authorStephanie J. Lockwood-Childs <wormo@gentoo.org>2009-07-26 05:55:24 +0000
committerStephanie J. Lockwood-Childs <wormo@gentoo.org>2009-07-26 05:55:24 +0000
commitd84c96413a55f69cbeb2e88a65768b7fa366f437 (patch)
tree4efb228ba7ce0577710e36edd0ccf2f0dfbe8ad3 /www-client/lynx
parentBump -5.7 development version (diff)
Apply patch for CVE-2008-4690 (bug #243058)
Package-Manager: portage-2.1.6.13/cvs/Linux x86_64
Diffstat (limited to 'www-client/lynx')
-rw-r--r--www-client/lynx/ChangeLog6
-rw-r--r--www-client/lynx/Manifest5
-rw-r--r--www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch44
-rw-r--r--www-client/lynx/lynx-2.8.6-r2.ebuild8
4 files changed, 59 insertions, 4 deletions
diff --git a/www-client/lynx/ChangeLog b/www-client/lynx/ChangeLog
index ee2b655343de..a36e063395d1 100644
--- a/www-client/lynx/ChangeLog
+++ b/www-client/lynx/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for www-client/lynx
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/ChangeLog,v 1.78 2009/07/26 05:36:10 wormo Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/ChangeLog,v 1.79 2009/07/26 05:55:24 wormo Exp $
+
+ 26 Jul 2009; Stephanie Lockwood-Childs <wormo@gentoo.org>
+ +files/lynx-2.8.6-CVE-2008-4690.patch, lynx-2.8.6-r2.ebuild:
+ Apply patch for CVE-2008-4690 (bug #243058)
25 Jul 2009; Stephanie Lockwood-Childs <wormo@gentoo.org> metadata.xml,
lynx-2.8.6-r2.ebuild:
diff --git a/www-client/lynx/Manifest b/www-client/lynx/Manifest
index 0e2f36042f6d..b5fae7b67e5f 100644
--- a/www-client/lynx/Manifest
+++ b/www-client/lynx/Manifest
@@ -1,8 +1,9 @@
+AUX lynx-2.8.6-CVE-2008-4690.patch 1598 RMD160 f54f9a8ddf113e1d57eefbc4a624a4b2b0bca8a9 SHA1 3c6784afa7df360927126e9d49c310c62eb0341e SHA256 c65a04c603611c5e3f02ee2aa5f3a5a27a073cb3632063a50c22602b05d7996a
DIST lynx2.8.6rel.4.tar.bz2 2291156 RMD160 47e48e4136df298bf5168bc8d2d49e1ac92a6820 SHA1 b4e37025e99aabaddb219b2f27b1b0ac5db89708 SHA256 c7d876d52d08e4e593e8f3a04ba6d6c86685570828d1b7a16723702c7643c2a3
DIST lynx2.8.7pre.4.tar.bz2 2428159 RMD160 625f609dd0a8e8c21ee0327beb984892fdc9cafc SHA1 e3fceb50fad7b00e6887350814b0313497b04c5c SHA256 c4a9a16e5fbc6d4896cec0c832c3730e7a535f4cc9c08aefb345cee5599c5832
DIST lynx2.8.7pre.6.tar.bz2 2432061 RMD160 3e2b3046665c9618e9f712c60b0c5beabb4b770f SHA1 4cbc840e3d850baf83f4389b083edb67e0e8f051 SHA256 3dbe054290b7cd6dd0d4ccdcccfc270d22da3f9c38366e3e15f65a34d7d80a4a
-EBUILD lynx-2.8.6-r2.ebuild 2151 RMD160 f350699a6e63656948c34f00f86ca86134fe5418 SHA1 9b22bf1ebdc09fa7b63d7f214d4af740b88c929a SHA256 2b2bd3ff0ee41e301f809ea137a5e8a62c13ea056dffe6ae7935569d82b90596
+EBUILD lynx-2.8.6-r2.ebuild 2240 RMD160 3c1b5736a5c47413027213efb9ff7282fa3a5a22 SHA1 e38601c7633413ef2abccd70d59f4eddffd03fa2 SHA256 510e6dc68e5ce9e6b3790de0e72d8efeea219033eb52633d09d9b80b307816b7
EBUILD lynx-2.8.7_rc4.ebuild 2544 RMD160 c6be673be3f908adc473070c66050f188058847d SHA1 f87fd2848858f68d4c846d8c8cb59840f4ee3395 SHA256 03cf36f733604497b0e3cdc9380d17234ffc1958493a228e32768e3d0eaee5dd
EBUILD lynx-2.8.7_rc6.ebuild 2543 RMD160 b857daf26699825a7dd0041b4e904deaec34410b SHA1 b631681782ad9cdf48f20022c30fd03d8a89cf19 SHA256 1f81ef1b2594983df0eab0e3d540365e1c2350687b7bbf1f07308dbe6e931303
-MISC ChangeLog 15752 RMD160 9346d288c3261ba55841daf33dffb76855d4724e SHA1 6fdee250e08b5f8cc504e0a45339db322fae2b5c SHA256 09f2b17b0d9e5e1b17cd580ff1c2d941d476506cd524654f9b0efb9f9b35fc82
+MISC ChangeLog 15922 RMD160 eaadc9f54c7832f0eb8e1589b825d822a53f38cf SHA1 16fafd2d514f56d6e4fd8fd7d269236be99ba55c SHA256 e0bc320946333331bc18c77e47a8783d33aa5208de30efdabf127880584e5f7b
MISC metadata.xml 297 RMD160 7b51665ff33d089acb47620f939c2d99ae33e3aa SHA1 0e73f56752985f703fd72edc0d242c2d530c94cb SHA256 de0d87c33df1475cf0077a08ac329e0267d0986a35160f0176056b6b49e0896d
diff --git a/www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch b/www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch
new file mode 100644
index 000000000000..da2647b49b53
--- /dev/null
+++ b/www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch
@@ -0,0 +1,44 @@
+Index: lynx2-8-6/CHANGES
+===================================================================
+--- lynx2-8-6.orig/CHANGES
++++ lynx2-8-6/CHANGES
+@@ -1,6 +1,13 @@
+ Changes since Lynx 2.8 release
+ ===============================================================================
+
++2008-10-26
++* modify patch for CVE-2005-2929 to prompt user before executing command via
++ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
++ hidden behind an HTTP redirect
++* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
++ [CVE-2008-4690]
++
+ 2006-11-15 (2.8.6rel.4 diverges from 2.8.7dev.4)
+ * limit files set via PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to be found
+ relative to the user's home directory. This change is less flexible than the
+Index: lynx2-8-6/lynx.cfg
+===================================================================
+--- lynx2-8-6.orig/lynx.cfg
++++ lynx2-8-6/lynx.cfg
+@@ -1026,7 +1026,7 @@ DEFAULT_INDEX_FILE:http://lynx.isc.org/
+ # ====
+ # Do not define this.
+ #
+-#TRUSTED_LYNXCGI:none
++TRUSTED_LYNXCGI:none
+
+
+ .h2 LYNXCGI_ENVIRONMENT
+Index: lynx2-8-6/src/LYCgi.c
+===================================================================
+--- lynx2-8-6.orig/src/LYCgi.c
++++ lynx2-8-6/src/LYCgi.c
+@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
+ if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ /* exec_ok gives out msg. */
+ result = FALSE;
+- } else if (user_mode < ADVANCED_MODE) {
++ } else {
+ StrAllocCopy(command, linktext);
+ if (non_empty(linkargs)) {
+ HTSprintf(&command, " %s", linkargs);
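Review bot: The `} else {` branch in can_exec_cgi() now runs for every user mode, but nothing in LYCgi.c records why the `user_mode < ADVANCED_MODE` test was dropped, so a later cleanup could plausibly restore it. I would add a comment above the branch, e.g. `/* Always confirm: the real lynxcgi URL may be hidden behind an HTTP redirect (CVE-2008-4690) */`. In the lynx.cfg part, the context line `# Do not define this.` now sits directly above an active `TRUSTED_LYNXCGI:none` and appears to contradict it; the comment should say that `none` is the shipped default and what a site must configure to allow specific lynxcgi paths. The body of can_exec_cgi() continues outside the hunk, so how the prompt's answer is handled cannot be checked from here.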
diff --git a/www-client/lynx/lynx-2.8.6-r2.ebuild b/www-client/lynx/lynx-2.8.6-r2.ebuild
index 62823c0e33cb..88d0ec6913fa 100644
--- a/www-client/lynx/lynx-2.8.6-r2.ebuild
+++ b/www-client/lynx/lynx-2.8.6-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/lynx-2.8.6-r2.ebuild,v 1.15 2009/07/26 05:36:10 wormo Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/lynx-2.8.6-r2.ebuild,v 1.16 2009/07/26 05:55:24 wormo Exp $
inherit eutils
@@ -40,6 +40,12 @@ pkg_setup() {
fi
}
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-CVE-2008-4690.patch"
+}
+
src_compile() {
local myconf
use unicode && myconf="--with-screen=ncursesw"
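Review bot: The security patch is added to the existing `lynx-2.8.6-r2.ebuild` rather than to a new revision, so a system that already has -r2 installed will probably not be rebuilt by a normal update and would keep the unpatched can_exec_cgi() behaviour. I would ship this as a revision bump (the next `-rN` ebuild) so the fix propagates to installed systems. In src_unpack(), `cd "${S}"` is unchecked; `cd "${S}" || die "cd to source dir failed"` makes a wrong source directory fail loudly instead of leaving detection to epatch. The `TRUSTED_LYNXCGI:none` default also only reaches an existing install once the admin merges the updated lynx.cfg (assuming that file is config-protected), which may deserve an `elog` note in the ebuild.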