Date: Mon, 9 Jan 2017 17:15:11 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r430984 - in head/www/lynx: . files Message-ID: <201701091715.v09HFBAQ087796@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Mon Jan 9 17:15:11 2017 New Revision: 430984 URL: https://svnweb.freebsd.org/changeset/ports/430984 Log: www/lynx: Patch vulnerabilities PR: 215464 MFH: 2017Q1 Security: CVE-2014-3566 Security: CVE-2016-9179 Added: head/www/lynx/files/patch-CVE-2014-3566 (contents, props changed) head/www/lynx/files/patch-CVE-2016-9179 (contents, props changed) Modified: head/www/lynx/Makefile Modified: head/www/lynx/Makefile ============================================================================== --- head/www/lynx/Makefile Mon Jan 9 17:14:14 2017 (r430983) +++ head/www/lynx/Makefile Mon Jan 9 17:15:11 2017 (r430984) @@ -3,7 +3,7 @@ PORTNAME= lynx PORTVERSION= 2.8.8.2 -PORTREVISION= 4 +PORTREVISION= 5 PORTEPOCH= 1 CATEGORIES= www ipv6 MASTER_SITES= http://invisible-mirror.net/archives/lynx/tarballs/ \ Added: head/www/lynx/files/patch-CVE-2014-3566 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/lynx/files/patch-CVE-2014-3566 Mon Jan 9 17:15:11 2017 (r430984) @@ -0,0 +1,16 @@ +Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability". + +This change has been passed upstream. + +--- WWW/Library/Implementation/HTTP.c.orig 2015-02-16 12:48:34.014809453 -0800 ++++ WWW/Library/Implementation/HTTP.c 2015-02-16 12:49:09.627395954 -0800 +@@ -119,7 +119,8 @@ + #else + SSLeay_add_ssl_algorithms(); + ssl_ctx = SSL_CTX_new(SSLv23_client_method()); +- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); ++ /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */ ++ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + #ifdef SSL_OP_NO_COMPRESSION + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION); + #endif Added: head/www/lynx/files/patch-CVE-2016-9179 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/lynx/files/patch-CVE-2016-9179 Mon Jan 9 17:15:11 2017 (r430984) @@ -0,0 +1,85 @@ +Fix for CVE-2016-9179 +See: +http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html + +Re-engineered the upstream patch, which was only released +for the unstable lynx2.8.9. Removed the at_sign, and made sure that +the user id is correctly stripped of all non valid inputs. + +--- WWW/Library/Implementation/HTTCP.c_orig 2016-12-01 15:07:39.487753520 +0000 ++++ WWW/Library/Implementation/HTTCP.c 2016-12-01 15:10:20.291328282 +0000 +@@ -1792,7 +1792,6 @@ + int status = 0; + char *line = NULL; + char *p1 = NULL; +- char *at_sign = NULL; + char *host = NULL; + + #ifdef INET6 +@@ -1814,14 +1813,8 @@ + * Get node name and optional port number. + */ + p1 = HTParse(url, "", PARSE_HOST); +- if ((at_sign = StrChr(p1, '@')) != NULL) { +- /* +- * If there's an @ then use the stuff after it as a hostname. +- */ +- StrAllocCopy(host, (at_sign + 1)); +- } else { + StrAllocCopy(host, p1); +- } ++ strip_userid(host, FALSE); + FREE(p1); + + HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host); +--- WWW/Library/Implementation/HTTP.c_orig 2016-12-01 15:13:24.171404704 +0000 ++++ WWW/Library/Implementation/HTTP.c 2016-12-01 15:19:59.699276204 +0000 +@@ -426,7 +426,7 @@ + /* + * Strip any username from the given string so we retain only the host. + */ +-static void strip_userid(char *host) ++void strip_userid(char *host, int parse_only) + { + char *p1 = host; + char *p2 = StrChr(host, '@'); +@@ -439,7 +439,8 @@ + + CTRACE((tfp, "parsed:%s\n", fake)); + HTSprintf0(&msg, gettext("Address contains a username: %s"), host); +- HTAlert(msg); ++ if (msg !=0 && !parse_only) ++ HTAlert(msg); + FREE(msg); + } + while ((*p1++ = *p2++) != '\0') { +@@ -1081,7 +1082,7 @@ + char *host = NULL; + + if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) { +- strip_userid(host); ++ strip_userid(host, TRUE); + HTBprintf(&command, "Host: %s%c%c", host, CR, LF); + FREE(host); + } +--- WWW/Library/Implementation/HTUtils.h_orig 2016-12-01 15:21:38.919699987 +0000 ++++ WWW/Library/Implementation/HTUtils.h 2016-12-01 15:22:57.870511104 +0000 +@@ -801,6 +801,8 @@ + + extern FILE *TraceFP(void); + ++ extern void strip_userid(char *host, int warn); ++ + #ifdef USE_SSL + extern SSL *HTGetSSLHandle(void); + extern void HTSSLInitPRNG(void); +--- src/LYUtils.c_orig 2016-12-01 15:25:21.769447171 +0000 ++++ src/LYUtils.c 2016-12-01 15:28:31.901411555 +0000 +@@ -4693,6 +4693,7 @@ + * Do a DNS test on the potential host field as presently trimmed. - FM + */ + StrAllocCopy(host, Str); ++ strip_userid(host, FALSE); + HTUnEscape(host); + if (LYCursesON) { + StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201701091715.v09HFBAQ087796>