new file mode 100644

@@ -0,0 +1,22 @@

+diff --git a/src/url.c b/src/url.c

+index 8f8ff0b..7d36b27 100644

+--- a/src/url.c

+@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)

+       url_unescape (u->host);

+       host_modified = true;

+ 

++      /* check for invalid control characters in host name */

++      for (p = u->host; *p; p++)

++        {

++          if (c_iscntrl(*p))

++            {

++              url_free(u);

++              error_code = PE_INVALID_HOST_NAME;

++              goto error;

++            }

++        }

++

+       /* Apply IDNA regardless of iri->utf8_encode status */

+       if (opt.enable_iri && iri)

+         {

@@ -1,7 +1,7 @@

 Summary:        A network utility to retrieve files from the Web

 Name:           wget

 Version:        1.19.1

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        GPLv3+

 URL:            http://www.gnu.org/software/wget/wget.html

 Group:          System Environment/NetworkingPrograms

@@ -11,6 +11,7 @@ Source0:        ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz

 %define sha1    wget=cde25e99c144191644406793cbd1c69c102c6970

 Patch0:         wget-CVE-2017-13089.patch

 Patch1:         wget-CVE-2017-13090.patch

+Patch2:         wget-CVE-2017-6508.patch

 Requires:       openssl

 BuildRequires:  openssl-devel

 %if %{with_check}

@@ -24,6 +25,7 @@ downloading of files from the Web.

 %setup -q

 %patch0 -p1

 %patch1 -p1

+%patch2 -p1

 %build

 ./configure \

@@ -60,6 +62,8 @@ rm -rf %{buildroot}/*

 %{_bindir}/*

 %{_mandir}/man1/*

 %changelog

+*   Tue Dec 19 2017 Xiaolin Li <xiaolinl@vmware.com> 1.19.1-4

+-   Fix CVE-2017-6508

 *   Mon Nov 20 2017 Xiaolin Li <xiaolinl@vmware.com> 1.19.1-3

 -   Fix CVE-2017-13089 and CVE-2017-13090

 *   Wed Aug 09 2017 Dheeraj Shetty <dheerajs@vmware.com> 1.19.1-2