Hello community, here is the log from the commit of package links checked in at Fri Aug 24 23:40:37 CEST 2007. -------- --- links/links.changes 2007-08-10 16:06:44.000000000 +0200 +++ /mounts/work_src_done/STABLE/links/links.changes 2007-08-22 12:21:35.000000000 +0200 @@ -1,0 +2,7 @@ +Wed Aug 22 12:20:25 CEST 2007 - bg@suse.de + +- update to version 2.1pre30 + o Fixed security bug: special characters in URL could be passed to a + shell when spawning user viewer + +------------------------------------------------------------------- Old: ---- links-2.1pre29.tar.bz2 New: ---- links-2.1pre30.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ links.spec ++++++ --- /var/tmp/diff_new_pack.N27512/_old 2007-08-24 23:37:56.000000000 +0200 +++ /var/tmp/diff_new_pack.N27512/_new 2007-08-24 23:37:56.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package links (Version 2.1pre29) +# spec file for package links (Version 2.1pre30) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -16,7 +16,7 @@ Group: Productivity/Networking/Web/Browsers Provides: web_browser Autoreqprov: on -Version: 2.1pre29 +Version: 2.1pre30 Release: 1 Summary: Text-Based WWW Browser Source: links-%{version}.tar.bz2 @@ -66,6 +66,10 @@ %doc %{_mandir}/man1/links.1.gz %changelog +* Wed Aug 22 2007 - bg@suse.de +- update to version 2.1pre30 + o Fixed security bug: special characters in URL could be passed to a + shell when spawning user viewer * Fri Aug 10 2007 - bg@suse.de - update to version 2.1pre29 o several fixes ++++++ links-2.1pre29.tar.bz2 -> links-2.1pre30.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/ChangeLog new/links-2.1pre30/ChangeLog --- old/links-2.1pre29/ChangeLog 2007-07-14 20:39:08.000000000 +0200 +++ new/links-2.1pre30/ChangeLog 2007-08-16 17:06:41.000000000 +0200 
@@ -1,4 +1,20 @@ -=== RELEASE 2.1pre28 === +=== RELEASE 2.1pre30 === + +Mon Aug 6 04:01:05 MET 2007 PROGMAN: + + Fixed security bug in pre29 (not in any previous versions): + special characters in URL could be passed to a shell when spawning + user viewer + +Sat Jul 28 02:28:15 MET 2007 PROGMAN: + + Fixed needlessly large selection boxes in graphics mode + +Mon Jul 16 02:41:18 MET 2007 mikulas: + + Release mouse when spawning OS shell or user viewers + +=== RELEASE 2.1pre29 === Sun Jul 8 01:05:08 MET DST 2007 mikulas: @@ -11,7 +27,7 @@ Sat Jul 7 03:50:27 cet 2007 mikulas: - Use _getcwd2 on OS/2 --- it returns path including the driver letter + Use _getcwd2 on OS/2 --- it returns path including the drive letter Sat Jul 7 02:19:35 cet 2007 mikulas: diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/configure new/links-2.1pre30/configure --- old/links-2.1pre29/configure 2007-07-14 21:47:52.000000000 +0200 +++ new/links-2.1pre30/configure 2007-08-16 17:22:32.000000000 +0200 @@ -726,7 +726,7 @@ PACKAGE=links -VERSION=2.1pre29 +VERSION=2.1pre30 if test "`cd $srcdir && pwd`" != "`pwd`" && test -f $srcdir/config.status; then { echo "configure: error: source directory already configured; run "make distclean" there first" 1>&2; exit 1; } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/configure.in new/links-2.1pre30/configure.in --- old/links-2.1pre29/configure.in 2007-04-16 02:46:54.000000000 +0200 +++ new/links-2.1pre30/configure.in 2007-08-16 17:09:57.000000000 +0200 
@@ -5,7 +5,7 @@ AC_INIT(main.c) -AM_INIT_AUTOMAKE(links, 2.1pre29) +AM_INIT_AUTOMAKE(links, 2.1pre30) ACLOCAL="./missing aclocal" AUTOCONF="./missing autoconf" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/html.c new/links-2.1pre30/html.c --- old/links-2.1pre29/html.c 2007-04-26 21:40:10.000000000 +0200 +++ new/links-2.1pre30/html.c 2007-08-16 17:06:45.000000000 +0200 @@ -2107,7 +2107,7 @@ format.attr |= AT_BOLD | AT_FIXED; format.fontsize = 3; mw = 0; - for (i = 0; i < order; i++) if (lbls[i] && strlen(lbls[i]) > (size_t)mw) mw = strlen(lbls[i]); + for (i = 0; i < order; i++) if (lbls[i] && utf8len(lbls[i]) > mw) mw = utf8len(lbls[i]); for (i = 0; i < mw; i++) put_chrs("_", 1, put_chars_f, f); kill_html_stack_item(&html_top); put_chrs("]", 1, put_chars_f, f); diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/INSTALL new/links-2.1pre30/INSTALL --- old/links-2.1pre29/INSTALL 2007-07-14 22:08:18.000000000 +0200 +++ new/links-2.1pre30/INSTALL 2007-08-16 19:19:38.000000000 +0200 @@ -1,4 +1,4 @@ -Links 2.1pre29 -- How To Install +Links 2.1pre30 -- How To Install -------------------------------- Follow this step-by-step: 
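Review bot: In the html.c hunk at -2107, the rewritten loop calls `utf8len(lbls[i])` twice per label, once to compare and once to assign, and it drops the `(size_t)` cast of the `strlen` version without showing what type `utf8len` returns. Measuring once into a local declared with the same type as `mw`, as in `if (lbls[i] && (l = utf8len(lbls[i])) > mw) mw = l;`, halves the scans and makes the signedness of the comparison explicit. `mw` bounds the `put_chrs("_", ...)` loop that follows, so a short comment that it is now a width in characters rather than bytes would help the next reader. The enclosing function starts and ends outside the hunk, so the declarations of `mw` and `lbls` are not visible here.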
@@ -6,13 +6,21 @@ them. On a package-driven distribution, you will need both "library" and "library-dev(el)": + Mandatory libraries + ------------------- libpng - required to compile links in graphics mode (not required in text mode). Libpng 2.1.18 has a bug and must be patched by the patch PATCH-libpng-1.2.18 which is shipped with Links. IJG libjpeg - if you want to display JPEG's (probably yes). TIFF Library - if you want TIFFs. SVGAlib - if you want Links to be able to display on SVGAlib. - OpenSSL - if you want SSL connections. + OpenSSL and zlib - if you want SSL connections. zlib is not necessary if you + know the SSL is compiled without zlib. + + Optional libraries + ------------------ + zlib - shows gzipped pages + libbz2 - shows bzipped content If any of the library is not present on the system or is unusably old and you cannot install it (typically because you are not a root), then go to 11) Compiling with diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/kbd.c new/links-2.1pre30/kbd.c --- old/links-2.1pre29/kbd.c 2007-04-10 21:21:20.000000000 +0200 +++ new/links-2.1pre30/kbd.c 2007-08-16 17:06:47.000000000 +0200 @@ -288,6 +288,7 @@ set_handlers(itrm->std_in, (void (*)(void *))in_kbd, NULL, (void (*)(void *))itrm->free_trm, itrm); handle_terminal_resize(itrm->ctl_in, resize_terminal); unblock_stdin(); + itrm->mouse_h = handle_mouse(0, (void (*)(void *, unsigned char *, int))mouse_queue_event, itrm); resize_terminal(); return 0; } 
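Review bot: In the kbd.c hunk at -288, `itrm->mouse_h` is assigned the result of `handle_mouse` without checking whether it already holds a handle, so if this path can run while one is still registered, the old handle is overwritten and never reaches `unhandle_mouse`. The matching hunk at -303 guards its side with `if (itrm->mouse_h)`; a symmetric guard here, `if (!itrm->mouse_h) itrm->mouse_h = handle_mouse(0, (void (*)(void *, unsigned char *, int))mouse_queue_event, itrm);`, would keep the two paths consistent. Whether an earlier check already rules this out cannot be seen, because the function starts outside the hunk. The cast of `mouse_queue_event` also deserves a one-line comment stating that its real signature is call-compatible with `void (*)(void *, unsigned char *, int)`, since calling through a mismatched function-pointer type is undefined behaviour.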
@@ -303,6 +304,7 @@ unhandle_terminal_resize(itrm->ctl_in); send_term_sequence(itrm->std_out,itrm->flags); ttcsetattr(itrm->ctl_in, TCSANOW, &itrm->t); + if (itrm->mouse_h) unhandle_mouse(itrm->mouse_h), itrm->mouse_h = NULL; set_handlers(itrm->std_in, NULL, NULL, (void (*)(void *))itrm->free_trm, itrm); } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/README new/links-2.1pre30/README --- old/links-2.1pre29/README 2007-07-14 22:08:18.000000000 +0200 +++ new/links-2.1pre30/README 2007-08-16 19:19:38.000000000 +0200 @@ -1,4 +1,4 @@ -Links 2.1pre29 +Links 2.1pre30 -------------- Links diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/links-2.1pre29/session.c new/links-2.1pre30/session.c --- old/links-2.1pre29/session.c 2007-07-08 00:23:40.000000000 +0200 +++ new/links-2.1pre30/session.c 2007-08-16 17:06:54.000000000 +0200 @@ -481,7 +481,7 @@ unsigned char q[64]; int p, s, ss, m; y += G_BFU_FONT_SIZE; - sprintf(q, "] %3d%%", (int)((longlong)100 * (longlong)stat->prg->pos / (longlong)stat->prg->size)); + sprintf(q, "]%3d%%", (int)((longlong)100 * (longlong)stat->prg->pos / (longlong)stat->prg->size)); s = g_text_width(bfu_style_bw_mono, "["); ss = g_text_width(bfu_style_bw_mono, q); p = w - s - ss; @@ -883,10 +883,14 @@ fn = get_filename_from_url(url, head, 1); fnx = strchr(fn, '.'); if (fnx) { + unsigned char *s; #ifdef OS2 if (strlen(fnx) > 4) fnx[4] = 0; #endif - add_to_str(&name, &nl, fnx); + s = stracpy(fnx); + check_shell_security(&s); + add_to_str(&name, &nl, s); + mem_free(s); } mem_free(fn); return name; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
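Review bot: In the kbd.c hunk at -303, the added line joins the release and the reset with a comma operator under an unbraced `if`, which is easy to misread and easy to break when another statement is added later. Braces make the pairing explicit: `if (itrm->mouse_h) { unhandle_mouse(itrm->mouse_h); itrm->mouse_h = NULL; }`. The function begins outside the hunk.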
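Review bot: In the session.c hunk at -481, the edited `sprintf` line still divides by `stat->prg->size`, and no visible line establishes that the size is non-zero or that `pos` cannot exceed it. The enclosing block starts outside the hunk, so a guard may already exist above. If it does, a comment on this line such as `/* prg->size > 0 is guaranteed by the check above */` would document the precondition. If it does not, the percentage should be computed only when `stat->prg->size > 0`, since the size presumably reflects a length reported by the remote side.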
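Review bot: In the session.c hunk at -883, nothing at the call site explains why only a copy of the extension `fnx` is passed through `check_shell_security` before being appended to `name`, so the copy-sanitize-free sequence is easy to drop in a later refactor. A comment such as `/* fnx derives from the URL/headers and name later reaches a shell when a user viewer is spawned (see ChangeLog): sanitize a copy before appending */` would record the trust boundary. `strchr(fn, '.')` keeps everything after the first dot, so this filter is the only barrier between that remotely influenced text and the shell. It is worth confirming that the pieces appended to `name` before this block, which lie outside the hunk, are not URL-derived as well. The result of `stracpy` is also used without a visible NULL check; if that helper can return NULL on allocation failure, the call `check_shell_security(&s)` needs a guard.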