From 1eede14194c83b70725b6de062b9d3e0acce6340 Mon Sep 17 00:00:00 2001 From: Kei Kebreau <k...@openmailbox.org> Date: Fri, 4 Nov 2016 12:43:28 -0400 Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of w3m.
Fixes some security issues seen here: <http://www.openwall.com/lists/oss-security/2016/11/03/3> * gnu/packages/w3m.scm (w3m): Switch it. [source]: Use Debian's git tree. Remove obsolete patches. [arguments]: Remove unnecessary modification of %standard-phases. * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch, gnu/packages/patches/w3m-disable-weak-ciphers.patch, gnu/packages/patches/w3m-force-ssl_verify_server-on.patch, gnu/packages/patches/w3m-libgc.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 4 - .../patches/w3m-disable-sslv2-and-sslv3.patch | 24 ------ .../patches/w3m-disable-weak-ciphers.patch | 24 ------ .../patches/w3m-force-ssl_verify_server-on.patch | 24 ------ gnu/packages/patches/w3m-libgc.patch | 28 ------- gnu/packages/w3m.scm | 89 ++++++++++------------ 6 files changed, 42 insertions(+), 151 deletions(-) delete mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch delete mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch delete mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch delete mode 100644 gnu/packages/patches/w3m-libgc.patch diff --git a/gnu/local.mk b/gnu/local.mk index a23d536..a34d8ae 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -891,10 +891,6 @@ dist_patch_DATA = \ %D%/packages/patches/vte-CVE-2012-2738-pt1.patch \ %D%/packages/patches/vte-CVE-2012-2738-pt2.patch \ %D%/packages/patches/vtk-mesa-10.patch \ - %D%/packages/patches/w3m-libgc.patch \ - %D%/packages/patches/w3m-force-ssl_verify_server-on.patch \ - %D%/packages/patches/w3m-disable-sslv2-and-sslv3.patch \ - %D%/packages/patches/w3m-disable-weak-ciphers.patch \ %D%/packages/patches/weechat-python.patch \ %D%/packages/patches/weex-vacopy.patch \ %D%/packages/patches/wicd-bitrate-none-fix.patch \ diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch deleted file mode 100644 index 5b78f2d..0000000 
--- a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Disable SSLv2 and SSLv3.
-
-The only remaining methods are TLSv1.* (the code never distinguishes
-between TLSv1.0, TLSv1.1, and TLSv1.2).
----
- fm.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fm.h b/fm.h
-index 320906c..ddcd4fc 100644
---- a/fm.h
-+++ b/fm.h
-@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
- #endif /* defined(USE_SSL) &&
- * defined(USE_SSL_VERIFY) */
- #ifdef USE_SSL
--global char *ssl_forbid_method init(NULL);
-+global char *ssl_forbid_method init("2, 3");
- #endif
-
- global int is_redisplay init(FALSE);
---
-2.6.4
-
diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
deleted file mode 100644
index 4780d54..0000000
--- a/gnu/packages/patches/w3m-disable-weak-ciphers.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Disable weak ciphers
-
-Disable RC4, "export ciphers", and all keys < 128 bits.
-
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
----
- url.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/url.c b/url.c
-index ed6062e..e86b1f3 100644
---- a/url.c
-+++ b/url.c
-@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
- SSL_load_error_strings();
- if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
- goto eend;
-+ SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
- option = SSL_OP_ALL;
- if (ssl_forbid_method) {
- if (strchr(ssl_forbid_method, '2'))
---
-2.6.4
-
diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
deleted file mode 100644
index dc9f117..0000000
--- a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Force ssl_verify_server on.
-
-By default, SSL/TLS certificates are not verified. This enables the
-verification.
----
- fm.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fm.h b/fm.h
-index 8378939..320906c 100644
---- a/fm.h
-+++ b/fm.h
-@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
- #endif
-
- #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
--global int ssl_verify_server init(FALSE);
-+global int ssl_verify_server init(TRUE);
- global char *ssl_cert_file init(NULL);
- global char *ssl_key_file init(NULL);
- global char *ssl_ca_path init(NULL);
---
-2.6.4
-
diff --git a/gnu/packages/patches/w3m-libgc.patch b/gnu/packages/patches/w3m-libgc.patch
deleted file mode 100644
index 0dc6a40..0000000
--- a/gnu/packages/patches/w3m-libgc.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-This patch fixes w3m compilation with libgc > 7.2.
-
-Reported:
-https://bugs.archlinux.org/task/33397
-
-Patch with explanation:
-http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=770eec8304bdbe458
----
- main.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/main.c b/main.c
-index b421943..249eb1a 100644
---- a/main.c
-+++ b/main.c
-@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp)
- mySignal(SIGPIPE, SigPipe);
- #endif
-
-- orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc);
-+ orig_GC_warn_proc = GC_get_warn_proc();
-+ GC_set_warn_proc(wrap_GC_warn_proc);
- err_msg = Strnew();
- if (load_argc == 0) {
- /* no URL specified */
---
-2.6.4
-
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index e7dd583..8b8a33a 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Nikita Karetnikov <nik...@karetnikov.org>
 ;;; Copyright © 2016 Leo Famulari <l...@famulari.name>
+;;; Copyright © 2016 Kei Kebreau <k...@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,56 +29,50 @@
 #:use-module (gnu packages tls)
 #:use-module (gnu packages)
 #:use-module (guix packages)
- #:use-module (guix download)
+ #:use-module (guix git-download)
 #:use-module (guix build-system gnu))
 
 (define-public w3m
- (package
- (name "w3m")
- (version "0.5.3")
- (source (origin
- (method url-fetch)
- (uri (string-append "mirror://sourceforge/" name "/" name "/"
- name "-" version "/"
- name "-" version ".tar.gz"))
- (sha256
- (base32
- "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
-
- ;; cf. https://bugs.archlinux.org/task/33397
- (patches (search-patches "w3m-libgc.patch"
- "w3m-force-ssl_verify_server-on.patch"
- "w3m-disable-sslv2-and-sslv3.patch"
- "w3m-disable-weak-ciphers.patch"))))
- (build-system gnu-build-system)
- (arguments `(#:tests? #f ; no check target
- #:phases (alist-cons-before
- 'configure 'fix-perl
- (lambda _
- ;; https://launchpad.net/bugs/935540
- ;; 'struct file_handle' is used by 'glibc'
- (substitute* '("istream.c" "istream.h")
- (("struct[[:blank:]]+file_handle")
- "struct w3m_file_handle"))
- (substitute* '("scripts/w3mmail.cgi.in"
- "scripts/dirlist.cgi.in")
- (("@PERL@") (which "perl"))))
- %standard-phases)))
- (inputs
- `(("libgc" ,libgc)
- ("ncurses" ,ncurses)
- ("openssl" ,openssl)
- ("zlib" ,zlib)))
- (native-inputs
- `(("gettext" ,gnu-gettext)
- ("perl" ,perl)
- ("pkg-config" ,pkg-config)))
- (home-page "http://w3m.sourceforge.net/")
- (synopsis "Text-mode web browser")
- (description
- "w3m is a text-based web browser as well as a pager like 'more' or
+ (let ((commit "5cf75248f5833db00d53a33c30a525bb40f5512b")
+ (revision "1")) ; Guix package revision
+ (package
+ (name "w3m")
+ (version (string-append "0.5.3-" revision "." (string-take commit 7)))
+ (source (origin
+ (method git-fetch)
+ ;; Debian's fork of w3m is the only one that is still
+ ;; maintained.
+ (uri (git-reference
+ (url "https://anonscm.debian.org/cgit/collab-maint/w3m.git")
+ (commit commit)))
+ (file-name (string-append "w3m-" version "-checkout"))
+ (sha256
+ (base32
+ "142vkkmsk76wj9w6r4y2pa1hmy1kkzmc73an9zchx0ikm2z92x6s"))))
+ (build-system gnu-build-system)
+ (arguments `(#:tests? #f ; no check target
+ #:phases (alist-cons-before
+ 'configure 'fix-perl
+ (lambda _
+ (substitute* '("scripts/w3mmail.cgi.in"
+ "scripts/dirlist.cgi.in")
+ (("@PERL@") (which "perl"))))
+ %standard-phases)))
+ (inputs
+ `(("libgc" ,libgc)
+ ("ncurses" ,ncurses)
+ ("openssl" ,openssl)
+ ("zlib" ,zlib)))
+ (native-inputs
+ `(("gettext" ,gnu-gettext)
+ ("perl" ,perl)
+ ("pkg-config" ,pkg-config)))
+ (home-page "http://w3m.sourceforge.net/")
+ (synopsis "Text-mode web browser")
+ (description
+ "w3m is a text-based web browser as well as a pager like 'more' or
 'less'. With w3m you can browse web pages through a terminal emulator
 window. Moreover, w3m can be used as a text formatting tool which
 typesets HTML into plain text.")
- (license (x11-style "file://doc/README"
- "See 'doc/README' in the distribution."))))
+ (license (x11-style "file://doc/README"
+ "See 'doc/README' in the distribution.")))))
--
2.10.2
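Review bot: The new definition drops the three TLS-hardening patches (ssl_verify_server forced on, SSLv2/SSLv3 forbidden, weak ciphers disabled) together with the libgc fix, but the package records nothing about why they are no longer needed; the only comment kept is that Debian's fork is the maintained one. The thread says the fixes were verified to be in the pinned tree, so that fact belongs next to the `commit` binding in the `let` at the top of the hunk, where the next person bumping the hash will see it, for example `;; The pinned Debian commit already carries what the former w3m-force-ssl_verify_server-on, w3m-disable-sslv2-and-sslv3, w3m-disable-weak-ciphers and w3m-libgc patches did; confirm this again when changing COMMIT, or a bump can silently turn certificate verification back off.` The pinned commit plus the sha256 on the checkout already fixes the fetched contents, so this is a documentation point only. The commit message's `[arguments]` line says the %standard-phases modification was removed, while the hunk keeps `alist-cons-before ... %standard-phases` for the @PERL@ substitution; the line could say that only the istream.c substitution was dropped.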
Updated patch attached! Leo Famulari <l...@famulari.name> writes: > On Fri, Nov 04, 2016 at 10:52:55AM -0400, Kei Kebreau wrote: > > Thanks! > >> From cc7a61d61160817ceb395b648b18c885175441e8 Mon Sep 17 00:00:00 2001 >> From: Kei Kebreau <k...@openmailbox.org> >> Date: Fri, 4 Nov 2016 10:48:53 -0400 >> Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of >> w3m. >> >> Fixes some security issues seen here: >> <http://www.openwall.com/lists/oss-security/2016/11/03/3> >> >> * gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained >> fork of w3m. > > No need to rewrite the commit title here :) > Got it. :) >> [source]: Use Debian's git tree. Remove obsolete patches. >> [arguments]: Remove unnecessary modification of %standard-phases. >> * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: Delete file. >> * gnu/packages/patches/w3m-disable-weak-ciphers.patch: Delete file. >> * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: Delete file. >> * gnu/packages/patches/w3m-libgc.patch: Delete file. > > Or: > * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch, > gnu/packages/patches/w3m-disable-weak-ciphers.patch, > gnu/packages/patches/w3m-force-ssl_verify_server-on.patch, > gnu/packages/patches/w3m-libgc.patch: Delete files. > Fixed. > By the way, I double-checked that all these patches are indeed > integrated into the release tag used by this package definition. > I checked, too! Nice to know that we're doubly safe. >> (define-public w3m 
>> @@ -36,33 +37,16 @@ >> (name "w3m") >> (version "0.5.3") > > This should reflect the tag used in (commit). > I adjusted this according to what some other packages have done. Please tell me if I did it correctly. >> (source (origin >> - (method url-fetch) >> - (uri (string-append "mirror://sourceforge/" name "/" name "/" >> - name "-" version "/" >> - name "-" version ".tar.gz")) >> - (sha256 >> - (base32 >> - "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579")) >> - >> - ;; cf. https://bugs.archlinux.org/task/33397 >> - (patches (search-patches "w3m-libgc.patch" >> - "w3m-force-ssl_verify_server-on.patch" >> - "w3m-disable-sslv2-and-sslv3.patch" >> - "w3m-disable-weak-ciphers.patch")))) >> + (method git-fetch) >> + ;; Debian's fork of w3m is the only one that is still >> maintained. >> + (uri (git-reference >> + (url >> "https://anonscm.debian.org/cgit/collab-maint/w3m.git") >> + (commit "v0.5.3+git20161031"))) > >> - (substitute* '("scripts/w3mmail.cgi.in" >> - "scripts/dirlist.cgi.in") >> - (("@PERL@") (which "perl")))) > > Does this @PERL@ get patched correctly? > No, it does not! I added the substitution back in. The other substitution appears to be handled by Debian upstream. > Thanks for taking this on! You're welcome! It frees up other developers' time to handle larger hacking targets than I can muster.