authorLeonardo Arena <rnalrd@alpinelinux.org>2014-03-04 12:42:25 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2014-03-04 12:42:25 +0000
commit4fba92816c0e71757a88cc344de763867564d734 (patch)
tree1565498dbba7b6ccd82ed4058efc363b6226804a
parent8928dd366d7e9f0474451cd6a98473fac42a3c45 (diff)
downloadaports-4fba92816c0e71757a88cc344de763867564d734.tar.bz2
aports-4fba92816c0e71757a88cc344de763867564d734.tar.xz
main/elinks: security fix. Fixes #2664
-rw-r--r--main/elinks/APKBUILD17
-rw-r--r--main/elinks/elinks-0.12pre6-ssl-hostname.patch87
2 files changed, 101 insertions, 3 deletions
diff --git a/main/elinks/APKBUILD b/main/elinks/APKBUILD
index e32388b1a4..e1832ebea2 100644
--- a/main/elinks/APKBUILD
+++ b/main/elinks/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=elinks
pkgver=0.11.7
-pkgrel=3
+pkgrel=4
pkgdesc="a text mode web browser"
url="http://elinks.or.cz/"
arch="all"
@@ -11,12 +11,22 @@ depends=
makedepends="bzip2-dev zlib-dev openssl-dev expat-dev libiconv-dev gettext-dev"
install=
subpackages="$pkgname-doc"
-source="http://elinks.or.cz/download/elinks-$pkgver.tar.bz2"
+source="http://elinks.or.cz/download/elinks-$pkgver.tar.bz2
+ elinks-0.12pre6-ssl-hostname.patch
+ "
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
# we should not link lua with -llualib
+ for i in $source; do
+ case $i in
+ *.patch)
+ msg "Applying $i"
+ patch -p1 -i "$srcdir"/$i || return 1
+ ;;
+ esac
+ done
}
build() {
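Review bot: The hostname check carried by this patch sits entirely inside `CONFIG_NSS_COMPAT_OSSL` preprocessor branches of src/network/ssl/socket.c, while `makedepends` here lists `openssl-dev`, so a build against OpenSSL would most likely compile none of it even when the patch applies. The patch is also named for 0.12pre6 while `pkgver` is 0.11.7, so its hunks may not match this tree. build() lies outside the hunk and the configure flags are not visible, so I would confirm on the built package that a certificate with a mismatched hostname is actually rejected. In the new loop, quote the whole path as `patch -p1 -i "$srcdir/$i" || return 1`. The leftover comment `# we should not link lua with -llualib` now sits above unrelated code and should be removed or replaced.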
@@ -37,4 +47,5 @@ package() {
rm "$pkgdir"/usr/share/locale/locale.alias
}
-md5sums="fcd087a6d2415cd4c6fd1db53dceb646 elinks-0.11.7.tar.bz2"
+md5sums="fcd087a6d2415cd4c6fd1db53dceb646 elinks-0.11.7.tar.bz2
+2558da494a828c2fd3854f7ba9fce0b2 elinks-0.12pre6-ssl-hostname.patch"
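Review bot: `md5sums` is the only integrity check on both sources, and the tarball in `source` is fetched over plain `http://`, so the download has no transport protection and relies on a hash that no longer offers the collision resistance expected of a source checksum. Where the abuild in use supports it, add a `sha512sums=` (or `sha256sums=`) block alongside `md5sums` covering the same two files.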
diff --git a/main/elinks/elinks-0.12pre6-ssl-hostname.patch b/main/elinks/elinks-0.12pre6-ssl-hostname.patch
new file mode 100644
index 0000000000..3ead38f721
--- /dev/null
+++ b/main/elinks/elinks-0.12pre6-ssl-hostname.patch
@@ -0,0 +1,87 @@
+From 135272d2c8528e70d9c201ce661ef44ddbe6fa75 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 19 Sep 2013 16:02:58 +0000
+Subject: rename to elinks-0.12pre6-ssl-hostname.patch
+
+... so that it reflects the actual version of elinks
+---
+(limited to 'elinks-0.12pre6-ssl-hostname.patch')
+
+diff --git a/elinks-0.12pre6-ssl-hostname.patch b/elinks-0.12pre6-ssl-hostname.patch
+new file mode 100644
+index 0000000..5a3820f
+--- /dev/null
++++ b/elinks-0.12pre6-ssl-hostname.patch
+@@ -0,0 +1,70 @@
++From cc428d37023b3f73458cf2054f19395035307045 Mon Sep 17 00:00:00 2001
++From: Kamil Dudka <kdudka@redhat.com>
++Date: Wed, 18 Sep 2013 13:42:40 +0200
++Subject: [PATCH] verify server certificate hostname with nss_compat_ossl
++
++Bug: https://bugzilla.redhat.com/881411
++---
++ src/network/ssl/socket.c | 32 ++++++++++++++++++++++++++++++++
++ 1 files changed, 32 insertions(+), 0 deletions(-)
++
++diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
++index 3265107..0aeb037 100644
++--- a/src/network/ssl/socket.c
+++++ b/src/network/ssl/socket.c
++@@ -9,6 +9,9 @@
++ #define USE_OPENSSL
++ #elif defined(CONFIG_NSS_COMPAT_OSSL)
++ #include <nss_compat_ossl/nss_compat_ossl.h>
+++#include <nspr.h> /* for PR_GetError() */
+++#include <ssl.h> /* for SSL_SetURL() */
+++#include "protocol/uri.h" /* for get_uri_string() */
++ #define USE_OPENSSL
++ #elif defined(CONFIG_GNUTLS)
++ #include <gnutls/gnutls.h>
++@@ -116,6 +119,19 @@ ssl_want_read(struct socket *socket)
++ }
++ }
++
+++#ifdef CONFIG_NSS_COMPAT_OSSL
+++/* wrap nss_compat_ossl to honour SSL_ERROR_BAD_CERT_DOMAIN */
+++SECStatus BadCertHandler(void *arg, PRFileDesc *ssl);
+++static SECStatus nss_bad_cert_hook(void *arg, PRFileDesc *ssl)
+++{
+++ if (SSL_ERROR_BAD_CERT_DOMAIN == PR_GetError())
+++ return SECFailure;
+++
+++ /* fallback to the default hook of nss_compat_ossl */
+++ return BadCertHandler(arg, ssl);
+++}
+++#endif
+++
++ /* Return -1 on error, 0 or success. */
++ int
++ ssl_connect(struct socket *socket)
++@@ -127,6 +143,22 @@ ssl_connect(struct socket *socket)
++ return -1;
++ }
++
+++#ifdef CONFIG_NSS_COMPAT_OSSL
+++ /* fix for https://bugzilla.redhat.com/881411 */
+++ {
+++ struct connection *conn = socket->conn;
+++ unsigned char *host = get_uri_string(conn->uri, URI_HOST);
+++ if (!host
+++ || SECSuccess != SSL_SetURL(socket->ssl, host)
+++ || SECSuccess != SSL_BadCertHook(socket->ssl,
+++ nss_bad_cert_hook, /* XXX */ NULL))
+++ {
+++ socket->ops->done(socket, connection_state(S_SSL_ERROR));
+++ return -1;
+++ }
+++ }
+++#endif
+++
++ if (socket->no_tls)
++ ssl_set_no_tls(socket);
++
++--
++1.7.1
++
+--
+cgit v0.9.2
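Review bot: The file added here is a commit that creates elinks-0.12pre6-ssl-hostname.patch rather than the patch itself: its only live diff header is `diff --git a/elinks-0.12pre6-ssl-hostname.patch b/elinks-0.12pre6-ssl-hostname.patch`, and every socket.c line carries a second `+`. Applied with `patch -p1` from prepare(), it would create a file of that name in the source tree and leave src/network/ssl/socket.c unchanged, so the certificate hostname verification would not be built. Strip the outer wrapper so the file begins at the inner `From cc428d37…` header and its first diff header is `diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c`, then regenerate the checksum. Separately, in the ssl_connect() addition `host` from `get_uri_string()` is not released on either path; if that helper returns an allocated string, as it appears to, add `mem_free(host);` once `SSL_SetURL()` has been called.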