CVS commit: pkgsrc/net/socat

["Leonardo Taccari" <leot%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   leot
Date:           Wed Jan  6 15:12:31 UTC 2021

Modified Files:
        pkgsrc/net/socat: Makefile distinfo

Log Message:
socat: Update to 1.7.4.0

Changes:
1.7.4.0
-------
Security:
 Buffer size option (-b) is internally doubled for CR-CRLF conversion,
 but not checked for integer overflow. This could lead to heap based
 buffer overflow, assuming the attacker could provide this parameter.
 Test: BLKSIZE_INT_OVERFL
 Thanks to Lê Hiếu Bùi for reporting this issue and sending an
 example exploit.

Corrections:
 Socats address parser read over end of string when there were unbalanced
 quotes
 Test: UNBALANCED_QUOTE

 Removed unused usleep() call from sycls.c

 Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
 building failed on Solaris 9.
 Thanks to Greg Earle for reporting this issue and providing a patch.

 Mitigated race condition of quickly terminating SYSTEM or EXEC child
 processes.

 Option o-direct might require alignment of read/write buffer to, e.g.,
 512 bytes, Socat now takes care of this when allocating the buffer.
 With this fix read() succeeds, however, write() still might fail when
 not writing complete pages.
 Test: O_DIRECT

 There was a race condition in the way Socat UDP-RECVFROM and similar
 addresses with option fork prevents one packet from triggering
 multiple processes. The symptom was that Socat master process seemed to
 hang and did not process further packets. The fix makes use of
 pselect() system call.
 Thanks to Fulvio Scapin for reporting this issue.

 UNIX domain client addresses applied file system entry options (group
 NAMED) to the server socket instead of the client (bind) socket entry.
 Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
 Thanks to Nico Williams for reporting this major issue.

 Length of single address options was limited to 511 bytes. This value
 is now increased to 2047 bytes.
 Change suggested by Mario Camou.

 Addresses of type RECVFROM with option fork looped with an error
 message in case that the second address failed before consuming the
 packet. The fix makes RECVFROM drop the packet when the second address
 failed before reading it. Use retry or forever option with the second
 address if you want to avoid data loss.
 Thanks to Chunmei Xu for reporting this issue and proving the patch.

 Socats DTLS implementation has been reworked and appears to work now
 reasonably over UDP.
 New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
        OPENSSL-DTLS-CLIENT (DTLS)
 Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
        OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
 Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
 sending patches.

 filan did not output the socket protocol.
 filan -s assumed each stream socket to be TCP and each datagram socket
 to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.

 Help text showed two parameters for UDP4-RECVFROM address, but only
 <port> is allowed.
 Thanks to John the Scott for reporting this issue.

 Error messages from SSL_read() and SSL_write() sometimes stated
 SSL_connect instead of originating function name.

 Fixed some more non functional minor issues.

Porting:
 In gcc version 10 the default changed from -fcommon to -fno-common.
 Consequently, linking filan and procan failed with error
 "multiple definition of `deny_severity'" and `allow_severity'
 Fixed by removing definitions in filan.c and procan.c
 Debian issue 957823
 Thanks to László Böszörményi and others for reporting this issue.

 Solaris 9 does not provide strndup(); added substitute code.
 Thanks to Greg Earle for providing a patch.

 Added configure option --enable-openssl-base to specify the location of
 a non-OS OpenSSL installation

 There are systems whose kernel understands SCTP but getaddrinfo does
 not. As workaround after EIA_SOCKTYPE on name and service resolution
 fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
 ai_protocol=0 and try again
 Test: SCTP_SERVICENAME

 Per file filesystem options were still name ext2-* and depended on
 <linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
 These fs-* options are also available on old systems with ext2_fs.h

 New options openssl-min-proto-version (min-version) and
 openssl-max-proto-version (max-version) give access to the related
 OpenSSL set-macros and substitute deprecated version-specific methods.
 Test: OPENSSL_MIN_VERSION

 With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
 SSL_library_init.

 With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
 must explicitely be included.
 Thanks to Rosen Penev for reporting and sending a patch.

Testing:
 test.sh now produces a list of tests that could not be performed for
 any reason. This helps to analyse these cases.

 OpenSSL s_server appearently started to neglect TCPs half close feature.
 Test OPENSSL_TCP4 has been changed to tolerate this.

 OpenSSL changed its behaviour when connection is rejected. Tests
 OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
 OPENSSL_CN_SERVER_SECURITY now tolerate this.

 OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
 appropriate tests failed.
 Fix: use TLSv1.2 for renegotiation tests
 Tests: OPENSSLRENEG1 OPENSSLRENEG2

 Ubuntu 20.04 requires 2048 bit certificates with OpenSSL

 Archlinux 2020 has not which command; its ip,ss commands have modified
 version strings

 More testing issues solved:
 * ss to pipe might omit column separator
 * UDP6MULTICAST_UNIDIR fails on newer Linux kernels
 * do not use sort -V
 * renamed testaddrs() to testfeats(), and introduced new testaddrs()

New features:
 GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
 Test: GOPENUNIXSEQPACKET
 Feature suggested by vi0oss.

 The generic setsockopt-int and related options are, in case of
 listening/accepting addresses, applied to the connected socket(s). To enable
 setting options on the listening socket, a new option setsockopt-listen
 has been implemented. See the documentation for info on data types.
 Tests: SETSOCKOPT SETSOCKOPT_LISTEN
 Thanks to Steven Danna and Korian Edeline for reporting this issue.

 Filan option -S gives short description like -s but with improved
 format

 Socat OpenSSL client, when server was specified using IP address, did
 not verify connection on certificates SubjectAltName IP entries.
 Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
 Fixes Red Hat bug 1805132

 Added options -r and -R for raw dump of transferred data to files.
 Test: OPTION_RAW_DUMP

 Added option ip-transparent (socket option IP_TRANSPARENT)
 Thanks to Wang Shanker for sending a patch.

 OPENSSL-CONNECT now automatically uses the SNI feature, option
 openssl-no-sni turns it off. Option openssl-snihost overrides the value
 of option openssl-commonname or the server name.
 Tests: OPENSSL_SNI OPENSSL_NO_SNI
 Thanks to Travis Burtrum for providing the initial patch

 New option accept-timeout (listen-timeout)
 Test: ACCEPTTIMEOUT
 Proposed by Roland

 New option ip-add-source-membership
 Feature inspired by Brian (b f31415)

 INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
 of replies, as it did up to version 1.7.3.4. Use option sourceport when
 you need the old behaviour.
 Test: UDP_DATAGRAM_SOURCEPORT
 Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)

 New option proxy-authorization-file reads PROXY-CONNECT credentials
 from file and makes it possible to hide this data from the process
 table.
 Test: PROXYAUTHFILE
 Thanks to Charles Stephens for sending an initial patch.

 Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
 Developed by Stefano Garzarella.

Coding:
 Added printf formats for uint16_t etc.

Documentation:
 Address UDP-RECV does not support option fork.
 Thanks to Fulvio Scapin for reporting that mistake in docu.

 TUN address documentation showed TCP for backend which may merge
 consecutive packets which causes data loss.
 Thanks to Tomasz Lakota for reporting this issue.


To generate a diff of this commit:
cvs rdiff -u -r1.44 -r1.45 pkgsrc/net/socat/Makefile
cvs rdiff -u -r1.28 -r1.29 pkgsrc/net/socat/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/socat/Makefile
diff -u pkgsrc/net/socat/Makefile:1.44 pkgsrc/net/socat/Makefile:1.45
--- pkgsrc/net/socat/Makefile:1.44      Mon May 18 11:19:13 2020
+++ pkgsrc/net/socat/Makefile   Wed Jan  6 15:12:31 2021
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.44 2020/05/18 11:19:13 nia Exp $
+# $NetBSD: Makefile,v 1.45 2021/01/06 15:12:31 leot Exp $
 
-DISTNAME=      socat-1.7.3.4
+DISTNAME=      socat-1.7.4.0
 CATEGORIES=    net
 MASTER_SITES=  http://www.dest-unreach.org/socat/download/
 

Index: pkgsrc/net/socat/distinfo
diff -u pkgsrc/net/socat/distinfo:1.28 pkgsrc/net/socat/distinfo:1.29
--- pkgsrc/net/socat/distinfo:1.28      Mon May 18 11:19:13 2020
+++ pkgsrc/net/socat/distinfo   Wed Jan  6 15:12:31 2021
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.28 2020/05/18 11:19:13 nia Exp $
+$NetBSD: distinfo,v 1.29 2021/01/06 15:12:31 leot Exp $
 
-SHA1 (socat-1.7.3.4.tar.gz) = 2fa45073df61dd01b7ccbf2f8a8cc78580de7144
-RMD160 (socat-1.7.3.4.tar.gz) = b1cd5a3b893422b470d6a347a677f39835c7124d
-SHA512 (socat-1.7.3.4.tar.gz) = c5699fd1a703e90927076599d02323b85722d49e86bc2f627b4301a41d3df72c634af629f378425ff201cde78343da5cd0cad1044bf857665176c91357401fdd
-Size (socat-1.7.3.4.tar.gz) = 615381 bytes
+SHA1 (socat-1.7.4.0.tar.gz) = d85bf661e445d6a8a892be3bfffc155fac3ede76
+RMD160 (socat-1.7.4.0.tar.gz) = 57d29be7075d7e7c14de15320a850257a0654f5c
+SHA512 (socat-1.7.4.0.tar.gz) = 0e500593f4086a9d94634232f8d5aa79eb57f85cb5f05e3bf0ae06baebd28c7c5d443ab71337d909a38f83538136119b89a8091681a19754b93229c42c23eb05
+Size (socat-1.7.4.0.tar.gz) = 647864 bytes