authorStephanie J. Lockwood-Childs <wormo@gentoo.org>2009-07-26 05:55:24 +0000
committerStephanie J. Lockwood-Childs <wormo@gentoo.org>2009-07-26 05:55:24 +0000
commitf39618a5a259980c5139ffae0a6ce72f4e60c8ed (patch)
tree397c3c401bd16fd9a87771b133a67d838712c8e5 /www-client
parentBump -5.7 development version (diff)
Apply patch for CVE-2008-4690 (bug #243058)
(Portage version: 2.1.6.13/cvs/Linux x86_64)
Diffstat (limited to 'www-client')
-rw-r--r--www-client/lynx/ChangeLog6
-rw-r--r--www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch44
-rw-r--r--www-client/lynx/lynx-2.8.6-r2.ebuild8
3 files changed, 56 insertions, 2 deletions
diff --git a/www-client/lynx/ChangeLog b/www-client/lynx/ChangeLog
index ee2b655343de..a36e063395d1 100644
--- a/www-client/lynx/ChangeLog
+++ b/www-client/lynx/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for www-client/lynx
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/ChangeLog,v 1.78 2009/07/26 05:36:10 wormo Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/ChangeLog,v 1.79 2009/07/26 05:55:24 wormo Exp $
+
+ 26 Jul 2009; Stephanie Lockwood-Childs <wormo@gentoo.org>
+ +files/lynx-2.8.6-CVE-2008-4690.patch, lynx-2.8.6-r2.ebuild:
+ Apply patch for CVE-2008-4690 (bug #243058)
25 Jul 2009; Stephanie Lockwood-Childs <wormo@gentoo.org> metadata.xml,
lynx-2.8.6-r2.ebuild:
diff --git a/www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch b/www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch
new file mode 100644
index 000000000000..da2647b49b53
--- /dev/null
+++ b/www-client/lynx/files/lynx-2.8.6-CVE-2008-4690.patch
@@ -0,0 +1,44 @@
+Index: lynx2-8-6/CHANGES
+===================================================================
+--- lynx2-8-6.orig/CHANGES
++++ lynx2-8-6/CHANGES
+@@ -1,6 +1,13 @@
+ Changes since Lynx 2.8 release
+ ===============================================================================
+
++2008-10-26
++* modify patch for CVE-2005-2929 to prompt user before executing command via
++ a lynxcgi link even in advanced mode, as the actual URL may not be shown but
++ hidden behind an HTTP redirect
++* set TRUSTED_LYNXCGI:none in lynx.cfg to disable all lynxcgi URLs by default
++ [CVE-2008-4690]
++
+ 2006-11-15 (2.8.6rel.4 diverges from 2.8.7dev.4)
+ * limit files set via PERSONAL_EXTENSION_MAP and PERSONAL_MAILCAP to be found
+ relative to the user's home directory. This change is less flexible than the
+Index: lynx2-8-6/lynx.cfg
+===================================================================
+--- lynx2-8-6.orig/lynx.cfg
++++ lynx2-8-6/lynx.cfg
+@@ -1026,7 +1026,7 @@ DEFAULT_INDEX_FILE:http://lynx.isc.org/
+ # ====
+ # Do not define this.
+ #
+-#TRUSTED_LYNXCGI:none
++TRUSTED_LYNXCGI:none
+
+
+ .h2 LYNXCGI_ENVIRONMENT
+Index: lynx2-8-6/src/LYCgi.c
+===================================================================
+--- lynx2-8-6.orig/src/LYCgi.c
++++ lynx2-8-6/src/LYCgi.c
+@@ -165,7 +165,7 @@ static BOOL can_exec_cgi(const char *lin
+ if (!exec_ok(HTLoadedDocumentURL(), linktext, CGI_PATH)) {
+ /* exec_ok gives out msg. */
+ result = FALSE;
+- } else if (user_mode < ADVANCED_MODE) {
++ } else {
+ StrAllocCopy(command, linktext);
+ if (non_empty(linkargs)) {
+ HTSprintf(&command, " %s", linkargs);
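Review bot: The LYCgi.c change at `} else {` drops the `user_mode < ADVANCED_MODE` test without a comment saying why, so a later cleanup could restore the mode check and silently remove the confirmation for advanced users again. I would add `/* Always confirm: the real lynxcgi URL may be hidden behind an HTTP redirect (CVE-2008-4690) */` above the `StrAllocCopy(command, linktext);` line. can_exec_cgi starts and ends outside the hunk, so the prompt itself is not visible here. Separately, the `TRUSTED_LYNXCGI:none` default only takes effect through the shipped lynx.cfg. If that file is config-protected on install, existing systems presumably keep the old commented-out line until the admin merges the update, which is worth a line in the ChangeLog or a post-install message.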
diff --git a/www-client/lynx/lynx-2.8.6-r2.ebuild b/www-client/lynx/lynx-2.8.6-r2.ebuild
index 62823c0e33cb..88d0ec6913fa 100644
--- a/www-client/lynx/lynx-2.8.6-r2.ebuild
+++ b/www-client/lynx/lynx-2.8.6-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/lynx-2.8.6-r2.ebuild,v 1.15 2009/07/26 05:36:10 wormo Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-client/lynx/lynx-2.8.6-r2.ebuild,v 1.16 2009/07/26 05:55:24 wormo Exp $
inherit eutils
@@ -40,6 +40,12 @@ pkg_setup() {
fi
}
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-CVE-2008-4690.patch"
+}
+
src_compile() {
local myconf
use unicode && myconf="--with-screen=ncursesw"
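Review bot: The new `src_unpack()` applies a security patch inside the existing `lynx-2.8.6-r2.ebuild`, and no revision bump is visible in this commit, so systems that already have -r2 installed would not be offered a rebuild and would keep the unpatched binary and lynx.cfg. Shipping the change as `lynx-2.8.6-r3.ebuild`, or bumping in a follow-up, would make the fix for CVE-2008-4690 reach installed users. A one-line comment above the `epatch` call, for example `# CVE-2008-4690: confirm lynxcgi execution in all user modes, bug #243058`, would also help whoever has to decide whether the patch can be dropped on the next version bump. src_compile continues past the end of the hunk.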