author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:12:15 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-06 01:12:15 +0000 |
commit | 602181b0f32e6960e5552302e5dd32e2cffe4611 (patch) | |
tree | 1035b319846d91f8ae39bdc64b91ec170e584a9f /debian/patches | |
parent | Adding upstream version 2.8.9rel.1. (diff) | |
Adding debian version 2.8.9rel.1-3+deb10u1.debian/2.8.9rel.1-3+deb10u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/21_do_not_strip_-g.diff | 17 | ||||
-rw-r--r-- | debian/patches/90_CVE-2021-38165.patch | 49 | ||||
-rw-r--r-- | debian/patches/aboutlynx.patch | 19 | ||||
-rw-r--r-- | debian/patches/fix-tls-1.3.patch | 48 | ||||
-rw-r--r-- | debian/patches/lynxcfg.patch | 219 | ||||
-rw-r--r-- | debian/patches/nested_tables.patch | 15 | ||||
-rw-r--r-- | debian/patches/series | 6 |
7 files changed, 373 insertions, 0 deletions
diff --git a/debian/patches/21_do_not_strip_-g.diff b/debian/patches/21_do_not_strip_-g.diff
new file mode 100644
index 0000000..048bf99
--- /dev/null
+++ b/debian/patches/21_do_not_strip_-g.diff
@@ -0,0 +1,17 @@
+Description: Stop ./configure from stripping out -g from CFLAGS
+Author: Andreas Metzler <ametzler@debian.org>,
+ Simon Ruderich <simon@ruderich.org>
+Origin: vendor
+Last-Update: 2015-05-08
+
+--- a/configure
++++ b/configure
+@@ -3475,7 +3475,7 @@
+ test -z "$ORIGINAL_CFLAGS" && CFLAGS=`echo ${CFLAGS} | sed -e 's%-g %%' -e 's%-g$%%'`
+ ;;
+ (*)
+- test -z "$ORIGINAL_CFLAGS" && CFLAGS=`echo ${CFLAGS} | sed -e 's%-g %%' -e 's%-g$%%'`
++ :
+ ;;
+ esac
+ fi
diff --git a/debian/patches/90_CVE-2021-38165.patch b/debian/patches/90_CVE-2021-38165.patch
new file mode 100644
index 0000000..b9f9a54
--- /dev/null
+++ b/debian/patches/90_CVE-2021-38165.patch
@@ -0,0 +1,49 @@
+Description: Fix CVE-2021-38165
+ CVE-2021-38165: If Lynx is given an HTTPS URL which included username
+ and password, e.g. https://username:password@www.example.org/,
+ username and password were sent over the wire in clear text if the
+ TLS 1.2 Server Name Indication (SNI) extension was used.
+ .
+ This patch is extracted from upstream's patch from 2.9.0dev.8 to
+ 2.9.0dev.9 to fix this issue.
+Origin: https://invisible-mirror.net/archives/lynx/patches/lynx2.9.0dev.9.patch.gz
+Author: Thomas E. Dickey <dickey@invisible-island.net>
+Reviewed-By: Axel Beckert <abe@debian.org>
+Bug-Debian: https://bugs.debian.org/991971
+Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
+Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
+
+--- a/WWW/Library/Implementation/HTTP.c
++++ b/WWW/Library/Implementation/HTTP.c
+@@ -762,6 +762,23 @@
+ }
+ #endif
+
++/*
++ * Remove user/password, if any, from the given host-string.
++ */
++#ifdef USE_SSL
++static char *StripUserAuthents(char *host)
++{
++ char *p = strchr(host, '@');
++
++ if (p != NULL) {
++ char *q = host;
++
++ while ((*q++ = *++p) != '\0') ;
++ }
++ return host;
++}
++#endif
++
+ /* Load Document from HTTP Server HTLoadHTTP()
+ * ==============================
+ *
+@@ -957,6 +974,7 @@
+ /* get host we're connecting to */
+ ssl_host = HTParse(url, "", PARSE_HOST);
+ ssl_host = StripIpv6Brackets(ssl_host);
++ ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ ret = gnutls_server_name_set(handle->gnutls_state,
+ GNUTLS_NAME_DNS,
diff --git a/debian/patches/aboutlynx.patch b/debian/patches/aboutlynx.patch
new file mode 100644
index 0000000..72335d6
--- /dev/null
+++ b/debian/patches/aboutlynx.patch
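Review bot: `StripUserAuthents` cuts at the first `@` (`strchr(host, '@')`), so a host string whose userinfo itself contains a literal `@` would keep the tail of the credentials in front of the hostname, and that remainder is what gets passed on as the SNI name in `gnutls_server_name_set`. The host is whatever follows the last `@`, so `char *p = strrchr(host, '@');` is the safer choice. Separately, in the second inner hunk `StripIpv6Brackets` runs before the userinfo is removed; if that helper only recognises a leading `[` (its body is not part of this patch), a URL with both credentials and a bracketed IPv6 literal would keep its brackets, so calling `StripUserAuthents` first looks more robust. `HTLoadHTTP` and the code around the call site continue outside the lines shown.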
@@ -0,0 +1,19 @@
+Description: Modify about_lynx.html for Debian package
+Author: Atsuhito Kohda <kohda@debian.org>
+Forwarded: not-needed
+
+--- ./lynx_help/about_lynx.html.orgl Tue Oct 9 12:34:06 2001
++++ ./lynx_help/about_lynx.html Tue Oct 9 12:35:16 2001
+@@ -65,9 +65,9 @@
+ the University of Kansas. However most of the release (and
+ corresponding copyright) is the work of developers on the
+ <a href="#lynx-dev_list"><em>lynx-dev mailing list</em></a>. It
+- is distributed <a href="COPYHEADER">without restrictions on usage
+- or redistribution</a> under the <a href="COPYING">GNU General
+- Public License (Version 2)</a>.</p>
++ is distributed without restrictions on usage
++ or redistribution under the GNU General
++ Public License (Version 2).</p>
+
+ <p><strong>Lynx</strong> was built over an early version of the
+ Common Code Library developed by the CERN WWW Project. That code
diff --git a/debian/patches/fix-tls-1.3.patch b/debian/patches/fix-tls-1.3.patch
new file mode 100644
index 0000000..e318b76
--- /dev/null
+++ b/debian/patches/fix-tls-1.3.patch
@@ -0,0 +1,48 @@
+Description: Fix connection to HTTPS sites offering TLS 1.3
+Author: Andreas Metzler <ametzler@bebt.de>
+Origin: https://lists.gnu.org/archive/html/lynx-dev/2018-12/msg00009.html
+
+--- a/src/tidy_tls.c
++++ b/src/tidy_tls.c
+@@ -462,13 +462,25 @@
+ {
+ int rc;
+
+- rc = (int) gnutls_record_recv(ssl->gnutls_state, buffer, (size_t) length);
++ do
++ {
++ rc = (int) gnutls_record_recv(ssl->gnutls_state, buffer, (size_t) length);
++ }
++ while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
+
+ if (rc < 0 && gnutls_error_is_fatal(rc) == 0) {
+ if (rc == GNUTLS_E_REHANDSHAKE) {
+ (void) gnutls_handshake(ssl->gnutls_state);
+- gnutls_record_send(ssl->gnutls_state, ssl->sendbuffer, (size_t) ssl->bytes_sent);
+- rc = (int) gnutls_record_recv(ssl->gnutls_state, buffer, (size_t) length);
++ do
++ {
++ rc = (int) gnutls_record_send(ssl->gnutls_state, ssl->sendbuffer, (size_t) ssl->bytes_sent);
++ }
++ while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
++ do
++ {
++ rc = (int) gnutls_record_recv(ssl->gnutls_state, buffer, (size_t) length);
++ }
++ while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
+ }
+ }
+
+@@ -500,7 +512,11 @@
+ {
+ int rc;
+
+- rc = (int) gnutls_record_send(ssl->gnutls_state, buffer, (size_t) length);
++ do
++ {
++ rc = (int) gnutls_record_send(ssl->gnutls_state, buffer, (size_t) length);
++ }
++ while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
+ ssl->last_error = rc;
+
+ if (rc < 0) {
diff --git a/debian/patches/lynxcfg.patch b/debian/patches/lynxcfg.patch
new file mode 100644
index 0000000..fceb8d4
--- /dev/null
+++ b/debian/patches/lynxcfg.patch
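Review bot: The new `do { … } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));` loops in both the read and the write wrapper retry immediately and without any bound, so on a non-blocking or stalled transport they would spin at full CPU until the peer responds; whether the descriptor can be non-blocking here is not visible in the hunks. Waiting for readiness on the transport descriptor between attempts, or capping the number of retries, would avoid that. In the rehandshake branch the result of `gnutls_record_send` is now stored in `rc` but immediately overwritten by the receive loop that follows, and `gnutls_handshake` is still called with `(void)`, so a failed rehandshake or resend goes unnoticed; `rc = (int) gnutls_handshake(ssl->gnutls_state);` followed by resending only when `rc == 0` would make that error path explicit. The enclosing functions start and end outside the hunks.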
@@ -0,0 +1,219 @@
+Description: Modify the lynx.cfg to Debian system
+Author: Atsuhito Kohda <kohda@debian.org>
+Author: Denis Briand <debian@denis-briand.fr>
+Author: Axel Beckert <abe@debian.org>
+Forwarded: not-needed
+Last-Update: 2017-10-30
+
+--- a/lynx.cfg
++++ b/lynx.cfg
+@@ -108,12 +108,13 @@
+ #
+ # Normally we expect you will connect to a remote site, e.g., the Lynx starting
+ # site:
+-STARTFILE:https://lynx.invisible-island.net/
++#STARTFILE:https://lynx.invisible-island.net/
+ #
+ # As an alternative, you may want to use a local URL. A good choice for this is
+ # the user's home directory:
+ .ex
+ #STARTFILE:file://localhost/~/
++STARTFILE:file://localhost/usr/share/doc/lynx/lynx_help/about_lynx.html.gz
+ #
+ # Your choice of STARTFILE should reflect your site's needs, and be a URL that
+ # you can connect to reliably. Otherwise users will become confused and think
+@@ -132,9 +133,10 @@
+ # This definition will be overridden if the "LYNX_HELPFILE" environment
+ # variable has been set.
+ #
+-HELPFILE:https://lynx.invisible-island.net/lynx_help/lynx_help_main.html
++#HELPFILE:https://lynx.invisible-island.net/lynx_help/lynx_help_main.html
+ .ex
+-#HELPFILE:file://localhost/PATH_TO/lynx_help/lynx_help_main.html
++##HELPFILE:file://localhost/PATH_TO/lynx_help/lynx_help_main.html
++HELPFILE:file://localhost/usr/share/doc/lynx-common/lynx_help/lynx_help_main.html
+
+ .h2 DEFAULT_INDEX_FILE
+ # DEFAULT_INDEX_FILE is the default file retrieved when the
+@@ -454,7 +456,7 @@
+ # Find RFC 1345 at
+ .url http://tools.ietf.org/html/rfc1345
+ #
+-#CHARACTER_SET:iso-8859-1
++CHARACTER_SET:iso-8859-1
+
+ .h2 LOCALE_CHARSET
+ # LOCALE_CHARSET overrides CHARACTER_SET if true, using the current locale to
+@@ -468,6 +470,7 @@
+ # happens to give useful values, but other implementations are not guaranteed
+ # to do this.
+ #LOCALE_CHARSET:FALSE
++LOCALE_CHARSET:TRUE
+
+ .h2 HTML5_CHARSETS
+ # HTML5_CHARSETS is an alternative to ASSUME_CHARSET and ASSUME_LOCAL_CHARSET.
+@@ -565,7 +568,7 @@
+ # compatibility problems with other browsers, see also PREPEND_BASE_TO_SOURCE.
+ # Note that the prepending is not done for -source dumps.
+ #
+-#PREPEND_CHARSET_TO_SOURCE:TRUE
++PREPEND_CHARSET_TO_SOURCE:FALSE
+
+ .h2 NCR_IN_BOOKMARKS
+ # NCR_IN_BOOKMARKS:TRUE allows you to save 8-bit characters in bookmark titles
+@@ -617,7 +620,7 @@
+ # the 'o'ptions menu and save that preference in their RC file.
+ # This may be a comma-separated list of languages in decreasing preference.
+ #
+-#PREFERRED_LANGUAGE:en
++PREFERRED_LANGUAGE:en
+
+ .h2 PREFERRED_CHARSET
+ # PREFERRED_CHARSET specifies the character set in MIME notation (e.g.,
+@@ -809,7 +812,7 @@
+ # 'o'ptions menu and saved in the RC file, and always can be toggled
+ # via the -show_cursor command line switch.
+ #
+-#SHOW_CURSOR:FALSE
++SHOW_CURSOR:TRUE
+
+ .h2 UNDERLINE_LINKS
+ # UNDERLINE_LINKS controls whether links are underlined by default, or shown
+@@ -997,8 +1000,8 @@
+ # executed. This is much less dangerous than enabling all execution
+ # links, but can still be dangerous.
+ #
+-#LOCAL_EXECUTION_LINKS_ALWAYS_ON:FALSE
+-#LOCAL_EXECUTION_LINKS_ON_BUT_NOT_REMOTE:FALSE
++LOCAL_EXECUTION_LINKS_ALWAYS_ON:FALSE
++LOCAL_EXECUTION_LINKS_ON_BUT_NOT_REMOTE:FALSE
+
+ .h2 TRUSTED_EXEC
+ # If LOCAL_EXECUTION_LINK_ON_BUT_NOT_REMOTE is TRUE, and no TRUSTED_EXEC
+@@ -1045,7 +1048,7 @@
+ # as well (i.e., they will only be able to access lynxexec or lynxprog
+ # URLs which meet any ALWAYS_TRUSTED_EXEC rules).
+ #
+-#TRUSTED_EXEC:none
++TRUSTED_EXEC:none
+
+ .h2 ALWAYS_TRUSTED_EXEC
+ # If EXEC_LINKS was defined, any lynxexec or lynxprog URL can be made
+@@ -1066,7 +1069,7 @@
+ #
+ # The default ALWAYS_TRUSTED_EXEC rule is "none".
+ #
+-#ALWAYS_TRUSTED_EXEC:none
++ALWAYS_TRUSTED_EXEC:none
+
+ .h2 TRUSTED_LYNXCGI
+ # Unix:
+@@ -1085,7 +1088,7 @@
+ #
+ # The default TRUSTED_LYNXCGI rule is "none".
+ #
+-#TRUSTED_LYNXCGI:none
++TRUSTED_LYNXCGI:none
+
+ .h2 LYNXCGI_ENVIRONMENT
+ # Unix:
+@@ -1411,7 +1414,7 @@
+ # The default is FALSE, so that the feature needs to be enabled here
+ # explicitly if you want it.
+ #
+-#PERSISTENT_COOKIES:FALSE
++PERSISTENT_COOKIES:FALSE
+
+ .h2 COOKIE_FILE
+ # COOKIE_FILE is the default file from which persistent cookies are read
+@@ -1858,7 +1861,7 @@
+ # and not forced TRUE, the user can regulate it via the 'o'ptions menu (and
+ # may save the preference in the RC file).
+ #
+-#NO_DOT_FILES:TRUE
++NO_DOT_FILES:FALSE
+
+ .h1 Internal Behavior
+
+@@ -2119,13 +2122,13 @@
+ #
+ # Unix:
+ # ====
+-#GLOBAL_EXTENSION_MAP:/usr/local/lib/mosaic/mime.types
++GLOBAL_EXTENSION_MAP:/etc/mime.types
+ # VMS:
+ # ===
+ #GLOBAL_EXTENSION_MAP:Lynx_Dir:mime.types
+ #
+ # Unix (sought in user's home directory):
+-#PERSONAL_EXTENSION_MAP:.mime.types
++PERSONAL_EXTENSION_MAP:.mime.types
+ # VMS (sought in user's sys$login directory):
+ #PERSONAL_EXTENSION_MAP:mime.types
+
+@@ -2260,6 +2263,8 @@
+ #SUFFIX:.dms:application/x-dms
+ #SUFFIX:.html:text/html
+ #SUFFIX:.txt:text/plain
++SUFFIX:.tgz:application/octet-stream
++SUFFIX:.deb:application/octet-stream
+
+ .h2 XLOADIMAGE_COMMAND
+ # VMS:
+@@ -2363,13 +2368,13 @@
+ #
+ # Unix:
+ # ====
+-#GLOBAL_MAILCAP:/usr/local/lib/mosaic/mailcap
++GLOBAL_MAILCAP:/etc/mailcap
+ # VMS:
+ # ===
+ #GLOBAL_MAILCAP:Lynx_Dir:mailcap
+ #
+ # Sought in user's home (Unix) or sys$login (VMS) directory.
+-#PERSONAL_MAILCAP:.mailcap
++PERSONAL_MAILCAP:.mailcap
+
+ .h2 PREFERRED_MEDIA_TYPES
+ # When doing a GET, lynx lists the MIME types which it knows how to present
+@@ -3583,7 +3588,7 @@
+ # should accept, in case the $SSL_CERT_FILE environment variable is not set,
+ # e.g.,
+ #
+-#SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
++SSL_CERT_FILE:/etc/ssl/certs/ca-certificates.crt
+ #SSL_CERT_FILE:NULL
+
+ .h2 SSL_CLIENT_CERT_FILE
+@@ -3623,7 +3628,7 @@
+
+ .h2 SYSLOG_REQUESTED_URLS
+ # Log the requested URLs using the syslog interface.
+-#SYSLOG_REQUESTED_URLS:TRUE
++SYSLOG_REQUESTED_URLS:FALSE
+
+ .h2 SYSLOG_TEXT
+ # Add the given text to calls made to syslog, to distinguish Lynx from other
+@@ -3797,6 +3802,22 @@
+ # several other features of HTTP/1.1. You may encounter a server which does
+ # not support HTTP/1.0 which can be used by switching to the later protocol.
+ #HTTP_PROTOCOL:1.0
++
++# external
++EXTERNAL:ftp:w3m %s:TRUE
++EXTERNAL:file:w3m %s:TRUE
++EXTERNAL:http:w3m %s:TRUE
++EXTERNAL:http:wget %s:TRUE
++EXTERNAL:http:wget -r %s:TRUE
++EXTERNAL:ftp:x-www-browser %s:TRUE
++EXTERNAL:file:x-www-browser %s:TRUE
++EXTERNAL:http:x-www-browser %s:TRUE
++# include
++INCLUDE:/etc/lynx/local.cfg
++INCLUDE:~/.lynx/colors:COLOR
++INCLUDE:~/.lynx/keymap:KEYMAP
++INCLUDE:~/.lynx/viewers:VIEWER
++INCLUDE:~/.lynx/external:EXTERNAL
+
+ .h2 GUESS_SCHEME
+ # When true, Lynx may fill in a missing "scheme" for URIs which you provide.
diff --git a/debian/patches/nested_tables.patch b/debian/patches/nested_tables.patch
new file mode 100644
index 0000000..a36fd67
--- /dev/null
+++ b/debian/patches/nested_tables.patch
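Review bot: The `EXTERNAL:` entries added in the last inner hunk all end in `:TRUE`; if I read the EXTERNAL syntax correctly that field is `<norestriction>`, which would keep `w3m`, `wget`, `wget -r` and `x-www-browser` available even in sessions started with the `externals` restriction (kiosk or anonymous setups). Writing them as `EXTERNAL:http:wget -r %s:FALSE`, and likewise for the others, keeps the convenience for ordinary users while letting restricted sessions stay restricted. The same patch also sets `NO_DOT_FILES:FALSE` where the commented-out value was `TRUE`, which makes dot files visible in local directory views; a one-line comment above it such as `# Debian: dot files shown by default; the commented upstream value is TRUE` would record that this is deliberate.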
@@ -0,0 +1,15 @@
+Description: turn off nested-tables option
+Author: Denis Briand <debian@denis-briand.fr>
+Bug-Debian: https://bugs.debian.org/387555
+
+--- a/lynx.cfg
++++ b/lynx.cfg
+@@ -3033,7 +3033,7 @@
+ # It is enabled by default when the COLOR_STYLE configuration is used,
+ # and false otherwise.
+ #
+-#NESTED_TABLES: true
++NESTED_TABLES: false
+
+ .h2 ASSUMED_COLOR
+ # If built with a library that recognizes default colors (usually ncurses or
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e2737bd
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+lynxcfg.patch
+aboutlynx.patch
+21_do_not_strip_-g.diff
+nested_tables.patch
+fix-tls-1.3.patch
+90_CVE-2021-38165.patch |