Submitted By: Douglas R. Reno Date: 2021-12-18 Initial Package Version: 2.8.9rel.1 Upstream Status: Applied Origin: Arch Linux (https://github.com/archlinux/svntogit-packages/blob/packages/lynx/trunk/CVE-2021-38165.diff) Description: Fixes CVE-2021-38165 in Lynx, which allows for usernames and passwords to be transmitted in cleartext anytime an HTTPS connection is used. diff -Naurp lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c --- lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTTP.c 2018-05-04 15:07:43.000000000 -0500 +++ lynx2.8.9rel.1/WWW/Library/Implementation/HTTP.c 2021-12-18 14:12:57.503796366 -0600 @@ -761,6 +761,22 @@ static char *StripIpv6Brackets(char *hos return host; } #endif +/* + * Remove user/password, if any, from the given host-string. + */ +#ifdef USE_SSL +static char *StripUserAuthents(char *host) +{ + char *p = strchr(host, '@'); + + if (p != NULL) { + char *q = host; + + while ((*q++ = *++p) != '\0') ; + } + return host; +} +#endif /* Load Document from HTTP Server HTLoadHTTP() * ============================== @@ -957,6 +973,7 @@ static int HTLoadHTTP(const char *arg, /* get host we're connecting to */ ssl_host = HTParse(url, "", PARSE_HOST); ssl_host = StripIpv6Brackets(ssl_host); + ssl_host = StripUserAuthents(ssl_host); #if defined(USE_GNUTLS_FUNCS) ret = gnutls_server_name_set(handle->gnutls_state, GNUTLS_NAME_DNS,