Date: Monday, August 9, 2021 @ 15:57:42
  Author: diabonas
Revision: 421274

upgpkg: lynx 2.8.9-4: add fix for CVE-2021-38165 (FS#71764)

There is no new stable upstream release yet, so the patch is extracted from the
diff between the development versions 2.9.0dev.8 and 2.9.0dev.9.

Added:
  lynx/trunk/CVE-2021-38165.diff
Modified:
  lynx/trunk/PKGBUILD

---------------------+
 CVE-2021-38165.diff |   34 ++++++++++++++++++++++++++++++++++
 PKGBUILD            |   15 +++++++++++----
 2 files changed, 45 insertions(+), 4 deletions(-)

Added: CVE-2021-38165.diff
===================================================================
--- CVE-2021-38165.diff                         (rev 0)
+++ CVE-2021-38165.diff 2021-08-09 15:57:42 UTC (rev 421274)
@@ -0,0 +1,34 @@
+--- a/WWW/Library/Implementation/HTTP.c
++++ b/WWW/Library/Implementation/HTTP.c
+@@ -764,6 +764,23 @@ static char *StripIpv6Brackets(char *host)
+ }
+ #endif
+ 
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++    char *p = strchr(host, '@');
++
++    if (p != NULL) {
++      char *q = host;
++
++      while ((*q++ = *++p) != '\0') ;
++    }
++    return host;
++}
++#endif
++
+ /*            Load Document from HTTP Server                  HTLoadHTTP()
+  *            ==============================
+  *
+@@ -959,6 +976,7 @@ static int HTLoadHTTP(const char *arg,
+       /* get host we're connecting to */
+       ssl_host = HTParse(url, "", PARSE_HOST);
+       ssl_host = StripIpv6Brackets(ssl_host);
++      ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+       ret = gnutls_server_name_set(handle->gnutls_state,
+                                    GNUTLS_NAME_DNS,
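Review bot: `StripUserAuthents` cuts at the first `@` (`strchr`), so a host string carrying more than one `@` would still leave part of the userinfo in `ssl_host`, which the second hunk then hands to the SNI call (`gnutls_server_name_set`). Whether `HTParse(url, "", PARSE_HOST)` can return such a string is not visible here, but cutting at the last separator is the safer default: `char *p = strrchr(host, '@');`. The descriptive comment also sits above `#ifdef USE_SSL` rather than inside it, so non-SSL builds keep a comment with no function under it; moving it below the guard keeps the two together. The body of `HTLoadHTTP` continues outside the hunk.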

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2021-08-09 12:23:56 UTC (rev 421273)
+++ PKGBUILD    2021-08-09 15:57:42 UTC (rev 421274)
@@ -5,7 +5,7 @@
 pkgname=lynx
 pkgver=2.8.9
 _relver=${pkgver}rel.1
-pkgrel=3
+pkgrel=4
 pkgdesc="A text browser for the World Wide Web"
 url="https://lynx.browser.org/";
 arch=('x86_64')
@@ -12,11 +12,18 @@
 license=('GPL')
 depends=('openssl' 'libidn')
 backup=('etc/lynx.cfg')
-source=("https://invisible-mirror.net/archives/lynx/tarballs/${pkgname}${_relver}.tar.bz2"{,.asc})
+source=("https://invisible-mirror.net/archives/lynx/tarballs/${pkgname}${_relver}.tar.bz2"{,.asc}
+        'CVE-2021-38165.diff')
 sha256sums=('387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595'
-            'SKIP')
+            'SKIP'
+            '693f025a6886b555cc8d7b655de8e62bd8af870a74909e6a4b6cec6e3736dd0d')
 validpgpkeys=('C52048C0C0748FEE227D47A2702353E0F7E48EDB')
-  
+
+prepare() {
+  cd "${srcdir}/${pkgname}${_relver}"
+  patch --forward --strip=1 --input="${srcdir}/CVE-2021-38165.diff"
+}
+
 build() {
   cd "${srcdir}/${pkgname}${_relver}"
   ./configure --prefix=/usr \
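Review bot: The PKGBUILD records no provenance for `CVE-2021-38165.diff`. The new `sha256sums` entry pins the local file's content but not where it came from, and only the commit message names the 2.9.0dev.8 to 2.9.0dev.9 diff. A comment above `prepare()` such as `# CVE-2021-38165: extracted from the upstream diff 2.9.0dev.8..2.9.0dev.9; drop once a stable release contains it` would let a later maintainer re-derive the patch and retire it. The body of `build()` continues outside the hunk.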
