pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/www/lynx lynx: Address CVE-2021-38165
details: https://anonhg.NetBSD.org/pkgsrc/rev/1a27c549985e
branches: trunk
changeset: 456945:1a27c549985e
user: kim <kim%pkgsrc.org@localhost>
date: Thu Aug 12 04:20:11 2021 +0000
description:
lynx: Address CVE-2021-38165
Cherry picked from 2021-08-07 (2.9.0dev.9):
* strip user/password from ssl_host in HTLoadHTTP, incorrectly passed as
part of the server name indicator (Debian #991971) -TD
diffstat:
www/lynx/Makefile | 4 +-
www/lynx/distinfo | 3 +-
www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c | 42 ++++++++++++++++
3 files changed, 46 insertions(+), 3 deletions(-)
diffs (74 lines):
diff -r 1d78347a4f95 -r 1a27c549985e www/lynx/Makefile
--- a/www/lynx/Makefile Wed Aug 11 20:52:28 2021 +0000
+++ b/www/lynx/Makefile Thu Aug 12 04:20:11 2021 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.138 2021/04/21 13:25:30 adam Exp $
+# $NetBSD: Makefile,v 1.139 2021/08/12 04:20:11 kim Exp $
DISTNAME= lynx2.8.9rel.1
PKGNAME= ${DISTNAME:S/lynx/lynx-/:S/rel//}
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= www
MASTER_SITES= https://invisible-mirror.net/archives/lynx/tarballs/
MASTER_SITES+= ftp://ftp.cyf-kr.edu.pl/pub/unix/lynx/${SUBDIR:Q}/
diff -r 1d78347a4f95 -r 1a27c549985e www/lynx/distinfo
--- a/www/lynx/distinfo Wed Aug 11 20:52:28 2021 +0000
+++ b/www/lynx/distinfo Thu Aug 12 04:20:11 2021 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.39 2018/11/14 16:09:03 nia Exp $
+$NetBSD: distinfo,v 1.40 2021/08/12 04:20:11 kim Exp $
SHA1 (lynx2.8.9rel.1.tar.bz2) = 3e00ac30d008e0aa879bfd037abcfd9c0dd2faec
RMD160 (lynx2.8.9rel.1.tar.bz2) = 0923d229a32c6fc2586798a2b80630fca34e7493
SHA512 (lynx2.8.9rel.1.tar.bz2) = 61edbe082684fcbd91bdbf4f4d27c3baf92358811aaffc2f8af46adf23ca7b48aede1520fc5f2a8fc974a2f4bbf4e57e7e6027a187bfc6101e56878c98178e6d
Size (lynx2.8.9rel.1.tar.bz2) = 2689171 bytes
+SHA1 (patch-WWW_Library_Implementation_HTTP.c) = 402301685b2cd0a3faa7efab8a9ec69294bef409
SHA1 (patch-aa) = 85e76c4b2708e01dd1abdc1af764a067bd83bcb9
SHA1 (patch-ab) = 26fab3bd426a76df530e6780eefe36464059bc6a
diff -r 1d78347a4f95 -r 1a27c549985e www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c Thu Aug 12 04:20:11 2021 +0000
@@ -0,0 +1,42 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.c,v 1.4 2021/08/12 04:20:11 kim Exp $
+
+Address CVE-2021-38165 [From 2021-08-07 (2.9.0dev.9)]:
+
+* strip user/password from ssl_host in HTLoadHTTP, incorrectly passed as
+ part of the server name indicator (Debian #991971) -TD
+
+Index: WWW/Library/Implementation/HTTP.c
+--- WWW/Library/Implementation/HTTP.c 2021-06-08 23:28:23.000000000 +0000
++++ WWW/Library/Implementation/HTTP.c 2021-08-07 14:33:59.000000000 +0000
+@@ -764,6 +764,23 @@
+ }
+ #endif
+
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++ char *p = strchr(host, '@');
++
++ if (p != NULL) {
++ char *q = host;
++
++ while ((*q++ = *++p) != '\0') ;
++ }
++ return host;
++}
++#endif
++
+ /* Load Document from HTTP Server HTLoadHTTP()
+ * ==============================
+ *
+@@ -959,6 +976,7 @@
+ /* get host we're connecting to */
+ ssl_host = HTParse(url, "", PARSE_HOST);
+ ssl_host = StripIpv6Brackets(ssl_host);
++ ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ ret = gnutls_server_name_set(handle->gnutls_state,
+ GNUTLS_NAME_DNS,
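Review bot: In StripUserAuthents, strchr(host, '@') stops at the first '@', so if the host-string ever carries a literal '@' inside the user/password part, everything after that first '@' (the tail of the password and the second '@') stays in ssl_host and is still handed to the server name call. Using strrchr(host, '@') would cut at the last '@' and cover that case too. It would also help to say in the function comment that the string is modified in place and that the left-to-right copy loop is what makes the overlapping source and destination safe.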