diff options
author | Tatsuya Kinoshita <tats@vega.ocn.ne.jp> | 2011-05-04 07:37:56 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@vega.ocn.ne.jp> | 2011-05-04 07:37:56 +0000 |
commit | 93a6ce5c73d259de8254f19b550324b2d5b5d005 (patch) | |
tree | e79af60d9addb5caca5eaf9063438655512b51d9 | |
parent | Releasing debian version 0.5.2-4 (diff) | |
download | w3m-93a6ce5c73d259de8254f19b550324b2d5b5d005.tar.gz w3m-93a6ce5c73d259de8254f19b550324b2d5b5d005.zip |
Releasing debian version 0.5.2-5debian/0.5.2-5
-rw-r--r-- | debian/changelog | 12 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rw-r--r-- | debian/patches/10_w3m.1-debian-fix.patch (renamed from debian/patches/03-w3m.1-debian-fix) | 0 | ||||
-rw-r--r-- | debian/patches/20_ja-w3m.1-debian-fix.patch (renamed from debian/patches/04-ja-w3m.1-debian-fix) | 0 | ||||
-rw-r--r-- | debian/patches/30_config-debian-fix.patch (renamed from debian/patches/05-config-debian-fix) | 0 | ||||
-rw-r--r-- | debian/patches/40_gnukfreebsd-ftbfs-fix.patch (renamed from debian/patches/06-gnukfreebsd-ftbfs-fix) | 0 | ||||
-rw-r--r-- | debian/patches/50_w3mman-keep-formatting.patch (renamed from debian/patches/10-w3mman-keep-formatting) | 0 | ||||
-rw-r--r-- | debian/patches/60_check-null-cn.patch | 57 | ||||
-rw-r--r-- | debian/patches/70_ssl-init.patch | 25 | ||||
-rw-r--r-- | debian/patches/series | 12 |
10 files changed, 102 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog index d0736d4..0e9235f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +w3m (0.5.2-5) unstable; urgency=high + + * debian/patches/60_check-null-cn.patch: Patch to check for null bytes + in CN/subjAltName, provided by Ludwig Nussel. (Closes: #587445) + [CVE-2010-2074] + * debian/patches/70_ssl-init.patch: Patch to force ssl_verify_server on + and disable SSLv2 support, provided by Ludwig Nussel. + * debian/patches/*: Renumbered. + * debian/control: Update Standards-Version to 3.9.0. + + -- Tatsuya Kinoshita <tats@debian.org> Sat, 03 Jul 2010 19:08:07 +0900 + w3m (0.5.2-4) unstable; urgency=low * debian/control: Move migemo from Recommends to Suggests. diff --git a/debian/control b/debian/control index c81d695..ea84312 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: standard Maintainer: Tatsuya Kinoshita <tats@debian.org> Build-Depends: libgc-dev, libncurses5-dev, libgpmg1-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], zlib1g-dev, libssl-dev, debhelper (>= 7), gawk | awk, libimlib2-dev Homepage: http://sourceforge.net/projects/w3m -Standards-Version: 3.8.4 +Standards-Version: 3.9.0 Package: w3m Architecture: any diff --git a/debian/patches/03-w3m.1-debian-fix b/debian/patches/10_w3m.1-debian-fix.patch index e43dae4..e43dae4 100644 --- a/debian/patches/03-w3m.1-debian-fix +++ b/debian/patches/10_w3m.1-debian-fix.patch diff --git a/debian/patches/04-ja-w3m.1-debian-fix b/debian/patches/20_ja-w3m.1-debian-fix.patch index da9961b..da9961b 100644 --- a/debian/patches/04-ja-w3m.1-debian-fix +++ b/debian/patches/20_ja-w3m.1-debian-fix.patch diff --git a/debian/patches/05-config-debian-fix b/debian/patches/30_config-debian-fix.patch index 0f0818d..0f0818d 100644 --- a/debian/patches/05-config-debian-fix +++ b/debian/patches/30_config-debian-fix.patch diff --git a/debian/patches/06-gnukfreebsd-ftbfs-fix b/debian/patches/40_gnukfreebsd-ftbfs-fix.patch index 8398f4d..8398f4d 100644 --- a/debian/patches/06-gnukfreebsd-ftbfs-fix +++ b/debian/patches/40_gnukfreebsd-ftbfs-fix.patch diff --git a/debian/patches/10-w3mman-keep-formatting b/debian/patches/50_w3mman-keep-formatting.patch index 2e3c81c..2e3c81c 100644 --- a/debian/patches/10-w3mman-keep-formatting +++ b/debian/patches/50_w3mman-keep-formatting.patch diff --git a/debian/patches/60_check-null-cn.patch b/debian/patches/60_check-null-cn.patch new file mode 100644 index 0000000..fdab45c --- /dev/null +++ b/debian/patches/60_check-null-cn.patch @@ -0,0 +1,57 @@ +Description: Check for null bytes in CN/subjAltName +Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4 +Author: Ludwig Nussel <ludwig.nussel@suse.de> +Bug-Debian: http://bugs.debian.org/587445 + +--- w3m-0.5.2.orig/istream.c ++++ w3m-0.5.2/istream.c +@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos + + if (!seen_dnsname) + seen_dnsname = Strnew(); ++ /* replace \0 to make full string visible to user */ ++ if (sl != strlen(sn)) { ++ int i; ++ for (i = 0; i < sl; ++i) { ++ if (!sn[i]) ++ sn[i] = '!'; ++ } ++ } + Strcat_m_charp(seen_dnsname, sn, " ", NULL); +- if (ssl_match_cert_ident(sn, sl, hostname)) ++ if (sl == strlen(sn) /* catch \0 in SAN */ ++ && ssl_match_cert_ident(sn, sl, hostname)) + break; + } + } +@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos + if (match_ident == FALSE && ret == NULL) { + X509_NAME *xn; + char buf[2048]; ++ int slen; + + xn = X509_get_subject_name(x); + +- if (X509_NAME_get_text_by_NID(xn, NID_commonName, +- buf, sizeof(buf)) == -1) ++ slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)); ++ if ( slen == -1) + /* FIXME: gettextize? */ + ret = Strnew_charp("Unable to get common name from peer cert"); +- else if (!ssl_match_cert_ident(buf, strlen(buf), hostname)) ++ else if (slen != strlen(buf) ++ || !ssl_match_cert_ident(buf, strlen(buf), hostname)) { ++ /* replace \0 to make full string visible to user */ ++ if (slen != strlen(buf)) { ++ int i; ++ for (i = 0; i < slen; ++i) { ++ if (!buf[i]) ++ buf[i] = '!'; ++ } ++ } + /* FIXME: gettextize? */ + ret = Sprintf("Bad cert ident %s from %s", buf, hostname); ++ } + else + match_ident = TRUE; + } diff --git a/debian/patches/70_ssl-init.patch b/debian/patches/70_ssl-init.patch new file mode 100644 index 0000000..6d19279 --- /dev/null +++ b/debian/patches/70_ssl-init.patch @@ -0,0 +1,25 @@ +Description: Force ssl_verify_server on and disable SSLv2 support +Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4 +Author: Ludwig Nussel <ludwig.nussel@suse.de> +Bug-Debian: http://bugs.debian.org/587445 + +--- w3m-0.5.2.orig/fm.h ++++ w3m-0.5.2/fm.h +@@ -1120,7 +1120,7 @@ global int view_unseenobject init(TRUE); + #endif + + #if defined(USE_SSL) && defined(USE_SSL_VERIFY) +-global int ssl_verify_server init(FALSE); ++global int ssl_verify_server init(TRUE); + global char *ssl_cert_file init(NULL); + global char *ssl_key_file init(NULL); + global char *ssl_ca_path init(NULL); +@@ -1129,7 +1129,7 @@ global int ssl_path_modified init(FALSE) + #endif /* defined(USE_SSL) && + * defined(USE_SSL_VERIFY) */ + #ifdef USE_SSL +-global char *ssl_forbid_method init(NULL); ++global char *ssl_forbid_method init("2"); + #endif + + global int is_redisplay init(FALSE); diff --git a/debian/patches/series b/debian/patches/series index c9dd892..abb32d3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,5 +1,7 @@ -03-w3m.1-debian-fix -04-ja-w3m.1-debian-fix -05-config-debian-fix -06-gnukfreebsd-ftbfs-fix -10-w3mman-keep-formatting +10_w3m.1-debian-fix.patch +20_ja-w3m.1-debian-fix.patch +30_config-debian-fix.patch +40_gnukfreebsd-ftbfs-fix.patch +50_w3mman-keep-formatting.patch +60_check-null-cn.patch +70_ssl-init.patch |