@@ -1,4 +1,4 @@
-From b86e57b68363d108fe77c6fd588a275d2696cabe Mon Sep 17 00:00:00 2001
+From 304f55a3e2689154d829938d29e43d808ca6298a Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Wed, 10 Jan 2018 14:43:20 +0800
Subject: [PATCH] src/Makefile.am: improve reproducibility
@@ -44,10 +44,10 @@ Signed-off-by: Joe Slater <jslater@windriver.com>
1 file changed, 4 insertions(+)
diff --git a/src/Makefile.am b/src/Makefile.am
-index 18ec622..38d252d 100644
+index 86be533..721a401 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
-@@ -108,9 +108,13 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
+@@ -126,9 +126,13 @@ version.c: $(wget_SOURCES) ../lib/libgnu.a
echo '#include "version.h"' >> $@
echo 'const char *version_string = "@VERSION@";' >> $@
echo 'const char *compilation_string = "'$(COMPILE)'";' \
deleted file mode 100644
@@ -1,79 +0,0 @@
-From ed0c7c7e0e8f7298352646b2fd6e06a11e242ace Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Sun, 2 Jun 2024 12:40:16 +0200
-Subject: Properly re-implement userinfo parsing (rfc2396)
-
-* src/url.c (url_skip_credentials): Properly re-implement userinfo parsing (rfc2396)
-
-The reason why the implementation is based on RFC 2396, an outdated standard,
-is that the whole file is based on that RFC, and mixing standard here might be
-dangerous.
-
-Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace]
-CVE: CVE-2024-38428
-Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
----
- src/url.c | 40 ++++++++++++++++++++++++++++++++++------
- 1 file changed, 34 insertions(+), 6 deletions(-)
-
-diff --git a/src/url.c b/src/url.c
-index 69e948b..07c3bc8 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -41,6 +41,7 @@ as that of the covered work. */
- #include "url.h"
- #include "host.h" /* for is_valid_ipv6_address */
- #include "c-strcase.h"
-+#include "c-ctype.h"
-
- #ifdef HAVE_ICONV
- # include <iconv.h>
-@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
- static const char *
- url_skip_credentials (const char *url)
- {
-- /* Look for '@' that comes before terminators, such as '/', '?',
-- '#', or ';'. */
-- const char *p = (const char *)strpbrk (url, "@/?#;");
-- if (!p || *p != '@')
-- return url;
-- return p + 1;
-+ /*
-+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
-+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
-+ *
-+ * The RFC says
-+ * server = [ [ userinfo "@" ] hostport ]
-+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
-+ * unreserved = alphanum | mark
-+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
-+ */
-+ static const char *allowed = "-_.!~*'();:&=+$,";
-+
-+ for (const char *p = url; *p; p++)
-+ {
-+ if (c_isalnum(*p))
-+ continue;
-+
-+ if (strchr(allowed, *p))
-+ continue;
-+
-+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
-+ {
-+ p += 2;
-+ continue;
-+ }
-+
-+ if (*p == '@')
-+ return p + 1;
-+
-+ break;
-+ }
-+
-+ return url;
- }
-
- /* Parse credentials contained in [BEG, END). The region is expected
-cgit v1.1
-
deleted file mode 100644
@@ -1,8 +0,0 @@
-SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
- file://0002-improve-reproducibility.patch \
- file://CVE-2024-38428.patch \
- "
-
-SRC_URI[sha256sum] = "fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de"
-
-require wget.inc
new file mode 100644
@@ -0,0 +1,7 @@
+SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
+ file://0002-improve-reproducibility.patch \
+ "
+
+SRC_URI[sha256sum] = "766e48423e79359ea31e41db9e5c289675947a7fcf2efdcedb726ac9d0da3784"
+
+require wget.inc