author | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-03-04 12:42:25 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2014-03-04 12:42:25 +0000 |
commit | 4fba92816c0e71757a88cc344de763867564d734 (patch) | |
tree | 1565498dbba7b6ccd82ed4058efc363b6226804a | |
parent | 8928dd366d7e9f0474451cd6a98473fac42a3c45 (diff) | |
download | aports-4fba92816c0e71757a88cc344de763867564d734.tar.bz2 aports-4fba92816c0e71757a88cc344de763867564d734.tar.xz |
main/elinks: security fix. Fixes #2664
-rw-r--r-- | main/elinks/APKBUILD | 17 | ||||
-rw-r--r-- | main/elinks/elinks-0.12pre6-ssl-hostname.patch | 87 |
2 files changed, 101 insertions, 3 deletions
diff --git a/main/elinks/APKBUILD b/main/elinks/APKBUILD
index e32388b1a4..e1832ebea2 100644
--- a/main/elinks/APKBUILD
+++ b/main/elinks/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=elinks
 pkgver=0.11.7
-pkgrel=3
+pkgrel=4
 pkgdesc="a text mode web browser"
 url="http://elinks.or.cz/"
 arch="all"
@@ -11,12 +11,22 @@ depends=
 makedepends="bzip2-dev zlib-dev openssl-dev expat-dev libiconv-dev gettext-dev"
 install=
 subpackages="$pkgname-doc"
-source="http://elinks.or.cz/download/elinks-$pkgver.tar.bz2"
+source="http://elinks.or.cz/download/elinks-$pkgver.tar.bz2
+ elinks-0.12pre6-ssl-hostname.patch
+ "
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 cd "$_builddir"
 # we should not link lua with -llualib
+ for i in $source; do
+ case $i in
+ *.patch)
+ msg "Applying $i"
+ patch -p1 -i "$srcdir"/$i || return 1
+ ;;
+ esac
+ done
 }
 build() {
@@ -37,4 +47,5 @@ package() {
 rm "$pkgdir"/usr/share/locale/locale.alias
 }
-md5sums="fcd087a6d2415cd4c6fd1db53dceb646 elinks-0.11.7.tar.bz2"
+md5sums="fcd087a6d2415cd4c6fd1db53dceb646 elinks-0.11.7.tar.bz2
+2558da494a828c2fd3854f7ba9fce0b2 elinks-0.12pre6-ssl-hostname.patch"
diff --git a/main/elinks/elinks-0.12pre6-ssl-hostname.patch b/main/elinks/elinks-0.12pre6-ssl-hostname.patch
new file mode 100644
index 0000000000..3ead38f721
--- /dev/null
+++ b/main/elinks/elinks-0.12pre6-ssl-hostname.patch
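Review bot: The patch loop added to prepare() has no comment of its own and now sits directly under `# we should not link lua with -llualib`, which describes something unrelated. A line such as `# apply every *.patch listed in $source, in order` above the `for` would make the intent clear. `$i` is also left unquoted in `"$srcdir"/$i`; `patch -p1 -i "$srcdir/$i" || return 1` is the safer spelling.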
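Review bot: The new patch is pinned only by an MD5 digest in `md5sums`, and the tarball in `source` is fetched over plain `http://`, so MD5 is the sole integrity check on everything that goes into this security update. MD5 is not collision-resistant, so a stronger digest should sit next to it. If the abuild version in use supports them, add `sha256sums=` or `sha512sums=` entries for both files, with the values generated from files that were verified independently.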
@@ -0,0 +1,87 @@
+From 135272d2c8528e70d9c201ce661ef44ddbe6fa75 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 19 Sep 2013 16:02:58 +0000
+Subject: rename to elinks-0.12pre6-ssl-hostname.patch
+
+... so that it reflects the actual version of elinks
+---
+(limited to 'elinks-0.12pre6-ssl-hostname.patch')
+
+diff --git a/elinks-0.12pre6-ssl-hostname.patch b/elinks-0.12pre6-ssl-hostname.patch
+new file mode 100644
+index 0000000..5a3820f
+--- /dev/null
++++ b/elinks-0.12pre6-ssl-hostname.patch
+@@ -0,0 +1,70 @@
++From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
++From: Kamil Dudka <kdudka@redhat.com>
++Date: Wed, 18 Sep 2013 13:42:40 +0200
++Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
++
++Bug: https://bugzilla.redhat.com/881411
++---
++ src/network/ssl/socket.c | 32 ++++++++++++++++++++++++++++++++
++ 1 files changed, 32 insertions(+), 0 deletions(-)
++
++diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
++index 3265107..0aeb037 100644
++--- a/src/network/ssl/socket.c
+++++ b/src/network/ssl/socket.c
++@@ -9,6 +9,9 @@
++ #define USE_OPENSSL
++ #elif defined(CONFIG_NSS_COMPAT_OSSL)
++ #include <nss_compat_ossl/nss_compat_ossl.h>
+++#include <nspr.h> /* for PR_GetError() */
+++#include <ssl.h> /* for SSL_SetURL() */
+++#include "protocol/uri.h" /* for get_uri_string() */
++ #define USE_OPENSSL
++ #elif defined(CONFIG_GNUTLS)
++ #include <gnutls/gnutls.h>
++@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
++ }
++ }
++
+++#ifdef CONFIG_NSS_COMPAT_OSSL
+++/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
+++SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
+++static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
+++{
+++ if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
+++ return SECFailure;
+++
+++ /* fallback to the default hook of nss_compat_ossl */
+++ return BadCertHandler(arg, ssl);
+++}
+++#endif
+++
++ /* Return -1 on error, 0 or success. */
++ int
++ ssl_connect(struct socket *socket)
++@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
++ return -1;
++ }
++
+++#ifdef CONFIG_NSS_COMPAT_OSSL
+++ /* fix for https://bugzilla.redhat.com/881411 */
+++ {
+++ struct connection *conn = socket->conn;
+++ unsigned char *host = get_uri_string(conn->uri, URI_HOST);
+++ if (!host
+++ || SECSuccess != SSL_SetURL(socket->ssl, host)
+++ || SECSuccess != SSL_BadCertHook(socket->ssl,
+++ nss_bad_cert_hook, /* XXX */ NULL))
+++ {
+++ socket->ops->done(socket, connection_state(S_SSL_ERROR));
+++ return -1;
+++ }
+++ }
+++#endif
+++
++ if (socket->no_tls)
++ ssl_set_no_tls(socket);
++
++--
++1.7.1
++
+--
+cgit v0.9.2 |
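Review bot: The file added here is not the socket.c patch itself but a cgit commit view wrapping it: its own header targets `b/elinks-0.12pre6-ssl-hostname.patch` as a new file, every line of the real patch carries an extra leading `+`, and the `-- cgit v0.9.2` footer is still attached. Applied with `patch -p1` from prepare(), it would most likely create a file named elinks-0.12pre6-ssl-hostname.patch in the build directory and exit successfully, leaving src/network/ssl/socket.c unmodified, so the hostname verification would not be added. The committed file should start at `From cc428d37023b3f73458cf2054f19395035307045` with one `+` level stripped, and its checksum regenerated. Separately, all the added code sits inside `#ifdef CONFIG_NSS_COMPAT_OSSL` while makedepends lists `openssl-dev`, so it is worth confirming that the fix covers the OpenSSL build of elinks 0.11.7 at all.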