Resolves: CVE-2021-38165 - fix disclosure of HTTP auth credentials via SNI data

2021-08-31 13:28:54 +02:00 · 2021-08-31 13:28:54 +02:00 · 8f0f4500b8
commit 8f0f4500b8
parent 5a55c2e0c0
2 changed files with 59 additions and 1 deletions
--- a/lynx-2.8.9-CVE-2021-38165.patch
+++ b/lynx-2.8.9-CVE-2021-38165.patch
@ -0,0 +1,51 @@
+From e786483fb4b6fd2460c9a58ad7074e82ecf91747 Mon Sep 17 00:00:00 2001
+From: Tomas Hoger <thoger@redhat.com>
+Date: Thu, 19 Aug 2021 16:50:02 +0200
+Subject: [PATCH] Upstream patch for CVE-2021-38165
+
+Extracted from lynx 2.9.0dev.9.
+
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1994998#c2
+---
+ WWW/Library/Implementation/HTTP.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/WWW/Library/Implementation/HTTP.c b/WWW/Library/Implementation/HTTP.c
+index 41ab849..4a50b41 100644
+--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
+@@ -762,6 +762,23 @@ static char *StripIpv6Brackets(char *host)
+ }
+ #endif
+ 
+/*
+ * Remove user/password, if any, from the given host-string.
+ */
+#ifdef USE_SSL
+static char *StripUserAuthents(char *host)
+{
+    char *p = strchr(host, '@');
+
+    if (p != NULL) {
+	char *q = host;
+
+	while ((*q++ = *++p) != '\0') ;
+    }
+    return host;
+}
+#endif
+
+ /*		Load Document from HTTP Server			HTLoadHTTP()
+  *		==============================
+  *
+@@ -957,6 +974,7 @@ static int HTLoadHTTP(const char *arg,
+ 	/* get host we're connecting to */
+ 	ssl_host = HTParse(url, "", PARSE_HOST);
+ 	ssl_host = StripIpv6Brackets(ssl_host);
+	ssl_host = StripUserAuthents(ssl_host);
+ #if defined(USE_GNUTLS_FUNCS)
+ 	ret = gnutls_server_name_set(handle->gnutls_state,
+ 				     GNUTLS_NAME_DNS,
+-- 
+2.31.1
+
--- a/lynx.spec
+++ b/lynx.spec
@ -3,7 +3,7 @@
 Summary: A text-based Web browser
 Name: lynx
 Version: 2.8.9
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2
 Source: https://invisible-mirror.net/archives/lynx/tarballs/lynx%{version}rel.%{devrel}.tar.bz2
 URL: http://lynx.browser.org/
@ -26,6 +26,9 @@ Patch3: lynx-2.8.8-locale.patch
 # fix bugs detected by static analysis
 Patch4: lynx-2.8.9-static-analysis.patch

+# fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165)
+Patch5: lynx-2.8.9-CVE-2021-38165.patch
+
 Provides: webclient
 Provides: text-www-browser
 BuildRequires: dos2unix
@ -58,6 +61,7 @@ exits quickly and swiftly displays web pages.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
 sed -e "s,^HELPFILE:.*,HELPFILE:file://localhost%{_pkgdocdir}/lynx_help/lynx_help_main.html,g" -i lynx.cfg
@ -135,6 +139,9 @@ EOF
 %config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg

 %changelog
+* Tue Aug 31 2021 Kamil Dudka <kdudka@redhat.com> - 2.8.9-13
+- fix disclosure of HTTP auth credentials via SNI data (CVE-2021-38165)
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.9-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild