Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id D681E7A2C7
	for <mhonarc+pkgsrc-changes@mail-index.netbsd.org>; Wed, 21 Dec 2016 11:25:29 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 605)
	id 4ADC6855CC; Wed, 21 Dec 2016 11:25:29 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by mail.netbsd.org (Postfix) with ESMTP id CF6168556E
	for <pkgsrc-changes@NetBSD.org>; Wed, 21 Dec 2016 11:25:28 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1])
	by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025)
	with ESMTP id jZPsA85Dy_dX for <pkgsrc-changes@netbsd.org>;
	Wed, 21 Dec 2016 11:25:28 +0000 (UTC)
Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197])
	by mail.netbsd.org (Postfix) with ESMTP id 0F24A84CE9
	for <pkgsrc-changes@NetBSD.org>; Wed, 21 Dec 2016 11:25:28 +0000 (UTC)
Received: by cvs.NetBSD.org (Postfix, from userid 500)
	id DBDBBFBA6; Wed, 21 Dec 2016 11:25:25 +0000 (UTC)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_148231952541230"
MIME-Version: 1.0
Date: Wed, 21 Dec 2016 11:25:25 +0000
From: "Sevan Janiyan" <sevan@netbsd.org>
Subject: CVS commit: pkgsrc/www/lynx
To: pkgsrc-changes@NetBSD.org
Reply-To: sevan@netbsd.org
X-Mailer: log_accum
Message-Id: <20161221112525.DBDBBFBA6@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_148231952541230
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	sevan
Date:		Wed Dec 21 11:25:25 UTC 2016

Modified Files:
	pkgsrc/www/lynx: Makefile distinfo
Added Files:
	pkgsrc/www/lynx/patches: patch-WWW_Library_Implementation_HTTCP.c
	    patch-WWW_Library_Implementation_HTTP.c
	    patch-WWW_Library_Implementation_HTTP.h
	    patch-WWW_Library_Implementation_HTUTILS.h patch-src_LYUtils.c

Log Message:
Patch for POODLE & CVE-2016-9179.
Bump rev.


To generate a diff of this commit:
cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/lynx/Makefile
cvs rdiff -u -r1.33 -r1.34 pkgsrc/www/lynx/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c \
    pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c \
    pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h \
    pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h \
    pkgsrc/www/lynx/patches/patch-src_LYUtils.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_148231952541230
Content-Disposition: inline
Content-Length: 8397
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/www/lynx/Makefile
diff -u pkgsrc/www/lynx/Makefile:1.122 pkgsrc/www/lynx/Makefile:1.123
--- pkgsrc/www/lynx/Makefile:1.122	Fri Jul 22 18:51:41 2016
+++ pkgsrc/www/lynx/Makefile	Wed Dec 21 11:25:25 2016
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.122 2016/07/22 18:51:41 shattered Exp $
+# $NetBSD: Makefile,v 1.123 2016/12/21 11:25:25 sevan Exp $
 
 DISTNAME=	lynx2.8.8rel.2
 PKGNAME=	${DISTNAME:S/lynx/lynx-/:S/rel//}
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	www
 MASTER_SITES=	http://lynx.isc.org/${SUBDIR:Q}/ \
 		ftp://ftp.cyf-kr.edu.pl/pub/unix/lynx/${SUBDIR:Q}/

Index: pkgsrc/www/lynx/distinfo
diff -u pkgsrc/www/lynx/distinfo:1.33 pkgsrc/www/lynx/distinfo:1.34
--- pkgsrc/www/lynx/distinfo:1.33	Wed Nov  4 02:46:57 2015
+++ pkgsrc/www/lynx/distinfo	Wed Dec 21 11:25:25 2016
@@ -1,9 +1,14 @@
-$NetBSD: distinfo,v 1.33 2015/11/04 02:46:57 agc Exp $
+$NetBSD: distinfo,v 1.34 2016/12/21 11:25:25 sevan Exp $
 
 SHA1 (lynx2.8.8rel.2.tar.bz2) = 65bbf95627c88723bbb5880155e5fe01c2753d0c
 RMD160 (lynx2.8.8rel.2.tar.bz2) = a683f9c163a6c343bde53ffde99dbecce4e41b02
 SHA512 (lynx2.8.8rel.2.tar.bz2) = a475fb7b79641ddd7c20861e16d3d71ccb1a5ae33247cce0b9e73690dd664ebf129964c026bc33b0f082a7585e5a6acae9afc9a65f308e19b49fa0a8bebc0362
 Size (lynx2.8.8rel.2.tar.bz2) = 2587120 bytes
+SHA1 (patch-WWW_Library_Implementation_HTTCP.c) = 41bfcf7a2bee2d53cd811a710f782d108429c9f0
+SHA1 (patch-WWW_Library_Implementation_HTTP.c) = 3249d46c1494f7913da71c8d1f689d9f3523d0f3
+SHA1 (patch-WWW_Library_Implementation_HTTP.h) = 4ad3a9cf309c7ef32d0a53df6f5840ed57c25a31
+SHA1 (patch-WWW_Library_Implementation_HTUTILS.h) = 654c4bd1be5e2d8c74efb44e2a5e996957bf7622
 SHA1 (patch-aa) = 85e76c4b2708e01dd1abdc1af764a067bd83bcb9
 SHA1 (patch-ab) = 26fab3bd426a76df530e6780eefe36464059bc6a
 SHA1 (patch-af) = 31399c0c3394b90c0680708fff06f6f9e19674b3
+SHA1 (patch-src_LYUtils.c) = fadef16c363b3e4327dd822f57b99274bcc6c6e3

Added files:

Index: pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c
diff -u /dev/null pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c:1.1
--- /dev/null	Wed Dec 21 11:25:25 2016
+++ pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTCP.c	Wed Dec 21 11:25:25 2016
@@ -0,0 +1,31 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTCP.c,v 1.1 2016/12/21 11:25:25 sevan Exp $
+
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- WWW/Library/Implementation/HTTCP.c.orig	2016-12-21 10:03:58.000000000 +0000
++++ WWW/Library/Implementation/HTTCP.c
+@@ -1792,7 +1792,6 @@ int HTDoConnect(const char *url,
+     int status = 0;
+     char *line = NULL;
+     char *p1 = NULL;
+-    char *at_sign = NULL;
+     char *host = NULL;
+ 
+ #ifdef INET6
+@@ -1814,14 +1813,7 @@ int HTDoConnect(const char *url,
+      * Get node name and optional port number.
+      */
+     p1 = HTParse(url, "", PARSE_HOST);
+-    if ((at_sign = StrChr(p1, '@')) != NULL) {
+-	/*
+-	 * If there's an @ then use the stuff after it as a hostname.
+-	 */
+-	StrAllocCopy(host, (at_sign + 1));
+-    } else {
+-	StrAllocCopy(host, p1);
+-    }
++    strip_userid(host, FALSE);
+     FREE(p1);
+ 
+     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
Index: pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c
diff -u /dev/null pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c:1.1
--- /dev/null	Wed Dec 21 11:25:25 2016
+++ pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.c	Wed Dec 21 11:25:25 2016
@@ -0,0 +1,60 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.c,v 1.1 2016/12/21 11:25:25 sevan Exp $
+
+Mitigate POODLE vulnerability
+https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/02-init-openssl.patch
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- WWW/Library/Implementation/HTTP.c.orig	2014-01-11 19:06:15.000000000 +0000
++++ WWW/Library/Implementation/HTTP.c
+@@ -105,6 +105,8 @@ static int HTSSLCallback(int preverify_o
+ 
+ SSL *HTGetSSLHandle(void)
+ {
++    char *ciphers;
++
+ #ifdef USE_GNUTLS_INCL
+     static char *certfile = NULL;
+ #endif
+@@ -119,7 +121,12 @@ SSL *HTGetSSLHandle(void)
+ #else
+ 	SSLeay_add_ssl_algorithms();
+ 	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
++	/* Always disable SSLv2 & SSLv3 to "mitigate POODLE vulnerability". */
++	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
++
++	ciphers = (char *)DEFAULT_CIPHER_SELECTION;
++	SSL_CTX_set_cipher_list(ssl_ctx, ciphers);
++
+ #ifdef SSL_OP_NO_COMPRESSION
+ 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_COMPRESSION);
+ #endif
+@@ -419,7 +426,7 @@ int ws_netread(int fd, char *buf, int le
+ /*
+  * Strip any username from the given string so we retain only the host.
+  */
+-static void strip_userid(char *host)
++void strip_userid(char *host, int parse_only)
+ {
+     char *p1 = host;
+     char *p2 = StrChr(host, '@');
+@@ -432,7 +439,8 @@ static void strip_userid(char *host)
+ 
+ 	    CTRACE((tfp, "parsed:%s\n", fake));
+ 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
+-	    HTAlert(msg);
++	    if (msg !=0 && !parse_only)
++		HTAlert(msg);
+ 	    FREE(msg);
+ 	}
+ 	while ((*p1++ = *p2++) != '\0') {
+@@ -1074,7 +1082,7 @@ static int HTLoadHTTP(const char *arg,
+ 	char *host = NULL;
+ 
+ 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
+-	    strip_userid(host);
++	    strip_userid(host, TRUE);
+ 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
+ 	    FREE(host);
+ 	}
Index: pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h
diff -u /dev/null pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h:1.1
--- /dev/null	Wed Dec 21 11:25:25 2016
+++ pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTTP.h	Wed Dec 21 11:25:25 2016
@@ -0,0 +1,16 @@
+$NetBSD: patch-WWW_Library_Implementation_HTTP.h,v 1.1 2016/12/21 11:25:25 sevan Exp $
+
+Drop the use of weak ciphers
+https://hg.java.net/hg/solaris-userland~gate/file/bc5351dcb9ac/components/lynx/patches/03-weak-ciphers-by-default.patch
+
+--- WWW/Library/Implementation/HTTP.h.orig	2016-12-21 03:04:50.000000000 +0000
++++ WWW/Library/Implementation/HTTP.h
+@@ -21,6 +21,8 @@ extern "C" {
+     GLOBALREF HTProtocol HTTPS;
+ #endif				/* GLOBALREF_IS_MACRO */
+ 
++#define DEFAULT_CIPHER_SELECTION "ALL!EXPORT!EXPORT40!EXPORT56!aNULL!LOW!RC4"
++
+ #define URL_GET_METHOD  1
+ #define URL_POST_METHOD 2
+ #define URL_MAIL_METHOD 3
Index: pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h
diff -u /dev/null pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h:1.1
--- /dev/null	Wed Dec 21 11:25:25 2016
+++ pkgsrc/www/lynx/patches/patch-WWW_Library_Implementation_HTUTILS.h	Wed Dec 21 11:25:25 2016
@@ -0,0 +1,16 @@
+$NetBSD: patch-WWW_Library_Implementation_HTUTILS.h,v 1.1 2016/12/21 11:25:25 sevan Exp $
+
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- WWW/Library/Implementation/HTUtils.h.orig	2016-12-21 10:08:13.000000000 +0000
++++ WWW/Library/Implementation/HTUtils.h
+@@ -801,6 +801,8 @@ extern "C" {
+ 
+     extern FILE *TraceFP(void);
+ 
++    extern void strip_userid(char *host, int warn);
++
+ #ifdef USE_SSL
+     extern SSL *HTGetSSLHandle(void);
+     extern void HTSSLInitPRNG(void);
Index: pkgsrc/www/lynx/patches/patch-src_LYUtils.c
diff -u /dev/null pkgsrc/www/lynx/patches/patch-src_LYUtils.c:1.1
--- /dev/null	Wed Dec 21 11:25:25 2016
+++ pkgsrc/www/lynx/patches/patch-src_LYUtils.c	Wed Dec 21 11:25:25 2016
@@ -0,0 +1,15 @@
+$NetBSD: patch-src_LYUtils.c,v 1.1 2016/12/21 11:25:25 sevan Exp $
+
+Fix CVE-2016-9179
+https://hg.java.net/hg/solaris-userland~gate/file/0a979060f73b/components/lynx/patches/05-fix-CVE-2016-9179.patch
+
+--- src/LYUtils.c.orig	2016-12-21 10:09:24.000000000 +0000
++++ src/LYUtils.c
+@@ -4693,6 +4693,7 @@ BOOLEAN LYExpandHostForURL(char **Alloca
+      * Do a DNS test on the potential host field as presently trimmed.  - FM
+      */
+     StrAllocCopy(host, Str);
++    strip_userid(host, FALSE);
+     HTUnEscape(host);
+     if (LYCursesON) {
+ 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);


--_----------=_148231952541230--