* [Buildroot] [PATCH] package/lynx: add security patch for CVE-2021-38165
From: Peter Korsgaard @ 2021-09-21 9:32 UTC
To: buildroot; +Cc: Mario Lang
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which
allows remote attackers to discover cleartext credentials because they may
appear in SNI data.
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
Upstream unfortunately does not provide a public VCS (only source
snapshots), so fetch the security patch from Debian.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/lynx/lynx.hash | 1 +
package/lynx/lynx.mk | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/package/lynx/lynx.hash b/package/lynx/lynx.hash
index 76d7614a7c..62e2555a99 100644
--- a/package/lynx/lynx.hash
+++ b/package/lynx/lynx.hash
@@ -1,3 +1,4 @@
# Locally calculated:
sha256 387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595 lynx2.8.9rel.1.tar.bz2
+sha256 b2207e757dbbefc34a20a32b1b4a216b4a4316e1dc812bceca4ac6294871119a 90_CVE-2021-38165.patch
sha256 8406a30ff3134ec23cf752d1ceda92ddaabbe41b4f2dc07ea3cfa139de12d6d6 COPYING
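Review bot: The added sha256 line for 90_CVE-2021-38165.patch sits under the existing "# Locally calculated:" comment, so this digest is the only integrity anchor for a file that lynx.mk now downloads from a third-party URL. It would help to say in the commit message that the patch content was read before it was hashed, so a later reviewer knows the pinned bytes were inspected and not just downloaded and summed.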
diff --git a/package/lynx/lynx.mk b/package/lynx/lynx.mk
index d115682d64..44d52d90a5 100644
--- a/package/lynx/lynx.mk
+++ b/package/lynx/lynx.mk
@@ -7,6 +7,10 @@
LYNX_VERSION = 2.8.9rel.1
LYNX_SOURCE = lynx$(LYNX_VERSION).tar.bz2
LYNX_SITE = ftp://ftp.invisible-island.net/lynx/tarballs
+LYNX_PATCH = \
+ https://salsa.debian.org/lynx-team/lynx/-/raw/debian/2.9.0dev.6-3_deb11u1/debian/patches/90_CVE-2021-38165.patch
+# 90_CVE-2021-38165.patch
+LYNX_IGNORE_CVES += CVE-2021-38165
LYNX_LICENSE = GPL-2.0
LYNX_LICENSE_FILES = COPYING
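Review bot: The LYNX_PATCH URL points at the Debian tag debian/2.9.0dev.6-3_deb11u1 while LYNX_VERSION stays at 2.8.9rel.1, and the commit message does not say the patch was checked to apply and build against the 2.8.9rel.1 tarball; please state that, since LYNX_IGNORE_CVES += CVE-2021-38165 marks the CVE as handled on the strength of this patch alone. The URL also references a tag name, not a commit id: the hash in lynx.hash catches changed content, but a moved or deleted tag would break the download, so carrying the patch file in package/lynx/ is an alternative worth considering.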
--
2.20.1
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/lynx: add security patch for CVE-2021-38165
From: Arnout Vandecappelle @ 2021-09-22 19:27 UTC
To: Peter Korsgaard, buildroot; +Cc: Mario Lang
On 21/09/2021 11:32, Peter Korsgaard wrote:
> Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which
> allows remote attackers to discover cleartext credentials because they may
> appear in SNI data.
>
> https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
>
> Upstream unfortunately does not provide a public VCS (only source
> snapshots), so fetch the security patch from Debian.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> package/lynx/lynx.hash | 1 +
> package/lynx/lynx.mk | 4 ++++
> 2 files changed, 5 insertions(+)
>
> diff --git a/package/lynx/lynx.hash b/package/lynx/lynx.hash
> index 76d7614a7c..62e2555a99 100644
> --- a/package/lynx/lynx.hash
> +++ b/package/lynx/lynx.hash
> @@ -1,3 +1,4 @@
> # Locally calculated:
> sha256 387f193d7792f9cfada14c60b0e5c0bff18f227d9257a39483e14fa1aaf79595 lynx2.8.9rel.1.tar.bz2
> +sha256 b2207e757dbbefc34a20a32b1b4a216b4a4316e1dc812bceca4ac6294871119a 90_CVE-2021-38165.patch
> sha256 8406a30ff3134ec23cf752d1ceda92ddaabbe41b4f2dc07ea3cfa139de12d6d6 COPYING
> diff --git a/package/lynx/lynx.mk b/package/lynx/lynx.mk
> index d115682d64..44d52d90a5 100644
> --- a/package/lynx/lynx.mk
> +++ b/package/lynx/lynx.mk
> @@ -7,6 +7,10 @@
> LYNX_VERSION = 2.8.9rel.1
> LYNX_SOURCE = lynx$(LYNX_VERSION).tar.bz2
> LYNX_SITE = ftp://ftp.invisible-island.net/lynx/tarballs
> +LYNX_PATCH = \
> + https://salsa.debian.org/lynx-team/lynx/-/raw/debian/2.9.0dev.6-3_deb11u1/debian/patches/90_CVE-2021-38165.patch
> +# 90_CVE-2021-38165.patch
> +LYNX_IGNORE_CVES += CVE-2021-38165
> LYNX_LICENSE = GPL-2.0
> LYNX_LICENSE_FILES = COPYING
>
>