gnu: w3m: Switch to Debian's actively maintained fork of w3m.
Fixes some security issues seen here: <http://www.openwall.com/lists/oss-security/2016/11/03/3> * gnu/packages/w3m.scm (w3m): Switch it. [source]: Use Debian's git tree. Remove obsolete patches. [arguments]: Remove an unneeded substitute* function. * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch, gnu/packages/patches/w3m-disable-weak-ciphers.patch, gnu/packages/patches/w3m-force-ssl_verify_server-on.patch, gnu/packages/patches/w3m-libgc.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
parent
682bfb8124
commit
674a0f9558
|
@ -891,10 +891,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/vte-CVE-2012-2738-pt1.patch \
|
||||
%D%/packages/patches/vte-CVE-2012-2738-pt2.patch \
|
||||
%D%/packages/patches/vtk-mesa-10.patch \
|
||||
%D%/packages/patches/w3m-libgc.patch \
|
||||
%D%/packages/patches/w3m-force-ssl_verify_server-on.patch \
|
||||
%D%/packages/patches/w3m-disable-sslv2-and-sslv3.patch \
|
||||
%D%/packages/patches/w3m-disable-weak-ciphers.patch \
|
||||
%D%/packages/patches/weechat-python.patch \
|
||||
%D%/packages/patches/weex-vacopy.patch \
|
||||
%D%/packages/patches/wicd-bitrate-none-fix.patch \
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
Subject: Disable SSLv2 and SSLv3.
|
||||
|
||||
The only remaining methods are TLSv1.* (the code never distinguishes
|
||||
between TLSv1.0, TLSv1.1, and TLSv1.2).
|
||||
---
|
||||
fm.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fm.h b/fm.h
|
||||
index 320906c..ddcd4fc 100644
|
||||
--- a/fm.h
|
||||
+++ b/fm.h
|
||||
@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
|
||||
#endif /* defined(USE_SSL) &&
|
||||
* defined(USE_SSL_VERIFY) */
|
||||
#ifdef USE_SSL
|
||||
-global char *ssl_forbid_method init(NULL);
|
||||
+global char *ssl_forbid_method init("2, 3");
|
||||
#endif
|
||||
|
||||
global int is_redisplay init(FALSE);
|
||||
--
|
||||
2.6.4
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
Subject: Disable weak ciphers
|
||||
|
||||
Disable RC4, "export ciphers", and all keys < 128 bits.
|
||||
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
|
||||
---
|
||||
url.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/url.c b/url.c
|
||||
index ed6062e..e86b1f3 100644
|
||||
--- a/url.c
|
||||
+++ b/url.c
|
||||
@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
|
||||
SSL_load_error_strings();
|
||||
if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
|
||||
goto eend;
|
||||
+ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
|
||||
option = SSL_OP_ALL;
|
||||
if (ssl_forbid_method) {
|
||||
if (strchr(ssl_forbid_method, '2'))
|
||||
--
|
||||
2.6.4
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
Subject: Force ssl_verify_server on.
|
||||
|
||||
By default, SSL/TLS certificates are not verified. This enables the
|
||||
verification.
|
||||
---
|
||||
fm.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fm.h b/fm.h
|
||||
index 8378939..320906c 100644
|
||||
--- a/fm.h
|
||||
+++ b/fm.h
|
||||
@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
|
||||
#endif
|
||||
|
||||
#if defined(USE_SSL) && defined(USE_SSL_VERIFY)
|
||||
-global int ssl_verify_server init(FALSE);
|
||||
+global int ssl_verify_server init(TRUE);
|
||||
global char *ssl_cert_file init(NULL);
|
||||
global char *ssl_key_file init(NULL);
|
||||
global char *ssl_ca_path init(NULL);
|
||||
--
|
||||
2.6.4
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
This patch fixes w3m compilation with libgc > 7.2.
|
||||
|
||||
Reported:
|
||||
https://bugs.archlinux.org/task/33397
|
||||
|
||||
Patch with explanation:
|
||||
http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=770eec8304bdbe458
|
||||
---
|
||||
main.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/main.c b/main.c
|
||||
index b421943..249eb1a 100644
|
||||
--- a/main.c
|
||||
+++ b/main.c
|
||||
@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp)
|
||||
mySignal(SIGPIPE, SigPipe);
|
||||
#endif
|
||||
|
||||
- orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc);
|
||||
+ orig_GC_warn_proc = GC_get_warn_proc();
|
||||
+ GC_set_warn_proc(wrap_GC_warn_proc);
|
||||
err_msg = Strnew();
|
||||
if (load_argc == 0) {
|
||||
/* no URL specified */
|
||||
--
|
||||
2.6.4
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
|
||||
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
|
||||
;;; Copyright © 2016 Kei Kebreau <kei@openmailbox.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -28,37 +29,29 @@
|
|||
#:use-module (gnu packages tls)
|
||||
#:use-module (gnu packages)
|
||||
#:use-module (guix packages)
|
||||
#:use-module (guix download)
|
||||
#:use-module (guix git-download)
|
||||
#:use-module (guix build-system gnu))
|
||||
|
||||
(define-public w3m
|
||||
(package
|
||||
(name "w3m")
|
||||
(version "0.5.3")
|
||||
(version "0.5.3+git20161031")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "mirror://sourceforge/" name "/" name "/"
|
||||
name "-" version "/"
|
||||
name "-" version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
|
||||
|
||||
;; cf. https://bugs.archlinux.org/task/33397
|
||||
(patches (search-patches "w3m-libgc.patch"
|
||||
"w3m-force-ssl_verify_server-on.patch"
|
||||
"w3m-disable-sslv2-and-sslv3.patch"
|
||||
"w3m-disable-weak-ciphers.patch"))))
|
||||
(method git-fetch)
|
||||
;; Debian's fork of w3m is the only one that is still
|
||||
;; maintained.
|
||||
(uri (git-reference
|
||||
(url "https://anonscm.debian.org/cgit/collab-maint/w3m.git")
|
||||
(commit version)))
|
||||
(file-name (string-append "w3m-" version "-checkout"))
|
||||
(sha256
|
||||
(base32
|
||||
"142vkkmsk76wj9w6r4y2pa1hmy1kkzmc73an9zchx0ikm2z92x6s"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments `(#:tests? #f ; no check target
|
||||
#:phases (alist-cons-before
|
||||
'configure 'fix-perl
|
||||
(lambda _
|
||||
;; https://launchpad.net/bugs/935540
|
||||
;; 'struct file_handle' is used by 'glibc'
|
||||
(substitute* '("istream.c" "istream.h")
|
||||
(("struct[[:blank:]]+file_handle")
|
||||
"struct w3m_file_handle"))
|
||||
(substitute* '("scripts/w3mmail.cgi.in"
|
||||
"scripts/dirlist.cgi.in")
|
||||
(("@PERL@") (which "perl"))))
|
||||
|
|
Loading…
Reference in New Issue