On Sun 11/02/2018 21:04, Stuart Henderson wrote: > On 2018/02/11 19:46, Björn Ketelaars wrote: > > newsbeuter has been abandoned almost 6 months ago. There is however an > > active maintained fork available (https://newsboat.org), which is in > > ports: www/newsboat. > > > > Any objections to sending www/newsbeuter to the attic? > > No objections here, please send a diff before committing though just so > we can check everything's ok. > > What do you think is best for quirks? Are the two compatible enough that > it would be sane to auto update from newsbeuter to newsboat, or would > it be better to add to $obsolete_reason as "no longer maintained upstream", > maybe with an faq/current.html mention about it? >
Steps: 1.) Addition for quirks https://marc.info/?l=openbsd-ports&m=151843908929681&w=2 2.) Unhook from www https://marc.info/?l=openbsd-ports&m=151843922229742&w=2 3.) Diff below OK? Index: Makefile =================================================================== RCS file: Makefile diff -N Makefile --- Makefile 14 Dec 2017 06:11:09 -0000 1.16 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,37 +0,0 @@ -# $OpenBSD: Makefile,v 1.16 2017/12/14 06:11:09 jca Exp $ - -COMMENT = open-source RSS/Atom feed reader for text terminals -DISTNAME = newsbeuter-2.9 -CATEGORIES = www -REVISION = 1 - -HOMEPAGE = https://newsbeuter.org/ - -# MIT -PERMIT_PACKAGE_CDROM = Yes - -WANTLIB += c crypto curl iconv intl json-c m ncursesw pthread -WANTLIB += sqlite3 stfl xml2 ${COMPILER_LIBCXX} - -MASTER_SITES = https://newsbeuter.org/downloads/ - -# C++11 -COMPILER = base-clang ports-gcc - -BUILD_DEPENDS = devel/gettext-tools - -LIB_DEPENDS = databases/sqlite3 \ - devel/gettext \ - devel/stfl \ - devel/json-c \ - textproc/libxml \ - net/curl - -MAKE_FLAGS = CXX="${CXX}" -FAKE_FLAGS = mandir=${PREFIX}/man - -USE_GMAKE = Yes -CONFIGURE_STYLE = simple -CONFIGURE_SCRIPT = config.sh - -.include <bsd.port.mk> Index: distinfo =================================================================== RCS file: distinfo diff -N distinfo --- distinfo 5 Feb 2017 21:58:16 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,2 +0,0 @@ -SHA256 (newsbeuter-2.9.tar.gz) = dKi/AZsJw7JwupWtwp8rvkjqH1XMBjQnayH8zh8EPcg= -SIZE (newsbeuter-2.9.tar.gz) = 432763 Index: patches/patch-src_controller_cpp =================================================================== RCS file: patches/patch-src_controller_cpp diff -N patches/patch-src_controller_cpp --- patches/patch-src_controller_cpp 17 Sep 2017 17:04:52 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,31 +0,0 @@ -From 96e9506ae9e252c548665152d1b8968297128307 Mon Sep 17 00:00:00 2001 -From: Alexander Batischev <eual...@gmail.com> -Date: Sun, 13 Aug 2017 21:48:35 +0300 -Subject: [PATCH] Sanitize inputs to bookmark-cmd (#591) - -Newsbeuter didn't properly shell-escape the arguments passed to -bookmarking command, which allows a remote attacker to perform remote -code execution by crafting an RSS item whose title and/or URL contain -something interpretable by the shell (most notably subshell -invocations.) - -This has been reported by Jeriko One <jeriko....@gmx.us>, complete with -PoC and a patch. - -This vulnerability was assigned CVE-2017-12904. - ---- src/controller.cpp -+++ src/controller.cpp -@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl - std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd"); - bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive"); - if (bookmark_cmd.length() > 0) { -- std::string cmdline = utils::strprintf("%s '%s' %s %s", -+ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'", - bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(), -- stfl::quote(title).c_str(), stfl::quote(description).c_str()); -+ utils::replace_all(title,"'", "%27").c_str(), -+ utils::replace_all(description,"'", "%27").c_str()); - - LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str()); - Index: patches/patch-src_feedhq_api_cpp =================================================================== RCS file: patches/patch-src_feedhq_api_cpp diff -N patches/patch-src_feedhq_api_cpp --- patches/patch-src_feedhq_api_cpp 5 Feb 2017 21:58:16 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,31 +0,0 @@ -$OpenBSD: patch-src_feedhq_api_cpp,v 1.1 2017/02/05 21:58:16 abieber Exp $ ---- src/feedhq_api.cpp.orig Tue Oct 11 09:07:30 2016 -+++ src/feedhq_api.cpp Tue Oct 11 09:12:45 2016 -@@ -1,7 +1,7 @@ - #include <vector> - #include <cstring> - #include <iostream> --#include <wordexp.h> -+#include <glob.h> - - #include <feedhq_api.h> - #include <config.h> -@@ -63,11 +63,13 @@ std::string feedhq_api::retrieve_auth() { - - std::string pass = cfg->get_configvalue("feedhq-password"); - if( pass == "" ) { -- wordexp_t exp; -- std::ifstream ifs; -- wordexp(cfg->get_configvalue("feedhq-passwordfile").c_str(),&exp,0); -- ifs.open(exp.we_wordv[0]); -- wordfree(&exp); -+ glob_t exp; -+ std::ifstream ifs; -+ int res = glob(cfg->get_configvalue("feedhq-passwordfile").c_str(), GLOB_ERR, NULL, &exp); -+ if (!res && exp.gl_pathc == 1 && exp.gl_pathv) { -+ ifs.open(exp.gl_pathv[0]); -+ } -+ globfree(&exp); - if (!ifs) { - if(!flushed) { - std::cout << std::endl; Index: patches/patch-src_oldreader_api_cpp =================================================================== RCS file: patches/patch-src_oldreader_api_cpp diff -N patches/patch-src_oldreader_api_cpp --- patches/patch-src_oldreader_api_cpp 5 Feb 2017 21:58:16 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,31 +0,0 @@ -$OpenBSD: patch-src_oldreader_api_cpp,v 1.1 2017/02/05 21:58:16 abieber Exp $ ---- src/oldreader_api.cpp.orig Tue Oct 11 09:07:35 2016 -+++ src/oldreader_api.cpp Tue Oct 11 09:11:49 2016 -@@ -1,7 +1,7 @@ - #include <vector> - #include <cstring> - #include <iostream> --#include <wordexp.h> -+#include <glob.h> - - #include <oldreader_api.h> - #include <config.h> -@@ -65,11 +65,13 @@ std::string oldreader_api::retrieve_auth() { - - std::string pass = cfg->get_configvalue("oldreader-password"); - if( pass == "" ) { -- wordexp_t exp; -- std::ifstream ifs; -- wordexp(cfg->get_configvalue("oldreader-passwordfile").c_str(),&exp,0); -- ifs.open(exp.we_wordv[0]); -- wordfree(&exp); -+ glob_t exp; -+ std::ifstream ifs; -+ int res = glob(cfg->get_configvalue("oldreader-passwordfile").c_str(), GLOB_ERR, NULL, &exp); -+ if (!res && exp.gl_pathc == 1 && exp.gl_pathv) { -+ ifs.open(exp.gl_pathv[0]); -+ } -+ globfree(&exp); - if (!ifs) { - if(!flushed) { - std::cout << std::endl; Index: patches/patch-src_pb_controller_cpp =================================================================== RCS file: patches/patch-src_pb_controller_cpp diff -N patches/patch-src_pb_controller_cpp --- patches/patch-src_pb_controller_cpp 17 Sep 2017 17:04:52 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,31 +0,0 @@ -From c8fea2f60c18ed30bdd1bb6f798e994e51a58260 Mon Sep 17 00:00:00 2001 -From: Alexander Batischev <eual...@gmail.com> -Date: Sun, 27 Aug 2017 22:37:02 +0300 -Subject: [PATCH] Work around shell code in podcast names (#598) - ---- src/pb_controller.cpp -+++ src/pb_controller.cpp -@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) { - if (player == "") - return; - cmdline.append(player); -- cmdline.append(" \""); -- cmdline.append(utils::replace_all(file,"\"", "\\\"")); -- cmdline.append("\""); -+ cmdline.append(" \'"); -+ cmdline.append(utils::replace_all(file,"'", "%27")); -+ cmdline.append("\'"); - stfl::reset(); - LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str()); - ::system(cmdline.c_str()); ---- src/queueloader.cpp -+++ src/queueloader.cpp -@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) { - strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t)); - fn.append(lbuf); - } else { -- fn.append(base); -+ fn.append(utils::replace_all(base, "'", "%27")); - } - return fn; - } Index: patches/patch-src_ttrss_api_cpp =================================================================== RCS file: patches/patch-src_ttrss_api_cpp diff -N patches/patch-src_ttrss_api_cpp --- patches/patch-src_ttrss_api_cpp 5 Feb 2017 21:58:16 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,30 +0,0 @@ -$OpenBSD: patch-src_ttrss_api_cpp,v 1.1 2017/02/05 21:58:16 abieber Exp $ ---- src/ttrss_api.cpp.orig Tue Oct 11 09:07:40 2016 -+++ src/ttrss_api.cpp Tue Oct 11 09:10:44 2016 -@@ -4,7 +4,7 @@ - #include <cstring> - #include <algorithm> - --#include <wordexp.h> -+#include <glob.h> - #include <unistd.h> - #include <iostream> - -@@ -54,11 +54,13 @@ std::string ttrss_api::retrieve_sid() { - - std::string pass = cfg->get_configvalue("ttrss-password"); - if (pass == "") { -- wordexp_t exp; -+ glob_t exp; - std::ifstream ifs; -- wordexp(cfg->get_configvalue("ttrss-passwordfile").c_str(),&exp,0); -- ifs.open(exp.we_wordv[0]); -- wordfree(&exp); -+ int res = glob(cfg->get_configvalue("ttrss-passwordfile").c_str(), GLOB_ERR, NULL, &exp); -+ if (!res && exp.gl_pathc == 1 && exp.gl_pathv) { -+ ifs.open(exp.gl_pathv[0]); -+ } -+ globfree(&exp); - if (!ifs) { - if(!flushed) { - std::cout << std::endl; Index: pkg/DESCR =================================================================== RCS file: pkg/DESCR diff -N pkg/DESCR --- pkg/DESCR 16 Oct 2013 18:05:25 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,4 +0,0 @@ -Newsbeuter is an open-source RSS/Atom feed reader for text terminals. -Newsbeuter's great configurability and vast number of features make -it a perfect choice for people that need a slick and fast feed -reader that can be completely controlled via keyboard. Index: pkg/PLIST =================================================================== RCS file: pkg/PLIST diff -N pkg/PLIST --- pkg/PLIST 16 Oct 2013 18:05:25 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,30 +0,0 @@ -@comment $OpenBSD: PLIST,v 1.1.1.1 2013/10/16 18:05:25 abieber Exp $ -@bin bin/newsbeuter -@bin bin/podbeuter -@man man/man1/newsbeuter.1 -@man man/man1/podbeuter.1 -share/doc/newsbeuter/ -share/doc/newsbeuter/docbook-xsl.css -share/doc/newsbeuter/examples/ -share/doc/newsbeuter/examples/config -share/doc/newsbeuter/newsbeuter.html -share/locale/de/LC_MESSAGES/newsbeuter.mo -share/locale/es/LC_MESSAGES/newsbeuter.mo -share/locale/es_ES/ -share/locale/es_ES/LC_MESSAGES/ -share/locale/es_ES/LC_MESSAGES/newsbeuter.mo -share/locale/fr/LC_MESSAGES/newsbeuter.mo -share/locale/hu/LC_MESSAGES/newsbeuter.mo -share/locale/it/LC_MESSAGES/newsbeuter.mo -share/locale/nb/LC_MESSAGES/newsbeuter.mo -share/locale/nl/LC_MESSAGES/newsbeuter.mo -share/locale/pl/LC_MESSAGES/newsbeuter.mo -share/locale/pt_BR/LC_MESSAGES/newsbeuter.mo -share/locale/ru/LC_MESSAGES/newsbeuter.mo -share/locale/sv/LC_MESSAGES/newsbeuter.mo -share/locale/tr/LC_MESSAGES/newsbeuter.mo -share/locale/uk/LC_MESSAGES/newsbeuter.mo -share/locale/zh/ -share/locale/zh/LC_MESSAGES/ -share/locale/zh/LC_MESSAGES/newsbeuter.mo -share/locale/zh_TW/LC_MESSAGES/newsbeuter.mo
