[Midnightbsd-cvs] mports [22432] trunk/www/lynx: security patch

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Fri May 12 16:51:02 EDT 2017 

Revision: 22432
          http://svnweb.midnightbsd.org/mports/?rev=22432
Author:   laffer1
Date:     2017-05-12 16:51:02 -0400 (Fri, 12 May 2017)
Log Message:
-----------
security patch

Modified Paths:
--------------
    trunk/www/lynx/Makefile

Added Paths:
-----------
    trunk/www/lynx/files/patch-CVE-2014-3566
    trunk/www/lynx/files/patch-CVE-2016-9179
    trunk/www/lynx/files/patch-WWW_Library_Implementation_HTTP.c

Modified: trunk/www/lynx/Makefile
===================================================================
--- trunk/www/lynx/Makefile	2017-05-12 20:39:52 UTC (rev 22431)
+++ trunk/www/lynx/Makefile	2017-05-12 20:51:02 UTC (rev 22432)
@@ -2,7 +2,7 @@
 
 PORTNAME=	lynx
 PORTVERSION=	2.8.8.2
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www ipv6
 MASTER_SITES=	http://invisible-mirror.net/archives/lynx/tarballs/ \
 		http://bitrote.org/distfiles/

Added: trunk/www/lynx/files/patch-CVE-2014-3566
===================================================================
--- trunk/www/lynx/files/patch-CVE-2014-3566	                        (rev 0)
+++ trunk/www/lynx/files/patch-CVE-2014-3566	2017-05-12 20:51:02 UTC (rev 22432)
@@ -0,0 +1,16 @@
+Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability".
+
+This change has been passed upstream.
+
+--- WWW/Library/Implementation/HTTP.c.orig	2015-02-16 12:48:34.014809453 -0800
++++ WWW/Library/Implementation/HTTP.c	2015-02-16 12:49:09.627395954 -0800
+@@ -119,7 +119,8 @@
+ #else
+ 	SSLeay_add_ssl_algorithms();
+ 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
++	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
++	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif


Property changes on: trunk/www/lynx/files/patch-CVE-2014-3566
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/www/lynx/files/patch-CVE-2016-9179
===================================================================
--- trunk/www/lynx/files/patch-CVE-2016-9179	                        (rev 0)
+++ trunk/www/lynx/files/patch-CVE-2016-9179	2017-05-12 20:51:02 UTC (rev 22432)
@@ -0,0 +1,85 @@
+Fix for CVE-2016-9179
+See:
+http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html
+
+Re-engineered the upstream patch, which was only released
+for the unstable lynx2.8.9. Removed the at_sign, and made sure that
+the user id is correctly stripped of all non valid inputs.
+
+--- WWW/Library/Implementation/HTTCP.c_orig	2016-12-01 15:07:39.487753520 +0000
++++ WWW/Library/Implementation/HTTCP.c	2016-12-01 15:10:20.291328282 +0000
+@@ -1792,7 +1792,6 @@
+     int status = 0;
+     char *line = NULL;
+     char *p1 = NULL;
+-    char *at_sign = NULL;
+     char *host = NULL;
+ 
+ #ifdef INET6
+@@ -1814,14 +1813,8 @@
+      * Get node name and optional port number.
+      */
+     p1 = HTParse(url, "", PARSE_HOST);
+-    if ((at_sign = StrChr(p1, '@')) != NULL) {
+-	/*
+-	 * If there's an @ then use the stuff after it as a hostname.
+-	 */
+-	StrAllocCopy(host, (at_sign + 1));
+-    } else {
+ 	StrAllocCopy(host, p1);
+-    }
++    strip_userid(host, FALSE);
+     FREE(p1);
+ 
+     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
+--- WWW/Library/Implementation/HTTP.c_orig	2016-12-01 15:13:24.171404704 +0000
++++ WWW/Library/Implementation/HTTP.c	2016-12-01 15:19:59.699276204 +0000
+@@ -426,7 +426,7 @@
+ /*
+  * Strip any username from the given string so we retain only the host.
+  */
+-static void strip_userid(char *host)
++void strip_userid(char *host, int parse_only)
+ {
+     char *p1 = host;
+     char *p2 = StrChr(host, '@');
+@@ -439,7 +439,8 @@
+ 
+ 	    CTRACE((tfp, "parsed:%s\n", fake));
+ 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
+-	    HTAlert(msg);
++           if (msg !=0 && !parse_only)
++	        HTAlert(msg);
+ 	    FREE(msg);
+ 	}
+ 	while ((*p1++ = *p2++) != '\0') {
+@@ -1081,7 +1082,7 @@
+ 	char *host = NULL;
+ 
+ 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
+-	    strip_userid(host);
++	    strip_userid(host, TRUE);
+ 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
+ 	    FREE(host);
+ 	}
+--- WWW/Library/Implementation/HTUtils.h_orig	2016-12-01 15:21:38.919699987 +0000
++++ WWW/Library/Implementation/HTUtils.h	2016-12-01 15:22:57.870511104 +0000
+@@ -801,6 +801,8 @@
+ 
+     extern FILE *TraceFP(void);
+ 
++    extern void strip_userid(char *host, int warn);
++
+ #ifdef USE_SSL
+     extern SSL *HTGetSSLHandle(void);
+     extern void HTSSLInitPRNG(void);
+--- src/LYUtils.c_orig	2016-12-01 15:25:21.769447171 +0000
++++ src/LYUtils.c	2016-12-01 15:28:31.901411555 +0000
+@@ -4693,6 +4693,7 @@
+      * Do a DNS test on the potential host field as presently trimmed.  - FM
+      */
+     StrAllocCopy(host, Str);
++    strip_userid(host, FALSE);
+     HTUnEscape(host);
+     if (LYCursesON) {
+ 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);


Property changes on: trunk/www/lynx/files/patch-CVE-2016-9179
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/www/lynx/files/patch-WWW_Library_Implementation_HTTP.c
===================================================================
--- trunk/www/lynx/files/patch-WWW_Library_Implementation_HTTP.c	                        (rev 0)
+++ trunk/www/lynx/files/patch-WWW_Library_Implementation_HTTP.c	2017-05-12 20:51:02 UTC (rev 22432)
@@ -0,0 +1,11 @@
+--- WWW/Library/Implementation/HTTP.c.orig	2017-02-09 21:20:27 UTC
++++ WWW/Library/Implementation/HTTP.c
+@@ -721,7 +722,7 @@ static int HTLoadHTTP(const char *arg,
+ #elif SSLEAY_VERSION_NUMBER >= 0x0900
+ #ifndef USE_NSS_COMPAT_INCL
+ 	if (!try_tls) {
+-	    handle->options |= SSL_OP_NO_TLSv1;
++	    SSL_set_options(handle, SSL_OP_NO_TLSv1);
+ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
+ 	} else {
+ 	    int ret = (int) SSL_set_tlsext_host_name(handle, ssl_host);


Property changes on: trunk/www/lynx/files/patch-WWW_Library_Implementation_HTTP.c
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property

More information about the Midnightbsd-cvs mailing list