aboutsummaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
authorTatsuya Kinoshita <tats@vega.ocn.ne.jp>2011-05-04 07:37:56 +0000
committerTatsuya Kinoshita <tats@vega.ocn.ne.jp>2011-05-04 07:37:56 +0000
commit93a6ce5c73d259de8254f19b550324b2d5b5d005 (patch)
treee79af60d9addb5caca5eaf9063438655512b51d9 /debian
parentReleasing debian version 0.5.2-4 (diff)
downloadw3m-93a6ce5c73d259de8254f19b550324b2d5b5d005.tar.gz
w3m-93a6ce5c73d259de8254f19b550324b2d5b5d005.zip
Releasing debian version 0.5.2-5debian/0.5.2-5
Diffstat (limited to '')
-rw-r--r--debian/changelog12
-rw-r--r--debian/control2
-rw-r--r--debian/patches/10_w3m.1-debian-fix.patch (renamed from debian/patches/03-w3m.1-debian-fix)0
-rw-r--r--debian/patches/20_ja-w3m.1-debian-fix.patch (renamed from debian/patches/04-ja-w3m.1-debian-fix)0
-rw-r--r--debian/patches/30_config-debian-fix.patch (renamed from debian/patches/05-config-debian-fix)0
-rw-r--r--debian/patches/40_gnukfreebsd-ftbfs-fix.patch (renamed from debian/patches/06-gnukfreebsd-ftbfs-fix)0
-rw-r--r--debian/patches/50_w3mman-keep-formatting.patch (renamed from debian/patches/10-w3mman-keep-formatting)0
-rw-r--r--debian/patches/60_check-null-cn.patch57
-rw-r--r--debian/patches/70_ssl-init.patch25
-rw-r--r--debian/patches/series12
10 files changed, 102 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog
index d0736d4..0e9235f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+w3m (0.5.2-5) unstable; urgency=high
+
+ * debian/patches/60_check-null-cn.patch: Patch to check for null bytes
+ in CN/subjAltName, provided by Ludwig Nussel. (Closes: #587445)
+ [CVE-2010-2074]
+ * debian/patches/70_ssl-init.patch: Patch to force ssl_verify_server on
+ and disable SSLv2 support, provided by Ludwig Nussel.
+ * debian/patches/*: Renumbered.
+ * debian/control: Update Standards-Version to 3.9.0.
+
+ -- Tatsuya Kinoshita <tats@debian.org> Sat, 03 Jul 2010 19:08:07 +0900
+
w3m (0.5.2-4) unstable; urgency=low
* debian/control: Move migemo from Recommends to Suggests.
diff --git a/debian/control b/debian/control
index c81d695..ea84312 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: standard
Maintainer: Tatsuya Kinoshita <tats@debian.org>
Build-Depends: libgc-dev, libncurses5-dev, libgpmg1-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], zlib1g-dev, libssl-dev, debhelper (>= 7), gawk | awk, libimlib2-dev
Homepage: http://sourceforge.net/projects/w3m
-Standards-Version: 3.8.4
+Standards-Version: 3.9.0
Package: w3m
Architecture: any
diff --git a/debian/patches/03-w3m.1-debian-fix b/debian/patches/10_w3m.1-debian-fix.patch
index e43dae4..e43dae4 100644
--- a/debian/patches/03-w3m.1-debian-fix
+++ b/debian/patches/10_w3m.1-debian-fix.patch
diff --git a/debian/patches/04-ja-w3m.1-debian-fix b/debian/patches/20_ja-w3m.1-debian-fix.patch
index da9961b..da9961b 100644
--- a/debian/patches/04-ja-w3m.1-debian-fix
+++ b/debian/patches/20_ja-w3m.1-debian-fix.patch
diff --git a/debian/patches/05-config-debian-fix b/debian/patches/30_config-debian-fix.patch
index 0f0818d..0f0818d 100644
--- a/debian/patches/05-config-debian-fix
+++ b/debian/patches/30_config-debian-fix.patch
diff --git a/debian/patches/06-gnukfreebsd-ftbfs-fix b/debian/patches/40_gnukfreebsd-ftbfs-fix.patch
index 8398f4d..8398f4d 100644
--- a/debian/patches/06-gnukfreebsd-ftbfs-fix
+++ b/debian/patches/40_gnukfreebsd-ftbfs-fix.patch
diff --git a/debian/patches/10-w3mman-keep-formatting b/debian/patches/50_w3mman-keep-formatting.patch
index 2e3c81c..2e3c81c 100644
--- a/debian/patches/10-w3mman-keep-formatting
+++ b/debian/patches/50_w3mman-keep-formatting.patch
diff --git a/debian/patches/60_check-null-cn.patch b/debian/patches/60_check-null-cn.patch
new file mode 100644
index 0000000..fdab45c
--- /dev/null
+++ b/debian/patches/60_check-null-cn.patch
@@ -0,0 +1,57 @@
+Description: Check for null bytes in CN/subjAltName
+Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+Author: Ludwig Nussel <ludwig.nussel@suse.de>
+Bug-Debian: http://bugs.debian.org/587445
+
+--- w3m-0.5.2.orig/istream.c
++++ w3m-0.5.2/istream.c
+@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hos
+
+ if (!seen_dnsname)
+ seen_dnsname = Strnew();
++ /* replace \0 to make full string visible to user */
++ if (sl != strlen(sn)) {
++ int i;
++ for (i = 0; i < sl; ++i) {
++ if (!sn[i])
++ sn[i] = '!';
++ }
++ }
+ Strcat_m_charp(seen_dnsname, sn, " ", NULL);
+- if (ssl_match_cert_ident(sn, sl, hostname))
++ if (sl == strlen(sn) /* catch \0 in SAN */
++ && ssl_match_cert_ident(sn, sl, hostname))
+ break;
+ }
+ }
+@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hos
+ if (match_ident == FALSE && ret == NULL) {
+ X509_NAME *xn;
+ char buf[2048];
++ int slen;
+
+ xn = X509_get_subject_name(x);
+
+- if (X509_NAME_get_text_by_NID(xn, NID_commonName,
+- buf, sizeof(buf)) == -1)
++ slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
++ if ( slen == -1)
+ /* FIXME: gettextize? */
+ ret = Strnew_charp("Unable to get common name from peer cert");
+- else if (!ssl_match_cert_ident(buf, strlen(buf), hostname))
++ else if (slen != strlen(buf)
++ || !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
++ /* replace \0 to make full string visible to user */
++ if (slen != strlen(buf)) {
++ int i;
++ for (i = 0; i < slen; ++i) {
++ if (!buf[i])
++ buf[i] = '!';
++ }
++ }
+ /* FIXME: gettextize? */
+ ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
++ }
+ else
+ match_ident = TRUE;
+ }
diff --git a/debian/patches/70_ssl-init.patch b/debian/patches/70_ssl-init.patch
new file mode 100644
index 0000000..6d19279
--- /dev/null
+++ b/debian/patches/70_ssl-init.patch
@@ -0,0 +1,25 @@
+Description: Force ssl_verify_server on and disable SSLv2 support
+Origin: http://www.openwall.com/lists/oss-security/2010/06/14/4
+Author: Ludwig Nussel <ludwig.nussel@suse.de>
+Bug-Debian: http://bugs.debian.org/587445
+
+--- w3m-0.5.2.orig/fm.h
++++ w3m-0.5.2/fm.h
+@@ -1120,7 +1120,7 @@ global int view_unseenobject init(TRUE);
+ #endif
+
+ #if defined(USE_SSL) && defined(USE_SSL_VERIFY)
+-global int ssl_verify_server init(FALSE);
++global int ssl_verify_server init(TRUE);
+ global char *ssl_cert_file init(NULL);
+ global char *ssl_key_file init(NULL);
+ global char *ssl_ca_path init(NULL);
+@@ -1129,7 +1129,7 @@ global int ssl_path_modified init(FALSE)
+ #endif /* defined(USE_SSL) &&
+ * defined(USE_SSL_VERIFY) */
+ #ifdef USE_SSL
+-global char *ssl_forbid_method init(NULL);
++global char *ssl_forbid_method init("2");
+ #endif
+
+ global int is_redisplay init(FALSE);
diff --git a/debian/patches/series b/debian/patches/series
index c9dd892..abb32d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,7 @@
-03-w3m.1-debian-fix
-04-ja-w3m.1-debian-fix
-05-config-debian-fix
-06-gnukfreebsd-ftbfs-fix
-10-w3mman-keep-formatting
+10_w3m.1-debian-fix.patch
+20_ja-w3m.1-debian-fix.patch
+30_config-debian-fix.patch
+40_gnukfreebsd-ftbfs-fix.patch
+50_w3mman-keep-formatting.patch
+60_check-null-cn.patch
+70_ssl-init.patch