libosip: Update to 5.1.1

libosip2 (5.1.1) - 2020-01-16
	* fix vulnerability report: Authentication-Info or Proxy-Authentication-Info are affected by a buffer overflow when building sip messages.
	* fix vulnerability report: when boundary only contains one quote, strncpy will use the unsigned value of -1 as size parameter.
	* fix: avoid several memory leaks detected in the SDP parser upon invalid SDP formats.
	* fix bug #57467: infinite loop in sdp_message_a_attribute_del_at_index
	* fix bug #56071: Heap-buffer-overflow in osip_util_replace_all_lws function in osip_message_parse.c
	* fix to reject any non compliant answer with missing version digits.

libosip2 (5.1.0) - 2019-03-27
	* STRUCTURE change: struct osip_srv_record
	* STRUCTURE change: struct osip_naptr
	* constant renamed: CRLF, LF, CR, SP renamed to OSIP_CRLF, OSIP_LF, OSIP_CR, OSIP_SP

	* new API: int parser_add_comma_separated_header(const char *hname);

	* support larger binary attachment.
	* use strspn for better readability.
	* update osip_naptr & osip_srv_record structures to hold more NAPTR info and store ENUM result.
	* add AM_SILENT_RULES for autotools silent compilation.
	* fix a bug introduced in version 5: The current code is not counting correctly escaped " for multiple
	  headers on one line. This is fixed.
	* In order to prevent incorrect parsing of header that should not appear on one line, osip now contains
	  a list of known headers which are allowed to appear as "multiple header on one line separated with COMMA".
	  Other headers will be parsed as ONE header.
	* new API: parser_add_comma_separated_header API can be used to add other headers in the list, so they
	  will be parsed by osip as "multiple header on one line".
	* support for Visual Studio 2017: rename macro, better usage of WINAPI_FAMILY.
	* add some pre-defined SIP answer code (from www.iana.org/assignments/sip-parameters/)
	* fix windows compilation on mingw/msys if compiling without threads.
	* fix bug report: sr #109265: SIP message body length underflow in libosip2-4.1.0
	  https://savannah.gnu.org/support/?109265
	* other minor changes: warning, compilation...

libosip2 (5.0.0)
	* STRUCTURE change: additionnal parameter for "struct osip_srv_entry" used for failover in eXosip2.

	* fix overflow: sr #109133: Heap buffer overflow in utility function *osip_clrncpy*
	* fix overflow: sr #109132: Heap buffer overflow in *osip_body_to_str*
	* fix overflow: sr #109131: Heap buffer overflow in `_osip_message_to_str`
	* simplify usage of timercmp/timerisset/timerclear
	* optimize list search: use iterator
	* improve/update autotools (./configure and options, Makefile.am, ax_thread.m4...)
	* verify a URI scheme only contains allowed char
	* improve make check (test unit) to make it clear about the results expected.
	* fix a possible buffer overflow of 1 byte in sdp_message_to_str (size=sdp allocated size)
	* fix cseq check in order to stop retransmission of 200ok
	* update to reject negative value in port number
	* add support for ntlm authentication in parser
	* include application_data when cloning sip message
	* fix to allow correct parsing of quoted string in from/to/contact/...
	* add authorizations and proxy_authorizations into ACK for 3xx, 4xx, 5xx, and 6xx (if answer was not 401/407)
	* additionnal check for cseq number for matching incoming ack restransmission
	* patch to transmit ack for OSIP_ICT_ACK_SENT event
	* improve management of body length // fix a bug when initial value of body is \0.
	* increase timer E as soon as we receive 1xx for NICT.
	* update all reasons according to RFC.
	* add some reason code from rfc4412, rfc3261 and rfc6086.
	* parse addr spec with LAQUOT and RAQUOT in generic parameters.
	* avoid issue with comma in userinfo of URI which may appear for several headers such as Contact.
	* do not use multiple header method for t, f, i, r, refer-to, b, referred-by headers.
	* allow faster connection with non blocking reliable sockets.
	* improve android time compensation.
This commit is contained in:
nia 2020-03-06 12:52:20 +00:00
parent 985f154f64
commit ce41db1724
6 changed files with 9 additions and 94 deletions

View file

@ -1,8 +1,6 @@
# $NetBSD: Makefile,v 1.21 2020/01/18 23:30:32 rillig Exp $
#
# $NetBSD: Makefile,v 1.22 2020/03/06 12:52:20 nia Exp $
DISTNAME= libosip2-4.1.0
PKGREVISION= 1
DISTNAME= libosip2-5.1.1
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_GNU:=osip/}
@ -11,12 +9,11 @@ HOMEPAGE= https://www.gnu.org/software/osip/
COMMENT= Implementation of SIP
LICENSE= gnu-lgpl-v2.1
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
USE_LIBTOOL= yes
GNU_CONFIGURE= yes
PKGCONFIG_OVERRIDE+= libosip2.pc.in
.include "options.mk"
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"

View file

@ -1,11 +1,7 @@
$NetBSD: distinfo,v 1.16 2019/04/21 16:25:38 khorben Exp $
$NetBSD: distinfo,v 1.17 2020/03/06 12:52:20 nia Exp $
SHA1 (libosip2-4.1.0.tar.gz) = 61459c9052ca2f5e77a6936c9b369e2b0602c080
RMD160 (libosip2-4.1.0.tar.gz) = 3f86bf7872cd382f331b49f5e03a6ddddd338afa
SHA512 (libosip2-4.1.0.tar.gz) = 8a04e047052aa6b970bb107aa8c0f94ed7c984defe69c3f2788f0b7677325812925a9386c1059499aa0940bb524ac1f724b5489f08e5b2210d190bad68271ee7
Size (libosip2-4.1.0.tar.gz) = 636382 bytes
SHA1 (libosip2-5.1.1.tar.gz) = 21e04561d5ebf27c1870cdc72e8387912ea769d2
RMD160 (libosip2-5.1.1.tar.gz) = 42e9230f883734f56e97c23d84ac6f6301f0fc96
SHA512 (libosip2-5.1.1.tar.gz) = 485a385b67ff422878bb45ae16936a5ef4cfbff3c7db618a3ff57b942bae6d269c108fa58d58caf5be1123155fb946595e10aba5cf261ec656168444fddf840a
Size (libosip2-5.1.1.tar.gz) = 721763 bytes
SHA1 (patch-src_osip2_port__sema.c) = 690cc6204025566f605cfc58a1652b95afc8e65f
SHA1 (patch-src_osipparser2_osip__body.c) = fcbbb11e6a1b87f46faa1742d75a1951342b4095
SHA1 (patch-src_osipparser2_osip__message__parse.c) = 2f9fea6f6ebea18b1bccb685a731ddf2295728dd
SHA1 (patch-src_osipparser2_osip__message__to__str.c) = 12d559f25566c2143c9a679befb4b28bd03c3a63
SHA1 (patch-src_osipparser2_osip__port.c) = 3723661ad715531bebb4ba6af7dd2e056f205e93

View file

@ -1,21 +0,0 @@
$NetBSD: patch-src_osipparser2_osip__body.c,v 1.1 2019/04/21 16:25:38 khorben Exp $
Apply fix for CVE-2016-10326 (from Debian)
--- src/osipparser2/osip_body.c.orig 2013-12-18 18:36:46.000000000 +0000
+++ src/osipparser2/osip_body.c
@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
}
if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
+ if (length < tmp_body - ptr + 3) {
+ size_t len;
+
+ len = tmp_body - ptr;
+ length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
+ ptr = osip_realloc (ptr, length);
+ tmp_body = ptr + len;
+ }
tmp_body = osip_strn_append (tmp_body, CRLF, 2);
}
if (length < tmp_body - ptr + body->length + 4) {

View file

@ -1,19 +0,0 @@
$NetBSD: patch-src_osipparser2_osip__message__parse.c,v 1.1 2019/04/21 16:25:38 khorben Exp $
Apply fix for CVE-2017-7853 (from Debian)
--- src/osipparser2/osip_message_parse.c.orig 2013-12-18 18:36:46.000000000 +0000
+++ src/osipparser2/osip_message_parse.c
@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
start_of_body++;
+ /* if message body is empty or contains a single CR/LF */
+ if (end_of_body <= start_of_body) {
+ osip_free (sep_boundary);
+ return OSIP_SYNTAXERROR;
+ }
+
body_len = end_of_body - start_of_body;
/* Skip CR before end boundary. */

View file

@ -1,20 +0,0 @@
$NetBSD: patch-src_osipparser2_osip__message__to__str.c,v 1.1 2019/04/21 16:25:38 khorben Exp $
Apply fix for CVE-2016-10325 (from Debian)
--- src/osipparser2/osip_message_to_str.c.orig 2013-12-18 18:36:46.000000000 +0000
+++ src/osipparser2/osip_message_to_str.c
@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
/* A start-line isn't required for message/sipfrag parts. */
}
else {
+ size_t message_len = strlen(tmp);
+ if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
+ osip_free (tmp);
+ *dest = NULL;
+ return OSIP_NOMEM;
+ }
+
message = osip_str_append (message, tmp);
osip_free (tmp);
message = osip_strn_append (message, CRLF, 2);

View file

@ -1,18 +0,0 @@
$NetBSD: patch-src_osipparser2_osip__port.c,v 1.1 2019/04/21 16:25:38 khorben Exp $
Apply fix for CVE-2016-10324 (from Debian)
--- src/osipparser2/osip_port.c.orig 2013-12-18 18:36:46.000000000 +0000
+++ src/osipparser2/osip_port.c
@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
char *p;
size_t spaceless_length;
- if (src == NULL)
+ if (src == NULL || len == 0) {
+ *dst = '\0';
return NULL;
+ }
/* find the start of relevant text */
pbeg = src;