From 1eede14194c83b70725b6de062b9d3e0acce6340 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <k...@openmailbox.org>
Date: Fri, 4 Nov 2016 12:43:28 -0400
Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of w3m.

Fixes some security issues seen here:
<http://www.openwall.com/lists/oss-security/2016/11/03/3>

* gnu/packages/w3m.scm (w3m): Switch it.
[source]: Use Debian's git tree. Remove obsolete patches.
[arguments]: Remove unnecessary modification of %standard-phases.
* gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch,
gnu/packages/patches/w3m-disable-weak-ciphers.patch,
gnu/packages/patches/w3m-force-ssl_verify_server-on.patch,
gnu/packages/patches/w3m-libgc.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |  4 -
 .../patches/w3m-disable-sslv2-and-sslv3.patch      | 24 ------
 .../patches/w3m-disable-weak-ciphers.patch         | 24 ------
 .../patches/w3m-force-ssl_verify_server-on.patch   | 24 ------
 gnu/packages/patches/w3m-libgc.patch               | 28 -------
 gnu/packages/w3m.scm                               | 89 ++++++++++------------
 6 files changed, 42 insertions(+), 151 deletions(-)
 delete mode 100644 gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
 delete mode 100644 gnu/packages/patches/w3m-disable-weak-ciphers.patch
 delete mode 100644 gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
 delete mode 100644 gnu/packages/patches/w3m-libgc.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a23d536..a34d8ae 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -891,10 +891,6 @@ dist_patch_DATA =                                          
\
   %D%/packages/patches/vte-CVE-2012-2738-pt1.patch                     \
   %D%/packages/patches/vte-CVE-2012-2738-pt2.patch                     \
   %D%/packages/patches/vtk-mesa-10.patch                       \
-  %D%/packages/patches/w3m-libgc.patch                         \
-  %D%/packages/patches/w3m-force-ssl_verify_server-on.patch    \
-  %D%/packages/patches/w3m-disable-sslv2-and-sslv3.patch       \
-  %D%/packages/patches/w3m-disable-weak-ciphers.patch          \
   %D%/packages/patches/weechat-python.patch                    \
   %D%/packages/patches/weex-vacopy.patch                       \
   %D%/packages/patches/wicd-bitrate-none-fix.patch             \
diff --git a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch 
b/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
deleted file mode 100644
index 5b78f2d..0000000
--- a/gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Disable SSLv2 and SSLv3.
-
-The only remaining methods are TLSv1.* (the code never distinguishes
-between TLSv1.0, TLSv1.1, and TLSv1.2).
----
- fm.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fm.h b/fm.h
-index 320906c..ddcd4fc 100644
---- a/fm.h
-+++ b/fm.h
-@@ -1144,7 +1144,7 @@ global int ssl_path_modified init(FALSE);
- #endif                                /* defined(USE_SSL) &&
-                                * defined(USE_SSL_VERIFY) */
- #ifdef USE_SSL
--global char *ssl_forbid_method init(NULL);
-+global char *ssl_forbid_method init("2, 3");
- #endif
- 
- global int is_redisplay init(FALSE);
--- 
-2.6.4
-
diff --git a/gnu/packages/patches/w3m-disable-weak-ciphers.patch 
b/gnu/packages/patches/w3m-disable-weak-ciphers.patch
deleted file mode 100644
index 4780d54..0000000
--- a/gnu/packages/patches/w3m-disable-weak-ciphers.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Disable weak ciphers
-
-Disable RC4, "export ciphers", and all keys < 128 bits.
-
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/w3m/+bug/1325674
----
- url.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/url.c b/url.c
-index ed6062e..e86b1f3 100644
---- a/url.c
-+++ b/url.c
-@@ -326,6 +326,7 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
-       SSL_load_error_strings();
-       if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
-           goto eend;
-+      SSL_CTX_set_cipher_list(ssl_ctx, "DEFAULT:!LOW:!RC4:!EXP");
-       option = SSL_OP_ALL;
-       if (ssl_forbid_method) {
-           if (strchr(ssl_forbid_method, '2'))
--- 
-2.6.4
-
diff --git a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch 
b/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
deleted file mode 100644
index dc9f117..0000000
--- a/gnu/packages/patches/w3m-force-ssl_verify_server-on.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Force ssl_verify_server on.
-
-By default, SSL/TLS certificates are not verified. This enables the
-verification.
----
- fm.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fm.h b/fm.h
-index 8378939..320906c 100644
---- a/fm.h
-+++ b/fm.h
-@@ -1135,7 +1135,7 @@ global int view_unseenobject init(TRUE);
- #endif
- 
- #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
--global int ssl_verify_server init(FALSE);
-+global int ssl_verify_server init(TRUE);
- global char *ssl_cert_file init(NULL);
- global char *ssl_key_file init(NULL);
- global char *ssl_ca_path init(NULL);
--- 
-2.6.4
-
diff --git a/gnu/packages/patches/w3m-libgc.patch 
b/gnu/packages/patches/w3m-libgc.patch
deleted file mode 100644
index 0dc6a40..0000000
--- a/gnu/packages/patches/w3m-libgc.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-This patch fixes w3m compilation with libgc > 7.2.
-
-Reported:
-https://bugs.archlinux.org/task/33397
-
-Patch with explanation:
-http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=770eec8304bdbe458
----
- main.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/main.c b/main.c
-index b421943..249eb1a 100644
---- a/main.c
-+++ b/main.c
-@@ -833,7 +833,8 @@ main(int argc, char **argv, char **envp)
-     mySignal(SIGPIPE, SigPipe);
- #endif
- 
--    orig_GC_warn_proc = GC_set_warn_proc(wrap_GC_warn_proc);
-+    orig_GC_warn_proc = GC_get_warn_proc();
-+    GC_set_warn_proc(wrap_GC_warn_proc);
-     err_msg = Strnew();
-     if (load_argc == 0) {
-       /* no URL specified */
--- 
-2.6.4
-
diff --git a/gnu/packages/w3m.scm b/gnu/packages/w3m.scm
index e7dd583..8b8a33a 100644
--- a/gnu/packages/w3m.scm
+++ b/gnu/packages/w3m.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Nikita Karetnikov <nik...@karetnikov.org>
 ;;; Copyright © 2016 Leo Famulari <l...@famulari.name>
+;;; Copyright © 2016 Kei Kebreau <k...@openmailbox.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,56 +29,50 @@
   #:use-module (gnu packages tls)
   #:use-module (gnu packages)
   #:use-module (guix packages)
-  #:use-module (guix download)
+  #:use-module (guix git-download)
   #:use-module (guix build-system gnu))
 
 (define-public w3m
-  (package
-    (name "w3m")
-    (version "0.5.3")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://sourceforge/" name "/" name "/"
-                                 name "-" version "/"
-                                 name "-" version ".tar.gz"))
-             (sha256
-              (base32
-               "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
-
-             ;; cf. https://bugs.archlinux.org/task/33397
-             (patches (search-patches "w3m-libgc.patch"
-                                      "w3m-force-ssl_verify_server-on.patch"
-                                      "w3m-disable-sslv2-and-sslv3.patch"
-                                      "w3m-disable-weak-ciphers.patch"))))
-    (build-system gnu-build-system)
-    (arguments `(#:tests? #f  ; no check target
-                 #:phases (alist-cons-before
-                           'configure 'fix-perl
-                           (lambda _
-                             ;; https://launchpad.net/bugs/935540
-                             ;; 'struct file_handle' is used by 'glibc'
-                             (substitute* '("istream.c" "istream.h")
-                              (("struct[[:blank:]]+file_handle")
-                               "struct w3m_file_handle"))
-                             (substitute* '("scripts/w3mmail.cgi.in"
-                                            "scripts/dirlist.cgi.in")
-                               (("@PERL@") (which "perl"))))
-                           %standard-phases)))
-    (inputs
-     `(("libgc" ,libgc)
-       ("ncurses" ,ncurses)
-       ("openssl" ,openssl)
-       ("zlib" ,zlib)))
-    (native-inputs
-     `(("gettext" ,gnu-gettext)
-       ("perl" ,perl)
-       ("pkg-config" ,pkg-config)))
-    (home-page "http://w3m.sourceforge.net/";)
-    (synopsis "Text-mode web browser")
-    (description
-     "w3m is a text-based web browser as well as a pager like 'more' or
+  (let ((commit "5cf75248f5833db00d53a33c30a525bb40f5512b")
+        (revision "1"))  ; Guix package revision
+    (package
+      (name "w3m")
+      (version (string-append "0.5.3-" revision "." (string-take commit 7)))
+      (source (origin
+                (method git-fetch)
+                ;; Debian's fork of w3m is the only one that is still
+                ;; maintained.
+                (uri (git-reference
+                      (url 
"https://anonscm.debian.org/cgit/collab-maint/w3m.git";)
+                      (commit commit)))
+                (file-name (string-append "w3m-" version "-checkout"))
+                (sha256
+                 (base32
+                  "142vkkmsk76wj9w6r4y2pa1hmy1kkzmc73an9zchx0ikm2z92x6s"))))
+      (build-system gnu-build-system)
+      (arguments `(#:tests? #f  ; no check target
+                   #:phases (alist-cons-before
+                             'configure 'fix-perl
+                             (lambda _
+                               (substitute* '("scripts/w3mmail.cgi.in"
+                                              "scripts/dirlist.cgi.in")
+                                 (("@PERL@") (which "perl"))))
+                             %standard-phases)))
+      (inputs
+       `(("libgc" ,libgc)
+         ("ncurses" ,ncurses)
+         ("openssl" ,openssl)
+         ("zlib" ,zlib)))
+      (native-inputs
+       `(("gettext" ,gnu-gettext)
+         ("perl" ,perl)
+         ("pkg-config" ,pkg-config)))
+      (home-page "http://w3m.sourceforge.net/";)
+      (synopsis "Text-mode web browser")
+      (description
+       "w3m is a text-based web browser as well as a pager like 'more' or
 'less'.  With w3m you can browse web pages through a terminal emulator
 window.  Moreover, w3m can be used as a text formatting tool which
 typesets HTML into plain text.")
-    (license (x11-style "file://doc/README"
-                        "See 'doc/README' in the distribution."))))
+      (license (x11-style "file://doc/README"
+                          "See 'doc/README' in the distribution.")))))
-- 
2.10.2

Updated patch attached!

Leo Famulari <l...@famulari.name> writes:

> On Fri, Nov 04, 2016 at 10:52:55AM -0400, Kei Kebreau wrote:
>
> Thanks!
>
>> From cc7a61d61160817ceb395b648b18c885175441e8 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <k...@openmailbox.org>
>> Date: Fri, 4 Nov 2016 10:48:53 -0400
>> Subject: [PATCH] gnu: w3m: Switch to Debian's actively maintained fork of 
>> w3m.
>> 
>> Fixes some security issues seen here:
>> <http://www.openwall.com/lists/oss-security/2016/11/03/3>
>> 
>> * gnu/packages/w3m.scm (w3m): Switch to Debian's actively maintained
>> fork of w3m.
>
> No need to rewrite the commit title here :)
>

Got it. :)

>> [source]: Use Debian's git tree. Remove obsolete patches.
>> [arguments]: Remove unnecessary modification of %standard-phases.
>> * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch: Delete file.
>> * gnu/packages/patches/w3m-disable-weak-ciphers.patch: Delete file.
>> * gnu/packages/patches/w3m-force-ssl_verify_server-on.patch: Delete file.
>> * gnu/packages/patches/w3m-libgc.patch: Delete file.
>
> Or:
> * gnu/packages/patches/w3m-disable-sslv2-and-sslv3.patch,
> gnu/packages/patches/w3m-disable-weak-ciphers.patch,
> gnu/packages/patches/w3m-force-ssl_verify_server-on.patch,
> gnu/packages/patches/w3m-libgc.patch: Delete files.
>

Fixed.

> By the way, I double-checked that all these patches are indeed
> integrated into the release tag used by this package definition.
>

I checked, too! Nice to know that we're doubly safe.

>>  (define-public w3m
>> @@ -36,33 +37,16 @@
>>      (name "w3m")
>>      (version "0.5.3")
>
> This should reflect the tag used in (commit).
>

I adjusted this according to what some other packages have done. Please
tell me if I did it correctly.

>>      (source (origin
>> -             (method url-fetch)
>> -             (uri (string-append "mirror://sourceforge/" name "/" name "/"
>> -                                 name "-" version "/"
>> -                                 name "-" version ".tar.gz"))
>> -             (sha256
>> -              (base32
>> -               "1qx9f0kprf92r1wxl3sacykla0g04qsi0idypzz24b7xy9ix5579"))
>> -
>> -             ;; cf. https://bugs.archlinux.org/task/33397
>> -             (patches (search-patches "w3m-libgc.patch"
>> -                                      "w3m-force-ssl_verify_server-on.patch"
>> -                                      "w3m-disable-sslv2-and-sslv3.patch"
>> -                                      "w3m-disable-weak-ciphers.patch"))))
>> +              (method git-fetch)
>> +              ;; Debian's fork of w3m is the only one that is still 
>> maintained.
>> +              (uri (git-reference
>> +                    (url 
>> "https://anonscm.debian.org/cgit/collab-maint/w3m.git";)
>> +                    (commit "v0.5.3+git20161031")))
>
>> -                             (substitute* '("scripts/w3mmail.cgi.in"
>> -                                            "scripts/dirlist.cgi.in")
>> -                               (("@PERL@") (which "perl"))))
>
> Does this @PERL@ get patched correctly?
>

No, it does not! I added the substitution back in. The other
substitution appears to be handled by Debian upstream.

> Thanks for taking this on!

You're welcome! It frees up other developers' time to handle larger
hacking targets than I can muster.

Attachment: signature.asc
Description: PGP signature

Reply via email to