Attachment #179673 for bug #216785

Lines 15-20 Link Here

(-)Makefile (+2 lines)
15		15
16	LICENSE= GPLv2	16	LICENSE= GPLv2
17		17
		18	LIB_DEPENDS= libidn.so:dns/libidn
		19
18	CONFLICTS= lynx-2.8.[8-9]d*	20	CONFLICTS= lynx-2.8.[8-9]d*
19		21
20	USES= cpe ncurses shebangfix tar:bzip2	22	USES= cpe ncurses shebangfix tar:bzip2

Lines 1-2 Link Here

(-)distinfo (+1 lines)
		1	TIMESTAMP = 1486381514
1	SHA256 (lynx2.8.8rel.2.tar.bz2) = 6980e75cf0d677fd52c116e2e0dfd3884e360970c88c8356a114338500d5bee7	2	SHA256 (lynx2.8.8rel.2.tar.bz2) = 6980e75cf0d677fd52c116e2e0dfd3884e360970c88c8356a114338500d5bee7
2	SIZE (lynx2.8.8rel.2.tar.bz2) = 2587120	3	SIZE (lynx2.8.8rel.2.tar.bz2) = 2587120




Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability".

This change has been passed upstream.

--- WWW/Library/Implementation/HTTP.c.orig	2015-02-16 12:48:34.014809453 -0800
+++ WWW/Library/Implementation/HTTP.c	2015-02-16 12:49:09.627395954 -0800
@@ -119,7 +119,8 @@
 #else
 	SSLeay_add_ssl_algorithms();
 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
+	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 #ifdef SSL_OP_NO_COMPRESSION
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif




Fix for CVE-2016-9179
See:
http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html

Re-engineered the upstream patch, which was only released
for the unstable lynx2.8.9. Removed the at_sign, and made sure that
the user id is correctly stripped of all non valid inputs.

--- WWW/Library/Implementation/HTTCP.c_orig	2016-12-01 15:07:39.487753520 +0000
+++ WWW/Library/Implementation/HTTCP.c	2016-12-01 15:10:20.291328282 +0000
@@ -1792,7 +1792,6 @@
     int status = 0;
     char *line = NULL;
     char *p1 = NULL;
-    char *at_sign = NULL;
     char *host = NULL;
 
 #ifdef INET6
@@ -1814,14 +1813,8 @@
      * Get node name and optional port number.
      */
     p1 = HTParse(url, "", PARSE_HOST);
-    if ((at_sign = StrChr(p1, '@')) != NULL) {
-	/*
-	 * If there's an @ then use the stuff after it as a hostname.
-	 */
-	StrAllocCopy(host, (at_sign + 1));
-    } else {
 	StrAllocCopy(host, p1);
-    }
+    strip_userid(host, FALSE);
     FREE(p1);
 
     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
--- WWW/Library/Implementation/HTTP.c_orig	2016-12-01 15:13:24.171404704 +0000
+++ WWW/Library/Implementation/HTTP.c	2016-12-01 15:19:59.699276204 +0000
@@ -426,7 +426,7 @@
 /*
  * Strip any username from the given string so we retain only the host.
  */
-static void strip_userid(char *host)
+void strip_userid(char *host, int parse_only)
 {
     char *p1 = host;
     char *p2 = StrChr(host, '@');
@@ -439,7 +439,8 @@
 
 	    CTRACE((tfp, "parsed:%s\n", fake));
 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
-	    HTAlert(msg);
+           if (msg !=0 && !parse_only)
+	        HTAlert(msg);
 	    FREE(msg);
 	}
 	while ((*p1++ = *p2++) != '\0') {
@@ -1081,7 +1082,7 @@
 	char *host = NULL;
 
 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
-	    strip_userid(host);
+	    strip_userid(host, TRUE);
 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
 	    FREE(host);
 	}
--- WWW/Library/Implementation/HTUtils.h_orig	2016-12-01 15:21:38.919699987 +0000
+++ WWW/Library/Implementation/HTUtils.h	2016-12-01 15:22:57.870511104 +0000
@@ -801,6 +801,8 @@
 
     extern FILE *TraceFP(void);
 
+    extern void strip_userid(char *host, int warn);
+
 #ifdef USE_SSL
     extern SSL *HTGetSSLHandle(void);
     extern void HTSSLInitPRNG(void);
--- src/LYUtils.c_orig	2016-12-01 15:25:21.769447171 +0000
+++ src/LYUtils.c	2016-12-01 15:28:31.901411555 +0000
@@ -4693,6 +4693,7 @@
      * Do a DNS test on the potential host field as presently trimmed.  - FM
      */
     StrAllocCopy(host, Str);
+    strip_userid(host, FALSE);
     HTUnEscape(host);
     if (LYCursesON) {
 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);




--- WWW/Library/Implementation/HTTCP.c.orig	2013-12-18 01:56:13 UTC
+++ WWW/Library/Implementation/HTTCP.c
@@ -1792,7 +1792,6 @@ int HTDoConnect(const char *url,
     int status = 0;
     char *line = NULL;
     char *p1 = NULL;
-    char *at_sign = NULL;
     char *host = NULL;
 
 #ifdef INET6
@@ -1814,14 +1813,8 @@ int HTDoConnect(const char *url,
      * Get node name and optional port number.
      */
     p1 = HTParse(url, "", PARSE_HOST);
-    if ((at_sign = StrChr(p1, '@')) != NULL) {
-	/*
-	 * If there's an @ then use the stuff after it as a hostname.
-	 */
-	StrAllocCopy(host, (at_sign + 1));
-    } else {
 	StrAllocCopy(host, p1);
-    }
+    strip_userid(host, FALSE);
     FREE(p1);
 
     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);




--- WWW/Library/Implementation/HTTP.c.orig	2017-02-06 11:42:42 UTC
+++ WWW/Library/Implementation/HTTP.c
@@ -420,7 +420,7 @@ int ws_netread(int fd, char *buf, int le
 /*
  * Strip any username from the given string so we retain only the host.
  */
-static void strip_userid(char *host)
+void strip_userid(char *host, int parse_only)
 {
     char *p1 = host;
     char *p2 = StrChr(host, '@');
@@ -433,7 +433,8 @@ static void strip_userid(char *host)
 
 	    CTRACE((tfp, "parsed:%s\n", fake));
 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
-	    HTAlert(msg);
+           if (msg !=0 && !parse_only)
+	        HTAlert(msg);
 	    FREE(msg);
 	}
 	while ((*p1++ = *p2++) != '\0') {
@@ -721,7 +722,7 @@ static int HTLoadHTTP(const char *arg,
 #elif SSLEAY_VERSION_NUMBER >= 0x0900
 #ifndef USE_NSS_COMPAT_INCL
 	if (!try_tls) {
-	    handle->options |= SSL_OP_NO_TLSv1;
+	    SSL_set_options(handle, SSL_OP_NO_TLSv1);
 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
 	} else {
 	    int ret = (int) SSL_set_tlsext_host_name(handle, ssl_host);
@@ -1075,7 +1076,7 @@ static int HTLoadHTTP(const char *arg,
 	char *host = NULL;
 
 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
-	    strip_userid(host);
+	    strip_userid(host, TRUE);
 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
 	    FREE(host);
 	}

Line 0 Link Here

(-)files/patch-WWW_Library_Implementation_HTUtils.h (+11 lines)
	1	--- WWW/Library/Implementation/HTUtils.h.orig 2014-02-05 00:50:18 UTC
	2	+++ WWW/Library/Implementation/HTUtils.h
	3	@@ -801,6 +801,8 @@ extern "C" {
	4
	5	extern FILE *TraceFP(void);
	6
	7	+ extern void strip_userid(char *host, int warn);
	8	+
	9	#ifdef USE_SSL
	10	extern SSL *HTGetSSLHandle(void);
	11	extern void HTSSLInitPRNG(void);




--- makefile.in.orig	2014-03-09 21:43:10 UTC
+++ makefile.in
@@ -413,7 +413,9 @@ install-help : $(CFG2HTML) help_files.se
 	else \
 		cp $(srcdir)/lynx.cfg $(SYSCONFDIR)/lynx.tmp ; \
 	fi'

 	@ECHO_CC@sed	-e '/^HELPFILE:http/s!^!#!' \
 		-e '/^#HELPFILE:file/s!#!!' \
 		$(SYSCONFDIR)/lynx.tmp | \
@@ -421,9 +423,11 @@ install-help : $(CFG2HTML) help_files.se
 	$(SHELL) $(scripts_dir)/cfg_path.sh lynx_doc  $(helpdir) | \
 	sed	-e '/^HELPFILE:file/s!$$!$(COMPRESS_EXT)!' \
 		-e '/^HELPFILE:file/s!$(COMPRESS_EXT)$(COMPRESS_EXT)$$!$(COMPRESS_EXT)!' \

 
 LYHelp.h : help_files.sed $(srcdir)/LYHelp.hin
 	@echo Creating $@
@@ -445,17 +449,17 @@ cfg_defs.h : $(scripts_dir)/cfg_defs.sh 
 	$(SHELL) -c 'SHELL=$(SHELL) $(SHELL) $(scripts_dir)/cfg_defs.sh $(srcdir)'
 
 install-cfg : $(SYSCONFDIR)

Line 0 Link Here

(-)files/patch-src_LYCharSets.c (+11 lines)
	1	--- src/LYCharSets.c.orig 2013-07-29 21:38:35 UTC
	2	+++ src/LYCharSets.c
	3	@@ -872,7 +872,7 @@ const char *HTMLGetEntityName(UCode_t co
	4	*/
	5	UCode_t HTMLGetEntityUCValue(const char *name)
	6	{
	7	-#include <entities.h>
	8	+#include "chrtrans/entities.h"
	9
	10	UCode_t value = 0;
	11	size_t i, high, low;

Line 0 Link Here

(-)files/patch-src_LYUtils.c (+10 lines)
	1	--- src/LYUtils.c.orig 2014-03-09 21:43:10 UTC
	2	+++ src/LYUtils.c
	3	@@ -4693,6 +4693,7 @@ BOOLEAN LYExpandHostForURL(char **Alloca
	4	* Do a DNS test on the potential host field as presently trimmed. - FM
	5	*/
	6	StrAllocCopy(host, Str);
	7	+ strip_userid(host, FALSE);
	8	HTUnEscape(host);
	9	if (LYCursesON) {
	10	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);

Return to bug 216785

Lines 1-16 Link Here

(-)files/patch-CVE-2014-3566 (-16 lines)
1	Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability".
2
3	This change has been passed upstream.
4
5	--- WWW/Library/Implementation/HTTP.c.orig 2015-02-16 12:48:34.014809453 -0800
6	+++ WWW/Library/Implementation/HTTP.c 2015-02-16 12:49:09.627395954 -0800
7	@@ -119,7 +119,8 @@
8	#else
9	SSLeay_add_ssl_algorithms();
10	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
11	- SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL \| SSL_OP_NO_SSLv2);
12	+ /* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
13	+ SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL \| SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);
14	#ifdef SSL_OP_NO_COMPRESSION
15	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
16	#endif

Lines 1-85 Link Here

(-)files/patch-CVE-2016-9179 (-85 lines)
1	Fix for CVE-2016-9179
2	See:
3	http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html
4
5	Re-engineered the upstream patch, which was only released
6	for the unstable lynx2.8.9. Removed the at_sign, and made sure that
7	the user id is correctly stripped of all non valid inputs.
8
9	--- WWW/Library/Implementation/HTTCP.c_orig 2016-12-01 15:07:39.487753520 +0000
10	+++ WWW/Library/Implementation/HTTCP.c 2016-12-01 15:10:20.291328282 +0000
11	@@ -1792,7 +1792,6 @@
12	int status = 0;
13	char *line = NULL;
14	char *p1 = NULL;
15	- char *at_sign = NULL;
16	char *host = NULL;
17
18	#ifdef INET6
19	@@ -1814,14 +1813,8 @@
20	* Get node name and optional port number.
21	*/
22	p1 = HTParse(url, "", PARSE_HOST);
23	- if ((at_sign = StrChr(p1, '@')) != NULL) {
24	- /*
25	- * If there's an @ then use the stuff after it as a hostname.
26	- */
27	- StrAllocCopy(host, (at_sign + 1));
28	- } else {
29	StrAllocCopy(host, p1);
30	- }
31	+ strip_userid(host, FALSE);
32	FREE(p1);
33
34	HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
35	--- WWW/Library/Implementation/HTTP.c_orig 2016-12-01 15:13:24.171404704 +0000
36	+++ WWW/Library/Implementation/HTTP.c 2016-12-01 15:19:59.699276204 +0000
37	@@ -426,7 +426,7 @@
38	/*
39	* Strip any username from the given string so we retain only the host.
40	*/
41	-static void strip_userid(char *host)
42	+void strip_userid(char *host, int parse_only)
43	{
44	char *p1 = host;
45	char *p2 = StrChr(host, '@');
46	@@ -439,7 +439,8 @@
47
48	CTRACE((tfp, "parsed:%s\n", fake));
49	HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
50	- HTAlert(msg);
51	+ if (msg !=0 && !parse_only)
52	+ HTAlert(msg);
53	FREE(msg);
54	}
55	while ((p1++ = p2++) != '\0') {
56	@@ -1081,7 +1082,7 @@
57	char *host = NULL;
58
59	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
60	- strip_userid(host);
61	+ strip_userid(host, TRUE);
62	HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
63	FREE(host);
64	}
65	--- WWW/Library/Implementation/HTUtils.h_orig 2016-12-01 15:21:38.919699987 +0000
66	+++ WWW/Library/Implementation/HTUtils.h 2016-12-01 15:22:57.870511104 +0000
67	@@ -801,6 +801,8 @@
68
69	extern FILE *TraceFP(void);
70
71	+ extern void strip_userid(char *host, int warn);
72	+
73	#ifdef USE_SSL
74	extern SSL *HTGetSSLHandle(void);
75	extern void HTSSLInitPRNG(void);
76	--- src/LYUtils.c_orig 2016-12-01 15:25:21.769447171 +0000
77	+++ src/LYUtils.c 2016-12-01 15:28:31.901411555 +0000
78	@@ -4693,6 +4693,7 @@
79	* Do a DNS test on the potential host field as presently trimmed. - FM
80	*/
81	StrAllocCopy(host, Str);
82	+ strip_userid(host, FALSE);
83	HTUnEscape(host);
84	if (LYCursesON) {
85	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);

Line 0 Link Here

(-)files/patch-WWW_Library_Implementation_HTTCP.c (+26 lines)
	1	--- WWW/Library/Implementation/HTTCP.c.orig 2013-12-18 01:56:13 UTC
	2	+++ WWW/Library/Implementation/HTTCP.c
	3	@@ -1792,7 +1792,6 @@ int HTDoConnect(const char *url,
	4	int status = 0;
	5	char *line = NULL;
	6	char *p1 = NULL;
	7	- char *at_sign = NULL;
	8	char *host = NULL;
	9
	10	#ifdef INET6
	11	@@ -1814,14 +1813,8 @@ int HTDoConnect(const char *url,
	12	* Get node name and optional port number.
	13	*/
	14	p1 = HTParse(url, "", PARSE_HOST);
	15	- if ((at_sign = StrChr(p1, '@')) != NULL) {
	16	- /*
	17	- * If there's an @ then use the stuff after it as a hostname.
	18	- */
	19	- StrAllocCopy(host, (at_sign + 1));
	20	- } else {
	21	StrAllocCopy(host, p1);
	22	- }
	23	+ strip_userid(host, FALSE);
	24	FREE(p1);
	25
	26	HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);

Line 0 Link Here

(-)files/patch-WWW_Library_Implementation_HTTP.c (+39 lines)
	1	--- WWW/Library/Implementation/HTTP.c.orig 2017-02-06 11:42:42 UTC
	2	+++ WWW/Library/Implementation/HTTP.c
	3	@@ -420,7 +420,7 @@ int ws_netread(int fd, char *buf, int le
	4	/*
	5	* Strip any username from the given string so we retain only the host.
	6	*/
	7	-static void strip_userid(char *host)
	8	+void strip_userid(char *host, int parse_only)
	9	{
	10	char *p1 = host;
	11	char *p2 = StrChr(host, '@');
	12	@@ -433,7 +433,8 @@ static void strip_userid(char *host)
	13
	14	CTRACE((tfp, "parsed:%s\n", fake));
	15	HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
	16	- HTAlert(msg);
	17	+ if (msg !=0 && !parse_only)
	18	+ HTAlert(msg);
	19	FREE(msg);
	20	}
	21	while ((p1++ = p2++) != '\0') {
	22	@@ -721,7 +722,7 @@ static int HTLoadHTTP(const char *arg,
	23	#elif SSLEAY_VERSION_NUMBER >= 0x0900
	24	#ifndef USE_NSS_COMPAT_INCL
	25	if (!try_tls) {
	26	- handle->options \|= SSL_OP_NO_TLSv1;
	27	+ SSL_set_options(handle, SSL_OP_NO_TLSv1);
	28	#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
	29	} else {
	30	int ret = (int) SSL_set_tlsext_host_name(handle, ssl_host);
	31	@@ -1075,7 +1076,7 @@ static int HTLoadHTTP(const char *arg,
	32	char *host = NULL;
	33
	34	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
	35	- strip_userid(host);
	36	+ strip_userid(host, TRUE);
	37	HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
	38	FREE(host);
	39	}

Lines 1-5 Link Here

(-)files/patch-makefile.in (-4 / +5 lines)
1	Index: makefile.in	1	--- makefile.in.orig 2014-03-09 21:43:10 UTC
2	@@ -433,7 +433,9 @@	2	+++ makefile.in
		3	@@ -413,7 +413,9 @@ install-help : $(CFG2HTML) help_files.se
3	else \	4	else \
4	cp $(srcdir)/lynx.cfg $(SYSCONFDIR)/lynx.tmp ; \	5	cp $(srcdir)/lynx.cfg $(SYSCONFDIR)/lynx.tmp ; \
5	fi'	6	fi'
Lines 10-16 Link Here
10	@ECHO_CC@sed -e '/^HELPFILE:http/s!^!#!' \	11	@ECHO_CC@sed -e '/^HELPFILE:http/s!^!#!' \
11	-e '/^#HELPFILE:file/s!#!!' \	12	-e '/^#HELPFILE:file/s!#!!' \
12	$(SYSCONFDIR)/lynx.tmp \| \	13	$(SYSCONFDIR)/lynx.tmp \| \
13	@@ -441,9 +443,11 @@	14	@@ -421,9 +423,11 @@ install-help : $(CFG2HTML) help_files.se
14	$(SHELL) $(scripts_dir)/cfg_path.sh lynx_doc $(helpdir) \| \	15	$(SHELL) $(scripts_dir)/cfg_path.sh lynx_doc $(helpdir) \| \
15	sed -e '/^HELPFILE:file/s!$$!$(COMPRESS_EXT)!' \	16	sed -e '/^HELPFILE:file/s!$$!$(COMPRESS_EXT)!' \
16	-e '/^HELPFILE:file/s!$(COMPRESS_EXT)$(COMPRESS_EXT)$$!$(COMPRESS_EXT)!' \	17	-e '/^HELPFILE:file/s!$(COMPRESS_EXT)$(COMPRESS_EXT)$$!$(COMPRESS_EXT)!' \
Lines 24-30 Link Here
24		25
25	LYHelp.h : help_files.sed $(srcdir)/LYHelp.hin	26	LYHelp.h : help_files.sed $(srcdir)/LYHelp.hin
26	@echo Creating $@	27	@echo Creating $@
27	@@ -465,17 +469,17 @@	28	@@ -445,17 +449,17 @@ cfg_defs.h : $(scripts_dir)/cfg_defs.sh
28	$(SHELL) -c 'SHELL=$(SHELL) $(SHELL) $(scripts_dir)/cfg_defs.sh $(srcdir)'	29	$(SHELL) -c 'SHELL=$(SHELL) $(SHELL) $(scripts_dir)/cfg_defs.sh $(srcdir)'
29		30
30	install-cfg : $(SYSCONFDIR)	31	install-cfg : $(SYSCONFDIR)