!9 [sync] PR-7: fix CVE-2021-38165

From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek
fix CVE-2021-38165
2021-08-18 03:06:59 +00:00 · 2021-08-18 10:01:13 +08:00 · 2020-01-13 23:36:13 +08:00 · 2020-01-13 22:12:56 +08:00 · 2019-12-25 10:17:47 +08:00 · 2019-12-25 10:16:00 +08:00
4 changed files with 238 additions and 0 deletions
--- a/CVE-2021-38165.patch
+++ b/CVE-2021-38165.patch
@ -0,0 +1,49 @@
+Description: Fix CVE-2021-38165
+ CVE-2021-38165: If Lynx is given an HTTPS URL which included username
+ and password, e.g. https://username:password@www.example.org/,
+ username and password were sent over the wire in clear text if the
+ TLS 1.2 Server Name Indication (SNI) extension was used.
+ .
+ This patch is extracted from upstream's patch from 2.9.0dev.8 to
+ 2.9.0dev.9 to fix this issue.
+Origin: https://invisible-mirror.net/archives/lynx/patches/lynx2.9.0dev.9.patch.gz
+Author: Thomas E. Dickey <dickey@invisible-island.net>
+Reviewed-By: Axel Beckert <abe@debian.org>
+Bug-Debian: https://bugs.debian.org/991971
+Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
+Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
+
+--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
+@@ -762,6 +762,23 @@
+ }
+ #endif
+ 
+/*
+ * Remove user/password, if any, from the given host-string.
+ */
+#ifdef USE_SSL
+static char *StripUserAuthents(char *host)
+{
+    char *p = strchr(host, '@');
+
+    if (p != NULL) {
+	char *q = host;
+
+	while ((*q++ = *++p) != '\0') ;
+    }
+    return host;
+}
+#endif
+
+ /*		Load Document from HTTP Server			HTLoadHTTP()
+  *		==============================
+  *
+@@ -957,6 +974,7 @@
+ 	/* get host we're connecting to */
+ 	ssl_host = HTParse(url, "", PARSE_HOST);
+ 	ssl_host = StripIpv6Brackets(ssl_host);
+	ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ 	ret = gnutls_server_name_set(handle->gnutls_state,
+ 				     GNUTLS_NAME_DNS,
--- a/lynx-CVE-2008-4690.patch
+++ b/lynx-CVE-2008-4690.patch
@ -0,0 +1,61 @@
+From c60c227ab9a36246730d7454e33d40d2c66c88b3 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 13 Feb 2013 15:26:22 +0100
+Subject: [PATCH] fix CVE-2008-4690
+
+prompt user before executing command via a lynxcgi link even in advanced mode,
+as the actual URL may not be shown but hidden behind an HTTP redirect and set
+TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
+---
+ CHANGES     |    7 +++++++
+ lynx.cfg    |    2 +-
+ src/LYCgi.c |    2 +-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 360be68..8eca013 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1355,6 +1355,13 @@ Changes since Lynx 2.8 release
+ * update win32 makefiles/build scripts to add LYmktime, parsdate modules -TD
+ * update config.guess (2008-04-14), config.sub (2008-06-16)
+ 
+2008-10-26
+* modify patch for CVE-2005-2929 to prompt user before executing command via
+  a lynxcgi link even in advanced mode, as the actual URL may not be shown but
+  hidden behind an HTTP redirect
+* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
+  [CVE-2008-4690]
+
+ 2008-09-21 (2.8.7dev.10)
+ * remove rw.po, since the translation project no longer supplies it -TD
+ * implement "readonly" attribute for TEXTAREA and TEXT fields -TD
+diff --git a/lynx.cfg b/lynx.cfg
+index ee2aad3..144050d 100644
+--- a/lynx.cfg
+++ b/lynx.cfg
+@@ -1087,7 +1087,7 @@ LOCALE_CHARSET:TRUE
+ #
+ # The default TRUSTED_LYNXCGI rule is "none".
+ #
+-#TRUSTED_LYNXCGI:none
+TRUSTED_LYNXCGI:none
+ 
+ .h2 LYNXCGI_ENVIRONMENT
+ # Unix:
+diff --git a/src/LYCgi.c b/src/LYCgi.c
+index 832bb89..0ae8a7e 100644
+--- a/src/LYCgi.c
+++ b/src/LYCgi.c
+@@ -167,7 +167,7 @@ static BOOL can_exec_cgi(const char *linktext, const char *linkargs)
+     if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ 	/* exec_ok gives out msg. */
+ 	result = FALSE;
+-    } else {
+    } else if (user_mode < ADVANCED_MODE) {
+ 	StrAllocCopy(command, linktext);
+ 	if (non_empty(linkargs)) {
+ 	    HTSprintf(&command, " %s", linkargs);
+-- 
+1.7.1
+
--- a/lynx.spec
+++ b/lynx.spec
@ -0,0 +1,128 @@
+Summary: A text browser for the World Wide Web
+Name:    lynx
+Version: 2.8.9
+Release: 6
+License: GPLv2
+URL:     http://lynx.browser.org/
+Source:  https://invisible-mirror.net/archives/%{name}/tarballs/%{name}%{version}rel.1.tar.bz2
+
+Patch0:  %{name}-CVE-2008-4690.patch
+Patch1:  CVE-2021-38165.patch
+
+Provides: webclient text-www-browser
+BuildRequires: dos2unix gcc gettext telnet unzip zip
+BuildRequires: openssl-devel ncurses-devel slang-devel zlib-devel
+Requires: %{_vendor}-indexhtml
+
+%description
+Lynx is a fully-featured World Wide Web (WWW) client for users running
+cursor-addressable, character-cell display devices such as vt100 terminals,
+vt100 emulators running on Windows 95/NT or Macintoshes, or any other
+character-cell display.  It will display Hypertext Markup Language (HTML)
+documents containing links to files on the local system, as well as files on
+remote systems running http, gopher, ftp, wais, nntp, finger, or cso/ph/qi
+servers, and services accessible via logins to telnet, tn3270 or rlogin
+accounts.  Current versions of Lynx run on Unix, VMS, Windows95
+through Windows 8, 386DOS and OS/2 EMX.
+
+Lynx can be used to access information on the WWW, or to establish
+information systems intended primarily for local access.  Lynx has been
+used to build several Campus Wide Information Systems (CWIS).  Lynx can
+also be used to build systems isolated within a single LAN.
+
+%package_help
+
+
+%prep
+%autosetup -p1 -n %{name}%{version}rel.1
+
+%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
+sed -e "s,^HELPFILE:.*,HELPFILE:file://localhost%{_pkgdocdir}/lynx_help/lynx_help_main.html,g" -i %{name}.cfg
+sed -e 's,^STARTFILE:.*,STARTFILE:file:%{_docdir}/HTML/en-US/index.html,' -i %{name}.cfg
+
+%build
+%configure --libdir=/etc            \
+    --enable-prettysrc              \
+    --enable-charset-choice         \
+    --enable-cjk                    \
+    --enable-warnings               \
+    --enable-debug                  \
+    --enable-justify-elts           \
+    --enable-externs                \
+    --enable-file-upload            \
+    --enable-ipv6                   \
+    --enable-addrlist-page          \
+    --enable-locale-charset         \
+    --enable-kbd-layout             \
+    --enable-libjs                  \
+    --enable-nls                    \
+    --disable-rpath-hack            \
+    --enable-nsl-fork               \
+    --enable-persistent-cookies     \
+    --enable-default-colors         \
+    --enable-read-eta               \
+    --disable-font-switch           \
+    --enable-internal-links         \
+    --enable-scrollbar              \
+    --enable-cgi-links              \
+    --enable-japanese-utf8          \
+    --enable-source-cache           \
+    --with-ssl=%{_libdir}           \
+    --with-screen=ncursesw          \
+    --with-zlib                     \
+    ac_cv_path_RLOGIN=/usr/bin/rlogin
+
+make -C po
+%make_build
+
+%install
+chmod -x samples/mailto-form.pl
+%make_install
+
+rm -f test/X test/nobody samples/*.bat
+rm -f docs/OS-390.announce docs/README.jp
+
+dos2unix samples/%{name}-demo.cfg
+dos2unix samples/midnight.lss
+
+install -d %{buildroot}%{_datadir}/locale/ja/LC_MESSAGES/
+
+cat >%{buildroot}%{_sysconfdir}/%{name}-site.cfg <<EOF
+# Place any local lynx configuration options (proxies etc.) here.
+EOF
+
+%find_lang %{name}
+
+%files -f %{name}.lang
+%{_bindir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}.cfg
+%config(noreplace) %{_sysconfdir}/%{name}.lss
+%config(noreplace,missingok) %{_sysconfdir}/%{name}-site.cfg
+
+%files help
+%doc docs README INSTALLATION samples
+%doc test %{name}.hlp %{name}_help
+%{_mandir}/*/*
+
+%changelog
+* Tue Aug 17 2021 houyingchao <houyingchao@huawei.com> - 2.8.9-6
+- Fix CVE-2021-38165
+
+* Mon Jan 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.8.9-5
+- Type:enhancement
+- Id:NA
+- SUG:NA
+- DESC:optimization the spec
+
+* Tue Dec 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.8.9-4
+- Require openEuler-indexhtml
+
+* Tue Dec 3 2019 mengxian <mengxian@huawei.com> - 2.8.9-3
+- Package init
+
+* Sat Mar 30 2019 wuyou<wuyou88@huawei.com> - 2.8.9-2.h1
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: modify requires to  euleros-indexhtml
+
--- a/lynx2.8.9rel.1.tar.bz2
+++ b/lynx2.8.9rel.1.tar.bz2
Author	SHA1	Message	Date
openeuler-ci-bot	b716401dde	!9 [sync] PR-7: fix CVE-2021-38165 From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-08-18 03:06:59 +00:00
houyingchao	c067439a3d	fix CVE-2021-38165 (cherry picked from commit f8ec9daf6d8996607cf978c9ffbdcbae9d13323d)	2021-08-18 10:01:13 +08:00
openeuler-ci-bot	de69478393	!5 optimization the spec Merge pull request !5 from orange-snn/master	2020-01-13 23:36:13 +08:00
songnannan	a36bf3ff6e	optimization the spec	2020-01-13 22:12:56 +08:00
openeuler-ci-bot	d19f8f46b2	!4 require openEuler-indexhtml Merge pull request !4 from openeuler-compute/sync	2019-12-25 10:17:47 +08:00
caomeng5@huawei.com	9e9ce366a0	require openEuler-indexhtml	2019-12-25 10:16:00 +08:00
openeuler-ci-bot	f4c9132e64	!3 Package init Merge pull request !3 from openeuler-compute/init	2019-12-17 17:37:32 +08:00
caomeng5@huawei.com	8051ebb9a3	update patch files	2019-12-17 17:31:46 +08:00
openeuler-ci-bot	ebaebd595c	!1 Package init Merge pull request !1 from openeuler-compute/init	2019-12-17 14:47:40 +08:00
caomeng5@huawei.com	dcac4b1a0e	init	2019-12-17 14:44:32 +08:00