Attachment 196134 Details for Bug 230568 – patch file

[patch] patch file

lynx-2.8.9.1,1.patch (text/plain), 7.05 KB, created by Dmitri Goutnik on 2018-08-12 18:28:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Dmitri Goutnik

Created: 2018-08-12 18:28:47 UTC

Size: 7.05 KB

patch

obsolete

>Index: www/lynx/Makefile
>===================================================================
>--- www/lynx/Makefile	(revision 477004)
>+++ www/lynx/Makefile	(working copy)
>@@ -2,8 +2,7 @@
> # $FreeBSD$
> 
> PORTNAME=	lynx
>-PORTVERSION=	2.8.8.2
>-PORTREVISION=	6
>+PORTVERSION=	2.8.9.1
> PORTEPOCH=	1
> CATEGORIES=	www ipv6
> MASTER_SITES=	http://invisible-mirror.net/archives/lynx/tarballs/ \
>@@ -21,7 +20,6 @@
> 
> USES=		cpe ncurses shebangfix tar:bzip2
> SHEBANG_FILES=	samples/mailto-form.pl
>-WRKSRC=		${WRKDIR}/${PORTNAME}2-8-8
> GNU_CONFIGURE=	yes
> CONFIGURE_ARGS+=--with-zlib --libdir="${PREFIX}/etc" \
> 		--enable-nsl-fork --enable-persistent-cookies \
>Index: www/lynx/distinfo
>===================================================================
>--- www/lynx/distinfo	(revision 477004)
>+++ www/lynx/distinfo	(working copy)
>@@ -1,2 +1,3 @@
>-SHA256 (lynx2.8.8rel.2.tar.bz2) = 6980e75cf0d677fd52c116e2e0dfd3884e360970c88c8356a114338500d5bee7
>-SIZE (lynx2.8.8rel.2.tar.bz2) = 2587120
>+TIMESTAMP = 1534076790
>+SHA256 (lynx2.8.9rel.1.tar.bz2) = 387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595
>+SIZE (lynx2.8.9rel.1.tar.bz2) = 2689171
>Index: www/lynx/files/patch-CVE-2014-3566
>===================================================================
>--- www/lynx/files/patch-CVE-2014-3566	(revision 477004)
>+++ www/lynx/files/patch-CVE-2014-3566	(working copy)
>@@ -1,16 +1,16 @@
>-Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability".
>-
>-This change has been passed upstream.
>-
>---- WWW/Library/Implementation/HTTP.c.orig	2015-02-16 12:48:34.014809453 -0800
>-+++ WWW/Library/Implementation/HTTP.c	2015-02-16 12:49:09.627395954 -0800
>-@@ -119,7 +119,8 @@
>+--- WWW/Library/Implementation/HTTP.c.orig	2018-08-12 12:33:30 UTC
>++++ WWW/Library/Implementation/HTTP.c
>+@@ -206,11 +206,8 @@ SSL *HTGetSSLHandle(void)
>  #else
>  	SSLeay_add_ssl_algorithms();
>- 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
>--	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>-+	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
>-+	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>+ 	if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) != NULL) {
>+-#ifdef SSL_OP_NO_SSLv2
>+-	    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>+-#else
>+-	    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
>+-#endif
>++		/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
>++	    SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>  #ifdef SSL_OP_NO_COMPRESSION
>- 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
>+ 	    SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
>  #endif
>Index: www/lynx/files/patch-CVE-2016-9179
>===================================================================
>--- www/lynx/files/patch-CVE-2016-9179	(revision 477004)
>+++ www/lynx/files/patch-CVE-2016-9179	(nonexistent)
>@@ -1,85 +0,0 @@
>-Fix for CVE-2016-9179
>-See:
>-http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html
>-
>-Re-engineered the upstream patch, which was only released
>-for the unstable lynx2.8.9. Removed the at_sign, and made sure that
>-the user id is correctly stripped of all non valid inputs.
>-
>---- WWW/Library/Implementation/HTTCP.c_orig	2016-12-01 15:07:39.487753520 +0000
>-+++ WWW/Library/Implementation/HTTCP.c	2016-12-01 15:10:20.291328282 +0000
>-@@ -1792,7 +1792,6 @@
>-     int status = 0;
>-     char *line = NULL;
>-     char *p1 = NULL;
>--    char *at_sign = NULL;
>-     char *host = NULL;
>- 
>- #ifdef INET6
>-@@ -1814,14 +1813,8 @@
>-      * Get node name and optional port number.
>-      */
>-     p1 = HTParse(url, "", PARSE_HOST);
>--    if ((at_sign = StrChr(p1, '@')) != NULL) {
>--	/*
>--	 * If there's an @ then use the stuff after it as a hostname.
>--	 */
>--	StrAllocCopy(host, (at_sign + 1));
>--    } else {
>- 	StrAllocCopy(host, p1);
>--    }
>-+    strip_userid(host, FALSE);
>-     FREE(p1);
>- 
>-     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
>---- WWW/Library/Implementation/HTTP.c_orig	2016-12-01 15:13:24.171404704 +0000
>-+++ WWW/Library/Implementation/HTTP.c	2016-12-01 15:19:59.699276204 +0000
>-@@ -426,7 +426,7 @@
>- /*
>-  * Strip any username from the given string so we retain only the host.
>-  */
>--static void strip_userid(char *host)
>-+void strip_userid(char *host, int parse_only)
>- {
>-     char *p1 = host;
>-     char *p2 = StrChr(host, '@');
>-@@ -439,7 +439,8 @@
>- 
>- 	    CTRACE((tfp, "parsed:%s\n", fake));
>- 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
>--	    HTAlert(msg);
>-+           if (msg !=0 && !parse_only)
>-+	        HTAlert(msg);
>- 	    FREE(msg);
>- 	}
>- 	while ((*p1++ = *p2++) != '\0') {
>-@@ -1081,7 +1082,7 @@
>- 	char *host = NULL;
>- 
>- 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
>--	    strip_userid(host);
>-+	    strip_userid(host, TRUE);
>- 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
>- 	    FREE(host);
>- 	}
>---- WWW/Library/Implementation/HTUtils.h_orig	2016-12-01 15:21:38.919699987 +0000
>-+++ WWW/Library/Implementation/HTUtils.h	2016-12-01 15:22:57.870511104 +0000
>-@@ -801,6 +801,8 @@
>- 
>-     extern FILE *TraceFP(void);
>- 
>-+    extern void strip_userid(char *host, int warn);
>-+
>- #ifdef USE_SSL
>-     extern SSL *HTGetSSLHandle(void);
>-     extern void HTSSLInitPRNG(void);
>---- src/LYUtils.c_orig	2016-12-01 15:25:21.769447171 +0000
>-+++ src/LYUtils.c	2016-12-01 15:28:31.901411555 +0000
>-@@ -4693,6 +4693,7 @@
>-      * Do a DNS test on the potential host field as presently trimmed.  - FM
>-      */
>-     StrAllocCopy(host, Str);
>-+    strip_userid(host, FALSE);
>-     HTUnEscape(host);
>-     if (LYCursesON) {
>- 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);
>
>Property changes on: www/lynx/files/patch-CVE-2016-9179
>___________________________________________________________________
>Deleted: fbsd:nokeywords
>## -1 +0,0 ##
>-yes
>\ No newline at end of property
>Deleted: svn:eol-style
>## -1 +0,0 ##
>-native
>\ No newline at end of property
>Deleted: svn:mime-type
>## -1 +0,0 ##
>-text/plain
>\ No newline at end of property
>Index: www/lynx/files/patch-WWW_Library_Implementation_HTTP.c
>===================================================================
>--- www/lynx/files/patch-WWW_Library_Implementation_HTTP.c	(revision 477004)
>+++ www/lynx/files/patch-WWW_Library_Implementation_HTTP.c	(nonexistent)
>@@ -1,11 +0,0 @@
>---- WWW/Library/Implementation/HTTP.c.orig	2017-02-09 21:20:27 UTC
>-+++ WWW/Library/Implementation/HTTP.c
>-@@ -721,7 +722,7 @@ static int HTLoadHTTP(const char *arg,
>- #elif SSLEAY_VERSION_NUMBER >= 0x0900
>- #ifndef USE_NSS_COMPAT_INCL
>- 	if (!try_tls) {
>--	    handle->options |= SSL_OP_NO_TLSv1;
>-+	    SSL_set_options(handle, SSL_OP_NO_TLSv1);
>- #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
>- 	} else {
>- 	    int ret = (int) SSL_set_tlsext_host_name(handle, ssl_host);
>
>Property changes on: www/lynx/files/patch-WWW_Library_Implementation_HTTP.c
>___________________________________________________________________
>Deleted: fbsd:nokeywords
>## -1 +0,0 ##
>-yes
>\ No newline at end of property
>Deleted: svn:eol-style
>## -1 +0,0 ##
>-native
>\ No newline at end of property
>Deleted: svn:mime-type
>## -1 +0,0 ##
>-text/plain
>\ No newline at end of property

Flags:

dmgk: maintainer-approval?

Actions: View | Diff

Attachments on bug 230568: 196134