From f8dd4b5558f95691ef242fbf064ca52291edd2d3 Mon Sep 17 00:00:00 2001
From: ast
Date: Wed, 2 Dec 2020 16:30:50 +0000
Subject: [PATCH] www/nostromo: update to nostromo 1.9.9; patches not needed anymore

---
 doc/CHANGES-2020 | 3 +-
 www/nostromo/Makefile | 4 +-
 www/nostromo/distinfo | 12 ++--
 www/nostromo/patches/patch-http_header_comp | 66 ---------------------
 www/nostromo/patches/patch-strcutl | 62 -------------------
 5 files changed, 9 insertions(+), 138 deletions(-)
 delete mode 100644 www/nostromo/patches/patch-http_header_comp
 delete mode 100644 www/nostromo/patches/patch-strcutl

diff --git a/doc/CHANGES-2020 b/doc/CHANGES-2020
index 43eb1440bfa5..47ef13dce691 100644
--- a/doc/CHANGES-2020
+++ b/doc/CHANGES-2020
@@ -1,4 +1,4 @@
-$NetBSD: CHANGES-2020,v 1.6528 2020/12/02 15:35:06 fcambus Exp $
+$NetBSD: CHANGES-2020,v 1.6529 2020/12/02 16:30:50 ast Exp $
 Changes to the packages collection and infrastructure in 2020:
@@ -9512,3 +9512,4 @@ Changes to the packages collection and infrastructure in 2020:
 Updated www/nginx to 1.18.0nb7 [otis 2020-12-02]
 Updated www/nginx-devel to 1.19.5nb1 [otis 2020-12-02]
 Updated converters/bdf2psf to 1.199 [fcambus 2020-12-02]
+ Updated www/nostromo to 1.9.9 [ast 2020-12-02]
diff --git a/www/nostromo/Makefile b/www/nostromo/Makefile
index 0f1212feaa40..b18f90416565 100644
--- a/www/nostromo/Makefile
+++ b/www/nostromo/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.5 2020/05/10 14:03:01 rillig Exp $
+# $NetBSD: Makefile,v 1.6 2020/12/02 16:30:50 ast Exp $
-DISTNAME= nostromo-1.9.6
+DISTNAME= nostromo-1.9.9
 PKGREVISION= 2
 CATEGORIES= www
 MASTER_SITES= http://www.nazgul.ch/dev/
diff --git a/www/nostromo/distinfo b/www/nostromo/distinfo
index e569106fc4ca..a463e56acb37 100644
--- a/www/nostromo/distinfo
+++ b/www/nostromo/distinfo
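Review bot: PKGREVISION is left at 2 while DISTNAME moves from nostromo-1.9.6 to nostromo-1.9.9, so the package will be built as nostromo-1.9.9nb2; pkgsrc convention is to drop the revision on an upstream version change, i.e. remove the `PKGREVISION= 2` line from the Makefile hunk. MASTER_SITES also still fetches over plain http, so the integrity of the new tarball rests entirely on the SHA512 added to distinfo in this commit; if upstream publishes a checksum or signature for 1.9.9 it is worth recording that the new hash was checked against it. That matters more than usual here because the two patches being deleted were the pkgsrc mitigations for CVE-2019-16278 and CVE-2019-16279, and the commit message asserts but does not say why they are no longer needed — presumably 1.9.9 contains the upstream fixes, which a one-line mention in the commit message or Makefile comment would make auditable.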
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.2 2019/10/20 20:02:13 ast Exp $
+$NetBSD: distinfo,v 1.3 2020/12/02 16:30:50 ast Exp $
-SHA1 (nostromo-1.9.6.tar.gz) = 6f3d8ebc15486398f819ac55a9d2a9ac14c3b35e
-RMD160 (nostromo-1.9.6.tar.gz) = 6817ac77c7645ab2bef3e73469d2f376448af868
-SHA512 (nostromo-1.9.6.tar.gz) = baf68f492653937b80629f1281a1243026ee2def9f5b092934474148f97306ef0796c4fecffb3d6061907d8fdc1beb0a34333dfe8738dec70acdd3975347d6ea
-Size (nostromo-1.9.6.tar.gz) = 50937 bytes
-SHA1 (patch-http_header_comp) = 71b79682ae110f6a728a09f15d46d41878fb9a70
-SHA1 (patch-strcutl) = e2bd849890eb0c290745d0d9703000b7909b9318
+SHA1 (nostromo-1.9.9.tar.gz) = 50a5aca6cfbd0144cc45dadfd2d1b15613f09960
+RMD160 (nostromo-1.9.9.tar.gz) = a112c635e25809aa42c624b271dce0d5f0a73dc6
+SHA512 (nostromo-1.9.9.tar.gz) = 2b6af94fb39e7691f46fb8ba5289ff1db42b2de2fda05a748309f9d2a05c279303d9a0f4c9a3c36cde321ff4695571ee2f7bd8360649df6907ebef7176051bf7
+Size (nostromo-1.9.9.tar.gz) = 54274 bytes
diff --git a/www/nostromo/patches/patch-http_header_comp b/www/nostromo/patches/patch-http_header_comp
deleted file mode 100644
index ed1249a1ed2c..000000000000
--- a/www/nostromo/patches/patch-http_header_comp
+++ /dev/null
@@ -1,66 +0,0 @@
-$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $
-
-The function http_header_comp() should return the number of received
-headers, not only 0 on fail or 1 on success.
-
-Without this functionality, one could send more than the default
-of 16 headers and overflow the header array to craft a DoS as
-shown in nostromo CVE-2019-16279.
-
-This patch adds the missing header count functionality to the function
-http_header_comp().
-
---- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200
-+++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200
-@@ -1074,21 +1074,21 @@
- * http_header_comp()
- * check if received headers arrived complete
- * Return:
-- * 0 = headers not complete, 1 = headers complete
-+ * 0 = headers not complete, = headers complete
- */
- int
- http_header_comp(char *header, const int len)
- {
-- int r;
-- char *p, *end;
-+ int i, headers;
-+ char *p;
-
-- r = 0;
-+ headers = 0;
-
- /* check header for minimum size */
- if (len < 4)
- return (0);
-
-- /* post */
-+ /* post header */
- if (!strncasecmp("POST", header, 4)) {
- p = header;
- if ((p = strstr(p, "\r\n\r\n")) == NULL)
-@@ -1097,12 +1097,19 @@
- return (1);
- }
-
-- /* any header */
-- end = header + (len - 4);
-- if (!strcmp(end, "\r\n\r\n"))
-- r = 1;
-+ /* any other header */
-+ for (i = 0; i < len; i++) {
-+ if (header[i] == '\r') {
-+ if ((len - i) < 4)
-+ break;
-+ if (!strncmp(&header[i], "\r\n\r\n", 4)) {
-+ headers++;
-+ i += 3;
-+ }
-+ }
-+ }
-
-- return (r);
-+ return (headers);
- }
-
- /*
diff --git a/www/nostromo/patches/patch-strcutl b/www/nostromo/patches/patch-strcutl
deleted file mode 100644
index 1b9220f014a3..000000000000
--- a/www/nostromo/patches/patch-strcutl
+++ /dev/null
@@ -1,62 +0,0 @@
-$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $
-
-Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing
-execution of /bin/sh with arbitrary arguments).
-
-Nostromo as such handles encoded URI correctly but the strcutl()
-function in the string manipulation library removes 0x0d in the
-URI string resulting in a valid path. What should happen instead
-is that the decoded 0x0d character remains in the URI, resulting
-in an invalid path, giving rise to a 404.
-
---- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200
-+++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200
-@@ -26,8 +26,12 @@
- {
- int i = 0, j = 0, cl = 0;
-
-- /* first count all lines */
-- while (1) {
-+ /* requested line must be a positive integer */
-+ if (line <= 0)
-+ return -1;
-+
-+ /* count lines up to requested line or end of string */
-+ while (line >= cl) {
- if (src[i] == '\n' && src[i + 1] == '\0') {
- cl++;
- break;
-@@ -42,24 +46,24 @@
- i++;
- }
-
-- /* do we have the requested line ? */
-- if (line > cl || line == 0)
-+ /* did we actually get the requested line ? */
-+ if (line > cl)
- return -1;
-
-- /* go to line start */
-+ /* go to beginning of the requested line */
- for (i = 0, j = 0; j != line - 1; i++)
- if (src[i] == '\n')
- j++;
-
-- /* read requested line */
-+ /* copy the requested line to destination buffer */
- for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
-- if (src[i] != '\r') {
-- dst[j] = src[i];
-- j++;
-- }
-+ if (src[i] == '\r' && src[i + 1] == '\n')
-+ continue;
-+ dst[j] = src[i];
-+ j++;
- }
-
-- /* terminate string */
-+ /* null terminate destination buffer */
- dst[j] = '\0';
-
- return cl;