From a4eefcc536aa9fdaca5d1b15c9f90fbd8e00a592 Mon Sep 17 00:00:00 2001 
From: bsiegert Date: Mon, 28 Nov 2016 20:22:06 +0000 Subject: Pullup ticket #5162 - requested by wiz www/w3m: security fix www/w3m-img: security fix Revisions pulled up: - www/w3m-img/Makefile 1.29 - www/w3m-img/PLIST 1.1 - www/w3m/Makefile 1.78 - www/w3m/Makefile.common 1.62-1.63 - www/w3m/PLIST 1.17 - www/w3m/distinfo 1.27-1.29 - www/w3m/options.mk 1.15 - www/w3m/patches/patch-aa deleted - www/w3m/patches/patch-ab deleted - www/w3m/patches/patch-ac deleted - www/w3m/patches/patch-ak deleted - www/w3m/patches/patch-al deleted - www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in deleted --- Module Name: pkgsrc Committed By: wiz Date: Sun Nov 6 19:26:35 UTC 2016 Modified Files: pkgsrc/www/w3m: Makefile Makefile.common PLIST distinfo options.mk pkgsrc/www/w3m/patches: patch-ab Log Message: Updated w3m to 0.5.3.0.20161031. Switch from dead sourceforge original to debian-maintained github version. * new features - support OSC 5379 remote imaging and sixel graphics - support SGR style mouse handler - support 32-bit color images - support FreeBSD framebuffer - support button element - support meta charset - add extbrowser4..9 - add display_borders to display 0 pixel table borders - add siteconf feature - add German translation for options setting panel - add translations for de, zh_CN and zh_TW * bug fixes - fix segfaults with malformed text - disable SSLv2 and SSLv3 by default [CVE-2014-3566] - set ssl_verify_server to 1 by default - disable RC4, export ciphers, and keys < 128 bits - use SSL_OP_NO_COMPRESSION due to "CRIME attack" [CVE-2012-4929] - use SSL_MODE_RELEASE_BUFFERS - disable USE_EGD for LibreSSL - appease gcc -Werror=format-security - option -s is now "squeeze multiple blank lines" to work as pager, and -j and -e are obsolete, so use -O{s|j|e} to specify display charset - accept single quoted meta refresh URL - assume "text" if a form input type is unknown - accept cookies by default - set use_dictcommand to 1 by default - set default_url to 1 by 
default - set argv_is_url to 1 by default - set alt_entity to 0 by default - fix build problems with Boehm GC 7.2, imlib2 1.4.6 and glibc 2.14 - fix parallel make failure - fix incorrect ucs_ambwidth_map - and many fixes --- Module Name: pkgsrc Committed By: wiz Date: Sun Nov 6 19:27:16 UTC 2016 Modified Files: pkgsrc/www/w3m-img: Makefile Added Files: pkgsrc/www/w3m-img: PLIST Log Message: Updated w3m-img to 0.5.3.0.20161031. Changes same as for www/w3m. --- Module Name: pkgsrc Committed By: wiz Date: Sun Nov 6 19:27:25 UTC 2016 Removed Files: pkgsrc/www/w3m/patches: patch-aa patch-ac patch-ak patch-al patch-scripts_w3mman_w3mman2html.cgi.in Log Message: Remove obsolete patches. --- Module Name: pkgsrc Committed By: wiz Date: Sun Nov 6 19:30:42 UTC 2016 Modified Files: pkgsrc/www/w3m: distinfo pkgsrc/www/w3m/patches: patch-ab Log Message: Add upstream bug report URL. --- Module Name: pkgsrc Committed By: wiz Date: Tue Nov 22 14:36:38 UTC 2016 Modified Files: pkgsrc/www/w3m: Makefile.common distinfo Log Message: Updated w3m to 0.5.3.0.20161120. Debian's w3m 0.5.3+git20161120 * bug fixes - fix multiple flaws with malformed text (stack overflow, buffer overflow, null deref, out of memory) - fix stack overflow with nested table and textarea [CVE-2016-9439] - fix suspend (^Z) behavior --- Module Name: pkgsrc Committed By: wiz Date: Tue Nov 22 15:24:43 UTC 2016 Removed Files: pkgsrc/www/w3m/patches: patch-ab Log Message: Remove integrated patch. 
--- www/w3m-img/Makefile | 7 ++--- www/w3m-img/PLIST | 2 ++ www/w3m/Makefile | 5 ++-- www/w3m/Makefile.common | 17 +++++------ www/w3m/PLIST | 13 ++++++-- www/w3m/distinfo | 16 ++++------ www/w3m/options.mk | 4 +-- www/w3m/patches/patch-aa | 15 ---------- www/w3m/patches/patch-ab | 35 ---------------------- www/w3m/patches/patch-ac | 26 ---------------- www/w3m/patches/patch-ak | 15 ---------- www/w3m/patches/patch-al | 32 -------------------- .../patch-scripts_w3mman_w3mman2html.cgi.in | 15 ---------- 13 files changed, 33 insertions(+), 169 deletions(-) create mode 100644 www/w3m-img/PLIST delete mode 100644 www/w3m/patches/patch-aa delete mode 100644 www/w3m/patches/patch-ab delete mode 100644 www/w3m/patches/patch-ac delete mode 100644 www/w3m/patches/patch-ak delete mode 100644 www/w3m/patches/patch-al delete mode 100644 www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in diff --git a/www/w3m-img/Makefile b/www/w3m-img/Makefile index b79f95a45d0..8ccf3ec1b74 100644 --- a/www/w3m-img/Makefile +++ b/www/w3m-img/Makefile @@ -1,14 +1,13 @@ -# $NetBSD: Makefile,v 1.28 2016/03/05 11:29:40 jperkin Exp $ +# $NetBSD: Makefile,v 1.28.6.1 2016/11/28 20:22:06 bsiegert Exp $ -PKGNAME= w3m-img-${W3M_VERS} -PKGREVISION= 6 +PKGNAME= w3m-img-${W3M_PKGVERS} COMMENT= Multilingualized version of w3m with inline image support CONFLICTS+= w3m-[0-9]* DISTINFO_FILE= ${.CURDIR}/../../www/w3m/distinfo PATCHDIR= ${.CURDIR}/../../www/w3m/patches -PLIST_SRC= ${.CURDIR}/../../www/w3m/PLIST +PLIST_SRC= ${.CURDIR}/../../www/w3m/PLIST ${.CURDIR}/PLIST USE_TOOLS+= msgfmt diff --git a/www/w3m-img/PLIST b/www/w3m-img/PLIST new file mode 100644 index 00000000000..4f0ee80ceab --- /dev/null +++ b/www/w3m-img/PLIST @@ -0,0 +1,2 @@ +@comment $NetBSD: PLIST,v 1.1.2.2 2016/11/28 20:22:06 bsiegert Exp $ +libexec/w3m/w3mimgdisplay diff --git a/www/w3m/Makefile b/www/w3m/Makefile index 4debcae7088..ba566bcdaa7 100644 --- a/www/w3m/Makefile +++ b/www/w3m/Makefile 
@@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.77 2016/08/03 10:23:32 adam Exp $ +# $NetBSD: Makefile,v 1.77.2.1 2016/11/28 20:22:06 bsiegert Exp $ -PKGNAME= w3m-${W3M_VERS} -PKGREVISION= 18 +PKGNAME= w3m-${W3M_PKGVERS} COMMENT= Multilingualized version of a pager/text-based browser w3m CONFLICTS+= w3m-img-[0-9]* diff --git a/www/w3m/Makefile.common b/www/w3m/Makefile.common index eac925d56ef..2a86e58800e 100644 --- a/www/w3m/Makefile.common +++ b/www/w3m/Makefile.common @@ -1,16 +1,19 @@ -# $NetBSD: Makefile.common,v 1.61 2014/10/09 14:07:12 wiz Exp $ +# $NetBSD: Makefile.common,v 1.61.16.1 2016/11/28 20:22:06 bsiegert Exp $ # # used by www/w3m/Makefile # used by www/w3m-img/Makefile DISTNAME= w3m-${W3M_VERS} CATEGORIES= www -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=w3m/} +MASTER_SITES= ${MASTER_SITE_GITHUB:=tats/} +GITHUB_TAG= v${W3M_VERS} MAINTAINER= uebayasi@NetBSD.org HOMEPAGE= http://w3m.sourceforge.net/ +# or https://github.com/tats/w3m +# or https://packages.qa.debian.org/w/w3m.html -MAKE_JOBS_SAFE= no +WRKSRC= ${WRKDIR}/w3m-${W3M_VERS:S/+/-/} GNU_CONFIGURE= yes USE_LANGUAGES= c c++ @@ -18,7 +21,8 @@ USE_TOOLS+= gmake # Needed for some combinations of options... USE_TOOLS+= msgfmt USE_PKGLOCALEDIR= yes -W3M_VERS= 0.5.3 +W3M_VERS= 0.5.3+git20161120 +W3M_PKGVERS= ${W3M_VERS:S/+git/.0./} # For w3mman, xface2xpm, cgi scripts. USE_TOOLS+= perl:run pax @@ -63,11 +67,6 @@ SUBST_STAGE.fh= post-patch SUBST_FILES.fh= istream.* SUBST_SED.fh= -e 's/file_handle/file_handle_rofl/g' -post-extract: - cd ${WRKSRC}/doc && ${RM} -fr CVS - cd ${WRKSRC}/doc-jp && ${RM} -fr CVS - cd ${WRKSRC} && ${RM} -fr gc - INSTALLATION_DIRS+= ${DOCDIR} INSTALL_TARGET= install install-helpfile diff --git a/www/w3m/PLIST b/www/w3m/PLIST index c456352852e..5c136f896b8 100644 --- a/www/w3m/PLIST +++ b/www/w3m/PLIST 
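Review bot: In the first www/w3m/Makefile.common hunk, `HOMEPAGE` still points at `http://w3m.sourceforge.net/`, although the log message calls the SourceForge original dead and `MASTER_SITES` now fetches from GitHub. The maintained location appears only in the two comment lines added below it. I would make the live upstream the value and keep the old site as a comment, `HOMEPAGE= https://github.com/tats/w3m`, so users are sent over HTTPS to where fixes are published. Separately, the third hunk of this file drops the `post-extract` step that removed `${WRKSRC}/gc`. Whether the new distfile still ships that directory is not visible from here, so it is worth confirming that the build cannot pick up a bundled copy.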
@@ -1,16 +1,18 @@ -@comment $NetBSD: PLIST,v 1.16 2011/01/21 23:34:13 wiz Exp $ +@comment $NetBSD: PLIST,v 1.16.46.1 2016/11/28 20:22:06 bsiegert Exp $ bin/w3m bin/w3mman libexec/w3m/cgi-bin/dirlist.cgi libexec/w3m/cgi-bin/multipart.cgi libexec/w3m/cgi-bin/w3mbookmark +libexec/w3m/cgi-bin/w3mdict.cgi libexec/w3m/cgi-bin/w3mhelp.cgi libexec/w3m/cgi-bin/w3mhelperpanel -${PLIST.image}libexec/w3m/w3mimgdisplay libexec/w3m/cgi-bin/w3mmail.cgi libexec/w3m/cgi-bin/w3mman2html.cgi libexec/w3m/inflate libexec/w3m/xface2xpm +man/de/man1/w3m.1 +man/de/man1/w3mman.1 man/ja_JP.eucJP/man1/w3m.1 man/man1/w3m.1 man/man1/w3mman.1 @@ -32,6 +34,7 @@ share/doc/w3m/doc-jp/README.migemo share/doc/w3m/doc-jp/README.mouse share/doc/w3m/doc-jp/README.passwd share/doc/w3m/doc-jp/README.pre_form +share/doc/w3m/doc-jp/README.siteconf share/doc/w3m/doc-jp/README.tab share/doc/w3m/doc-jp/STORY.html share/doc/w3m/doc-jp/keymap.default @@ -51,13 +54,19 @@ share/doc/w3m/doc/README.m17n share/doc/w3m/doc/README.mouse share/doc/w3m/doc/README.passwd share/doc/w3m/doc/README.pre_form +share/doc/w3m/doc/README.siteconf +share/doc/w3m/doc/README.sixel share/doc/w3m/doc/README.tab share/doc/w3m/doc/STORY.html share/doc/w3m/doc/keymap.default share/doc/w3m/doc/keymap.lynx share/doc/w3m/doc/menu.default share/doc/w3m/doc/menu.submenu +share/locale/de/LC_MESSAGES/w3m.mo share/locale/ja/LC_MESSAGES/w3m.mo +share/locale/zh_CN/LC_MESSAGES/w3m.mo +share/locale/zh_TW/LC_MESSAGES/w3m.mo +share/w3m/w3mhelp-funcdesc.de.pl share/w3m/w3mhelp-funcdesc.en.pl share/w3m/w3mhelp-funcdesc.ja.pl share/w3m/w3mhelp-funcname.pl diff --git a/www/w3m/distinfo b/www/w3m/distinfo index 0e79f15b72e..605a87440da 100644 --- a/www/w3m/distinfo +++ b/www/w3m/distinfo 
@@ -1,12 +1,6 @@ -$NetBSD: distinfo,v 1.26 2015/11/04 02:47:41 agc Exp $ +$NetBSD: distinfo,v 1.26.8.1 2016/11/28 20:22:06 bsiegert Exp $ -SHA1 (w3m-0.5.3.tar.gz) = 444b6c8cf7094ee95f8e9de96b37f814b9d83237 -RMD160 (w3m-0.5.3.tar.gz) = 6a0153bc53f7c107c700404262ce1b4d02e6dd91 -SHA512 (w3m-0.5.3.tar.gz) = 43508c76d07b4d8f19c19f975c0b870aeb94abf0744b6128ee01c759d4e409a8b57bc866baeaf990f309ff73e9a7b02ca455d272b1dd0a93fafb8c72b1fe6d14 -Size (w3m-0.5.3.tar.gz) = 2202328 bytes -SHA1 (patch-aa) = 2de78a6db9bd483416895b393935ccadab879932 -SHA1 (patch-ab) = e1264e0b5e0dc2a1aaf7cc1e6067afd556792dd4 -SHA1 (patch-ac) = 37c6c78a208c50876641aa90164cc46106403260 -SHA1 (patch-ak) = ac0ee99d5ab49c431cfa496d0d2d509efd6b06fa -SHA1 (patch-al) = 8b393004eed249449151d1f2b9252fcb1b55922d -SHA1 (patch-scripts_w3mman_w3mman2html.cgi.in) = 344f21307a6a439cfe25d80a7b31da7051522f31 +SHA1 (w3m-0.5.3+git20161120.tar.gz) = 949ab2d125b7ad39db1cf6b4e6f851a28893efb2 +RMD160 (w3m-0.5.3+git20161120.tar.gz) = 3c017726743d06e22d79aa52057ef564f3b5158e +SHA512 (w3m-0.5.3+git20161120.tar.gz) = 81ecf9e5d9067a82efa5464e5f9396327a6333f9e414458a972b2b7bff138bd17c490b5258e34cb1e338c7a6c0dd6105a1bfd1e0d02edfadead79caa39106a5c +Size (w3m-0.5.3+git20161120.tar.gz) = 2177917 bytes diff --git a/www/w3m/options.mk b/www/w3m/options.mk index 7747ffb7300..21fc9ed9147 100644 --- a/www/w3m/options.mk +++ b/www/w3m/options.mk @@ -1,4 +1,4 @@ -# $NetBSD: options.mk,v 1.14 2015/11/25 12:54:07 jperkin Exp $ +# $NetBSD: options.mk,v 1.14.8.1 2016/11/28 20:22:06 bsiegert Exp $ PKG_OPTIONS_VAR= PKG_OPTIONS.w3m PKG_SUPPORTED_OPTIONS= inet6 migemo w3m-lynx-key @@ -6,7 +6,7 @@ PKG_SUGGESTED_OPTIONS= inet6 .if ${_W3M_USE_IMAGE} == "YES" PKG_OPTIONS_REQUIRED_GROUPS+= imagelib -PKG_SUGGESTED_OPTIONS+= w3m-image-gdk-pixbuf +PKG_SUGGESTED_OPTIONS+= w3m-image-gtk2 .else PKG_OPTIONS_OPTIONAL_GROUPS+= imagelib .endif diff --git a/www/w3m/patches/patch-aa b/www/w3m/patches/patch-aa deleted file mode 100644 index 7fb93802013..00000000000 
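Review bot: The second www/w3m/options.mk hunk changes the suggested image backend from `w3m-image-gdk-pixbuf` to `w3m-image-gtk2`, and nothing in the log message explains why. On a pullup branch this changes which libraries a default w3m-img build depends on, so the reason should be recorded next to the line. For example, add `# default is gtk2 since the 0.5.3+git update: <reason>` above `PKG_SUGGESTED_OPTIONS+= w3m-image-gtk2`. The log message should also say that the default changed, since users who rely on it get a different dependency set after the update.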
--- a/www/w3m/patches/patch-aa +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-aa,v 1.13 2008/12/13 08:53:27 obache Exp $ - -PKG_CONFIG points right location in pkgsrc. - ---- configure.orig 2007-05-31 12:17:05.000000000 +0000 -+++ configure -@@ -5602,8 +5602,6 @@ echo "${ECHO_T}$with_imagelib" >&6; } - with_gtk2="yes" - if test x"$PKG_CONFIG" = x; then - PKG_CONFIG=pkg-config -- else -- PKG_CONFIG=: - fi;; - esac - done diff --git a/www/w3m/patches/patch-ab b/www/w3m/patches/patch-ab deleted file mode 100644 index 63885677c27..00000000000 --- a/www/w3m/patches/patch-ab +++ /dev/null @@ -1,35 +0,0 @@ -$NetBSD: patch-ab,v 1.12 2012/05/30 06:42:34 wiz Exp $ - -First chunk: adapt for gc-7.2 API change. -Second chunk: suspend the job w3m belongs to, not w3m only. - ---- main.c.orig 2011-01-04 09:42:19.000000000 +0000 -+++ main.c -@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp) - mySignal(SIGPIPE, SigPipe); - #endif - -- orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc); -+ orig_GC_warn_proc = GC_get_warn_proc(); -+ GC_set_warn_proc(wrap_GC_warn_proc); - err_msg = Strnew(); - if (load_argc == 0) { - /* no URL specified */ -@@ -2517,7 +2518,17 @@ DEFUN(susp, INTERRUPT SUSPEND, "Stop loa - shell = "/bin/sh"; - system(shell); - #else /* SIGSTOP */ -+#ifdef SIGTSTP -+ signal(SIGTSTP, SIG_DFL); /* just in case */ -+ /* -+ * Note: If susp() was called from SIGTSTP handler, -+ * unblocking SIGTSTP would be required here. -+ * Currently not. -+ */ -+ kill(0, SIGTSTP); /* stop whole job, not a single process */ -+#else - kill((pid_t) 0, SIGSTOP); -+#endif - #endif /* SIGSTOP */ - fmInit(); - displayBuffer(Currentbuf, B_FORCE_REDRAW); diff --git a/www/w3m/patches/patch-ac b/www/w3m/patches/patch-ac deleted file mode 100644 index d201243cc0c..00000000000 --- a/www/w3m/patches/patch-ac +++ /dev/null 
@@ -1,26 +0,0 @@ -$NetBSD: patch-ac,v 1.15 2011/01/21 23:34:14 wiz Exp $ - -Fix for CVE-2010-2074 taken from here: - -http://www.openwall.com/lists/oss-security/2010/06/14/4 - ---- fm.h.orig 2011-01-04 09:22:21.000000000 +0000 -+++ fm.h -@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE); - #endif - - #if defined(USE_SSL) && defined(USE_SSL_VERIFY) --global int ssl_verify_server init(FALSE); -+global int ssl_verify_server init(TRUE); - global char *ssl_cert_file init(NULL); - global char *ssl_key_file init(NULL); - global char *ssl_ca_path init(NULL); -@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE) - #endif /* defined(USE_SSL) && - * defined(USE_SSL_VERIFY) */ - #ifdef USE_SSL --global char *ssl_forbid_method init(NULL); -+global char *ssl_forbid_method init("2"); - #endif - - global int is_redisplay init(FALSE); diff --git a/www/w3m/patches/patch-ak b/www/w3m/patches/patch-ak deleted file mode 100644 index 80a137e9c8c..00000000000 --- a/www/w3m/patches/patch-ak +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-ak,v 1.1 2008/12/13 08:52:13 obache Exp $ - -PKG_CONFIG points right location in pkgsrc. - ---- acinclude.m4.orig 2006-04-07 13:21:11.000000000 +0000 -+++ acinclude.m4 -@@ -652,8 +652,6 @@ AC_DEFUN([AC_W3M_IMAGE], - with_gtk2="yes" - if test x"$PKG_CONFIG" = x; then - PKG_CONFIG=pkg-config -- else -- PKG_CONFIG=: - fi;; - esac - done diff --git a/www/w3m/patches/patch-al b/www/w3m/patches/patch-al deleted file mode 100644 index 5a2aadc37a1..00000000000 --- a/www/w3m/patches/patch-al +++ /dev/null 
@@ -1,32 +0,0 @@ -$NetBSD: patch-al,v 1.1 2011/04/05 05:55:29 uebayasi Exp $ - -http://gnats.netbsd.org/42400 - -this patch adds support for single quoted meta refresh parameters, which is -needed to access GMail with w3m. - -from: Paul Boekholt ( boekholt ) - 2008-09-06 06:54 -support single quoted meta refresh parameter - ID: 2096461 -http://sourceforge.net/tracker/?func=detail&aid=2096461&group_id=39518&atid=425441 - ---- file.c.orig 2011-01-04 09:22:21.000000000 +0000 -+++ file.c -@@ -4284,15 +4284,15 @@ getMetaRefreshParam(char *q, Str *refres - while (*q) { - if (!strncasecmp(q, "url=", 4)) { - q += 4; -- if (*q == '\"') /* " */ -+ if (*q == '\"' || *q == '\'') /* " or ' */ - q++; - r = q; - while (*r && !IS_SPACE(*r) && *r != ';') - r++; - s_tmp = Strnew_charp_n(q, r - q); - -- if (s_tmp->ptr[s_tmp->length - 1] == '\"') { /* " -- */ -+ if (s_tmp->ptr[s_tmp->length - 1] == '\"' || /* " */ -+ s_tmp->ptr[s_tmp->length - 1] == '\'') { /* ' */ - s_tmp->length--; - s_tmp->ptr[s_tmp->length] = '\0'; - } diff --git a/www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in b/www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in deleted file mode 100644 index df152271b57..00000000000 --- a/www/w3m/patches/patch-scripts_w3mman_w3mman2html.cgi.in +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-scripts_w3mman_w3mman2html.cgi.in,v 1.1 2015/08/24 13:42:28 leot Exp $ - -Use of defined() on aggregates (arrays and hashes) is deprecated from Perl 5.22. - ---- scripts/w3mman/w3mman2html.cgi.in.orig 2011-01-04 09:22:28.000000000 +0000 -+++ scripts/w3mman/w3mman2html.cgi.in -@@ -220,7 +220,7 @@ sub is_command { - local($p); - - (! -d && -x) || return 0; -- if (! defined(%PATH)) { -+ if (! %PATH) { - for $p (split(":", $ENV{'PATH'})) { - $p =~ s@/+$@@; - $PATH{$p} = 1; -- cgit v1.2.3