diff --git a/SOURCES/lynx-2.8.9-CVE-2021-38165.patch b/SOURCES/lynx-2.8.9-CVE-2021-38165.patch new file mode 100644 index 0000000..8fd65ed --- /dev/null +++ b/SOURCES/lynx-2.8.9-CVE-2021-38165.patch @@ -0,0 +1,51 @@ +From e786483fb4b6fd2460c9a58ad7074e82ecf91747 Mon Sep 17 00:00:00 2001 +From: Tomas Hoger +Date: Thu, 19 Aug 2021 16:50:02 +0200 +Subject: [PATCH] Upstream patch for CVE-2021-38165 + +Extracted from lynx 2.9.0dev.9. + +Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1994998#c2 +--- + WWW/Library/Implementation/HTTP.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/WWW/Library/Implementation/HTTP.c b/WWW/Library/Implementation/HTTP.c +index 41ab849..4a50b41 100644 +--- a/WWW/Library/Implementation/HTTP.c ++++ b/WWW/Library/Implementation/HTTP.c +@@ -762,6 +762,23 @@ static char *StripIpv6Brackets(char *host) + } + #endif + ++/* ++ * Remove user/password, if any, from the given host-string. ++ */ ++#ifdef USE_SSL ++static char *StripUserAuthents(char *host) ++{ ++ char *p = strchr(host, '@'); ++ ++ if (p != NULL) { ++ char *q = host; ++ ++ while ((*q++ = *++p) != '\0') ; ++ } ++ return host; ++} ++#endif ++ + /* Load Document from HTTP Server HTLoadHTTP() + * ============================== + * +@@ -957,6 +974,7 @@ static int HTLoadHTTP(const char *arg, + /* get host we're connecting to */ + ssl_host = HTParse(url, "", PARSE_HOST); + ssl_host = StripIpv6Brackets(ssl_host); ++ ssl_host = StripUserAuthents(ssl_host); + #if defined(USE_GNUTLS_FUNCS) + ret = gnutls_server_name_set(handle->gnutls_state, + GNUTLS_NAME_DNS, +-- +2.31.1 + diff --git a/SPECS/lynx.spec b/SPECS/lynx.spec index a5eb159..24ab6c0 100644 --- a/SPECS/lynx.spec +++ b/SPECS/lynx.spec @@ -3,7 +3,7 @@ Summary: A text-based Web browser Name: lynx Version: 2.8.9 -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2 Group: Applications/Internet Source: https://invisible-mirror.net/archives/lynx/tarballs/lynx%{version}rel.%{devrel}.tar.bz2 @@ -27,6 +27,9 @@ Patch3: lynx-2.8.8-locale.patch # fix bugs detected by static analysis (#1602612) Patch4: lynx-2.8.9-static-analysis.patch +# fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165) +Patch5: lynx-2.8.9-CVE-2021-38165.patch + Provides: webclient Provides: text-www-browser BuildRequires: dos2unix @@ -59,6 +62,7 @@ exits quickly and swiftly displays web pages. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} sed -e "s,^HELPFILE:.*,HELPFILE:file://localhost%{_pkgdocdir}/lynx_help/lynx_help_main.html,g" -i lynx.cfg @@ -135,6 +139,9 @@ EOF %config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg %changelog +* Tue Aug 31 2021 Kamil Dudka - 2.8.9-4 +- fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165) + * Thu Nov 08 2018 Kamil Dudka - 2.8.9-2 - fix bugs detected by static analysis (#1602612)