pkgsrc-Changes archive


CVS commit: pkgsrc/www/nostromo



Module Name:    pkgsrc
Committed By:   ast
Date:           Sun Oct 20 20:02:14 UTC 2019

Modified Files:
        pkgsrc/www/nostromo: Makefile PLIST distinfo
Added Files:
        pkgsrc/www/nostromo/patches: patch-http_header_comp patch-strcutl

Log Message:
www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/nostromo/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/nostromo/PLIST \
    pkgsrc/www/nostromo/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/nostromo/patches/patch-http_header_comp \
    pkgsrc/www/nostromo/patches/patch-strcutl

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/nostromo/Makefile
diff -u pkgsrc/www/nostromo/Makefile:1.2 pkgsrc/www/nostromo/Makefile:1.3
--- pkgsrc/www/nostromo/Makefile:1.2    Tue Sep  3 12:02:48 2019
+++ pkgsrc/www/nostromo/Makefile        Sun Oct 20 20:02:13 2019
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.2 2019/09/03 12:02:48 nia Exp $
+# $NetBSD: Makefile,v 1.3 2019/10/20 20:02:13 ast Exp $
 
 DISTNAME=      nostromo-1.9.6
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  http://www.nazgul.ch/dev/
 DISTFILES=     ${DISTNAME}${EXTRACT_SUFX}
@@ -25,7 +25,7 @@ INSTALLATION_DIRS+=   ${EGDIR}/htdocs ${EG
 
 SUBST_CLASSES+=                nostromo
 SUBST_MESSAGE.nostromo=        Fixing GNUmakefile src/nhttpd/GNUmakefile
-SUBST_STAGE.nostromo=  pre-patch
+SUBST_STAGE.nostromo=  post-extract
 SUBST_FILES.nostromo=  GNUmakefile \
                        src/nhttpd/GNUmakefile \
                        src/tools/GNUmakefile \

Index: pkgsrc/www/nostromo/PLIST
diff -u pkgsrc/www/nostromo/PLIST:1.1 pkgsrc/www/nostromo/PLIST:1.2
--- pkgsrc/www/nostromo/PLIST:1.1       Sun Feb 11 13:56:21 2018
+++ pkgsrc/www/nostromo/PLIST   Sun Oct 20 20:02:13 2019
@@ -1,8 +1,7 @@
-@comment $NetBSD: PLIST,v 1.1 2018/02/11 13:56:21 ast Exp $
+@comment $NetBSD: PLIST,v 1.2 2019/10/20 20:02:13 ast Exp $
+man/man8/nhttpd.8
 sbin/crypt
 sbin/nhttpd
-man/man8/nhttpd.8
-share/examples/rc.d/nostromo
 share/examples/nostromo/conf/mimes
 share/examples/nostromo/conf/nhttpd.conf-dist
 share/examples/nostromo/htdocs/cgi-bin/printenv
@@ -10,3 +9,4 @@ share/examples/nostromo/htdocs/index.htm
 share/examples/nostromo/htdocs/nostromo.gif
 share/examples/nostromo/icons/dir.gif
 share/examples/nostromo/icons/file.gif
+share/examples/rc.d/nostromo
Index: pkgsrc/www/nostromo/distinfo
diff -u pkgsrc/www/nostromo/distinfo:1.1 pkgsrc/www/nostromo/distinfo:1.2
--- pkgsrc/www/nostromo/distinfo:1.1    Sun Feb 11 13:56:21 2018
+++ pkgsrc/www/nostromo/distinfo        Sun Oct 20 20:02:13 2019
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.1 2018/02/11 13:56:21 ast Exp $
+$NetBSD: distinfo,v 1.2 2019/10/20 20:02:13 ast Exp $
 
 SHA1 (nostromo-1.9.6.tar.gz) = 6f3d8ebc15486398f819ac55a9d2a9ac14c3b35e
 RMD160 (nostromo-1.9.6.tar.gz) = 6817ac77c7645ab2bef3e73469d2f376448af868
 SHA512 (nostromo-1.9.6.tar.gz) = baf68f492653937b80629f1281a1243026ee2def9f5b092934474148f97306ef0796c4fecffb3d6061907d8fdc1beb0a34333dfe8738dec70acdd3975347d6ea
 Size (nostromo-1.9.6.tar.gz) = 50937 bytes
+SHA1 (patch-http_header_comp) = 71b79682ae110f6a728a09f15d46d41878fb9a70
+SHA1 (patch-strcutl) = e2bd849890eb0c290745d0d9703000b7909b9318

Added files:

Index: pkgsrc/www/nostromo/patches/patch-http_header_comp
diff -u /dev/null pkgsrc/www/nostromo/patches/patch-http_header_comp:1.1
--- /dev/null   Sun Oct 20 20:02:14 2019
+++ pkgsrc/www/nostromo/patches/patch-http_header_comp  Sun Oct 20 20:02:13 2019
@@ -0,0 +1,66 @@
+$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $
+
+The function http_header_comp() should return the number of received
+headers, not only 0 on fail or 1 on success.
+
+Without this functionality, one could send more than the default
+of 16 headers and overflow the header array to craft a DoS as
+shown in nostromo CVE-2019-16279.
+
+This patch adds the missing header count functionality to the function
+http_header_comp().
+
+--- src/nhttpd/http.c.orig     2019-10-20 15:20:47.521119966 +0200
++++ src/nhttpd/http.c  2019-10-20 15:28:02.327722735 +0200
+@@ -1074,21 +1074,21 @@
+  * http_header_comp()
+  *    check if received headers arrived complete
+  * Return:
+- *    0 = headers not complete, 1 = headers complete
++ *    0 = headers not complete, <number of headers> = headers complete
+  */
+ int
+ http_header_comp(char *header, const int len)
+ {
+-      int     r;
+-      char    *p, *end;
++      int     i, headers;
++      char    *p;
+ 
+-      r = 0;
++      headers = 0;
+ 
+       /* check header for minimum size */
+       if (len < 4)
+               return (0);
+ 
+-      /* post */
++      /* post header */
+       if (!strncasecmp("POST", header, 4)) {
+               p = header;
+               if ((p = strstr(p, "\r\n\r\n")) == NULL)
+@@ -1097,12 +1097,19 @@
+                       return (1);
+       }
+ 
+-      /* any header */
+-      end = header + (len - 4);
+-      if (!strcmp(end, "\r\n\r\n"))
+-              r = 1;
++      /* any other header */
++      for (i = 0; i < len; i++) {
++              if (header[i] == '\r') {
++                      if ((len - i) < 4)
++                              break;
++                      if (!strncmp(&header[i], "\r\n\r\n", 4)) {
++                              headers++;
++                              i += 3;
++                      }
++              }
++      }
+ 
+-      return (r);
++      return (headers);
+ }
+ 
+ /*
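Review bot: The early return in the `POST` branch still yields `1` (the context line `return (1);` just ahead of the new loop), so the count this patch introduces is only produced for buffers that do not start with POST, and the revised `Return:` comment does not say so. What the loop counts is `\r\n\r\n` terminators anywhere in the first `len` bytes, not header lines, and unlike the old `strcmp(end, ...)` test it no longer requires the buffer to end on a terminator, so a complete block followed by a partial one now returns non-zero. I would spell that out in the comment, e.g. `0 = no complete header block; POST: 1 once the first block is complete; otherwise the number of "\r\n\r\n" terminators found in header[0..len)`. No caller is changed in this patch, so whether the returned count is compared against the header array size is not visible here and is worth confirming where http_header_comp() is called. Part of the POST branch lies between the two inner hunks and is not shown.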
Index: pkgsrc/www/nostromo/patches/patch-strcutl
diff -u /dev/null pkgsrc/www/nostromo/patches/patch-strcutl:1.1
--- /dev/null   Sun Oct 20 20:02:14 2019
+++ pkgsrc/www/nostromo/patches/patch-strcutl   Sun Oct 20 20:02:13 2019
@@ -0,0 +1,62 @@
+$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $
+
+Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing
+execution of /bin/sh with arbitrary arguments).
+
+Nostromo as such handles encoded URI correctly but the strcutl()
+function in the string manipulation library removes 0x0d in the
+URI string resulting in a valid path. What should happen instead
+is that the decoded 0x0d character remains in the URI, resulting
+in an invalid path, giving rise to a 404.
+
+--- src/libmy/strcutl.c.orig   2005-06-04 10:30:04.000000000 +0200
++++ src/libmy/strcutl.c        2019-10-20 11:30:29.704645745 +0200
+@@ -26,8 +26,12 @@
+ {
+       int     i = 0, j = 0, cl = 0;
+ 
+-      /* first count all lines */
+-      while (1) {
++      /* requested line must be a positive integer */
++      if (line <= 0)
++              return -1;
++
++      /* count lines up to requested line or end of string */
++      while (line >= cl) {
+               if (src[i] == '\n' && src[i + 1] == '\0') {
+                       cl++;
+                       break;
+@@ -42,24 +46,24 @@
+               i++;
+       }
+ 
+-      /* do we have the requested line ? */
+-      if (line > cl || line == 0)
++      /* did we actually get the requested line ? */
++      if (line > cl)
+               return -1;
+ 
+-      /* go to line start */
++      /* go to beginning of the requested line */
+       for (i = 0, j = 0; j != line - 1; i++)
+               if (src[i] == '\n')
+                       j++;
+ 
+-      /* read requested line */
++      /* copy the requested line to destination buffer */
+       for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
+-              if (src[i] != '\r') {
+-                      dst[j] = src[i];
+-                      j++;
+-              }
++              if (src[i] == '\r' && src[i + 1] == '\n')
++                      continue;
++              dst[j] = src[i];
++              j++;
+       }
+ 
+-      /* terminate string */
++      /* null terminate destination buffer */
+       dst[j] = '\0';
+ 
+       return cl;
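Review bot: With the counting loop now bounded by `while (line >= cl)`, the value returned by `return cl;` appears to stop at about `line + 1` rather than the total number of lines in `src`, and nothing in the patch documents that change. If any caller uses the return value as a line count rather than only testing for `-1`, it will now see a smaller number; a comment such as `/* returns -1 if the line does not exist, otherwise the number of lines counted so far (not the total) */` above the function would make this explicit. Separately, the copy loop now keeps a `\r` that is not followed by `\n`, so the mitigation relies on later path handling rejecting that byte; a short comment at `if (src[i] == '\r' && src[i + 1] == '\n')` saying that bare CRs are preserved on purpose would keep a later cleanup from stripping them again. The function's signature and part of the counting loop are outside the hunk, so the first point is inferred from the visible lines.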


