dpup 487:
wget-1.16-i486-dpup487.pet
puppy.b0x.me stuff mirrored [url=https://drive.google.com/open?id=0B_Mb589v0iCXNnhSZWRwd3R2UWs]HERE[/url] or [url=http://archive.org/details/Puppy_Linux_puppy.b0x.me_mirror]HERE[/url]

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#19 Post by OscarTalks »

watchdog wrote:I could not compile with ssl in wary: errors
Confirmed that in Racy 5.5 I get an error if I try to configure it with openssl, but if I upgrade openssl to version 1.0.1j

Code: Select all

./config --prefix=/usr --openssldir=/etc/ssl shared

then wget 1.16 compiles OK

Code: Select all

./configure --prefix=/usr --sysconfdir=/etc --build=i486-t2-linux-gnu --disable-nls --disable-debug --with-ssl=openssl --with-openssl=auto

but I don't know if this wget then depends on the upgraded openssl or if you could install it and run it against the original openssl so I won't post it as a .pet yet until I do some more testing.
Oscar in England

darry1966

#20 Post by darry1966 »

Cheers Watchdog for .pets

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#21 Post by watchdog »

OscarTalks wrote:
watchdog wrote:I could not compile with ssl in wary: errors
Confirmed that in Racy 5.5 I get an error if I try to configure it with openssl, but if I upgrade openssl to version 1.0.1j

Code: Select all

./config --prefix=/usr --openssldir=/etc/ssl shared
then wget 1.16 compiles OK

I think that the recommended openssl in wary should be openssl-1.0.0o-w5-i486.pet:

https://copy.com/9KMVEzScon4NRvhZ

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#22 Post by OscarTalks »

watchdog wrote:I think that the recommended openssl in wary should be openssl-1.0.0o-w5-i486.pet
I made sure to remove all traces of openssl-1.0.1j and then installed openssl-1.0.0o but I find that when I try to compile wget-1.16 I still get the same error

Code: Select all

openssl.o: In function `ssl_init':
/initrd/mnt/dev_save/wget-1.16/src/openssl.c:224: undefined reference to `TLSv1_2_client_method'
/initrd/mnt/dev_save/wget-1.16/src/openssl.c:221: undefined reference to `TLSv1_1_client_method'
collect2: ld returned 1 exit status
make[3]: *** [wget] Error 1
make[3]: Leaving directory `/initrd/mnt/dev_save/wget-1.16/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/initrd/mnt/dev_save/wget-1.16/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/initrd/mnt/dev_save/wget-1.16'
make: *** [all] Error 2
#

The shared libs in openssl-1.0.1 have the same number as those in 1.0.0 so maybe if you want to install this wget it is OK to upgrade to 1.0.1j unless there is a patch or some other solution?
Oscar in England

dejan555
Posts: 2798
Joined: Sun 30 Nov 2008, 11:57
Location: Montenegro

#23 Post by dejan555 »

Maybe it's because of development header files, not included in pet?

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#24 Post by OscarTalks »

Hi Dejan,
Well I am compiling everything from source so not installing any .pets and the headers are all installed in /usr/include/openssl but I do notice that 1.0.1j has 75 header files whereas 1.0.0o has only 72.

For my own use I am happy to try running with 1.0.1j and see what happens, but I don't want to post a .pet for others if it might not work properly without the openssl upgrade. I don't understand these things well enough to know if it is just a build-time dependency or if code may be missing from the shared libs which might also cause a problem at run-time.
Oscar in England

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#25 Post by watchdog »

As someone pointed out in a private message sent to me, the with-ssl configure option when compiling wget is only optional. I'll stick with my wget-1.16-w5 and openssl-1.0.0o posted above.

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#26 Post by watchdog »

To be complete I add the package patching wget for the slackware 13.37 based puppies (slacko 5.3x):

http://mirrors.slackware.com/slackware/ ... k13.37.txz

tuxtoo
Posts: 173
Joined: Tue 14 Dec 2010, 19:45
Location: Knaresborough, North Yorkshire, UK

#27 Post by tuxtoo »

watchdog wrote:wget-1.16-p4-i486.pet

Code: Select all

./configure --prefix=/usr --sysconfdir=/etc --with-ssl=openssl
Download:

https://copy.com/7BTNjoEgKhZNL9rI

wget-1.16-w5-i486.pet

Code: Select all

./configure --prefix=/usr --sysconfdir=/etc --without-ssl
Download:

https://copy.com/H3LOm2gOh4MAYP86

I could not compile with ssl in wary: errors. If someone can better do the job he is invited to share the pets. Is openssl needed as configure option compiling wget?
I downloaded wget-1.16-p4-i486.pet and I get this error message -

Is there any chance of repackaging it and uploading again or should I repackage it myself if you think the download is okay.
Attachments
error.jpg
(32.8 KiB) Downloaded 686 times
Puppy Linux search engine.

[b][url]http://wellminded.net63.net/[/url][/b] Suitable for older browsers.

Mirror [b][url]https://puppysearch.neocities.org[/url][/b]

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#28 Post by watchdog »

tuxtoo wrote: I downloaded wget-1.16-p4-i486.pet and I get this error message -

Is there any chance of repackaging it and uploading again or should I repackage it myself if you think the download is okay.
I have tested the download in a frugal of puppy 4.31: it works for me. It installs by clicking on it without errors.

Code: Select all

# wget -V
GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 -iri +large-file +nls +ntlm +opie -psl +ssl/openssl 

Wgetrc: 
    /etc/wgetrc (system)
Locale: 
    /usr/share/locale 
Compile: 
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2 
Link: 
    gcc -g -O2 /usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lz -luuid 
    -lpcre -lrt ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a 

Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.

What puppy4 are you using? Try to rename the package as wget-1.16-i486.pet: it was so in original. I just renamed it wget-1.16-p4-i486.pet. In /root/.packages/user-installed-packages the entry is:

Code: Select all

wget-1.16-i486|wget|1.16-i486||BuildingBlock|2256K|pet_packages-4|wget-1.16-i486.pet||wget|puppy|4|official|

Griot
Posts: 131
Joined: Fri 12 Sep 2014, 18:10
Location: Serbia

#29 Post by Griot »

Hi folks! I downloaded .deb for Precise 5.72
posted by Semme on the 1st page. Info looks like this:

Code: Select all

# wget --version
GNU Wget 1.13.4 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl 

Wgetrc: 
    /etc/wgetrc (system)
Locale: /usr/share/locale 
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib 
    -I../../lib -D_FORTIFY_SOURCE=2 -Iyes/include -g -O2 
    -fstack-protector --param=ssp-buffer-size=4 -Wformat 
    -Wformat-security -Werror=format-security -DNO_SSLv2 
    -D_FILE_OFFSET_BITS=64 -g -Wall 
Link: gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
    -Wformat-security -Werror=format-security -DNO_SSLv2 
    -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions 
    -Wl,-z,relro -Lyes/lib -lssl -lcrypto -lz -ldl -lz -lidn -lrt 
    ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

Semme said it's a 'patched' version and obviously it's Wget 1.13.4 not 1.16. That's fine with me but I'd like to know how to 'read' this info.
Which line contains info about newer or 'patched' version of wget?
Thank you.
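
On reading a banner like the one in the post above: it carries the upstream version number (first line), the compiled-in features (the `+`/`-` line) and the build options, and has no field for a distribution's patch level. The following shell sketch is an added example, not code from any poster or from the wget project; the function names and the two shortened sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read a `wget -V` banner.
# Constructed samples: the first lines of the two banners quoted in this thread.
SAMPLE_OLD='GNU Wget 1.13.4 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl '
SAMPLE_NEW='GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 -iri +large-file +nls +ntlm +opie -psl +ssl/openssl '

# Upstream version number, taken from the first banner line.
wget_version() {
    printf '%s\n' "$1" | sed -n '1s/^GNU Wget \([0-9][0-9.]*\) built.*/\1/p'
}

# Exit 0 when dotted version $1 is numerically older than $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$oldest" = "$1" ]
}

# "on" or "off" for one feature token (https, ntlm, iri, ...) on the +/- line.
wget_feature() {
    flags=$(printf '%s\n' "$1" | sed -n '/^[+-][a-z]/{p;q;}')
    case " $flags " in
        *" +$2 "*|*" +$2/"*) echo on ;;
        *) echo off ;;
    esac
}

# TLS library named after "+ssl/" (openssl or gnutls), or "none".
wget_tls_backend() {
    b=$(printf '%s\n' "$1" | sed -n 's/.*+ssl\/\([a-z]*\).*/\1/p' | head -n1)
    echo "${b:-none}"
}

# One-line summary. "older than 1.16" means "check the distro package
# changelog": a backported fix keeps the old upstream number in the banner.
wget_report() {
    v=$(wget_version "$1")
    if version_lt "$v" 1.16; then state="older than 1.16"; else state="1.16 or newer"; fi
    echo "$v ($state) tls=$(wget_tls_backend "$1") https=$(wget_feature "$1" https)"
}

wget_report "$SAMPLE_OLD"
wget_report "$SAMPLE_NEW"
# Live use: wget_report "$(wget -V)"
```
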

tuxtoo
Posts: 173
Joined: Tue 14 Dec 2010, 19:45
Location: Knaresborough, North Yorkshire, UK

#30 Post by tuxtoo »

watchdog wrote: I have tested the download in a frugal of puppy 4.31: it works for me. It installs by clicking on it without errors.

What puppy4 are you using? Try to rename the package as wget-1.16-i486.pet: it was so in original. I just renamed it wget-1.16-p4-i486.pet. In /root/.packages/user-installed-packages the entry is:
I am using Puppy-4.1.2 with darry1966's 412-update. I took a chance and repackaged your wget-1.16-p4-i486.pet giving it this name also and it installed with no problems and installing from the Package Manager also works with no problems.

I also did as you suggested in renaming the package as wget-1.16-i486.pet and installed it in another laptop and it also worked as you suggested.

I do seem to recall that renaming a dotpet causes the problem of it failing to install in the above manner.

Entering wget -version in the terminal outputs -

Code: Select all

GNU Wget 1.16 built on linux-gnu.

+digest +https +ipv6 -iri +large-file +nls +ntlm +opie -psl +ssl/openssl 

Wgetrc: 
    /etc/wgetrc (system)
Locale: 
    /usr/share/locale 
Compile: 
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" 
    -DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -g -O2 
Link: 
    gcc -g -O2 /usr/lib/libssl.so /usr/lib/libcrypto.so -ldl -lz -luuid 
    -lpcre -lrt ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a 

Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.

So all seems well with wget-1.16-p4-i486.pet which can be downloaded from http://412collection.co.uk/system.html#wget

Thanks watchdog

darry1966

#31 Post by darry1966 »

To anyone reading this it is a good idea to test puppy package manager after the upgrade, as it uses wget for part of the process of downloading packages from the net.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#32 Post by greengeek »

Has anybody successfully updated the wget in Slacko 5.6? I tried the pet in first post ("tested in slacko 5.7 only") and it breaks my PPM in Slacko5.6 (some issue with looking for a perl lib)

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#33 Post by Semme »

5.6 draws from Slack-14, correct? I'm guessing this *patched version* should be in your PPM..

Yes GG, addressed >> http://www.murga-linux.com/puppy/viewto ... 172#806172
>>> Living with the immediacy of death helps you sort out your priorities. It helps you live a life less trivial <<<

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#34 Post by 8Geee »

Sorry for being VERY late, but I recently noticed a small issue in slacko 5.7-nonpae puppy. I installed the pet, and before S/D checked that it did install, which did happen. Unfortunately, on reboot, there was one missing dependency

libpcre.so.1

Not to worry, a rename during the copy of the symlink seems to have solved.

NOTE if you have installed the pet run wget --version
If it still indicates 1.14 then do the procedure below
disregarding "BEFORE...."

BEFORE applying the wget upgrade

1.) Open Rox and navigate to /usr/lib and find the symlink named libpcre.so

2.) Right-Click and select COPY

3.) EDIT the name to libpcre.so.1

4.) OK


Not sure if it's a "me" problem or general. Posted JIC.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#35 Post by greengeek »

Semme wrote: 5.6 draws from Slack-14, correct? I'm guessing this *patched version* should be in your PPM..
Yes GG, addressed >> http://www.murga-linux.com/puppy/viewto ... 172#806172

Hi Semme - I'm confused about those updates - they look like they are v 1.14 which I already had prior to updating to v1.16

Turns out 8Geee has put his finger on the perl issue that is stopping v1.16 wget running on my system:
8Geee wrote: libpcre.so.1

Not to worry, a rename during the copy of the symlink seems to have solved.
1.) Open Rox and navigate to /usr/lib and find the symlink named libpcre.so

2.) Right-Click and select COPY

3.) EDIT the name to libpcre.so.1
Thanks 8Geee - solved my problem too (on Slacko 5.6)
