wok-current annotate lynx/stuff/lynx-2.8.9rel.1-security_fix-1.patch @ rev 25368
libmpd: typo
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Fri Jul 29 10:44:25 2022 +0000 (2022-07-29) |
| parents | |
| children |
| rev | line source |
|---|---|
| pascal@24891 | 1 Submitted By: Douglas R. Reno <renodr at linuxfromscratch dot org> |
| pascal@24891 | 2 Date: 2021-12-18 |
| pascal@24891 | 3 Initial Package Version: 2.8.9rel.1 |
| pascal@24891 | 4 Upstream Status: Applied |
| pascal@24891 | 5 Origin: Arch Linux (https://github.com/archlinux/svntogit-packages/blob/packages/lynx/trunk/CVE-2021-38165.diff) |
| pascal@24891 | 6 Description: Fixes CVE-2021-38165 in Lynx, which allows for |
| pascal@24891 | 7 usernames and passwords to be transmitted in cleartext |
| pascal@24891 | 8 anytime an HTTPS connection is used. |
| pascal@24891 | 9 |
| pascal@24891 | 10 diff -Naurp lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c |
| pascal@24891 | 11 --- lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c 2018-05-04 15:07:43.000000000 -0500 |
| pascal@24891 | 12 +++ lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c 2021-12-18 14:12:57.503796366 -0600 |
| pascal@24891 | 13 @@ -761,6 +761,22 @@ static char *StripIpv6Brackets(char *hos |
| pascal@24891 | 14 return host; |
| pascal@24891 | 15 } |
| pascal@24891 | 16 #endif |
| pascal@24891 | 17 +/* |
| pascal@24891 | 18 + * Remove user/password, if any, from the given host-string. |
| pascal@24891 | 19 + */ |
| pascal@24891 | 20 +#ifdef USE_SSL |
| pascal@24891 | 21 +static char *StripUserAuthents(char *host) |
| pascal@24891 | 22 +{ |
| pascal@24891 | 23 + char *p = strchr(host, '@'); |
| pascal@24891 | 24 + |
| pascal@24891 | 25 + if (p != NULL) { |
| pascal@24891 | 26 + char *q = host; |
| pascal@24891 | 27 + |
| pascal@24891 | 28 + while ((*q++ = *++p) != '\0') ; |
| pascal@24891 | 29 + } |
| pascal@24891 | 30 + return host; |
| pascal@24891 | 31 +} |
| pascal@24891 | 32 +#endif |
| pascal@24891 | 33 |
| pascal@24891 | 34 /* Load Document from HTTP Server HTLoadHTTP() |
| pascal@24891 | 35 * ============================== |
| pascal@24891 | 36 @@ -957,6 +973,7 @@ static int HTLoadHTTP(const char *arg, |
| pascal@24891 | 37 /* get host we're connecting to */ |
| pascal@24891 | 38 ssl_host = HTParse(url, "", PARSE_HOST); |
| pascal@24891 | 39 ssl_host = StripIpv6Brackets(ssl_host); |
| pascal@24891 | 40 + ssl_host = StripUserAuthents(ssl_host); |
| pascal@24891 | 41 #if defined(USE_GNUTLS_FUNCS) |
| pascal@24891 | 42 ret = gnutls_server_name_set(handle->gnutls_state, |
| pascal@24891 | 43 GNUTLS_NAME_DNS, |