www/lynx: Patch vulnerabilities

PR: 215464 MFH: 2017Q1 Security: CVE-2014-3566 Security: CVE-2016-9179
author: Mark Felder <feld@FreeBSD.org> 2017-01-09 17:15:11 +0000
committer: Mark Felder <feld@FreeBSD.org> 2017-01-09 17:15:11 +0000
commit: de544f1716470f8b355fadc5153b90764cc42e72 (patch)
tree: b889808bc69cc91a98de0a5ae6174435287b3fd1 /www/lynx
parent: 4aa95d7ef888bce02cade74a2103bc25f6a7614c (diff)
download: ports-de544f1716470f8b355fadc5153b90764cc42e72.tar.gz
ports-de544f1716470f8b355fadc5153b90764cc42e72.zip
3 files changed, 102 insertions, 1 deletions
diff --git a/www/lynx/Makefile b/www/lynx/Makefile
index 11e13d3a3272..5f5047dec580 100644
--- a/www/lynx/Makefile
+++ b/www/lynx/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	lynx
 PORTVERSION=	2.8.8.2
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	http://invisible-mirror.net/archives/lynx/tarballs/ \
diff --git a/www/lynx/files/patch-CVE-2014-3566 b/www/lynx/files/patch-CVE-2014-3566
new file mode 100644
index 000000000000..f6956346cdbc
--- /dev/null
+++ b/www/lynx/files/patch-CVE-2014-3566
@@ -0,0 +1,16 @@
+Disable SSLv2 and SSLv3 in lynx to "mitigate POODLE vulnerability".
+
+This change has been passed upstream.
+
+--- WWW/Library/Implementation/HTTP.c.orig	2015-02-16 12:48:34.014809453 -0800
++++ WWW/Library/Implementation/HTTP.c	2015-02-16 12:49:09.627395954 -0800
+@@ -119,7 +119,8 @@
+ #else
+ 	SSLeay_add_ssl_algorithms();
+ 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
++	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
++	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif
diff --git a/www/lynx/files/patch-CVE-2016-9179 b/www/lynx/files/patch-CVE-2016-9179
new file mode 100644
index 000000000000..81ed8e9c0014
--- /dev/null
+++ b/www/lynx/files/patch-CVE-2016-9179
@@ -0,0 +1,85 @@
+Fix for CVE-2016-9179
+See:
+http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html
+
+Re-engineered the upstream patch, which was only released
+for the unstable lynx2.8.9. Removed the at_sign, and made sure that
+the user id is correctly stripped of all non valid inputs.
+
+--- WWW/Library/Implementation/HTTCP.c_orig	2016-12-01 15:07:39.487753520 +0000
++++ WWW/Library/Implementation/HTTCP.c	2016-12-01 15:10:20.291328282 +0000
+@@ -1792,7 +1792,6 @@
+     int status = 0;
+     char *line = NULL;
+     char *p1 = NULL;
+-    char *at_sign = NULL;
+     char *host = NULL;
+ 
+ #ifdef INET6
+@@ -1814,14 +1813,8 @@
+      * Get node name and optional port number.
+      */
+     p1 = HTParse(url, "", PARSE_HOST);
+-    if ((at_sign = StrChr(p1, '@')) != NULL) {
+-	/*
+-	 * If there's an @ then use the stuff after it as a hostname.
+-	 */
+-	StrAllocCopy(host, (at_sign + 1));
+-    } else {
+ 	StrAllocCopy(host, p1);
+-    }
++    strip_userid(host, FALSE);
+     FREE(p1);
+ 
+     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
+--- WWW/Library/Implementation/HTTP.c_orig	2016-12-01 15:13:24.171404704 +0000
++++ WWW/Library/Implementation/HTTP.c	2016-12-01 15:19:59.699276204 +0000
+@@ -426,7 +426,7 @@
+ /*
+  * Strip any username from the given string so we retain only the host.
+  */
+-static void strip_userid(char *host)
++void strip_userid(char *host, int parse_only)
+ {
+     char *p1 = host;
+     char *p2 = StrChr(host, '@');
+@@ -439,7 +439,8 @@
+ 
+ 	    CTRACE((tfp, "parsed:%s\n", fake));
+ 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
+-	    HTAlert(msg);
++           if (msg !=0 && !parse_only)
++	        HTAlert(msg);
+ 	    FREE(msg);
+ 	}
+ 	while ((*p1++ = *p2++) != '\0') {
+@@ -1081,7 +1082,7 @@
+ 	char *host = NULL;
+ 
+ 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
+-	    strip_userid(host);
++	    strip_userid(host, TRUE);
+ 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
+ 	    FREE(host);
+ 	}
+--- WWW/Library/Implementation/HTUtils.h_orig	2016-12-01 15:21:38.919699987 +0000
++++ WWW/Library/Implementation/HTUtils.h	2016-12-01 15:22:57.870511104 +0000
+@@ -801,6 +801,8 @@
+ 
+     extern FILE *TraceFP(void);
+ 
++    extern void strip_userid(char *host, int warn);
++
+ #ifdef USE_SSL
+     extern SSL *HTGetSSLHandle(void);
+     extern void HTSSLInitPRNG(void);
+--- src/LYUtils.c_orig	2016-12-01 15:25:21.769447171 +0000
++++ src/LYUtils.c	2016-12-01 15:28:31.901411555 +0000
+@@ -4693,6 +4693,7 @@
+      * Do a DNS test on the potential host field as presently trimmed.  - FM
+      */
+     StrAllocCopy(host, Str);
++    strip_userid(host, FALSE);
+     HTUnEscape(host);
+     if (LYCursesON) {
+ 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);
author	Mark Felder <feld@FreeBSD.org>	2017-01-09 17:15:11 +0000
committer	Mark Felder <feld@FreeBSD.org>	2017-01-09 17:15:11 +0000
commit	de544f1716470f8b355fadc5153b90764cc42e72 (patch)
tree	b889808bc69cc91a98de0a5ae6174435287b3fd1 /www/lynx
parent	4aa95d7ef888bce02cade74a2103bc25f6a7614c (diff)
download	ports-de544f1716470f8b355fadc5153b90764cc42e72.tar.gz ports-de544f1716470f8b355fadc5153b90764cc42e72.zip