[arch-commits] Commit in lynx/trunk (CVE-2021-38165.diff PKGBUILD)
Jonas Witschel
diabonas at gemini.archlinux.org
Mon Aug 9 15:57:43 UTC 2021
Date: Monday, August 9, 2021 @ 15:57:42
Author: diabonas
Revision: 421274
upgpkg: lynx 2.8.9-4: add fix for CVE-2021-38165 (FS#71764)
There is no new stable upstream release yet, so the patch is extracted from the
diff between the development versions 2.9.0dev.8 and 2.9.0dev.9.
Added:
lynx/trunk/CVE-2021-38165.diff
Modified:
lynx/trunk/PKGBUILD
---------------------+
CVE-2021-38165.diff | 34 ++++++++++++++++++++++++++++++++++
PKGBUILD | 15 +++++++++++----
2 files changed, 45 insertions(+), 4 deletions(-)
Added: CVE-2021-38165.diff
===================================================================
--- CVE-2021-38165.diff (rev 0)
+++ CVE-2021-38165.diff 2021-08-09 15:57:42 UTC (rev 421274)
@@ -0,0 +1,34 @@
+--- a/WWW/Library/Implementation/HTTP.c
++++ b/WWW/Library/Implementation/HTTP.c
+@@ -764,6 +764,23 @@ static char *StripIpv6Brackets(char *host)
+ }
+ #endif
+
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++ char *p = strchr(host, '@');
++
++ if (p != NULL) {
++ char *q = host;
++
++ while ((*q++ = *++p) != '\0') ;
++ }
++ return host;
++}
++#endif
++
+ /* Load Document from HTTP Server HTLoadHTTP()
+ * ==============================
+ *
+@@ -959,6 +976,7 @@ static int HTLoadHTTP(const char *arg,
+ /* get host we're connecting to */
+ ssl_host = HTParse(url, "", PARSE_HOST);
+ ssl_host = StripIpv6Brackets(ssl_host);
++ ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ ret = gnutls_server_name_set(handle->gnutls_state,
+ GNUTLS_NAME_DNS,
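Review bot: `StripUserAuthents` cuts at the first `@` because it uses `strchr`, so if `HTParse(url, "", PARSE_HOST)` can return userinfo containing an unescaped `@`, the tail of the credentials would remain in `ssl_host` and still reach the `gnutls_server_name_set` call just below. A host name cannot contain `@`, so searching from the end is the safer choice: `char *p = strrchr(host, '@');`. The helper is compiled only under `#ifdef USE_SSL`, and the call in `HTLoadHTTP` appears to sit in SSL-only code, but that function starts and ends outside the hunk, so it is worth confirming the call site is under the same guard.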
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-08-09 12:23:56 UTC (rev 421273)
+++ PKGBUILD 2021-08-09 15:57:42 UTC (rev 421274)
@@ -5,7 +5,7 @@
pkgname=lynx
pkgver=2.8.9
_relver=${pkgver}rel.1
-pkgrel=3
+pkgrel=4
pkgdesc="A text browser for the World Wide Web"
url="https://lynx.browser.org/"
arch=('x86_64')
@@ -12,11 +12,18 @@
license=('GPL')
depends=('openssl' 'libidn')
backup=('etc/lynx.cfg')
-source=("https://invisible-mirror.net/archives/lynx/tarballs/${pkgname}${_relver}.tar.bz2"{,.asc})
+source=("https://invisible-mirror.net/archives/lynx/tarballs/${pkgname}${_relver}.tar.bz2"{,.asc}
+ 'CVE-2021-38165.diff')
sha256sums=('387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595'
- 'SKIP')
+ 'SKIP'
+ '693f025a6886b555cc8d7b655de8e62bd8af870a74909e6a4b6cec6e3736dd0d')
validpgpkeys=('C52048C0C0748FEE227D47A2702353E0F7E48EDB')
-
+
+prepare() {
+ cd "${srcdir}/${pkgname}${_relver}"
+ patch --forward --strip=1 --input="${srcdir}/CVE-2021-38165.diff"
+}
+
build() {
cd "${srcdir}/${pkgname}${_relver}"
./configure --prefix=/usr \
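Review bot: Nothing in the PKGBUILD itself records where `CVE-2021-38165.diff` came from or when it can be dropped; that context exists only in the commit message. A comment above the `patch` call in `prepare()` would keep it with the code, for example `# CVE-2021-38165 (FS#71764): backported from 2.9.0dev.8..2.9.0dev.9; drop once a stable release includes it`. `build()` continues past the end of this hunk.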