From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Mario Lang <mlang@blind.guru>
Subject: [Buildroot] [PATCH] package/lynx: add security patch for CVE-2021-38165
Date: Tue, 21 Sep 2021 11:32:49 +0200	[thread overview]
Message-ID: <20210921093250.22812-1-peter@korsgaard.com> (raw)

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which
allows remote attackers to discover cleartext credentials because they may
appear in SNI data.

https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html

Upstream unfortunately does not provide a public VCS (only source
snapshots), so fetch the security patch from Debian.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/lynx/lynx.hash | 1 +
 package/lynx/lynx.mk   | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/package/lynx/lynx.hash b/package/lynx/lynx.hash
index 76d7614a7c..62e2555a99 100644
--- a/package/lynx/lynx.hash
+++ b/package/lynx/lynx.hash
@@ -1,3 +1,4 @@
 # Locally calculated:
 sha256  387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595  lynx2.8.9rel.1.tar.bz2
+sha256  b2207e757dbbefc34a20a32b1b4a216b4a4316e1dc812bceca4ac6294871119a  90_CVE-2021-38165.patch
 sha256  8406a30ff3134ec23cf752d1ceda92ddaabbe41b4f2dc07ea3cfa139de12d6d6  COPYING
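Review bot: the "# Locally calculated:" header now also covers the downloaded Debian patch, but nothing records where that hash came from; consider a comment naming the Debian tag the patch was fetched from (debian/2.9.0dev.6-3_deb11u1, as used in lynx.mk) so a later bump can re-verify the pin against the same source rather than a re-downloaded file. Pinning the third-party patch by sha256 is the right call, since the Buildroot download step will then refuse a changed file served from salsa.debian.org.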
diff --git a/package/lynx/lynx.mk b/package/lynx/lynx.mk
index d115682d64..44d52d90a5 100644
--- a/package/lynx/lynx.mk
+++ b/package/lynx/lynx.mk
@@ -7,6 +7,10 @@
 LYNX_VERSION = 2.8.9rel.1
 LYNX_SOURCE = lynx$(LYNX_VERSION).tar.bz2
 LYNX_SITE = ftp://ftp.invisible-island.net/lynx/tarballs
+LYNX_PATCH = \
+	https://salsa.debian.org/lynx-team/lynx/-/raw/debian/2.9.0dev.6-3_deb11u1/debian/patches/90_CVE-2021-38165.patch
+# 90_CVE-2021-38165.patch
+LYNX_IGNORE_CVES += CVE-2021-38165
 LYNX_LICENSE = GPL-2.0
 LYNX_LICENSE_FILES = COPYING
 
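Review bot: LYNX_PATCH points at a patch from Debian's 2.9.0dev.6 packaging while LYNX_VERSION is still 2.8.9rel.1, and the hunk gives no indication that 90_CVE-2021-38165.patch applies cleanly to that older tree; please confirm it applies without fuzz and state so in the commit message (or note any offset), since a silently mis-applied patch would leave LYNX_IGNORE_CVES claiming a fix that is not built in. The "# 90_CVE-2021-38165.patch" comment preceding LYNX_IGNORE_CVES follows the usual Buildroot convention for justifying an ignored CVE, which is good.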
-- 
2.20.1

_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
