author | Michael Orlitzky <mjo@gentoo.org> | 2016-08-23 20:29:01 -0400 |
committer | Michael Orlitzky <mjo@gentoo.org> | 2016-08-23 20:32:55 -0400 |
commit | b986809e95f5466c28c66132dac475c5b04884ba (patch) | |
tree | 6ea26ee9c6157d6ccf0f48cd1baf49c6c2a382ac /net-misc/tn5250 | |
parent | www-apps/wordpress: bump to version 4.6, bump to EAPI=6 (diff) | |
net-misc/tn5250: new revision sans SSLv2/SSLv3 support.
This new revision adds two custom patches. The first drops SSLv2/SSLv3
support by disabling the user's ability to specify "ssl2" or "ssl3" as
his "ssl_method". The fallback "auto" should still work and choose
something secure.
The second patch fixes the build with -Werror=format-security and
consists of trivial format string additions.
Gentoo-Bug: 591940
Package-Manager: portage-2.2.28
Diffstat (limited to 'net-misc/tn5250')
-rw-r--r-- | net-misc/tn5250/files/disable-sslv2-and-sslv3.patch | 61 | ||||
-rw-r--r-- | net-misc/tn5250/files/fix-Wformat-security-warnings.patch | 62 | ||||
-rw-r--r-- | net-misc/tn5250/tn5250-0.17.4-r2.ebuild | 62 |
3 files changed, 185 insertions, 0 deletions
diff --git a/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
new file mode 100644
index 000000000000..9c8d04f55851
--- /dev/null
+++ b/net-misc/tn5250/files/disable-sslv2-and-sslv3.patch
@@ -0,0 +1,61 @@
+From 1acfebd966e8804e6573cbe9287b8b6f028a646c Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 23 Aug 2016 18:13:47 -0400
+Subject: [PATCH 1/1] sslstream.c: ignore the user's choice of ssl_method.
+
+The SSLv2 and SSLv3 protocols are insecure, and people have begun to
+operate without them. LibreSSL, for example, does not have them
+enabled, and it is possible to build OpenSSL in the same manner.
+
+If SSLv[23] are disabled, the user would not be able to choose "ssl2"
+or "ssl3" as his "ssl_method", an option that was undocumented
+anywhere. Therefore there is not much lost, and some security to gain,
+by removing the option completely. This commit does that, and uses the
+automatic protocol choice that is capable of negotiating TLSv1,
+TLSv1.1 and TLSv1.2.
+
+Gentoo-Bug: 591940
+---
+ lib5250/sslstream.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 7181566..2f91d1a 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -362,22 +362,16 @@ int tn5250_ssl_stream_init (Tn5250Stream *This)
+
+ /* which SSL method do we use? */
+
+- strcpy(methstr,"auto");
+- if (This->config!=NULL && tn5250_config_get (This->config, "ssl_method")) {
+- strncpy(methstr, tn5250_config_get (This->config, "ssl_method"), 4);
+- methstr[4] = '\0';
+- }
+-
+- if (!strcmp(methstr, "ssl2")) {
+- meth = SSLv2_client_method();
+- TN5250_LOG(("SSL Method = SSLv2_client_method()\n"));
+- } else if (!strcmp(methstr, "ssl3")) {
+- meth = SSLv3_client_method();
+- TN5250_LOG(("SSL Method = SSLv3_client_method()\n"));
+- } else {
+- meth = SSLv23_client_method();
+- TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+- }
++ /* Ignore the user's choice of ssl_method (which isn't documented
++ * anyway...) if it was either "ssl2" or "ssl3". Both are insecure,
++ * and this is only safe supported method left.
++ *
++ * This is a Gentoo-specific modification that lets us build
++ * against LibreSSL and newer OpenSSL with its insecure protocols
++ * disabled.
++ */
++ meth = SSLv23_client_method();
++ TN5250_LOG(("SSL Method = SSLv23_client_method()\n"));
+
+ /* create a new SSL context */
+
+--
+2.7.3
+
diff --git a/net-misc/tn5250/files/fix-Wformat-security-warnings.patch b/net-misc/tn5250/files/fix-Wformat-security-warnings.patch
new file mode 100644
index 000000000000..4927bce546f2
--- /dev/null
+++ b/net-misc/tn5250/files/fix-Wformat-security-warnings.patch
@@ -0,0 +1,62 @@
+From 1bc9cac45be4bac46f58e325779bdb8c7b7bf502 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Tue, 23 Aug 2016 20:20:15 -0400
+Subject: [PATCH 1/1] Fix format-security warnings.
+
+Newer versions of GCC have the ability to warn you (or throw errors)
+about insecure format strings. Generally this is due to an omitted
+format string in the printf family of functions, and a few of those
+issues existed in the code base. They were all fixed by adding a
+trivial "%s" format string. The project now builds with
+-Werror=format-security.
+---
+ curses/cursesterm.c | 4 ++--
+ lib5250/sslstream.c | 2 +-
+ lib5250/telnetstr.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/curses/cursesterm.c b/curses/cursesterm.c
+index bf20f05..3032966 100644
+--- a/curses/cursesterm.c
++++ b/curses/cursesterm.c
+@@ -640,9 +640,9 @@ static void curses_terminal_update(Tn5250Terminal * This, Tn5250Display *display
+ if(This->data->is_xterm) {
+ if (This->data->font_132!=NULL) {
+ if (tn5250_display_width (display)>100)
+- printf(This->data->font_132);
++ printf("%s", This->data->font_132);
+ else
+- printf(This->data->font_80);
++ printf("%s", This->data->font_80);
+ }
+ printf ("\x1b[8;%d;%dt", tn5250_display_height (display)+1,
+ tn5250_display_width (display));
+diff --git a/lib5250/sslstream.c b/lib5250/sslstream.c
+index 2f91d1a..7f3009e 100644
+--- a/lib5250/sslstream.c
++++ b/lib5250/sslstream.c
+@@ -307,7 +307,7 @@ static void ssl_log_SB_buf(unsigned char *buf, int len)
+
+ if (!tn5250_logfile)
+ return;
+- fprintf(tn5250_logfile,ssl_getTelOpt(type=*buf++));
++ fprintf(tn5250_logfile,"%s",ssl_getTelOpt(type=*buf++));
+ switch (c=*buf++) {
+ case IS:
+ fputs("<IS>",tn5250_logfile);
+diff --git a/lib5250/telnetstr.c b/lib5250/telnetstr.c
+index 9ad2624..cf1576f 100644
+--- a/lib5250/telnetstr.c
++++ b/lib5250/telnetstr.c
+@@ -282,7 +282,7 @@ static void log_SB_buf(unsigned char *buf, int len)
+
+ if (!tn5250_logfile)
+ return;
+- fprintf(tn5250_logfile,getTelOpt(type=*buf++));
++ fprintf(tn5250_logfile,"%s",getTelOpt(type=*buf++));
+ switch (c=*buf++) {
+ case IS:
+ fputs("<IS>",tn5250_logfile);
+--
+2.7.3
+
diff --git a/net-misc/tn5250/tn5250-0.17.4-r2.ebuild b/net-misc/tn5250/tn5250-0.17.4-r2.ebuild
new file mode 100644
index 000000000000..7d7db50c32ac
--- /dev/null
+++ b/net-misc/tn5250/tn5250-0.17.4-r2.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+inherit eutils
+
+DESCRIPTION="IBM AS/400 telnet client which emulates 5250 terminals/printers"
+HOMEPAGE="http://tn5250.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="X libressl ssl"
+
+RDEPEND="
+ sys-libs/ncurses:=
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+"
+
+DEPEND="${RDEPEND}
+ X? ( x11-libs/libXt )
+"
+
+PATCHES=(
+ "${FILESDIR}/disable-sslv2-and-sslv3.patch"
+ "${FILESDIR}/fix-Wformat-security-warnings.patch"
+)
+
+src_prepare() {
+ default
+
+ # Next, the Makefile for the terminfo settings tries to remove
+ # some files it doesn't have access to. We can just remove those
+ # lines.
+ sed -i \
+ -e "/rm -f \/usr\/.*\/terminfo.*5250/d" linux/Makefile.in \
+ || die "sed Makefile.in failed"
+}
+
+src_configure() {
+ econf \
+ --disable-static \
+ --without-python \
+ $(use_with X x) \
+ $(use_with ssl)
+}
+
+src_install() {
+ # The TERMINFO variable needs to be defined for the install
+ # to work, because the install calls "tic." man tic for
+ # details.
+ dodir /usr/share/terminfo
+ emake DESTDIR="${D}" TERMINFO="${D}/usr/share/terminfo" install
+
+ einstalldocs
+ prune_libtool_files
+} |
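Review bot: Hard-coding SSLv23_client_method() removes the explicit ssl2/ssl3 selection, but it does not by itself stop the client from negotiating SSLv3 on a library that still has it compiled in, because that method negotiates whatever both sides support; on such an OpenSSL the context created after this hunk ("create a new SSL context") also needs `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. The commit message's claim that "auto" will choose something secure therefore holds only for LibreSSL or OpenSSL builds with those protocols disabled, and the new comment should say so rather than calling it "the only safe supported method". With the strcpy/strncpy lines gone, methstr appears to be left unused (its declaration is outside the hunk); if so, drop it to avoid an unused-variable warning. The comment also has a typo: `* and this is the only safe supported method left.`. tn5250_ssl_stream_init continues outside the hunk.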
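Review bot: The `"%s"` additions are correct, but each of the touched call sites prints a bare string with no formatting, and the neighbouring code already uses `fputs("<IS>",tn5250_logfile)` for exactly that; `fputs(ssl_getTelOpt(type=*buf++), tn5250_logfile);` (likewise for getTelOpt, and `fputs(This->data->font_132, stdout);` for the two font strings) would match the existing style and skip printf's format parsing altogether. Whether ssl_getTelOpt()/getTelOpt() can return NULL for an unknown option code is not visible here; if they can, passing NULL to "%s" is undefined behaviour, so that should be confirmed before relying on the log line. ssl_log_SB_buf and log_SB_buf both continue outside their hunks.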
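Review bot: The comment above the sed in src_prepare opens with "Next," although the only earlier step is `default`, which under EAPI 6 is what applies PATCHES; naming that makes the order explicit, e.g. `# PATCHES were applied by default above. The Makefile for the terminfo` followed by the existing text. The SSL patch is applied regardless of USE=ssl; that is harmless since it only touches lib5250/sslstream.c, but a one-line comment next to it in PATCHES saying so would keep a later maintainer from wrapping it in a `use ssl` test.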