Add patch from Debian to fix SSL verification issues #253847 by Bruno Buss.

Package-Manager: portage-2.2.0_alpha24/cvs/Linux x86_64

4 files changed, 209 insertions, 5 deletions

diff --git a/www-client/links/ChangeLog b/www-client/links/ChangeLog
index 8f43cfc9c839..962d32255829 100644
--- a/www-client/links/ChangeLog
+++ b/www-client/links/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for www-client/links
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-client/links/ChangeLog,v 1.126 2011/02/20 17:59:29 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-client/links/ChangeLog,v 1.127 2011/02/20 18:30:01 vapier Exp $
+
+*links-2.3_pre1-r1 (20 Feb 2011)
+
+  20 Feb 2011; Mike Frysinger <vapier@gentoo.org> +links-2.3_pre1-r1.ebuild,
+  +files/links-2.3_pre1-verify-ssl-certs.patch:
+  Add patch from Debian to fix SSL verification issues #253847 by Bruno Buss.
 
   20 Feb 2011; Mike Frysinger <vapier@gentoo.org> links-2.3_pre1.ebuild,
   +files/links-2.3_pre1-libpng-1.5.patch:
diff --git a/www-client/links/Manifest b/www-client/links/Manifest
index 8a1a128c81d6..89f42618f72c 100644
--- a/www-client/links/Manifest
+++ b/www-client/links/Manifest
@@ -3,17 +3,19 @@ Hash: SHA256
 
 AUX configure-LANG.patch 2052 RMD160 91f5b90600dfccb10c4e2308a5a1485275fdfeee SHA1 56ecd1d6f2e4bd0b35ac108be72a4f6f60212c38 SHA256 63de6d2dcfe14f21d147abeb1390405b9220c03f8e968f482d4b4c1cf279c88b
 AUX links-2.3_pre1-libpng-1.5.patch 1232 RMD160 999358a40826d30d55eb4222358f71a7f30af9a1 SHA1 13018fbd6e89d3d64bfe436f1e681dec03b5cb15 SHA256 9109075a010ffe68f5b295a70adf573f5ec77d2ff204a7768b8f78e64eb6256a
+AUX links-2.3_pre1-verify-ssl-certs.patch 1840 RMD160 7f38e7ddb1af06fc55cd23a749c02a7afbc0f8c3 SHA1 4726405578261027c3d28177eae02d4d808c480f SHA256 5fb7df573de849a2bfa7ad9b7c6ce150afe3f2c42a862945fabd57ca5ae66c34
 DIST links-2.1pre33-utf8.diff.bz2 4793 RMD160 e946efd34031bd1176b39278ef19b6536214738a SHA1 bc6800c89d5a33caffdb69f20e14126885eee7bc SHA256 a34de30b787e6bab984cd5000c7a576f157437f622e9fe3a076808769a56db75
 DIST links-2.2.tar.bz2 3832115 RMD160 fe051b2655a67e004fdf682045349664611a3101 SHA1 7588c151e98057f83a2e0b81b3f467e7eee9f824 SHA256 d3c60ff425bec5aacd1b15578a643c03090ad73fbb404f6ce8ee8c6219bdbc6d
 DIST links-2.3pre1.tar.bz2 3832651 RMD160 f0cfc8c48c7d5fb759ac58b7f7a00275480ac3de SHA1 6d420a5c4514b45ee245fd3933d2a8cfa6eae76d SHA256 21ab49f2f24359ef2d0e634a7926f76419084bd792af28746323b2f16c229bde
 EBUILD links-2.2.ebuild 3709 RMD160 dc6be1dee2fd49038e38b774268ded2b2ab33038 SHA1 1b38bbc5b54204bdbcb93727da8f7a1cc4705949 SHA256 16643bf5c60048806cd586960a4bac7a7fc70c1c2700bd976fa00bb921bc6ae1
+EBUILD links-2.3_pre1-r1.ebuild 3478 RMD160 c97c88961311b628cb0a45c65c349f653f6a3f2c SHA1 b50a553f395b9945a52b6eefea64574ecf4c5090 SHA256 1170b16a06b57774c4e20af8fd8ad3230585bd7a584501387a90daed147bafd4
 EBUILD links-2.3_pre1.ebuild 3417 RMD160 f38281f12fba9658860422c093eaecebfa39f100 SHA1 9a08e1ef145f49f49093f059ab839b20077e8f65 SHA256 b30f06eb343fa1c5023ecf7a0170b881acdee47e84b690bf45bd8beda427e7df
-MISC ChangeLog 27593 RMD160 209e4baa32ec308b5e00504b5801adab0c4f5c73 SHA1 40d860766494b4330aa23d4c73336cb4bd28e830 SHA256 0e016d34e2f6c707b259c03632ff82670a7abd33aaea88d47e23303520cf3445
+MISC ChangeLog 27831 RMD160 3499c4b547253480a6fddf50f94e98e49c56435b SHA1 e9e35ef34e0c4c89b2803f8c2b0bcb069abec99d SHA256 b13c8cb37dfb1bb543466f57635699f0ca948787e987fb49c38f9589479b8d7b
 MISC metadata.xml 258 RMD160 0b90768495f1b1c9526868f42acb9d57a7755f8a SHA1 832935fff75730ec522cf03fb8f9b349f5cf2be0 SHA256 8d2e5dab18805dccb701c1d05eddedc6b16233bf3dd3d0b2fbd05321359e56e3
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.17 (GNU/Linux)
 
-iF4EAREIAAYFAk1hVogACgkQaC/OocHi7JbXmwD/V8BWp8GtdPwk8DdTwBOmS+dq
-1KwBbLdeQOK7zPt/w74A/1q2qUZgmwq+R+Bcq8sFF5YYCBbf3Izfitq9P+Pyz7Hh
-=9FIx
+iF4EAREIAAYFAk1hXbEACgkQaC/OocHi7JZhXwD7BWBW2NKzkechN9bHxRFpI+ZI
+bR5Ak0fXny+SRtY4g5cA/i84k675GX047rJG6vsRcLW62SQj153SxHl7U2o1M0P0
+=65ky
 -----END PGP SIGNATURE-----
diff --git a/www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch b/www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch
new file mode 100644
index 000000000000..05975972e5f1
--- /dev/null
+++ b/www-client/links/files/links-2.3_pre1-verify-ssl-certs.patch
@@ -0,0 +1,65 @@
+snipped from Debian
+http://bugs.gentoo.org/253847
+
+Patch to abort if SSL certificate isn't valid to fix #510417.
+
+Patch by Mats Erik Andersson <mats.andersson@gisladisker.se> as posted at 
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510417
+
+Index: links2-2.3pre1/https.c
+===================================================================
+--- links2-2.3pre1.orig/https.c	2009-05-17 21:33:01.000000000 +0200
++++ links2-2.3pre1/https.c	2010-07-08 18:36:22.000000000 +0200
+@@ -25,8 +25,40 @@
+ 
+ #ifdef HAVE_SSL
+ 
++#define VERIFY_DEPTH	10
++
+ SSL_CTX *context = NULL;
+ 
++static int verify_cert(int code, X509_STORE_CTX *context)
++{
++	int error, depth;
++
++	error = X509_STORE_CTX_get_error(context);
++	depth = X509_STORE_CTX_get_error_depth(context);
++
++	if (depth > VERIFY_DEPTH) {
++		error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
++		code = 0;
++	}
++
++	if (!code) {
++		/* Judge self signed certificates as acceptable. */
++		if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
++				error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
++			code = 1;
++		} else {
++			fprintf(stderr, "Verification failure: %s\n",
++						X509_verify_cert_error_string(error));
++			if (depth > VERIFY_DEPTH) {
++				fprintf(stderr, "Excessive depth %d, set depth %d.\n",
++							depth, VERIFY_DEPTH);
++			}
++		}
++	}
++
++	return code;
++} /* verify_cert */
++
+ SSL *getSSL(void)
+ {
+ 	if (!context) {
+@@ -44,8 +76,10 @@
+ 		if (!m) return NULL;
+ 		context = SSL_CTX_new(m);
+ 		if (!context) return NULL;
+-		SSL_CTX_set_options(context, SSL_OP_ALL);
++		SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_ALL);
++		SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
+ 		SSL_CTX_set_default_verify_paths(context);
++		SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert);
+ /* needed for systems without /dev/random, but obviously kills security. */
+ 		/*{
+ 			char pool[32768];
diff --git a/www-client/links/links-2.3_pre1-r1.ebuild b/www-client/links/links-2.3_pre1-r1.ebuild
new file mode 100644
index 000000000000..e8442bb420f8
--- /dev/null
+++ b/www-client/links/links-2.3_pre1-r1.ebuild
@@ -0,0 +1,131 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-client/links/links-2.3_pre1-r1.ebuild,v 1.1 2011/02/20 18:30:01 vapier Exp $
+
+# SDL support is disabled in this version by upstream
+
+EAPI="2"
+
+inherit eutils autotools
+
+# To handle pre-version ...
+MY_P="${P/_/}"
+DESCRIPTION="links is a fast lightweight text and graphic web-browser"
+HOMEPAGE="http://links.twibright.com/"
+SRC_URI="http://links.twibright.com/download/${MY_P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x86-fbsd ~ia64-hpux ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 directfb fbcon gpm jpeg livecd ssl svga tiff unicode X zlib"
+
+# Note: if X or fbcon usegflag are enabled, links will be built in graphic
+# mode. libpng is required to compile links in graphic mode
+# (not required in text mode), so let's add libpng for X? and fbcon?
+
+# We've also made USE=livecd compile in graphics mode.  This closes bug #75685.
+
+#	sdl? ( >=media-libs/libsdl-1.2.0 )
+RDEPEND="ssl? ( >=dev-libs/openssl-0.9.6c )
+	gpm? ( sys-libs/gpm )
+	jpeg? ( virtual/jpeg )
+	fbcon? (
+		>=media-libs/libpng-1.4
+		virtual/jpeg
+		sys-libs/gpm
+	)
+	tiff? ( >=media-libs/tiff-3.5.7 )
+	svga? (
+		>=media-libs/svgalib-1.4.3
+		>=media-libs/libpng-1.4
+	)
+	X? (
+		x11-libs/libXext
+		>=media-libs/libpng-1.4
+	)
+	directfb? ( dev-libs/DirectFB )
+	sys-libs/ncurses
+	livecd? (
+		>=media-libs/libpng-1.4
+		virtual/jpeg
+		sys-libs/gpm
+	)"
+DEPEND="${RDEPEND}
+	dev-util/pkgconfig"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+	epatch "${FILESDIR}"/${P}-libpng-1.5.patch
+	epatch "${FILESDIR}"/${P}-verify-ssl-certs.patch #253847
+
+	if use unicode ; then
+		pushd intl >/dev/null
+		./gen-intl || die
+		./synclang || die
+		popd >/dev/null
+	fi
+
+	# Upstream configure produced by broken autoconf-2.13.  See #131440 and
+	# #103483#c23.  This also fixes toolchain detection.
+	eautoconf || die
+}
+
+src_configure() {
+	local myconf
+
+	if use X || use fbcon || use directfb || use svga || use livecd ; then
+		myconf="${myconf} --enable-graphics"
+	fi
+
+	# Note: --enable-static breaks.
+
+	# Note: ./configure only support 'gpm' features auto-detection, so
+	# we use the autoconf trick
+	( use gpm || use fbcon || use livecd ) || export ac_cv_lib_gpm_Gpm_Open="no"
+
+	if use fbcon || use livecd ; then
+		myconf="${myconf} --with-fb"
+	else
+		myconf="${myconf} --without-fb"
+	fi
+
+	# force --with-libjpeg if livecd flag is set
+	if use livecd ; then
+		myconf="${myconf} --with-libjpeg"
+	fi
+
+	#	$(use_with sdl)
+	econf \
+		$(use_with X x) \
+		$(use_with jpeg libjpeg) \
+		$(use_with tiff libtiff) \
+		$(use_with svga svgalib) \
+		$(use_with directfb) \
+		$(use_with ssl) \
+		$(use_with zlib) \
+		$(use_with bzip2) \
+		${myconf}
+}
+
+src_install() {
+	emake install DESTDIR="${D}" || die
+
+	# Only install links icon if X driver was compiled in ...
+	use X && doicon graphics/links.xpm
+
+	dodoc AUTHORS BUGS ChangeLog NEWS README SITES TODO
+	dohtml doc/links_cal/*
+
+	# Install a compatibility symlink links2:
+	dosym links /usr/bin/links2
+}
+
+pkg_postinst() {
+	if use svga ; then
+		elog "You had the svga USE flag enabled, but for security reasons"
+		elog "the links2 binary is NOT setuid by default. In order to"
+		elog "enable links2 to work in SVGA, please change the permissions"
+		elog "of /usr/bin/links2 to enable suid."
+	fi
+}