diff options
| author |   Mike Frysinger <vapier@gentoo.org> | 2011-02-20 18:30:02 +0000 |
|---|---|---|
| committer | Mike Frysinger <vapier@gentoo.org> | 2011-02-20 18:30:02 +0000 |
| commit | 29336f6b3af3075a74da1881bcd5fa84e9f8e66b (patch) | |
| tree | c7685e442716bda47fd66f55b27fafe48058d214 | |
| parent | Correct -berkdb option to configure script. Thanks to Jan Psota. Remove old. (diff) | |
| download | gentoo-2-29336f6b3af3075a74da1881bcd5fa84e9f8e66b.tar.gz gentoo-2-29336f6b3af3075a74da1881bcd5fa84e9f8e66b.tar.bz2 gentoo-2-29336f6b3af3075a74da1881bcd5fa84e9f8e66b.zip | |
Add patch from Debian to fix SSL verification issues #253847 by Bruno Buss.
(Portage version: 2.2.0_alpha24/cvs/Linux x86_64)
| -rw-r--r-- | www-client/links/ChangeLog | 8 | ||||
| -rw-r--r-- | www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch | 65 | ||||
| -rw-r--r-- | www-client/links/links-2.3_pre1-r1.ebuild | 131 |
3 files changed, 203 insertions, 1 deletions
diff --git a/www-client/links/ChangeLog b/www-client/links/ChangeLog index 8f43cfc9c839..962d32255829 100644 --- a/www-client/links/ChangeLog +++ b/www-client/links/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for www-client/links # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-client/links/ChangeLog,v 1.126 2011/02/20 17:59:29 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-client/links/ChangeLog,v 1.127 2011/02/20 18:30:01 vapier Exp $ + +*links-2.3_pre1-r1 (20 Feb 2011) + + 20 Feb 2011; Mike Frysinger <vapier@gentoo.org> +links-2.3_pre1-r1.ebuild, + +files/links-2.3_pre1-verify-ssl-certs.patch: + Add patch from Debian to fix SSL verification issues #253847 by Bruno Buss. 20 Feb 2011; Mike Frysinger <vapier@gentoo.org> links-2.3_pre1.ebuild, +files/links-2.3_pre1-libpng-1.5.patch: diff --git a/www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch b/www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch new file mode 100644 index 000000000000..05975972e5f1 --- /dev/null +++ b/www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch @@ -0,0 +1,65 @@ +snipped from Debian +http://bugs.gentoo.org/253847 + +Patch to abort if SSL certificate isn't valid to fix #510417. + +Patch by Mats Erik Andersson <mats.andersson@gisladisker.se> as posted at +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510417 + +Index: links2-2.3pre1/https.c +=================================================================== +--- links2-2.3pre1.orig/https.c 2009-05-17 21:33:01.000000000 +0200 ++++ links2-2.3pre1/https.c 2010-07-08 18:36:22.000000000 +0200 +@@ -25,8 +25,40 @@ + + #ifdef HAVE_SSL + ++#define VERIFY_DEPTH 10 ++ + SSL_CTX *context = NULL; + ++static int verify_cert(int code, X509_STORE_CTX *context) ++{ ++ int error, depth; ++ ++ error = X509_STORE_CTX_get_error(context); ++ depth = X509_STORE_CTX_get_error_depth(context); ++ ++ if (depth > VERIFY_DEPTH) { ++ error = X509_V_ERR_CERT_CHAIN_TOO_LONG; ++ code = 0; ++ } ++ ++ if (!code) { ++ /* Judge self signed certificates as acceptable. */ ++ if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || ++ error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) { ++ code = 1; ++ } else { ++ fprintf(stderr, "Verification failure: %s\n", ++ X509_verify_cert_error_string(error)); ++ if (depth > VERIFY_DEPTH) { ++ fprintf(stderr, "Excessive depth %d, set depth %d.\n", ++ depth, VERIFY_DEPTH); ++ } ++ } ++ } ++ ++ return code; ++} /* verify_cert */ ++ + SSL *getSSL(void) + { + if (!context) { +@@ -44,8 +76,10 @@ + if (!m) return NULL; + context = SSL_CTX_new(m); + if (!context) return NULL; +- SSL_CTX_set_options(context, SSL_OP_ALL); ++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_ALL); ++ SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_default_verify_paths(context); ++ SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert); + /* needed for systems without /dev/random, but obviously kills security. */ + /*{ + char pool[32768]; diff --git a/www-client/links/links-2.3_pre1-r1.ebuild b/www-client/links/links-2.3_pre1-r1.ebuild new file mode 100644 index 000000000000..e8442bb420f8 --- /dev/null +++ b/www-client/links/links-2.3_pre1-r1.ebuild @@ -0,0 +1,131 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/www-client/links/links-2.3_pre1-r1.ebuild,v 1.1 2011/02/20 18:30:01 vapier Exp $ + +# SDL support is disabled in this version by upstream + +EAPI="2" + +inherit eutils autotools + +# To handle pre-version ... +MY_P="${P/_/}" +DESCRIPTION="links is a fast lightweight text and graphic web-browser" +HOMEPAGE="http://links.twibright.com/" +SRC_URI="http://links.twibright.com/download/${MY_P}.tar.bz2" + +LICENSE="GPL-2" +SLOT="2" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x86-fbsd ~ia64-hpux ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris" +IUSE="bzip2 directfb fbcon gpm jpeg livecd ssl svga tiff unicode X zlib" + +# Note: if X or fbcon usegflag are enabled, links will be built in graphic +# mode. libpng is required to compile links in graphic mode +# (not required in text mode), so let's add libpng for X? and fbcon? + +# We've also made USE=livecd compile in graphics mode. This closes bug #75685. + +# sdl? ( >=media-libs/libsdl-1.2.0 ) +RDEPEND="ssl? ( >=dev-libs/openssl-0.9.6c ) + gpm? ( sys-libs/gpm ) + jpeg? ( virtual/jpeg ) + fbcon? ( + >=media-libs/libpng-1.4 + virtual/jpeg + sys-libs/gpm + ) + tiff? ( >=media-libs/tiff-3.5.7 ) + svga? ( + >=media-libs/svgalib-1.4.3 + >=media-libs/libpng-1.4 + ) + X? ( + x11-libs/libXext + >=media-libs/libpng-1.4 + ) + directfb? ( dev-libs/DirectFB ) + sys-libs/ncurses + livecd? ( + >=media-libs/libpng-1.4 + virtual/jpeg + sys-libs/gpm + )" +DEPEND="${RDEPEND} + dev-util/pkgconfig" + +S="${WORKDIR}/${MY_P}" + +src_prepare() { + epatch "${FILESDIR}"/${P}-libpng-1.5.patch + epatch "${FILESDIR}"/${P}-verify-ssl-certs.patch #253847 + + if use unicode ; then + pushd intl >/dev/null + ./gen-intl || die + ./synclang || die + popd >/dev/null + fi + + # Upstream configure produced by broken autoconf-2.13. See #131440 and + # #103483#c23. This also fixes toolchain detection. + eautoconf || die +} + +src_configure() { + local myconf + + if use X || use fbcon || use directfb || use svga || use livecd ; then + myconf="${myconf} --enable-graphics" + fi + + # Note: --enable-static breaks. + + # Note: ./configure only support 'gpm' features auto-detection, so + # we use the autoconf trick + ( use gpm || use fbcon || use livecd ) || export ac_cv_lib_gpm_Gpm_Open="no" + + if use fbcon || use livecd ; then + myconf="${myconf} --with-fb" + else + myconf="${myconf} --without-fb" + fi + + # force --with-libjpeg if livecd flag is set + if use livecd ; then + myconf="${myconf} --with-libjpeg" + fi + + # $(use_with sdl) + econf \ + $(use_with X x) \ + $(use_with jpeg libjpeg) \ + $(use_with tiff libtiff) \ + $(use_with svga svgalib) \ + $(use_with directfb) \ + $(use_with ssl) \ + $(use_with zlib) \ + $(use_with bzip2) \ + ${myconf} +} + +src_install() { + emake install DESTDIR="${D}" || die + + # Only install links icon if X driver was compiled in ... + use X && doicon graphics/links.xpm + + dodoc AUTHORS BUGS ChangeLog NEWS README SITES TODO + dohtml doc/links_cal/* + + # Install a compatibility symlink links2: + dosym links /usr/bin/links2 +} + +pkg_postinst() { + if use svga ; then + elog "You had the svga USE flag enabled, but for security reasons" + elog "the links2 binary is NOT setuid by default. In order to" + elog "enable links2 to work in SVGA, please change the permissions" + elog "of /usr/bin/links2 to enable suid." + fi +} |