pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc www/nostromo: update to nostromo 1.9.9; patches not ne...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/5b9199e6087a
branches:  trunk
changeset: 442886:5b9199e6087a
user:      ast <ast%pkgsrc.org@localhost>
date:      Wed Dec 02 16:30:50 2020 +0000

description:
www/nostromo: update to nostromo 1.9.9; patches not needed anymore

diffstat:

 doc/CHANGES-2020                            |   3 +-
 www/nostromo/Makefile                       |   4 +-
 www/nostromo/distinfo                       |  12 ++---
 www/nostromo/patches/patch-http_header_comp |  66 -----------------------------
 www/nostromo/patches/patch-strcutl          |  62 ---------------------------
 5 files changed, 9 insertions(+), 138 deletions(-)

diffs (179 lines):

diff -r 9a5c9989e17c -r 5b9199e6087a doc/CHANGES-2020
--- a/doc/CHANGES-2020  Wed Dec 02 15:35:06 2020 +0000
+++ b/doc/CHANGES-2020  Wed Dec 02 16:30:50 2020 +0000
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2020,v 1.6528 2020/12/02 15:35:06 fcambus Exp $
+$NetBSD: CHANGES-2020,v 1.6529 2020/12/02 16:30:50 ast Exp $
 
 Changes to the packages collection and infrastructure in 2020:
 
@@ -9512,3 +9512,4 @@
        Updated www/nginx to 1.18.0nb7 [otis 2020-12-02]
        Updated www/nginx-devel to 1.19.5nb1 [otis 2020-12-02]
        Updated converters/bdf2psf to 1.199 [fcambus 2020-12-02]
+       Updated www/nostromo to 1.9.9 [ast 2020-12-02]
diff -r 9a5c9989e17c -r 5b9199e6087a www/nostromo/Makefile
--- a/www/nostromo/Makefile     Wed Dec 02 15:35:06 2020 +0000
+++ b/www/nostromo/Makefile     Wed Dec 02 16:30:50 2020 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.5 2020/05/10 14:03:01 rillig Exp $
+# $NetBSD: Makefile,v 1.6 2020/12/02 16:30:50 ast Exp $
 
-DISTNAME=      nostromo-1.9.6
+DISTNAME=      nostromo-1.9.9
 PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  http://www.nazgul.ch/dev/
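Review bot: `PKGREVISION=   2` is left in place while `DISTNAME` moves to `nostromo-1.9.9`, so the package would presumably be built as 1.9.9nb2 even though doc/CHANGES-2020 records the update as plain 1.9.9. The pkgsrc convention is to remove the `PKGREVISION` line on a version update, so I would delete it in this hunk. The unchanged `MASTER_SITES` is plain `http://`, which leaves the SHA512 entry in distinfo as the only integrity check on the fetched tarball. The rest of the Makefile is outside the hunk.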
diff -r 9a5c9989e17c -r 5b9199e6087a www/nostromo/distinfo
--- a/www/nostromo/distinfo     Wed Dec 02 15:35:06 2020 +0000
+++ b/www/nostromo/distinfo     Wed Dec 02 16:30:50 2020 +0000
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.2 2019/10/20 20:02:13 ast Exp $
+$NetBSD: distinfo,v 1.3 2020/12/02 16:30:50 ast Exp $
 
-SHA1 (nostromo-1.9.6.tar.gz) = 6f3d8ebc15486398f819ac55a9d2a9ac14c3b35e
-RMD160 (nostromo-1.9.6.tar.gz) = 6817ac77c7645ab2bef3e73469d2f376448af868
-SHA512 (nostromo-1.9.6.tar.gz) = baf68f492653937b80629f1281a1243026ee2def9f5b092934474148f97306ef0796c4fecffb3d6061907d8fdc1beb0a34333dfe8738dec70acdd3975347d6ea
-Size (nostromo-1.9.6.tar.gz) = 50937 bytes
-SHA1 (patch-http_header_comp) = 71b79682ae110f6a728a09f15d46d41878fb9a70
-SHA1 (patch-strcutl) = e2bd849890eb0c290745d0d9703000b7909b9318
+SHA1 (nostromo-1.9.9.tar.gz) = 50a5aca6cfbd0144cc45dadfd2d1b15613f09960
+RMD160 (nostromo-1.9.9.tar.gz) = a112c635e25809aa42c624b271dce0d5f0a73dc6
+SHA512 (nostromo-1.9.9.tar.gz) = 2b6af94fb39e7691f46fb8ba5289ff1db42b2de2fda05a748309f9d2a05c279303d9a0f4c9a3c36cde321ff4695571ee2f7bd8360649df6907ebef7176051bf7
+Size (nostromo-1.9.9.tar.gz) = 54274 bytes
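Review bot: Removing the `patch-http_header_comp` and `patch-strcutl` checksum lines drops the local mitigations for CVE-2019-16279 and CVE-2019-16278, and nothing in the commit shows that upstream 1.9.9 carries equivalent fixes. The description says only "patches not needed anymore"; I would extend it with a line such as `fixes for CVE-2019-16278 and CVE-2019-16279 are included upstream (see <upstream changelog reference>)`. That lets a later reader confirm that the header-count check in `http_header_comp()` and the `\r` handling in `strcutl()` were not lost. Whether upstream took the same approach as the removed patches cannot be told from this diff.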
diff -r 9a5c9989e17c -r 5b9199e6087a www/nostromo/patches/patch-http_header_comp
--- a/www/nostromo/patches/patch-http_header_comp       Wed Dec 02 15:35:06 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,66 +0,0 @@
-$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $
-
-The function http_header_comp() should return the number of received
-headers, not only 0 on fail or 1 on success.
-
-Without this functionality, one could send more than the default
-of 16 headers and overflow the header array to craft a DoS as
-shown in nostromo CVE-2019-16279.
-
-This patch adds the missing header count functionality to the function
-http_header_comp().
-
---- src/nhttpd/http.c.orig     2019-10-20 15:20:47.521119966 +0200
-+++ src/nhttpd/http.c  2019-10-20 15:28:02.327722735 +0200
-@@ -1074,21 +1074,21 @@
-  * http_header_comp()
-  *    check if received headers arrived complete
-  * Return:
-- *    0 = headers not complete, 1 = headers complete
-+ *    0 = headers not complete, <number of headers> = headers complete
-  */
- int
- http_header_comp(char *header, const int len)
- {
--      int     r;
--      char    *p, *end;
-+      int     i, headers;
-+      char    *p;
- 
--      r = 0;
-+      headers = 0;
- 
-       /* check header for minimum size */
-       if (len < 4)
-               return (0);
- 
--      /* post */
-+      /* post header */
-       if (!strncasecmp("POST", header, 4)) {
-               p = header;
-               if ((p = strstr(p, "\r\n\r\n")) == NULL)
-@@ -1097,12 +1097,19 @@
-                       return (1);
-       }
- 
--      /* any header */
--      end = header + (len - 4);
--      if (!strcmp(end, "\r\n\r\n"))
--              r = 1;
-+      /* any other header */
-+      for (i = 0; i < len; i++) {
-+              if (header[i] == '\r') {
-+                      if ((len - i) < 4)
-+                              break;
-+                      if (!strncmp(&header[i], "\r\n\r\n", 4)) {
-+                              headers++;
-+                              i += 3;
-+                      }
-+              }
-+      }
- 
--      return (r);
-+      return (headers);
- }
- 
- /*
diff -r 9a5c9989e17c -r 5b9199e6087a www/nostromo/patches/patch-strcutl
--- a/www/nostromo/patches/patch-strcutl        Wed Dec 02 15:35:06 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,62 +0,0 @@
-$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $
-
-Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing
-execution of /bin/sh with arbitrary arguments).
-
-Nostromo as such handles encoded URI correctly but the strcutl()
-function in the string manipulation library removes 0x0d in the
-URI string resulting in a valid path. What should happen instead
-is that the decoded 0x0d character remains in the URI, resulting
-in an invalid path, giving rise to a 404.
-
---- src/libmy/strcutl.c.orig   2005-06-04 10:30:04.000000000 +0200
-+++ src/libmy/strcutl.c        2019-10-20 11:30:29.704645745 +0200
-@@ -26,8 +26,12 @@
- {
-       int     i = 0, j = 0, cl = 0;
- 
--      /* first count all lines */
--      while (1) {
-+      /* requested line must be a positive integer */
-+      if (line <= 0)
-+              return -1;
-+
-+      /* count lines up to requested line or end of string */
-+      while (line >= cl) {
-               if (src[i] == '\n' && src[i + 1] == '\0') {
-                       cl++;
-                       break;
-@@ -42,24 +46,24 @@
-               i++;
-       }
- 
--      /* do we have the requested line ? */
--      if (line > cl || line == 0)
-+      /* did we actually get the requested line ? */
-+      if (line > cl)
-               return -1;
- 
--      /* go to line start */
-+      /* go to beginning of the requested line */
-       for (i = 0, j = 0; j != line - 1; i++)
-               if (src[i] == '\n')
-                       j++;
- 
--      /* read requested line */
-+      /* copy the requested line to destination buffer */
-       for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
--              if (src[i] != '\r') {
--                      dst[j] = src[i];
--                      j++;
--              }
-+              if (src[i] == '\r' && src[i + 1] == '\n')
-+                      continue;
-+              dst[j] = src[i];
-+              j++;
-       }
- 
--      /* terminate string */
-+      /* null terminate destination buffer */
-       dst[j] = '\0';
- 
-       return cl;


