wok-current diff lynx/stuff/lynx-2.8.9rel.1-security_fix-1.patch @ rev 24948

updated nagios-nrpe again (4.0.2 -> 4.0.3)
author Hans-G?nter Theisgen
date Fri Apr 22 17:47:12 2022 +0100 (2022-04-22)
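--- /dev/null
+++ b/lynx/stuff/lynx-2.8.9rel.1-security_fix-1.patch
@@ -0,0 +1,43 @@
+Submitted By:            Douglas R. Reno <renodr at linuxfromscratch dot org>
+Date:                    2021-12-18
+Initial Package Version: 2.8.9rel.1
+Upstream Status:         Applied
+Origin:                  Arch Linux (https://github.com/archlinux/svntogit-packages/blob/packages/lynx/trunk/CVE-2021-38165.diff)
+Description:             Fixes CVE-2021-38165 in Lynx, which allows for
+                         usernames and passwords to be transmitted in cleartext
+                         anytime an HTTPS connection is used. 
+
+diff -Naurp lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c
+--- lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c	2018-05-04 15:07:43.000000000 -0500
++++ lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c	2021-12-18 14:12:57.503796366 -0600
+@@ -761,6 +761,22 @@ static char *StripIpv6Brackets(char *hos
+     return host;
+ }
+ #endif
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++   char *p = strchr(host, '@');
++
++   if (p != NULL) {
++      char *q = host;
++
++      while ((*q++ = *++p) != '\0') ;
++   }
++   return host;
++}
++#endif
+ 
+ /*		Load Document from HTTP Server			HTLoadHTTP()
+  *		==============================
+@@ -957,6 +973,7 @@ static int HTLoadHTTP(const char *arg,
+ 	/* get host we're connecting to */
+ 	ssl_host = HTParse(url, "", PARSE_HOST);
+ 	ssl_host = StripIpv6Brackets(ssl_host);
++	ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ 	ret = gnutls_server_name_set(handle->gnutls_state,
+ 				     GNUTLS_NAME_DNS,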
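Review bot: `StripUserAuthents` cuts at the first `@` (`strchr`), so a host string whose userinfo itself contains an unencoded `@` would keep the tail of the password in `ssl_host`, which the following lines hand to `gnutls_server_name_set` as the server name; `char *p = strrchr(host, '@');` would drop everything up to the last `@` instead. The new call also runs after `StripIpv6Brackets`, whose body lies outside this hunk; if that helper only recognises a leading `[`, a `user@[v6-literal]` host would keep its brackets, so calling `StripUserAuthents` first looks safer. The comment above the helper could state why it exists, e.g. `/* Strip "user:password@" so credentials never reach the cleartext TLS server-name (SNI) field. */`. Separately, the commit message names only nagios-nrpe, so the addition of this CVE-2021-38165 fix cannot be found from the log.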