pkgsrc-Changes archive
CVS commit: pkgsrc/www/lynx
Module Name: pkgsrc
Committed By: kim
Date: Thu Aug 12 04:20:11 UTC 2021
Modified Files:
pkgsrc/www/lynx: Makefile distinfo
Added Files:
pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTP.c
Log Message:
lynx: Address CVE-2021-38165
Cherry picked from 2021-08-07 (2.9.0dev.9):
* strip user/password from ssl_host in HTLoadHTTP, incorrectly passed as
part of the server name indicator (Debian #991971) -TD
To generate a diff of this commit:
cvs rdiff -u -r1.138 -r1.139 pkgsrc/www/lynx/Makefile
cvs rdiff -u -r1.39 -r1.40 pkgsrc/www/lynx/distinfo
cvs rdiff -u -r0 -r1.4 \
pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/lynx/Makefile
diff -u pkgsrc/www/lynx/Makefile:1.138 pkgsrc/www/lynx/Makefile:1.139
--- pkgsrc/www/lynx/Makefile:1.138 Wed Apr 21 13:25:30 2021
+++ pkgsrc/www/lynx/Makefile Thu Aug 12 04:20:11 2021
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.138 2021/04/21 13:25:30 adam Exp $
+# $NetBSD: Makefile,v 1.139 2021/08/12 04:20:11 kim Exp $
DISTNAME= lynx2.8.9rel.1
PKGNAME= ${DISTNAME:S/lynx/lynx-/:S/rel//}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= www
MASTER_SITES= https://invisible-mirror.net/archives/lynx/tarballs/
MASTER_SITES+= ftp://ftp.cyf-kr.edu.pl/pub/unix/lynx/${SUBDIR:Q}/
Index: pkgsrc/www/lynx/distinfo
diff -u pkgsrc/www/lynx/distinfo:1.39 pkgsrc/www/lynx/distinfo:1.40
--- pkgsrc/www/lynx/distinfo:1.39 Wed Nov 14 16:09:03 2018
+++ pkgsrc/www/lynx/distinfo Thu Aug 12 04:20:11 2021
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.39 2018/11/14 16:09:03 nia Exp $
+$NetBSD: distinfo,v 1.40 2021/08/12 04:20:11 kim Exp $
SHA1 (lynx2.8.9rel.1.tar.bz2) = 3e00ac30d008e0aa879bfd037abcfd9c0dd2faec
RMD160 (lynx2.8.9rel.1.tar.bz2) = 0923d229a32c6fc2586798a2b80630fca34e7493
SHA512 (lynx2.8.9rel.1.tar.bz2) = 61edbe082684fcbd91bdbf4f4d27c3baf92358811aaffc2f8af46adf23ca7b48aede1520fc5f2a8fc974a2f4bbf4e57e7e6027a187bfc6101e56878c98178e6d
Size (lynx2.8.9rel.1.tar.bz2) = 2689171 bytes
+SHA1 (patch-WWW_Library_Implementation_HTTP.c) = 402301685b2cd0a3faa7efab8a9ec69294bef409
SHA1 (patch-aa) = 85e76c4b2708e01dd1abdc1af764a067bd83bcb9
SHA1 (patch-ab) = 26fab3bd426a76df530e6780eefe36464059bc6a
Added files:
Index: pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c
diff -u /dev/null pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c:1.4
--- /dev/null Thu Aug 12 04:20:11 2021
+++ pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c Thu Aug 12 04:20:11 2021
@@ -0,0 +1,42 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.c,v 1.4 2021/08/12 04:20:11 kim Exp $
+
+Address CVE-2021-38165 [From 2021-08-07 (2.9.0dev.9)]:
+
+* strip user/password from ssl_host in HTLoadHTTP, incorrectly passed as
+ part of the server name indicator (Debian #991971) -TD
+
+Index: WWW/Library/Implementation/HTTP.c
+--- WWW/Library/Implementation/HTTP.c 2021-06-08 23:28:23.000000000 +0000
++++ WWW/Library/Implementation/HTTP.c 2021-08-07 14:33:59.000000000 +0000
+@@ -764,6 +764,23 @@
+ }
+ #endif
+
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++ char *p = strchr(host, '@');
++
++ if (p != NULL) {
++ char *q = host;
++
++ while ((*q++ = *++p) != '\0') ;
++ }
++ return host;
++}
++#endif
++
+ /* Load Document from HTTP Server HTLoadHTTP()
+ * ==============================
+ *
+@@ -959,6 +976,7 @@
+ /* get host we're connecting to */
+ ssl_host = HTParse(url, "", PARSE_HOST);
+ ssl_host = StripIpv6Brackets(ssl_host);
++ ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ ret = gnutls_server_name_set(handle->gnutls_state,
+ GNUTLS_NAME_DNS,
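Review bot: In StripUserAuthents, strchr(host, '@') stops at the first '@', so a userinfo part that itself contains an unencoded '@' (for example in the password) would leave the tail of the credentials in ssl_host, and that value is what gets handed to gnutls_server_name_set. Since a hostname cannot contain '@', searching from the right with strrchr(host, '@') would drop everything up to the real delimiter. Separately, in the second inner hunk StripIpv6Brackets runs on the string while it still carries the userinfo; its body is not shown here, but if it keys on a leading '[', calling StripUserAuthents first would be the safer order. A short comment on the helper noting that it edits host in place and returns the same pointer would also help callers.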