pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/www/lynx lynx: Address CVE-2021-38165



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1a27c549985e
branches:  trunk
changeset: 456945:1a27c549985e
user:      kim <kim%pkgsrc.org@localhost>
date:      Thu Aug 12 04:20:11 2021 +0000

description:
lynx: Address CVE-2021-38165

Cherry picked from 2021-08-07 (2.9.0dev.9):
* strip user/password from ssl_host in HTLoadHTTP, incorrectly passed as
  part of the server name indicator (Debian #991971) -TD

diffstat:

 www/lynx/Makefile                                        |   4 +-
 www/lynx/distinfo                                        |   3 +-
 www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c |  42 ++++++++++++++++
 3 files changed, 46 insertions(+), 3 deletions(-)

diffs (74 lines):

diff -r 1d78347a4f95 -r 1a27c549985e www/lynx/Makefile
--- a/www/lynx/Makefile Wed Aug 11 20:52:28 2021 +0000
+++ b/www/lynx/Makefile Thu Aug 12 04:20:11 2021 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.138 2021/04/21 13:25:30 adam Exp $
+# $NetBSD: Makefile,v 1.139 2021/08/12 04:20:11 kim Exp $
 
 DISTNAME=      lynx2.8.9rel.1
 PKGNAME=       ${DISTNAME:S/lynx/lynx-/:S/rel//}
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    www
 MASTER_SITES=  https://invisible-mirror.net/archives/lynx/tarballs/
 MASTER_SITES+= ftp://ftp.cyf-kr.edu.pl/pub/unix/lynx/${SUBDIR:Q}/
diff -r 1d78347a4f95 -r 1a27c549985e www/lynx/distinfo
--- a/www/lynx/distinfo Wed Aug 11 20:52:28 2021 +0000
+++ b/www/lynx/distinfo Thu Aug 12 04:20:11 2021 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.39 2018/11/14 16:09:03 nia Exp $
+$NetBSD: distinfo,v 1.40 2021/08/12 04:20:11 kim Exp $
 
 SHA1 (lynx2.8.9rel.1.tar.bz2) = 3e00ac30d008e0aa879bfd037abcfd9c0dd2faec
 RMD160 (lynx2.8.9rel.1.tar.bz2) = 0923d229a32c6fc2586798a2b80630fca34e7493
 SHA512 (lynx2.8.9rel.1.tar.bz2) = 61edbe082684fcbd91bdbf4f4d27c3baf92358811aaffc2f8af46adf23ca7b48aede1520fc5f2a8fc974a2f4bbf4e57e7e6027a187bfc6101e56878c98178e6d
 Size (lynx2.8.9rel.1.tar.bz2) = 2689171 bytes
+SHA1 (patch-WWW_Library_Implementation_HTTP.c) = 402301685b2cd0a3faa7efab8a9ec69294bef409
 SHA1 (patch-aa) = 85e76c4b2708e01dd1abdc1af764a067bd83bcb9
 SHA1 (patch-ab) = 26fab3bd426a76df530e6780eefe36464059bc6a
diff -r 1d78347a4f95 -r 1a27c549985e www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c  Thu Aug 12 04:20:11 2021 +0000
@@ -0,0 +1,42 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.c,v 1.4 2021/08/12 04:20:11 kim Exp $
+
+Address CVE-2021-38165 [From 2021-08-07 (2.9.0dev.9)]:
+
+* strip user/password from ssl_host in HTLoadHTTP, incorrectly passed as
+  part of the server name indicator (Debian #991971) -TD
+
+Index: WWW/Library/Implementation/HTTP.c
+--- WWW/Library/Implementation/HTTP.c  2021-06-08 23:28:23.000000000 +0000
++++ WWW/Library/Implementation/HTTP.c  2021-08-07 14:33:59.000000000 +0000
+@@ -764,6 +764,23 @@
+ }
+ #endif
+ 
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++    char *p = strchr(host, '@');
++
++    if (p != NULL) {
++      char *q = host;
++
++      while ((*q++ = *++p) != '\0') ;
++    }
++    return host;
++}
++#endif
++
+ /*            Load Document from HTTP Server                  HTLoadHTTP()
+  *            ==============================
+  *
+@@ -959,6 +976,7 @@
+       /* get host we're connecting to */
+       ssl_host = HTParse(url, "", PARSE_HOST);
+       ssl_host = StripIpv6Brackets(ssl_host);
++      ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+       ret = gnutls_server_name_set(handle->gnutls_state,
+                                    GNUTLS_NAME_DNS,
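Review bot: StripUserAuthents, at the first inner hunk of the new patch file, splits on the first '@' via `strchr(host, '@')`, so a userinfo component that itself contains an unencoded '@' would leave the tail of the credentials in `ssl_host` and still send it as the SNI name; since a hostname cannot contain '@', `strrchr(host, '@')` strips everything up to the last one and is the safer choice. The call order at the second inner hunk also deserves a check: `StripIpv6Brackets(ssl_host)` runs before `StripUserAuthents(ssl_host)`, so if the bracket stripping only recognizes a leading '[', the brackets of a `user@[::1]`-style host would survive into the SNI field; calling StripUserAuthents first removes the dependency on that detail. The in-place shift loop `while ((*q++ = *++p) != '\0') ;` is correct (q never overtakes p, and the terminating NUL is copied), but an empty statement on the same line is easy to misread as a dropped body; a `{ }` body or a short comment saying it shifts the remainder left would help the next reader.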


