Pullup ticket #5162 - requested by wiz

www/w3m: security fix
www/w3m-img: security fix

Revisions pulled up:
- www/w3m-img/Makefile                                          1.29
- www/w3m-img/PLIST                                             1.1
- www/w3m/Makefile                                              1.78
- www/w3m/Makefile.common                                       1.62-1.63
- www/w3m/PLIST                                                 1.17
- www/w3m/distinfo                                              1.27-1.29
- www/w3m/options.mk                                            1.15
- www/w3m/patches/patch-aa                                      deleted
- www/w3m/patches/patch-ab                                      deleted
- www/w3m/patches/patch-ac                                      deleted
- www/w3m/patches/patch-ak                                      deleted
- www/w3m/patches/patch-al                                      deleted
- www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in       deleted

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sun Nov  6 19:26:35 UTC 2016

   Modified Files:
   	pkgsrc/www/w3m: Makefile Makefile.common PLIST distinfo options.mk
   	pkgsrc/www/w3m/patches: patch-ab

   Log Message:
   Updated w3m to 0.5.3.0.20161031.

   Switch from dead sourceforge original to debian-maintained github version.

   * new features
   - support OSC 5379 remote imaging and sixel graphics
   - support SGR style mouse handler
   - support 32-bit color images
   - support FreeBSD framebuffer
   - support button element
   - support meta charset
   - add extbrowser4..9
   - add display_borders to display 0 pixel table borders
   - add siteconf feature
   - add German translation for options setting panel
   - add translations for de, zh_CN and zh_TW
   * bug fixes
   - fix segfaults with malformed text
   - disable SSLv2 and SSLv3 by default [CVE-2014-3566]
   - set ssl_verify_server to 1 by default
   - disable RC4, export ciphers, and keys < 128 bits
   - use SSL_OP_NO_COMPRESSION due to "CRIME attack" [CVE-2012-4929]
   - use SSL_MODE_RELEASE_BUFFERS
   - disable USE_EGD for LibreSSL
   - appease gcc -Werror=format-security
   - option -s is now "squeeze multiple blank lines" to work as pager, and
     -j and -e are obsolete, so use -O{s|j|e} to specify display charset
   - accept single quoted meta refresh URL
   - assume "text" if a form input type is unknown
   - accept cookies by default
   - set use_dictcommand to 1 by default
   - set default_url to 1 by default
   - set argv_is_url to 1 by default
   - set alt_entity to 0 by default
   - fix build problems with Boehm GC 7.2, imlib2 1.4.6 and glibc 2.14
   - fix parallel make failure
   - fix incorrect ucs_ambwidth_map
   - and many fixes

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sun Nov  6 19:27:16 UTC 2016

   Modified Files:
   	pkgsrc/www/w3m-img: Makefile
   Added Files:
   	pkgsrc/www/w3m-img: PLIST

   Log Message:
   Updated w3m-img to 0.5.3.0.20161031.

   Changes same as for www/w3m.

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sun Nov  6 19:27:25 UTC 2016

   Removed Files:
   	pkgsrc/www/w3m/patches: patch-aa patch-ac patch-ak patch-al
   	    patch-scripts_w3mman_w3mman2html.cgi.in

   Log Message:
   Remove obsolete patches.

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Sun Nov  6 19:30:42 UTC 2016

   Modified Files:
   	pkgsrc/www/w3m: distinfo
   	pkgsrc/www/w3m/patches: patch-ab

   Log Message:
   Add upstream bug report URL.

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Tue Nov 22 14:36:38 UTC 2016

   Modified Files:
   	pkgsrc/www/w3m: Makefile.common distinfo

   Log Message:
   Updated w3m to 0.5.3.0.20161120.

   Debian's w3m 0.5.3+git20161120

   * bug fixes
   - fix multiple flaws with malformed text
     (stack overflow, buffer overflow, null deref, out of memory)
   - fix stack overflow with nested table and textarea [CVE-2016-9439]
   - fix suspend (^Z) behavior

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Tue Nov 22 15:24:43 UTC 2016

   Removed Files:
   	pkgsrc/www/w3m/patches: patch-ab

   Log Message:
   Remove integrated patch.

13 files changed, 33 insertions, 169 deletions

diff --git a/www/w3m-img/Makefile b/www/w3m-img/Makefile
index b79f95a45d0..8ccf3ec1b74 100644
--- a/www/w3m-img/Makefile
+++ b/www/w3m-img/Makefile
@@ -1,14 +1,13 @@
-# $NetBSD: Makefile,v 1.28 2016/03/05 11:29:40 jperkin Exp $
+# $NetBSD: Makefile,v 1.28.6.1 2016/11/28 20:22:06 bsiegert Exp $
 
-PKGNAME=	w3m-img-${W3M_VERS}
-PKGREVISION=	6
+PKGNAME=	w3m-img-${W3M_PKGVERS}
 COMMENT=	Multilingualized version of w3m with inline image support
 
 CONFLICTS+=	w3m-[0-9]*
 
 DISTINFO_FILE=	${.CURDIR}/../../www/w3m/distinfo
 PATCHDIR=	${.CURDIR}/../../www/w3m/patches
-PLIST_SRC=	${.CURDIR}/../../www/w3m/PLIST
+PLIST_SRC=	${.CURDIR}/../../www/w3m/PLIST ${.CURDIR}/PLIST
 
 USE_TOOLS+=	msgfmt
 
diff --git a/www/w3m-img/PLIST b/www/w3m-img/PLIST
new file mode 100644
index 00000000000..4f0ee80ceab
--- /dev/null
+++ b/www/w3m-img/PLIST
@@ -0,0 +1,2 @@
+@comment $NetBSD: PLIST,v 1.1.2.2 2016/11/28 20:22:06 bsiegert Exp $
+libexec/w3m/w3mimgdisplay
diff --git a/www/w3m/Makefile b/www/w3m/Makefile
index 4debcae7088..ba566bcdaa7 100644
--- a/www/w3m/Makefile
+++ b/www/w3m/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.77 2016/08/03 10:23:32 adam Exp $
+# $NetBSD: Makefile,v 1.77.2.1 2016/11/28 20:22:06 bsiegert Exp $
 
-PKGNAME=	w3m-${W3M_VERS}
-PKGREVISION=	18
+PKGNAME=	w3m-${W3M_PKGVERS}
 COMMENT=	Multilingualized version of a pager/text-based browser w3m
 
 CONFLICTS+=	w3m-img-[0-9]*
diff --git a/www/w3m/Makefile.common b/www/w3m/Makefile.common
index eac925d56ef..2a86e58800e 100644
--- a/www/w3m/Makefile.common
+++ b/www/w3m/Makefile.common
@@ -1,16 +1,19 @@
-# $NetBSD: Makefile.common,v 1.61 2014/10/09 14:07:12 wiz Exp $
+# $NetBSD: Makefile.common,v 1.61.16.1 2016/11/28 20:22:06 bsiegert Exp $
 #
 # used by www/w3m/Makefile
 # used by www/w3m-img/Makefile
 
 DISTNAME=	w3m-${W3M_VERS}
 CATEGORIES=	www
-MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=w3m/}
+MASTER_SITES=	${MASTER_SITE_GITHUB:=tats/}
+GITHUB_TAG=	v${W3M_VERS}
 
 MAINTAINER=	uebayasi@NetBSD.org
 HOMEPAGE=	http://w3m.sourceforge.net/
+# or https://github.com/tats/w3m
+# or https://packages.qa.debian.org/w/w3m.html
 
-MAKE_JOBS_SAFE=		no
+WRKSRC=		${WRKDIR}/w3m-${W3M_VERS:S/+/-/}
 
 GNU_CONFIGURE=	yes
 USE_LANGUAGES=	c c++
@@ -18,7 +21,8 @@ USE_TOOLS+=	gmake	# Needed for some combinations of options...
 USE_TOOLS+=	msgfmt
 USE_PKGLOCALEDIR=	yes
 
-W3M_VERS=	0.5.3
+W3M_VERS=	0.5.3+git20161120
+W3M_PKGVERS=	${W3M_VERS:S/+git/.0./}
 
 # For w3mman, xface2xpm, cgi scripts.
 USE_TOOLS+=	perl:run pax
@@ -63,11 +67,6 @@ SUBST_STAGE.fh=		post-patch
 SUBST_FILES.fh=		istream.*
 SUBST_SED.fh=		-e 's/file_handle/file_handle_rofl/g'
 
-post-extract:
-	cd ${WRKSRC}/doc && ${RM} -fr CVS
-	cd ${WRKSRC}/doc-jp && ${RM} -fr CVS
-	cd ${WRKSRC} && ${RM} -fr gc
-
 INSTALLATION_DIRS+=	${DOCDIR}
 
 INSTALL_TARGET=		install install-helpfile
diff --git a/www/w3m/PLIST b/www/w3m/PLIST
index c456352852e..5c136f896b8 100644
--- a/www/w3m/PLIST
+++ b/www/w3m/PLIST
@@ -1,16 +1,18 @@
-@comment $NetBSD: PLIST,v 1.16 2011/01/21 23:34:13 wiz Exp $
+@comment $NetBSD: PLIST,v 1.16.46.1 2016/11/28 20:22:06 bsiegert Exp $
 bin/w3m
 bin/w3mman
 libexec/w3m/cgi-bin/dirlist.cgi
 libexec/w3m/cgi-bin/multipart.cgi
 libexec/w3m/cgi-bin/w3mbookmark
+libexec/w3m/cgi-bin/w3mdict.cgi
 libexec/w3m/cgi-bin/w3mhelp.cgi
 libexec/w3m/cgi-bin/w3mhelperpanel
-${PLIST.image}libexec/w3m/w3mimgdisplay
 libexec/w3m/cgi-bin/w3mmail.cgi
 libexec/w3m/cgi-bin/w3mman2html.cgi
 libexec/w3m/inflate
 libexec/w3m/xface2xpm
+man/de/man1/w3m.1
+man/de/man1/w3mman.1
 man/ja_JP.eucJP/man1/w3m.1
 man/man1/w3m.1
 man/man1/w3mman.1
@@ -32,6 +34,7 @@ share/doc/w3m/doc-jp/README.migemo
 share/doc/w3m/doc-jp/README.mouse
 share/doc/w3m/doc-jp/README.passwd
 share/doc/w3m/doc-jp/README.pre_form
+share/doc/w3m/doc-jp/README.siteconf
 share/doc/w3m/doc-jp/README.tab
 share/doc/w3m/doc-jp/STORY.html
 share/doc/w3m/doc-jp/keymap.default
@@ -51,13 +54,19 @@ share/doc/w3m/doc/README.m17n
 share/doc/w3m/doc/README.mouse
 share/doc/w3m/doc/README.passwd
 share/doc/w3m/doc/README.pre_form
+share/doc/w3m/doc/README.siteconf
+share/doc/w3m/doc/README.sixel
 share/doc/w3m/doc/README.tab
 share/doc/w3m/doc/STORY.html
 share/doc/w3m/doc/keymap.default
 share/doc/w3m/doc/keymap.lynx
 share/doc/w3m/doc/menu.default
 share/doc/w3m/doc/menu.submenu
+share/locale/de/LC_MESSAGES/w3m.mo
 share/locale/ja/LC_MESSAGES/w3m.mo
+share/locale/zh_CN/LC_MESSAGES/w3m.mo
+share/locale/zh_TW/LC_MESSAGES/w3m.mo
+share/w3m/w3mhelp-funcdesc.de.pl
 share/w3m/w3mhelp-funcdesc.en.pl
 share/w3m/w3mhelp-funcdesc.ja.pl
 share/w3m/w3mhelp-funcname.pl
diff --git a/www/w3m/distinfo b/www/w3m/distinfo
index 0e79f15b72e..605a87440da 100644
--- a/www/w3m/distinfo
+++ b/www/w3m/distinfo
@@ -1,12 +1,6 @@
-$NetBSD: distinfo,v 1.26 2015/11/04 02:47:41 agc Exp $
+$NetBSD: distinfo,v 1.26.8.1 2016/11/28 20:22:06 bsiegert Exp $
 
-SHA1 (w3m-0.5.3.tar.gz) = 444b6c8cf7094ee95f8e9de96b37f814b9d83237
-RMD160 (w3m-0.5.3.tar.gz) = 6a0153bc53f7c107c700404262ce1b4d02e6dd91
-SHA512 (w3m-0.5.3.tar.gz) = 43508c76d07b4d8f19c19f975c0b870aeb94abf0744b6128ee01c759d4e409a8b57bc866baeaf990f309ff73e9a7b02ca455d272b1dd0a93fafb8c72b1fe6d14
-Size (w3m-0.5.3.tar.gz) = 2202328 bytes
-SHA1 (patch-aa) = 2de78a6db9bd483416895b393935ccadab879932
-SHA1 (patch-ab) = e1264e0b5e0dc2a1aaf7cc1e6067afd556792dd4
-SHA1 (patch-ac) = 37c6c78a208c50876641aa90164cc46106403260
-SHA1 (patch-ak) = ac0ee99d5ab49c431cfa496d0d2d509efd6b06fa
-SHA1 (patch-al) = 8b393004eed249449151d1f2b9252fcb1b55922d
-SHA1 (patch-scripts_w3mman_w3mman2html.cgi.in) = 344f21307a6a439cfe25d80a7b31da7051522f31
+SHA1 (w3m-0.5.3+git20161120.tar.gz) = 949ab2d125b7ad39db1cf6b4e6f851a28893efb2
+RMD160 (w3m-0.5.3+git20161120.tar.gz) = 3c017726743d06e22d79aa52057ef564f3b5158e
+SHA512 (w3m-0.5.3+git20161120.tar.gz) = 81ecf9e5d9067a82efa5464e5f9396327a6333f9e414458a972b2b7bff138bd17c490b5258e34cb1e338c7a6c0dd6105a1bfd1e0d02edfadead79caa39106a5c
+Size (w3m-0.5.3+git20161120.tar.gz) = 2177917 bytes
diff --git a/www/w3m/options.mk b/www/w3m/options.mk
index 7747ffb7300..21fc9ed9147 100644
--- a/www/w3m/options.mk
+++ b/www/w3m/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.14 2015/11/25 12:54:07 jperkin Exp $
+# $NetBSD: options.mk,v 1.14.8.1 2016/11/28 20:22:06 bsiegert Exp $
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.w3m
 PKG_SUPPORTED_OPTIONS=	inet6 migemo w3m-lynx-key
@@ -6,7 +6,7 @@ PKG_SUGGESTED_OPTIONS=	inet6
 
 .if ${_W3M_USE_IMAGE} == "YES"
 PKG_OPTIONS_REQUIRED_GROUPS+=	imagelib
-PKG_SUGGESTED_OPTIONS+=		w3m-image-gdk-pixbuf
+PKG_SUGGESTED_OPTIONS+=		w3m-image-gtk2
 .else
 PKG_OPTIONS_OPTIONAL_GROUPS+=	imagelib
 .endif
diff --git a/www/w3m/patches/patch-aa b/www/w3m/patches/patch-aa
deleted file mode 100644
index 7fb93802013..00000000000
--- a/www/w3m/patches/patch-aa
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-aa,v 1.13 2008/12/13 08:53:27 obache Exp $
-
-PKG_CONFIG points right location in pkgsrc.
-
---- configure.orig	2007-05-31 12:17:05.000000000 +0000
-+++ configure
-@@ -5602,8 +5602,6 @@ echo "${ECHO_T}$with_imagelib" >&6; }
-      with_gtk2="yes"
-      if test x"$PKG_CONFIG" = x; then
-        PKG_CONFIG=pkg-config
--     else
--       PKG_CONFIG=:
-      fi;;
-    esac
-   done
diff --git a/www/w3m/patches/patch-ab b/www/w3m/patches/patch-ab
deleted file mode 100644
index 63885677c27..00000000000
--- a/www/w3m/patches/patch-ab
+++ /dev/null
@@ -1,35 +0,0 @@
-$NetBSD: patch-ab,v 1.12 2012/05/30 06:42:34 wiz Exp $
-
-First chunk: adapt for gc-7.2 API change.
-Second chunk: suspend the job w3m belongs to, not w3m only.
-
---- main.c.orig	2011-01-04 09:42:19.000000000 +0000
-+++ main.c
-@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp)
-     mySignal(SIGPIPE, SigPipe);
- #endif
- 
--    orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc);
-+    orig_GC_warn_proc = GC_get_warn_proc();
-+    GC_set_warn_proc(wrap_GC_warn_proc);
-     err_msg = Strnew();
-     if (load_argc == 0) {
- 	/* no URL specified */
-@@ -2517,7 +2518,17 @@ DEFUN(susp, INTERRUPT SUSPEND, "Stop loa
- 	shell = "/bin/sh";
-     system(shell);
- #else				/* SIGSTOP */
-+#ifdef SIGTSTP
-+    signal(SIGTSTP, SIG_DFL);  /* just in case */
-+    /*
-+     * Note: If susp() was called from SIGTSTP handler,
-+     * unblocking SIGTSTP would be required here.
-+     * Currently not.
-+     */ 
-+    kill(0, SIGTSTP);  /* stop whole job, not a single process */
-+#else
-     kill((pid_t) 0, SIGSTOP);
-+#endif
- #endif				/* SIGSTOP */
-     fmInit();
-     displayBuffer(Currentbuf, B_FORCE_REDRAW);
diff --git a/www/w3m/patches/patch-ac b/www/w3m/patches/patch-ac
deleted file mode 100644
index d201243cc0c..00000000000
--- a/www/w3m/patches/patch-ac
+++ /dev/null
@@ -1,26 +0,0 @@
-$NetBSD: patch-ac,v 1.15 2011/01/21 23:34:14 wiz Exp $
-
-Fix for CVE-2010-2074 taken from here:
-
-http://www.openwall.com/lists/oss-security/2010/06/14/4
-
---- fm.h.orig	2011-01-04 09:22:21.000000000 +0000
-+++ fm.h
-@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
- #endif
- 
- #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
--global int ssl_verify_server init(FALSE);
-+global int ssl_verify_server init(TRUE);
- global char *ssl_cert_file init(NULL);
- global char *ssl_key_file init(NULL);
- global char *ssl_ca_path init(NULL);
-@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE)
- #endif				/* defined(USE_SSL) &&
- 				 * defined(USE_SSL_VERIFY) */
- #ifdef USE_SSL
--global char *ssl_forbid_method init(NULL);
-+global char *ssl_forbid_method init("2");
- #endif
- 
- global int is_redisplay init(FALSE);
diff --git a/www/w3m/patches/patch-ak b/www/w3m/patches/patch-ak
deleted file mode 100644
index 80a137e9c8c..00000000000
--- a/www/w3m/patches/patch-ak
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-ak,v 1.1 2008/12/13 08:52:13 obache Exp $
-
-PKG_CONFIG points right location in pkgsrc.
-
---- acinclude.m4.orig	2006-04-07 13:21:11.000000000 +0000
-+++ acinclude.m4
-@@ -652,8 +652,6 @@ AC_DEFUN([AC_W3M_IMAGE],
-      with_gtk2="yes"
-      if test x"$PKG_CONFIG" = x; then
-        PKG_CONFIG=pkg-config
--     else
--       PKG_CONFIG=:
-      fi;;
-    esac
-   done
diff --git a/www/w3m/patches/patch-al b/www/w3m/patches/patch-al
deleted file mode 100644
index 5a2aadc37a1..00000000000
--- a/www/w3m/patches/patch-al
+++ /dev/null
@@ -1,32 +0,0 @@
-$NetBSD: patch-al,v 1.1 2011/04/05 05:55:29 uebayasi Exp $
-
-http://gnats.netbsd.org/42400
-
-this patch adds support for single quoted meta refresh parameters, which is
-needed to access GMail with w3m.
-
-from: Paul Boekholt ( boekholt ) - 2008-09-06 06:54
-support single quoted meta refresh parameter - ID: 2096461
-http://sourceforge.net/tracker/?func=detail&aid=2096461&group_id=39518&atid=425441
-
---- file.c.orig	2011-01-04 09:22:21.000000000 +0000
-+++ file.c
-@@ -4284,15 +4284,15 @@ getMetaRefreshParam(char *q, Str *refres
-     while (*q) {
- 	if (!strncasecmp(q, "url=", 4)) {
- 	    q += 4;
--	    if (*q == '\"')	/* " */
-+	    if (*q == '\"' || *q == '\'')	/* " or ' */
- 		q++;
- 	    r = q;
- 	    while (*r && !IS_SPACE(*r) && *r != ';')
- 		r++;
- 	    s_tmp = Strnew_charp_n(q, r - q);
- 
--	    if (s_tmp->ptr[s_tmp->length - 1] == '\"') {	/* " 
--								 */
-+	    if (s_tmp->ptr[s_tmp->length - 1] == '\"' ||	/* " */
-+	        s_tmp->ptr[s_tmp->length - 1] == '\'') {	/* ' */
- 		s_tmp->length--;
- 		s_tmp->ptr[s_tmp->length] = '\0';
- 	    }
diff --git a/www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in b/www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in
deleted file mode 100644
index df152271b57..00000000000
--- a/www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-scripts_w3mman_w3mman2html.cgi.in,v 1.1 2015/08/24 13:42:28 leot Exp $
-
-Use of defined() on aggregates (arrays and hashes) is deprecated from Perl 5.22.
-
---- scripts/w3mman/w3mman2html.cgi.in.orig	2011-01-04 09:22:28.000000000 +0000
-+++ scripts/w3mman/w3mman2html.cgi.in
-@@ -220,7 +220,7 @@ sub is_command {
-   local($p);
- 
-   (! -d && -x) || return 0;
--  if (! defined(%PATH)) {
-+  if (! %PATH) {
-     for $p (split(":", $ENV{'PATH'})) {
-       $p =~ s@/+$@@;
-       $PATH{$p} = 1;