commit:     b986809e95f5466c28c66132dac475c5b04884ba
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Wed Aug 24 00:29:01 2016 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Wed Aug 24 00:32:55 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b986809e

net-misc/tn5250: new revision sans SSLv2/SSLv3 support.

This new revision adds two custom patches. The first drops SSLv2/SSLv3
support by disabling the user's ability to specify "ssl2" or "ssl3" as
his "ssl_method". The fallback "auto" should still work and choose
something secure.

The second patch fixes the build with -Werror=format-security and
consists of trivial format string additions.

Gentoo-Bug: 591940

Package-Manager: portage-2.2.28

 .../tn5250/files/disable-sslv2-and-sslv3.patch     | 61 +++++++++++++++++++++
 .../files/fix-Wformat-security-warnings.patch      | 62 ++++++++++++++++++++++
 net-misc/tn5250/tn5250-0.17.4-r2.ebuild            | 62 ++++++++++++++++++++++
 3 files changed, 185 insertions(+)

diff --git a/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch 
b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
new file mode 100644
index 00000000..9c8d04f
--- /dev/null
+++ b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
@@ -0,0 +1,61 @@
+From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <[email protected]>
+Date: Tue, 23 Aug 2016 18:13:47 -0400
+Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method.
+
+The SSLv2 and SSLv3 protocols are insecure, and people have begun to
+operate without them. LibreSSL, for example, does not have them
+enabled, and it is possible to build OpenSSL in the same manner.
+
+If SSLv[23] are disabled, the user would not be able to choose "ssl2"
+or "ssl3" as his "ssl_method", an option that was undocumented
+anywhere. Therefore there is not much lost, and some security to gain,
+by removing the option completely. This commit does that, and uses the
+automatic protocol choice that is capable of negotiating TLSv1,
+TLSv1.1 and TLSv1.2.
+
+Gentoo-Bug: 591940
+---
+ lib5250/sslstream.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 7181566..2f91d1a 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+ 
+ /*  which SSL method do we use? */
+ 
+-   strcpy(methstr,"auto");
+-   if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
+-        strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
+-        methstr[4] = '\0';
+-   }
+-
+-   if (!strcmp(methstr, "ssl2")) {
+-        meth = SSLv2_client_method();         
+-        TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
+-   } else if (!strcmp(methstr, "ssl3")) {
+-        meth = SSLv3_client_method();         
+-        TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
+-   } else {
+-        meth = SSLv23_client_method();         
+-        TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+-   }
++    /* Ignore the user's choice of ssl_method (which isn't documented
++     * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
++     * and this is only safe supported method left.
++     *
++     * This is a Gentoo-specific modification that lets us build
++     * against LibreSSL and newer OpenSSL with its insecure protocols
++     * disabled.
++     */
++    meth = SSLv23_client_method();
++    TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+ 
+ /*  create a new SSL context */
+ 
+-- 
+2.7.3
+
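Review bot: `meth = SSLv23_client_method();` on the new side only selects the version-flexible method; whether SSLv2 or SSLv3 can still be negotiated depends on the library build and on the options applied to the context created after this hunk, so the "auto" fallback does not by itself exclude them on an OpenSSL build that still ships SSLv3. If the context setup (outside the hunk, after the `/* create a new SSL context */` comment) does not already do so, add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` once the context exists, where `ctx` stands for whatever the context variable is named; it is harmless on builds that lack those protocols. The added comment `and this is only safe supported method left` drops a word and overstates the guarantee; `and the version-flexible method is the only one left, leaving the protocol choice to negotiation` would be accurate. The removed lines were the only visible users of `methstr`, so if it is declared earlier in `tn5250_ssl_stream_init` it is now unused and will trip -Wunused-variable. The function continues outside the hunk.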

diff --git a/net-misc/tn5250/files/fix-Wformat-security-warnings.patch 
b/net-misc/tn5250/files/fix-Wformat-security-warnings.patch
new file mode 100644
index 00000000..4927bce
--- /dev/null
+++ b/net-misc/tn5250/files/fix-Wformat-security-warnings.patch
@@ -0,0 +1,62 @@
+From 1bc9cac45be4bac46f58e325779bdb8c7b7bf502 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <[email protected]>
+Date: Tue, 23 Aug 2016 20:20:15 -0400
+Subject: [PATCH 1/1] Fix format-security warnings.
+
+Newer versions of GCC have the ability to warn you (or throw errors)
+about insecure format strings. Generally this is due to an omitted
+format string in the printf family of functions, and a few of those
+issues existed in the code base. They were all fixed by adding a
+trivial "%s" format string. The project now builds with
+-Werror=format-security.
+---
+ curses/cursesterm.c | 4 ++--
+ lib5250/sslstream.c | 2 +-
+ lib5250/telnetstr.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/curses/cursesterm.c b/curses/cursesterm.c
+index bf20f05..3032966 100644
+--- a/curses/cursesterm.c
++++ b/curses/cursesterm.c
+@@ -640,9 +640,9 @@ static void curses_terminal_update(Tn5250Terminal * This, 
Tn5250Display *display
+       if(This->data->is_xterm) {
+          if (This->data->font_132!=NULL) {
+                if (tn5250_display_width (display)>100)
+-                    printf(This->data->font_132);
++                  printf("%s", This->data->font_132);
+                else
+-                    printf(This->data->font_80);
++                  printf("%s", This->data->font_80);
+          }
+        printf ("\x1b[8;%d;%dt", tn5250_display_height (display)+1,
+              tn5250_display_width (display));
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 2f91d1a..7f3009e 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -307,7 +307,7 @@ static void ssl_log_SB_buf(unsigned char *buf, int len)
+ 
+    if (!tn5250_logfile)
+       return;
+-   fprintf(tn5250_logfile,ssl_getTelOpt(type=*buf++));
++   fprintf(tn5250_logfile,"%s",ssl_getTelOpt(type=*buf++));
+    switch (c=*buf++) {
+       case IS:
+               fputs("<IS>",tn5250_logfile);
+diff --git a/lib5250/telnetstr.c b/lib5250/telnetstr.c
+index 9ad2624..cf1576f 100644
+--- a/lib5250/telnetstr.c
++++ b/lib5250/telnetstr.c
+@@ -282,7 +282,7 @@ static void log_SB_buf(unsigned char *buf, int len)
+ 
+    if (!tn5250_logfile)
+       return;
+-   fprintf(tn5250_logfile,getTelOpt(type=*buf++));
++   fprintf(tn5250_logfile,"%s",getTelOpt(type=*buf++));
+    switch (c=*buf++) {
+       case IS:
+               fputs("<IS>",tn5250_logfile);
+-- 
+2.7.3
+
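Review bot: In the cursesterm.c hunk the new `printf("%s", This->data->font_80);` in the else branch is guarded only by `This->data->font_132!=NULL`, so if font_80 can be left unset independently of font_132 the call passes a null pointer to `%s`, which is undefined behaviour even though glibc happens to print "(null)"; this is pre-existing and the commit's "%s" fix does not change it. A one-line guard keeps the structure, `else if (This->data->font_80 != NULL)`, though whether the two fields are always set together cannot be told from the hunk. The two new lines are also indented two columns less than the lines they replace (18 spaces instead of 20), which is worth aligning with the surrounding code. The enclosing `curses_terminal_update` starts and ends outside the hunk.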

diff --git a/net-misc/tn5250/tn5250-0.17.4-r2.ebuild 
b/net-misc/tn5250/tn5250-0.17.4-r2.ebuild
new file mode 100644
index 00000000..7d7db50
--- /dev/null
+++ b/net-misc/tn5250/tn5250-0.17.4-r2.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+inherit eutils
+
+DESCRIPTION="IBM AS/400 telnet client which emulates 5250 terminals/printers"
+HOMEPAGE="http://tn5250.sourceforge.net/";
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="X libressl ssl"
+
+RDEPEND="
+       sys-libs/ncurses:=
+       ssl? (
+               !libressl? ( dev-libs/openssl:0= )
+               libressl? ( dev-libs/libressl:0= )
+       )
+"
+
+DEPEND="${RDEPEND}
+       X? ( x11-libs/libXt )
+"
+
+PATCHES=(
+       "${FILESDIR}/disable-sslv2-and-sslv3.patch"
+       "${FILESDIR}/fix-Wformat-security-warnings.patch"
+)
+
+src_prepare() {
+       default
+
+       # Next, the Makefile for the terminfo settings tries to remove
+       # some files it doesn't have access to.  We can just remove those
+       # lines.
+       sed -i \
+               -e "/rm -f \/usr\/.*\/terminfo.*5250/d" linux/Makefile.in \
+               || die "sed Makefile.in failed"
+}
+
+src_configure() {
+       econf \
+               --disable-static \
+               --without-python \
+               $(use_with X x) \
+               $(use_with ssl)
+}
+
+src_install() {
+       # The TERMINFO variable needs to be defined for the install
+       # to work, because the install calls "tic."      man tic for
+       # details.
+       dodir /usr/share/terminfo
+       emake DESTDIR="${D}" TERMINFO="${D}/usr/share/terminfo" install
+
+       einstalldocs
+       prune_libtool_files
+}
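Review bot: The `HOMEPAGE="http://tn5250.sourceforge.net/";` line carries a stray `;` after the closing quote; bash accepts it as an empty statement terminator, but no other assignment in the file has one and it reads like a paste artifact, so `HOMEPAGE="http://tn5250.sourceforge.net/"` is the intended form. In `src_prepare`, the sed expression `"/rm -f \/usr\/.*\/terminfo.*5250/d"` escapes every slash because `/` is also the address delimiter; using an alternate delimiter, `-e '\|rm -f /usr/.*/terminfo.*5250|d'`, expresses the same address without the backslashes. The comment "Next, the Makefile ..." follows nothing but `default`, so "Next" has no antecedent and could be dropped.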
