Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 9 Jan 2017 17:15:11 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r430984 - in head/www/lynx: . files
Message-ID:  <201701091715.v09HFBAQ087796@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: feld
Date: Mon Jan  9 17:15:11 2017
New Revision: 430984
URL: https://svnweb.freebsd.org/changeset/ports/430984

Log:
  www/lynx: Patch vulnerabilities
  
  PR:		215464
  MFH:		2017Q1
  Security:	CVE-2014-3566
  Security:	CVE-2016-9179

Added:
  head/www/lynx/files/patch-CVE-2014-3566   (contents, props changed)
  head/www/lynx/files/patch-CVE-2016-9179   (contents, props changed)
Modified:
  head/www/lynx/Makefile

Modified: head/www/lynx/Makefile
==============================================================================
--- head/www/lynx/Makefile	Mon Jan  9 17:14:14 2017	(r430983)
+++ head/www/lynx/Makefile	Mon Jan  9 17:15:11 2017	(r430984)
@@ -3,7 +3,7 @@
 
 PORTNAME=	lynx
 PORTVERSION=	2.8.8.2
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	http://invisible-mirror.net/archives/lynx/tarballs/ \

Added: head/www/lynx/files/patch-CVE-2014-3566
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/lynx/files/patch-CVE-2014-3566	Mon Jan  9 17:15:11 2017	(r430984)
@@ -0,0 +1,16 @@
+Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability".
+
+This change has been passed upstream.
+
+--- WWW/Library/Implementation/HTTP.c.orig	2015-02-16 12:48:34.014809453 -0800
++++ WWW/Library/Implementation/HTTP.c	2015-02-16 12:49:09.627395954 -0800
+@@ -119,7 +119,8 @@
+ #else
+ 	SSLeay_add_ssl_algorithms();
+ 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
++	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
++	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif

Added: head/www/lynx/files/patch-CVE-2016-9179
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/lynx/files/patch-CVE-2016-9179	Mon Jan  9 17:15:11 2017	(r430984)
@@ -0,0 +1,85 @@
+Fix for CVE-2016-9179
+See:
+http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html
+
+Re-engineered the upstream patch, which was only released
+for the unstable lynx2.8.9. Removed the at_sign, and made sure that
+the user id is correctly stripped of all non valid inputs.
+
+--- WWW/Library/Implementation/HTTCP.c_orig	2016-12-01 15:07:39.487753520 +0000
++++ WWW/Library/Implementation/HTTCP.c	2016-12-01 15:10:20.291328282 +0000
+@@ -1792,7 +1792,6 @@
+     int status = 0;
+     char *line = NULL;
+     char *p1 = NULL;
+-    char *at_sign = NULL;
+     char *host = NULL;
+ 
+ #ifdef INET6
+@@ -1814,14 +1813,8 @@
+      * Get node name and optional port number.
+      */
+     p1 = HTParse(url, "", PARSE_HOST);
+-    if ((at_sign = StrChr(p1, '@')) != NULL) {
+-	/*
+-	 * If there's an @ then use the stuff after it as a hostname.
+-	 */
+-	StrAllocCopy(host, (at_sign + 1));
+-    } else {
+ 	StrAllocCopy(host, p1);
+-    }
++    strip_userid(host, FALSE);
+     FREE(p1);
+ 
+     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
+--- WWW/Library/Implementation/HTTP.c_orig	2016-12-01 15:13:24.171404704 +0000
++++ WWW/Library/Implementation/HTTP.c	2016-12-01 15:19:59.699276204 +0000
+@@ -426,7 +426,7 @@
+ /*
+  * Strip any username from the given string so we retain only the host.
+  */
+-static void strip_userid(char *host)
++void strip_userid(char *host, int parse_only)
+ {
+     char *p1 = host;
+     char *p2 = StrChr(host, '@');
+@@ -439,7 +439,8 @@
+ 
+ 	    CTRACE((tfp, "parsed:%s\n", fake));
+ 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
+-	    HTAlert(msg);
++           if (msg !=0 && !parse_only)
++	        HTAlert(msg);
+ 	    FREE(msg);
+ 	}
+ 	while ((*p1++ = *p2++) != '\0') {
+@@ -1081,7 +1082,7 @@
+ 	char *host = NULL;
+ 
+ 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
+-	    strip_userid(host);
++	    strip_userid(host, TRUE);
+ 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
+ 	    FREE(host);
+ 	}
+--- WWW/Library/Implementation/HTUtils.h_orig	2016-12-01 15:21:38.919699987 +0000
++++ WWW/Library/Implementation/HTUtils.h	2016-12-01 15:22:57.870511104 +0000
+@@ -801,6 +801,8 @@
+ 
+     extern FILE *TraceFP(void);
+ 
++    extern void strip_userid(char *host, int warn);
++
+ #ifdef USE_SSL
+     extern SSL *HTGetSSLHandle(void);
+     extern void HTSSLInitPRNG(void);
+--- src/LYUtils.c_orig	2016-12-01 15:25:21.769447171 +0000
++++ src/LYUtils.c	2016-12-01 15:28:31.901411555 +0000
+@@ -4693,6 +4693,7 @@
+      * Do a DNS test on the potential host field as presently trimmed.  - FM
+      */
+     StrAllocCopy(host, Str);
++    strip_userid(host, FALSE);
+     HTUnEscape(host);
+     if (LYCursesON) {
+ 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201701091715.v09HFBAQ087796>