pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2016Q3]: pkgsrc/www/lynx Pullup ticket #5174 - requested by sevan
details: https://anonhg.NetBSD.org/pkgsrc/rev/2e107e5ff6b4
branches: pkgsrc-2016Q3
changeset: 408835:2e107e5ff6b4
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Wed Dec 28 16:37:56 2016 +0000
description:
Pullup ticket #5174 - requested by sevan
www/lynx: security fix
Revisions pulled up:
- www/lynx/Makefile 1.123-1.124
- www/lynx/distinfo 1.34-1.35
- www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c 1.1-1.2
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c 1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h 1.1
- www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h 1.1
- www/lynx/patches/patch-src_LYUtils.c 1.1
---
Module Name: pkgsrc
Committed By: sevan
Date: Wed Dec 21 11:25:25 UTC 2016
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
Added Files:
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
patch-WWW_Library_Implementation_HTTP.c
patch-WWW_Library_Implementation_HTTP.h
patch-WWW_Library_Implementation_HTUTILS.h patch-src_LYUtils.c
Log Message:
Patch for POODLE & CVE-2016-9179.
Bump rev.
---
Module Name: pkgsrc
Committed By: sevan
Date: Thu Dec 22 17:30:52 UTC 2016
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
Log Message:
Fix broken patch committed previously which resulted in lynx crashing.
Bump rev again.
Apologies to anyone caught out by this mistake.
Heads up by alnsn@
diffstat:
www/lynx/Makefile | 4 +-
www/lynx/distinfo | 7 +-
www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c | 31 ++++++
www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c | 60 +++++++++++++
www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h | 16 +++
www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h | 16 +++
www/lynx/patches/patch-src_LYUtils.c | 15 +++
7 files changed, 146 insertions(+), 3 deletions(-)
diffs (191 lines):
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/Makefile
--- a/www/lynx/Makefile Mon Dec 12 06:57:29 2016 +0000
+++ b/www/lynx/Makefile Wed Dec 28 16:37:56 2016 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.122 2016/07/22 18:51:41 shattered Exp $
+# $NetBSD: Makefile,v 1.122.2.1 2016/12/28 16:37:56 bsiegert Exp $
DISTNAME= lynx2.8.8rel.2
PKGNAME= ${DISTNAME:S/lynx/lynx-/:S/rel//}
-PKGREVISION= 4
+PKGREVISION= 6
CATEGORIES= www
MASTER_SITES= http://lynx.isc.org/${SUBDIR:Q}/ \
ftp://ftp.cyf-kr.edu.pl/pub/unix/lynx/${SUBDIR:Q}/
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/distinfo
--- a/www/lynx/distinfo Mon Dec 12 06:57:29 2016 +0000
+++ b/www/lynx/distinfo Wed Dec 28 16:37:56 2016 +0000
@@ -1,9 +1,14 @@
-$NetBSD: distinfo,v 1.33 2015/11/04 02:46:57 agc Exp $
+$NetBSD: distinfo,v 1.33.8.1 2016/12/28 16:37:56 bsiegert Exp $
SHA1 (lynx2.8.8rel.2.tar.bz2) = 65bbf95627c88723bbb5880155e5fe01c2753d0c
RMD160 (lynx2.8.8rel.2.tar.bz2) = a683f9c163a6c343bde53ffde99dbecce4e41b02
SHA512 (lynx2.8.8rel.2.tar.bz2) = a475fb7b79641ddd7c20861e16d3d71ccb1a5ae33247cce0b9e73690dd664ebf129964c026bc33b0f082a7585e5a6acae9afc9a65f308e19b49fa0a8bebc0362
Size (lynx2.8.8rel.2.tar.bz2) = 2587120 bytes
+SHA1 (patch-WWW_Library_Implementation_HTTCP.c) = 7449ad250c5971483aba8bd3c233080deafe7837
+SHA1 (patch-WWW_Library_Implementation_HTTP.c) = 3249d46c1494f7913da71c8d1f689d9f3523d0f3
+SHA1 (patch-WWW_Library_Implementation_HTTP.h) = 4ad3a9cf309c7ef32d0a53df6f5840ed57c25a31
+SHA1 (patch-WWW_Library_Implementation_HTUTILS.h) = 654c4bd1be5e2d8c74efb44e2a5e996957bf7622
SHA1 (patch-aa) = 85e76c4b2708e01dd1abdc1af764a067bd83bcb9
SHA1 (patch-ab) = 26fab3bd426a76df530e6780eefe36464059bc6a
SHA1 (patch-af) = 31399c0c3394b90c0680708fff06f6f9e19674b3
+SHA1 (patch-src_LYUtils.c) = fadef16c363b3e4327dd822f57b99274bcc6c6e3
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c Wed Dec 28 16:37:56 2016 +0000
@@ -0,0 +1,31 @@
+$NetBSD$
+
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- WWW/Library/Implementation/HTTCP.c.orig 2016-12-21 10:03:58.000000000 +0000
++++ WWW/Library/Implementation/HTTCP.c
+@@ -1792,7 +1792,6 @@ int HTDoConnect(const char *url,
+ int status = 0;
+ char *line = NULL;
+ char *p1 = NULL;
+- char *at_sign = NULL;
+ char *host = NULL;
+
+ #ifdef INET6
+@@ -1814,14 +1813,8 @@ int HTDoConnect(const char *url,
+ * Get node name and optional port number.
+ */
+ p1 = HTParse(url, "", PARSE_HOST);
+- if ((at_sign = StrChr(p1, '@')) != NULL) {
+- /*
+- * If there's an @ then use the stuff after it as a hostname.
+- */
+- StrAllocCopy(host, (at_sign + 1));
+- } else {
+ StrAllocCopy(host, p1);
+- }
++ strip_userid(host, FALSE);
+ FREE(p1);
+
+ HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c Wed Dec 28 16:37:56 2016 +0000
@@ -0,0 +1,60 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.c,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $
+
+Mitigate POODLE vulnerability
+https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/02-init-openssl.patch
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- WWW/Library/Implementation/HTTP.c.orig 2014-01-11 19:06:15.000000000 +0000
++++ WWW/Library/Implementation/HTTP.c
+@@ -105,6 +105,8 @@ static int HTSSLCallback(int preverify_o
+
+ SSL *HTGetSSLHandle(void)
+ {
++ char *ciphers;
++
+ #ifdef USE_GNUTLS_INCL
+ static char *certfile = NULL;
+ #endif
+@@ -119,7 +121,12 @@ SSL *HTGetSSLHandle(void)
+ #else
+ SSLeay_add_ssl_algorithms();
+ ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
++ /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
++ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++ ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++ SSL_CTX_set_cipher_list(ssl_ctx, ciphers);
++
+ #ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif
+@@ -419,7 +426,7 @@ int ws_netread(int fd, char *buf, int le
+ /*
+ * Strip any username from the given string so we retain only the host.
+ */
+-static void strip_userid(char *host)
++void strip_userid(char *host, int parse_only)
+ {
+ char *p1 = host;
+ char *p2 = StrChr(host, '@');
+@@ -432,7 +439,8 @@ static void strip_userid(char *host)
+
+ CTRACE((tfp, "parsed:%s\n", fake));
+ HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
+- HTAlert(msg);
++ if (msg !=0 && !parse_only)
++ HTAlert(msg);
+ FREE(msg);
+ }
+ while ((*p1++ = *p2++) != '\0') {
+@@ -1074,7 +1082,7 @@ static int HTLoadHTTP(const char *arg,
+ char *host = NULL;
+
+ if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
+- strip_userid(host);
++ strip_userid(host, TRUE);
+ HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
+ FREE(host);
+ }
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h Wed Dec 28 16:37:56 2016 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.h,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $
+
+Drop the use of weak ciphers
+https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/03-weak-ciphers-by-default.patch
+
+--- WWW/Library/Implementation/HTTP.h.orig 2016-12-21 03:04:50.000000000 +0000
++++ WWW/Library/Implementation/HTTP.h
+@@ -21,6 +21,8 @@ extern "C" {
+ GLOBALREF HTProtocol HTTPS;
+ #endif /* GLOBALREF_IS_MACRO */
+
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #define URL_GET_METHOD 1
+ #define URL_POST_METHOD 2
+ #define URL_MAIL_METHOD 3
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h Wed Dec 28 16:37:56 2016 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-WWW_Library_Implementation_HTUTILS.h,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $
+
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- WWW/Library/Implementation/HTUtils.h.orig 2016-12-21 10:08:13.000000000 +0000
++++ WWW/Library/Implementation/HTUtils.h
+@@ -801,6 +801,8 @@ extern "C" {
+
+ extern FILE *TraceFP(void);
+
++ extern void strip_userid(char *host, int warn);
++
+ #ifdef USE_SSL
+ extern SSL *HTGetSSLHandle(void);
+ extern void HTSSLInitPRNG(void);
diff -r 47afa877430a -r 2e107e5ff6b4 www/lynx/patches/patch-src_LYUtils.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-src_LYUtils.c Wed Dec 28 16:37:56 2016 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-src_LYUtils.c,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $
+
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- src/LYUtils.c.orig 2016-12-21 10:09:24.000000000 +0000
++++ src/LYUtils.c
+@@ -4693,6 +4693,7 @@ BOOLEAN LYExpandHostForURL(char **Alloca
+ * Do a DNS test on the potential host field as presently trimmed. - FM
+ */
+ StrAllocCopy(host, Str);
++ strip_userid(host, FALSE);
+ HTUnEscape(host);
+ if (LYCursesON) {
+ StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);
Home |
Main Index |
Thread Index |
Old Index