From 9606a53ef5334d52a848b4b1e8feeb5cf0550b1c Mon Sep 17 00:00:00 2001 From: bsiegert Date: Wed, 28 Dec 2016 16:37:56 +0000 Subject: Pullup ticket #5174 - requested by sevan www/lynx: security fix Revisions pulled up: - www/lynx/Makefile 1.123-1.124 - www/lynx/distinfo 1.34-1.35 - www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c 1.1-1.2 - www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c 1.1 - www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h 1.1 - www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h 1.1 - www/lynx/patches/patch-src_LYUtils.c 1.1 --- Module Name: pkgsrc Committed By: sevan Date: Wed Dec 21 11:25:25 UTC 2016 Modified Files: pkgsrc/www/lynx: Makefile distinfo Added Files: pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c patch-WWW_Library_Implementation_HTTP.c patch-WWW_Library_Implementation_HTTP.h patch-WWW_Library_Implementation_HTUTILS.h patch-src_LYUtils.c Log Message: Patch for POODLE & CVE-2016-9179. Bump rev. --- Module Name: pkgsrc Committed By: sevan Date: Thu Dec 22 17:30:52 UTC 2016 Modified Files: pkgsrc/www/lynx: Makefile distinfo pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c Log Message: Fix broken patch committed previously which resulted in lynx crashing. Bump rev again. Apologies to anyone caught out by this mistake. Heads up by alnsn@ --- www/lynx/Makefile | 4 +- www/lynx/distinfo | 7 ++- .../patch-WWW_Library_Implementation_HTTCP.c | 31 +++++++++++ .../patch-WWW_Library_Implementation_HTTP.c | 60 ++++++++++++++++++++++ .../patch-WWW_Library_Implementation_HTTP.h | 16 ++++++ .../patch-WWW_Library_Implementation_HTUTILS.h | 16 ++++++ www/lynx/patches/patch-src_LYUtils.c | 15 ++++++ 7 files changed, 146 insertions(+), 3 deletions(-) create mode 100644 www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c create mode 100644 www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c create mode 100644 www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h create mode 100644 www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h create mode 100644 www/lynx/patches/patch-src_LYUtils.c diff --git a/www/lynx/Makefile b/www/lynx/Makefile index 1172381e838..05ab863b5ad 100644 --- a/www/lynx/Makefile +++ b/www/lynx/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.122 2016/07/22 18:51:41 shattered Exp $ +# $NetBSD: Makefile,v 1.122.2.1 2016/12/28 16:37:56 bsiegert Exp $ DISTNAME= lynx2.8.8rel.2 PKGNAME= ${DISTNAME:S/lynx/lynx-/:S/rel//} -PKGREVISION= 4 +PKGREVISION= 6 CATEGORIES= www MASTER_SITES= http://lynx.isc.org/${SUBDIR:Q}/ \ ftp://ftp.cyf-kr.edu.pl/pub/unix/lynx/${SUBDIR:Q}/ diff --git a/www/lynx/distinfo b/www/lynx/distinfo index 52b84e44c27..1345ea63b99 100644 --- a/www/lynx/distinfo +++ b/www/lynx/distinfo @@ -1,9 +1,14 @@ -$NetBSD: distinfo,v 1.33 2015/11/04 02:46:57 agc Exp $ +$NetBSD: distinfo,v 1.33.8.1 2016/12/28 16:37:56 bsiegert Exp $ SHA1 (lynx2.8.8rel.2.tar.bz2) = 65bbf95627c88723bbb5880155e5fe01c2753d0c RMD160 (lynx2.8.8rel.2.tar.bz2) = a683f9c163a6c343bde53ffde99dbecce4e41b02 SHA512 (lynx2.8.8rel.2.tar.bz2) = a475fb7b79641ddd7c20861e16d3d71ccb1a5ae33247cce0b9e73690dd664ebf129964c026bc33b0f082a7585e5a6acae9afc9a65f308e19b49fa0a8bebc0362 Size (lynx2.8.8rel.2.tar.bz2) = 2587120 bytes +SHA1 (patch-WWW_Library_Implementation_HTTCP.c) = 7449ad250c5971483aba8bd3c233080deafe7837 +SHA1 (patch-WWW_Library_Implementation_HTTP.c) = 3249d46c1494f7913da71c8d1f689d9f3523d0f3 +SHA1 (patch-WWW_Library_Implementation_HTTP.h) = 4ad3a9cf309c7ef32d0a53df6f5840ed57c25a31 +SHA1 (patch-WWW_Library_Implementation_HTUTILS.h) = 654c4bd1be5e2d8c74efb44e2a5e996957bf7622 SHA1 (patch-aa) = 85e76c4b2708e01dd1abdc1af764a067bd83bcb9 SHA1 (patch-ab) = 26fab3bd426a76df530e6780eefe36464059bc6a SHA1 (patch-af) = 31399c0c3394b90c0680708fff06f6f9e19674b3 +SHA1 (patch-src_LYUtils.c) = fadef16c363b3e4327dd822f57b99274bcc6c6e3 diff --git a/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c b/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c new file mode 100644 index 00000000000..0dcc255c049 --- /dev/null +++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c @@ -0,0 +1,31 @@ +$NetBSD$ + +Fix CVE-2016-9179 +https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch + +--- WWW/Library/Implementation/HTTCP.c.orig 2016-12-21 10:03:58.000000000 +0000 ++++ WWW/Library/Implementation/HTTCP.c +@@ -1792,7 +1792,6 @@ int HTDoConnect(const char *url, + int status = 0; + char *line = NULL; + char *p1 = NULL; +- char *at_sign = NULL; + char *host = NULL; + + #ifdef INET6 +@@ -1814,14 +1813,8 @@ int HTDoConnect(const char *url, + * Get node name and optional port number. + */ + p1 = HTParse(url, "", PARSE_HOST); +- if ((at_sign = StrChr(p1, '@')) != NULL) { +- /* +- * If there's an @ then use the stuff after it as a hostname. +- */ +- StrAllocCopy(host, (at_sign + 1)); +- } else { + StrAllocCopy(host, p1); +- } ++ strip_userid(host, FALSE); + FREE(p1); + + HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host); diff --git a/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c new file mode 100644 index 00000000000..3898c03e550 --- /dev/null +++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c @@ -0,0 +1,60 @@ +$NetBSD: patch-WWW_Library_Implementation_HTTP.c,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $ + +Mitigate POODLE vulnerability +https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/02-init-openssl.patch +Fix CVE-2016-9179 +https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch + +--- WWW/Library/Implementation/HTTP.c.orig 2014-01-11 19:06:15.000000000 +0000 ++++ WWW/Library/Implementation/HTTP.c +@@ -105,6 +105,8 @@ static int HTSSLCallback(int preverify_o + + SSL *HTGetSSLHandle(void) + { ++ char *ciphers; ++ + #ifdef USE_GNUTLS_INCL + static char *certfile = NULL; + #endif +@@ -119,7 +121,12 @@ SSL *HTGetSSLHandle(void) + #else + SSLeay_add_ssl_algorithms(); + ssl_ctx = SSL_CTX_new(SSLv23_client_method()); +- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); ++ /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */ ++ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); ++ ++ ciphers = (char *)DEFAULT_CIPHER_SELECTION; ++ SSL_CTX_set_cipher_list(ssl_ctx, ciphers); ++ + #ifdef SSL_OP_NO_COMPRESSION + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION); + #endif +@@ -419,7 +426,7 @@ int ws_netread(int fd, char *buf, int le + /* + * Strip any username from the given string so we retain only the host. + */ +-static void strip_userid(char *host) ++void strip_userid(char *host, int parse_only) + { + char *p1 = host; + char *p2 = StrChr(host, '@'); +@@ -432,7 +439,8 @@ static void strip_userid(char *host) + + CTRACE((tfp, "parsed:%s\n", fake)); + HTSprintf0(&msg, gettext("Address contains a username: %s"), host); +- HTAlert(msg); ++ if (msg !=0 && !parse_only) ++ HTAlert(msg); + FREE(msg); + } + while ((*p1++ = *p2++) != '\0') { +@@ -1074,7 +1082,7 @@ static int HTLoadHTTP(const char *arg, + char *host = NULL; + + if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) { +- strip_userid(host); ++ strip_userid(host, TRUE); + HTBprintf(&command, "Host: %s%c%c", host, CR, LF); + FREE(host); + } diff --git a/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h new file mode 100644 index 00000000000..cff5f571065 --- /dev/null +++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h @@ -0,0 +1,16 @@ +$NetBSD: patch-WWW_Library_Implementation_HTTP.h,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $ + +Drop the use of weak ciphers +https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/03-weak-ciphers-by-default.patch + +--- WWW/Library/Implementation/HTTP.h.orig 2016-12-21 03:04:50.000000000 +0000 ++++ WWW/Library/Implementation/HTTP.h +@@ -21,6 +21,8 @@ extern "C" { + GLOBALREF HTProtocol HTTPS; + #endif /* GLOBALREF_IS_MACRO */ + ++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4" ++ + #define URL_GET_METHOD 1 + #define URL_POST_METHOD 2 + #define URL_MAIL_METHOD 3 diff --git a/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h b/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h new file mode 100644 index 00000000000..46d0d5836e1 --- /dev/null +++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h @@ -0,0 +1,16 @@ +$NetBSD: patch-WWW_Library_Implementation_HTUTILS.h,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $ + +Fix CVE-2016-9179 +https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch + +--- WWW/Library/Implementation/HTUtils.h.orig 2016-12-21 10:08:13.000000000 +0000 ++++ WWW/Library/Implementation/HTUtils.h +@@ -801,6 +801,8 @@ extern "C" { + + extern FILE *TraceFP(void); + ++ extern void strip_userid(char *host, int warn); ++ + #ifdef USE_SSL + extern SSL *HTGetSSLHandle(void); + extern void HTSSLInitPRNG(void); diff --git a/www/lynx/patches/patch-src_LYUtils.c b/www/lynx/patches/patch-src_LYUtils.c new file mode 100644 index 00000000000..f0172fac9d5 --- /dev/null +++ b/www/lynx/patches/patch-src_LYUtils.c @@ -0,0 +1,15 @@ +$NetBSD: patch-src_LYUtils.c,v 1.1.2.2 2016/12/28 16:37:56 bsiegert Exp $ + +Fix CVE-2016-9179 +https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch + +--- src/LYUtils.c.orig 2016-12-21 10:09:24.000000000 +0000 ++++ src/LYUtils.c +@@ -4693,6 +4693,7 @@ BOOLEAN LYExpandHostForURL(char **Alloca + * Do a DNS test on the potential host field as presently trimmed. - FM + */ + StrAllocCopy(host, Str); ++ strip_userid(host, FALSE); + HTUnEscape(host); + if (LYCursesON) { + StrAllocCopy(MsgStr, WWW_FIND_MESSAGE); -- cgit v1.2.3