authorMichael Orlitzky <mjo@gentoo.org>2016-08-23 20:29:01 -0400
committerMichael Orlitzky <mjo@gentoo.org>2016-08-23 20:32:55 -0400
commitb986809e95f5466c28c66132dac475c5b04884ba (patch)
tree6ea26ee9c6157d6ccf0f48cd1baf49c6c2a382ac /net-misc/tn5250/files
parentwww-apps/wordpress: bump to version 4.6, bump to EAPI=6 (diff)
net-misc/tn5250: new revision sans SSLv2/SSLv3 support.
This new revision adds two custom patches. The first drops SSLv2/SSLv3 support by disabling the user's ability to specify "ssl2" or "ssl3" as his "ssl_method". The fallback "auto" should still work and choose something secure. The second patch fixes the build with -Werror=format-security and consists of trivial format string additions. Gentoo-Bug: 591940 Package-Manager: portage-2.2.28
Diffstat (limited to 'net-misc/tn5250/files')
-rw-r--r--net-misc/tn5250/files/disable-sslv2-and-sslv3.patch61
-rw-r--r--net-misc/tn5250/files/fix-Wformat-security-warnings.patch62
2 files changed, 123 insertions, 0 deletions
diff --git a/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
new file mode 100644
index 000000000000..9c8d04f55851
--- /dev/null
+++ b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
@@ -0,0 +1,61 @@
+From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 23 Aug 2016 18:13:47 -0400
+Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method.
+
+The SSLv2 and SSLv3 protocols are insecure, and people have begun to
+operate without them. LibreSSL, for example, does not have them
+enabled, and it is possible to build OpenSSL in the same manner.
+
+If SSLv[23] are disabled, the user would not be able to choose "ssl2"
+or "ssl3" as his "ssl_method", an option that was undocumented
+anywhere. Therefore there is not much lost, and some security to gain,
+by removing the option completely. This commit does that, and uses the
+automatic protocol choice that is capable of negotiating TLSv1,
+TLSv1.1 and TLSv1.2.
+
+Gentoo-Bug: 591940
+---
+ lib5250/sslstream.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 7181566..2f91d1a 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+
+ /* which SSL method do we use? */
+
+- strcpy(methstr,"auto");
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
+- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
+- methstr[4] = '\0';
+- }
+-
+- if (!strcmp(methstr, "ssl2")) {
+- meth = SSLv2_client_method();
+- TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
+- } else if (!strcmp(methstr, "ssl3")) {
+- meth = SSLv3_client_method();
+- TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
+- } else {
+- meth = SSLv23_client_method();
+- TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+- }
++ /* Ignore the user's choice of ssl_method (which isn't documented
++ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
++ * and this is only safe supported method left.
++ *
++ * This is a Gentoo-specific modification that lets us build
++ * against LibreSSL and newer OpenSSL with its insecure protocols
++ * disabled.
++ */
++ meth = SSLv23_client_method();
++ TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+
+ /* create a new SSL context */
+
+--
+2.7.3
+
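Review bot: Dropping the "ssl2"/"ssl3" branches does not by itself prevent SSLv3 from being negotiated: `SSLv23_client_method()` on the new line of this hunk picks the highest version both sides support, so on an OpenSSL build that still has SSLv3 compiled in, a server offering only SSLv3 will still get it; the commit message's "auto should choose something secure" only holds when the library itself was built without those protocols. The patch should pin the floor explicitly once the context exists (the `/* create a new SSL context */` block that follows is outside this hunk), e.g. `SSL_CTX_set_options(<ctx>, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` with `<ctx>` being the SSL_CTX variable declared in tn5250_ssl_stream_init. The `methstr` buffer that the removed strcpy/strncpy lines wrote is presumably still declared above the hunk and is now unused, so expect a -Wunused-variable warning unless its declaration is removed too. The added comment also needs two wording fixes: `this is only safe supported method left` should read `this is the only safe supported method left`, and it says the user's choice is ignored only "if it was either ssl2 or ssl3" while the code now ignores ssl_method unconditionally. tn5250_ssl_stream_init starts and ends outside the hunk.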
diff --git a/net-misc/tn5250/files/fix-Wformat-security-warnings.patch b/net-misc/tn5250/files/fix-Wformat-security-warnings.patch
new file mode 100644
index 000000000000..4927bce546f2
--- /dev/null
+++ b/net-misc/tn5250/files/fix-Wformat-security-warnings.patch
@@ -0,0 +1,62 @@
+From 1bc9cac45be4bac46f58e325779bdb8c7b7bf502 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 23 Aug 2016 20:20:15 -0400
+Subject: [PATCH 1/1] Fix format-security warnings.
+
+Newer versions of GCC have the ability to warn you (or throw errors)
+about insecure format strings. Generally this is due to an omitted
+format string in the printf family of functions, and a few of those
+issues existed in the code base. They were all fixed by adding a
+trivial "%s" format string. The project now builds with
+-Werror=format-security.
+---
+ curses/cursesterm.c | 4 ++--
+ lib5250/sslstream.c | 2 +-
+ lib5250/telnetstr.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/curses/cursesterm.c b/curses/cursesterm.c
+index bf20f05..3032966 100644
+--- a/curses/cursesterm.c
++++ b/curses/cursesterm.c
+@@ -640,9 +640,9 @@ static void curses_terminal_update(Tn5250Terminal * This, Tn5250Display *display
+ if(This->data->is_xterm) {
+ if (This->data->font_132!=NULL) {
+ if (tn5250_display_width (display)>100)
+- printf(This->data->font_132);
++ printf("%s", This->data->font_132);
+ else
+- printf(This->data->font_80);
++ printf("%s", This->data->font_80);
+ }
+ printf ("\x1b[8;%d;%dt", tn5250_display_height (display)+1,
+ tn5250_display_width (display));
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 2f91d1a..7f3009e 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -307,7 +307,7 @@ static void ssl_log_SB_buf(unsigned char *buf, int len)
+
+ if (!tn5250_logfile)
+ return;
+- fprintf(tn5250_logfile,ssl_getTelOpt(type=*buf++));
++ fprintf(tn5250_logfile,"%s",ssl_getTelOpt(type=*buf++));
+ switch (c=*buf++) {
+ case IS:
+ fputs("<IS>",tn5250_logfile);
+diff --git a/lib5250/telnetstr.c b/lib5250/telnetstr.c
+index 9ad2624..cf1576f 100644
+--- a/lib5250/telnetstr.c
++++ b/lib5250/telnetstr.c
+@@ -282,7 +282,7 @@ static void log_SB_buf(unsigned char *buf, int len)
+
+ if (!tn5250_logfile)
+ return;
+- fprintf(tn5250_logfile,getTelOpt(type=*buf++));
++ fprintf(tn5250_logfile,"%s",getTelOpt(type=*buf++));
+ switch (c=*buf++) {
+ case IS:
+ fputs("<IS>",tn5250_logfile);
+--
+2.7.3
+
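Review bot: Each replacement routes a plain string through `fprintf(..., "%s", ...)` even though the very next statements in the same functions already use `fputs("<IS>",tn5250_logfile)`, so `fputs(ssl_getTelOpt(type=*buf++), tn5250_logfile);` and `fputs(getTelOpt(type=*buf++), tn5250_logfile);` would match the surrounding style and remove the format-string path altogether; the two cursesterm.c lines could likewise become `fputs(This->data->font_132, stdout);` / `fputs(This->data->font_80, stdout);`. The `"%s"` form is correct and does what the commit says, so this is a consistency point rather than a defect, and a minimal diff is a reasonable choice for a vendored patch. Whether ssl_getTelOpt/getTelOpt can ever return NULL is not visible in this hunk; both the old and new forms would be undefined behaviour on a NULL argument, so it is worth confirming against their definitions. All three enclosing functions (curses_terminal_update, ssl_log_SB_buf, log_SB_buf) start and end outside the hunk.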