pkgsrc-WIP-changes archive

shellinabox: address CVE-2018-16789 and cosmetic fixes in Makefile



Module Name:	pkgsrc-wip
Committed By:	ast <ast%NetBSD.org@localhost>
Pushed By:	ast
Date:		Sun Apr 7 09:13:05 2019 +0200
Changeset:	cc1f54d6856374e1b2a61130d23cac18b1e9984b

Modified Files:
	shellinabox/Makefile
	shellinabox/distinfo
Added Files:
	shellinabox/patches/patch-libhttp-url-broken-multipart-form-data

Log Message:
shellinabox: address CVE-2018-16789 and cosmetic fixes in Makefile

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=cc1f54d6856374e1b2a61130d23cac18b1e9984b

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 shellinabox/Makefile                                   |  6 +++---
 shellinabox/distinfo                                   |  1 +
 .../patch-libhttp-url-broken-multipart-form-data       | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diffs:
diff --git a/shellinabox/Makefile b/shellinabox/Makefile
index acad228fd3..3727245bb2 100644
--- a/shellinabox/Makefile
+++ b/shellinabox/Makefile
@@ -3,7 +3,7 @@
 PKGBASE=	shellinabox
 SIB_VER=	v2.20
 DISTNAME=	${PKGBASE}-${SIB_VER}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	www
 
 MASTER_SITES=	${MASTER_SITE_GITHUB:=shellinabox/}
@@ -11,7 +11,7 @@ GITHUB_PROJECT=	${PKGBASE}
 GITHUB_TAG=	${SIB_VER}
 
 MAINTAINER=	ast%NetBSD.org@localhost
-HOMEPAGE=	https://code.google.com/archive/p/shellinabox/
+HOMEPAGE=	https://github.com/shellinabox/shellinabox
 COMMENT=	JavaScript/CSS web server instrumentation for terminal emulation
 LICENSE=	gnu-gpl-v2
 
@@ -34,7 +34,7 @@ PKG_GROUPS_VARS=	SIB_USER
 PKG_USERS_VARS=		SIB_GROUP
 
 RCD_SCRIPTS+=		shellinaboxd
-RCD_SCRIPT_SRC.shellinaboxd = ${WRKSRC}/shellinaboxd.in
+RCD_SCRIPT_SRC.shellinaboxd= ${WRKSRC}/shellinaboxd.in
 
 SUBST_CLASSES+=		sib
 SUBST_STAGE.sib=	pre-configure
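Review bot: The context of this last Makefile hunk shows PKG_GROUPS_VARS set to SIB_USER and PKG_USERS_VARS set to SIB_GROUP, which looks crossed, since each list is meant to name the variables holding groups and users respectively. Worth checking and swapping in a follow-up if so. Separately, the whitespace change to RCD_SCRIPT_SRC.shellinaboxd and the HOMEPAGE update are unrelated to the CVE; committing them apart from the security fix would make the fix easier to cherry-pick and audit.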
diff --git a/shellinabox/distinfo b/shellinabox/distinfo
index 613749b6e8..0caf746fa5 100644
--- a/shellinabox/distinfo
+++ b/shellinabox/distinfo
@@ -6,4 +6,5 @@ SHA512 (shellinabox-v2.20.tar.gz) = 369fb6e0041fc3eb52a533f14d1f856a71ec1bf16644
 Size (shellinabox-v2.20.tar.gz) = 745920 bytes
 SHA1 (patch-configure-ptsname_r) = 40c44f37afb09b99b40ee5b4faf470d95add10b7
 SHA1 (patch-configure-shell-syntax) = f6341418e5cc7538935c4c8ee8b2fa812512d579
+SHA1 (patch-libhttp-url-broken-multipart-form-data) = 6bf678d939880bd029548aa85246aacb188fce5a
 SHA1 (patch-service-ssh-rm-rsa-options) = 7e085d515d63dfd4fa3c3975a93a8e0434795e73
diff --git a/shellinabox/patches/patch-libhttp-url-broken-multipart-form-data b/shellinabox/patches/patch-libhttp-url-broken-multipart-form-data
new file mode 100644
index 0000000000..144cc49860
--- /dev/null
+++ b/shellinabox/patches/patch-libhttp-url-broken-multipart-form-data
@@ -0,0 +1,18 @@
+$NetBSD$
+
+Merge https://github.com/shellinabox/shellinabox/pull/446/commits
+commit 7f47efe for CVE-2018-16789: fix for broken multipart/form-data
+to mitigate DoS attack.
+
+--- libhttp/url.c.orig	2019-04-07 08:39:04.352921385 +0200
++++ libhttp/url.c	2019-04-07 08:42:30.746080956 +0200
+@@ -312,6 +312,9 @@
+               }
+             }
+           }
++        } else {
++           warn("[http] broken multipart/form-data!");
++           break;
+         }
+       }
+       if (lastPart) {
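Review bot: The patch header points at the pull request's commit list (pull/446/commits) and the abbreviated id 7f47efe rather than at the commit itself. Recording the full upstream commit URL or hash would let a later maintainer confirm the backport is verbatim and drop it once a release past v2.20 contains the fix. In the url.c hunk, the three context lines before the new else are all closing braces, so it is not visible which if the branch pairs with or which loop the break leaves; a short remark in the header on what the else guards (the malformed-part case) would help review. The added warn and break lines are also indented one space deeper than the two-space steps around them; if that matches upstream, leave it as is so the patch stays identical to the upstream change.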

