pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279
details: https://anonhg.NetBSD.org/pkgsrc/rev/74dfdaf6622b
branches: trunk
changeset: 342519:74dfdaf6622b
user: ast <ast%pkgsrc.org@localhost>
date: Sun Oct 20 20:02:13 2019 +0000
description:
www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279
diffstat:
doc/CHANGES-2019 | 3 +-
www/nostromo/Makefile | 6 +-
www/nostromo/PLIST | 6 +-
www/nostromo/distinfo | 4 +-
www/nostromo/patches/patch-http_header_comp | 66 +++++++++++++++++++++++++++++
www/nostromo/patches/patch-strcutl | 62 +++++++++++++++++++++++++++
6 files changed, 139 insertions(+), 8 deletions(-)
diffs (204 lines):
diff -r 9f2d2dcd8a4f -r 74dfdaf6622b doc/CHANGES-2019
--- a/doc/CHANGES-2019 Sun Oct 20 18:04:41 2019 +0000
+++ b/doc/CHANGES-2019 Sun Oct 20 20:02:13 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2019,v 1.4458 2019/10/20 18:04:41 leot Exp $
+$NetBSD: CHANGES-2019,v 1.4459 2019/10/20 20:08:05 ast Exp $
Changes to the packages collection and infrastructure in 2019:
@@ -7167,3 +7167,4 @@
Added graphics/faba-icon-theme version 4.3 [nia 2019-10-20]
Added graphics/moka-icon-theme version 5.4.0 [nia 2019-10-20]
Added textproc/json2tsv version 0.2 [leot 2019-10-20]
+ Updated www/nostromo to 1.9.6nb2 [ast 2019-10-20]
diff -r 9f2d2dcd8a4f -r 74dfdaf6622b www/nostromo/Makefile
--- a/www/nostromo/Makefile Sun Oct 20 18:04:41 2019 +0000
+++ b/www/nostromo/Makefile Sun Oct 20 20:02:13 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.2 2019/09/03 12:02:48 nia Exp $
+# $NetBSD: Makefile,v 1.3 2019/10/20 20:02:13 ast Exp $
DISTNAME= nostromo-1.9.6
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= http://www.nazgul.ch/dev/
DISTFILES= ${DISTNAME}${EXTRACT_SUFX}
@@ -25,7 +25,7 @@
SUBST_CLASSES+= nostromo
SUBST_MESSAGE.nostromo= Fixing GNUmakefile src/nhttpd/GNUmakefile
-SUBST_STAGE.nostromo= pre-patch
+SUBST_STAGE.nostromo= post-extract
SUBST_FILES.nostromo= GNUmakefile \
src/nhttpd/GNUmakefile \
src/tools/GNUmakefile \
diff -r 9f2d2dcd8a4f -r 74dfdaf6622b www/nostromo/PLIST
--- a/www/nostromo/PLIST Sun Oct 20 18:04:41 2019 +0000
+++ b/www/nostromo/PLIST Sun Oct 20 20:02:13 2019 +0000
@@ -1,8 +1,7 @@
-@comment $NetBSD: PLIST,v 1.1 2018/02/11 13:56:21 ast Exp $
+@comment $NetBSD: PLIST,v 1.2 2019/10/20 20:02:13 ast Exp $
+man/man8/nhttpd.8
sbin/crypt
sbin/nhttpd
-man/man8/nhttpd.8
-share/examples/rc.d/nostromo
share/examples/nostromo/conf/mimes
share/examples/nostromo/conf/nhttpd.conf-dist
share/examples/nostromo/htdocs/cgi-bin/printenv
@@ -10,3 +9,4 @@
share/examples/nostromo/htdocs/nostromo.gif
share/examples/nostromo/icons/dir.gif
share/examples/nostromo/icons/file.gif
+share/examples/rc.d/nostromo
diff -r 9f2d2dcd8a4f -r 74dfdaf6622b www/nostromo/distinfo
--- a/www/nostromo/distinfo Sun Oct 20 18:04:41 2019 +0000
+++ b/www/nostromo/distinfo Sun Oct 20 20:02:13 2019 +0000
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.1 2018/02/11 13:56:21 ast Exp $
+$NetBSD: distinfo,v 1.2 2019/10/20 20:02:13 ast Exp $
SHA1 (nostromo-1.9.6.tar.gz) = 6f3d8ebc15486398f819ac55a9d2a9ac14c3b35e
RMD160 (nostromo-1.9.6.tar.gz) = 6817ac77c7645ab2bef3e73469d2f376448af868
SHA512 (nostromo-1.9.6.tar.gz) = baf68f492653937b80629f1281a1243026ee2def9f5b092934474148f97306ef0796c4fecffb3d6061907d8fdc1beb0a34333dfe8738dec70acdd3975347d6ea
Size (nostromo-1.9.6.tar.gz) = 50937 bytes
+SHA1 (patch-http_header_comp) = 71b79682ae110f6a728a09f15d46d41878fb9a70
+SHA1 (patch-strcutl) = e2bd849890eb0c290745d0d9703000b7909b9318
diff -r 9f2d2dcd8a4f -r 74dfdaf6622b www/nostromo/patches/patch-http_header_comp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/nostromo/patches/patch-http_header_comp Sun Oct 20 20:02:13 2019 +0000
@@ -0,0 +1,66 @@
+$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $
+
+The function http_header_comp() should return the number of received
+headers, not only 0 on fail or 1 on success.
+
+Without this functionality, one could send more than the default
+of 16 headers and overflow the header array to craft a DoS as
+shown in nostromo CVE-2019-16279.
+
+This patch adds the missing header count functionality to the function
+http_header_comp().
+
+--- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200
++++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200
+@@ -1074,21 +1074,21 @@
+ * http_header_comp()
+ * check if received headers arrived complete
+ * Return:
+- * 0 = headers not complete, 1 = headers complete
++ * 0 = headers not complete, <number of headers> = headers complete
+ */
+ int
+ http_header_comp(char *header, const int len)
+ {
+- int r;
+- char *p, *end;
++ int i, headers;
++ char *p;
+
+- r = 0;
++ headers = 0;
+
+ /* check header for minimum size */
+ if (len < 4)
+ return (0);
+
+- /* post */
++ /* post header */
+ if (!strncasecmp("POST", header, 4)) {
+ p = header;
+ if ((p = strstr(p, "\r\n\r\n")) == NULL)
+@@ -1097,12 +1097,19 @@
+ return (1);
+ }
+
+- /* any header */
+- end = header + (len - 4);
+- if (!strcmp(end, "\r\n\r\n"))
+- r = 1;
++ /* any other header */
++ for (i = 0; i < len; i++) {
++ if (header[i] == '\r') {
++ if ((len - i) < 4)
++ break;
++ if (!strncmp(&header[i], "\r\n\r\n", 4)) {
++ headers++;
++ i += 3;
++ }
++ }
++ }
+
+- return (r);
++ return (headers);
+ }
+
+ /*
diff -r 9f2d2dcd8a4f -r 74dfdaf6622b www/nostromo/patches/patch-strcutl
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/nostromo/patches/patch-strcutl Sun Oct 20 20:02:13 2019 +0000
@@ -0,0 +1,62 @@
+$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $
+
+Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing
+execution of /bin/sh with arbitrary arguments).
+
+Nostromo as such handles encoded URI correctly but the strcutl()
+function in the string manipulation library removes 0x0d in the
+URI string resulting in a valid path. What should happen instead
+is that the decoded 0x0d character remains in the URI, resulting
+in an invalid path, giving rise to a 404.
+
+--- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200
++++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200
+@@ -26,8 +26,12 @@
+ {
+ int i = 0, j = 0, cl = 0;
+
+- /* first count all lines */
+- while (1) {
++ /* requested line must be a positive integer */
++ if (line <= 0)
++ return -1;
++
++ /* count lines up to requested line or end of string */
++ while (line >= cl) {
+ if (src[i] == '\n' && src[i + 1] == '\0') {
+ cl++;
+ break;
+@@ -42,24 +46,24 @@
+ i++;
+ }
+
+- /* do we have the requested line ? */
+- if (line > cl || line == 0)
++ /* did we actually get the requested line ? */
++ if (line > cl)
+ return -1;
+
+- /* go to line start */
++ /* go to beginning of the requested line */
+ for (i = 0, j = 0; j != line - 1; i++)
+ if (src[i] == '\n')
+ j++;
+
+- /* read requested line */
++ /* copy the requested line to destination buffer */
+ for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
+- if (src[i] != '\r') {
+- dst[j] = src[i];
+- j++;
+- }
++ if (src[i] == '\r' && src[i + 1] == '\n')
++ continue;
++ dst[j] = src[i];
++ j++;
+ }
+
+- /* terminate string */
++ /* null terminate destination buffer */
+ dst[j] = '\0';
+
+ return cl;
Home |
Main Index |
Thread Index |
Old Index