Hello community, here is the log from the commit of package thttpd.2328 for openSUSE:13.1:Update checked in at 2013-12-12 17:04:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/thttpd.2328 (Old) and /work/SRC/openSUSE:13.1:Update/.thttpd.2328.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "thttpd.2328" Changes: -------- New Changes file:
--- /dev/null 2013-11-25 01:44:08.036031256 +0100
+++ /work/SRC/openSUSE:13.1:Update/.thttpd.2328.new/thttpd.changes 2013-12-12 17:04:29.000000000 +0100
@@ -0,0 +1,336 @@
+-------------------------------------------------------------------
+Tue Dec 3 14:31:18 UTC 2013 - [email protected]
+
+- fix CVE-2013-0348 (bnc#853381)
+ * don't create a world readable logfile
+
+-------------------------------------------------------------------
+Thu Jun 27 21:03:49 UTC 2013 - [email protected]
+
+- DO not add sample index.html that will conflict with apache
+
+-------------------------------------------------------------------
+Mon Mar 4 16:04:08 UTC 2013 - [email protected]
+
+- added checks for crypt() return value (CVE-2012-5640) (bnc#783165)
+ * thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
+
+-------------------------------------------------------------------
+Wed Oct 24 21:20:29 UTC 2012 - [email protected]
+
+- use different versions of automake (SLE)
+
+-------------------------------------------------------------------
+Fri Jun 8 14:29:40 UTC 2012 - [email protected]
+
+- use %set_permissions instead of %run_permissions (bnc#764110)
+
+-------------------------------------------------------------------
+Tue May 29 14:06:26 UTC 2012 - [email protected]
+
+- fix build with automake 1.12
+
+-------------------------------------------------------------------
+Thu Mar 22 09:33:49 UTC 2012 - [email protected]
+
+- drop thttpd-2.25b-x86_64_machine_not_recognized.patch but copy
+ config.guess from automake to fix ppc64 as well
+
+-------------------------------------------------------------------
+Tue Jan 31 13:07:43 UTC 2012 - [email protected]
+
+- fixed build and added -fpie for makeweb
+
+-------------------------------------------------------------------
+Wed Nov 23 09:32:34 UTC 2011 - [email protected]
+
+- add libtool as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Mon Jun 8 00:41:37 CEST 2009 - [email protected]
+
+- rename getline to my_getline to avoid collision with function
+ from glibc
+
+-------------------------------------------------------------------
+Tue May 26 15:18:48 CEST 2009 - [email protected]
+
+- add new branding (bnc#492693)
+
+-------------------------------------------------------------------
+Mon Jun 11 11:10:28 CEST 2007 - [email protected]
+
+- fixed another syntax error in config file
+
+-------------------------------------------------------------------
+Fri Jun 8 19:21:06 CEST 2007 - [email protected]
+
+- fix syntax error in config file
+
+-------------------------------------------------------------------
+Wed Jun 6 13:16:46 CEST 2007 - [email protected]
+
+- use %config(noreplace) for /etc/thttpd.conf
+
+-------------------------------------------------------------------
+Tue Jun 5 21:53:06 CEST 2007 - [email protected]
+
+- added Short-Description tag into init script
+
+-------------------------------------------------------------------
+Fri Jun 1 19:34:10 CEST 2007 - [email protected]
+
+- added config file (/etc/thttpd.conf)
+
+-------------------------------------------------------------------
+Fri Feb 16 17:36:35 CET 2007 - [email protected]
+
+- Adding check for zero length
+ - from Marcus Meissner
+ - zerolen.patch
+- Replacing strcpy with memmove when they overlap
+ - strcpy.patch
+- Both from #230776
+
+-------------------------------------------------------------------
+Wed Feb 14 15:04:06 CET 2007 - [email protected]
+
+- Fix building as non-root.
+
+-------------------------------------------------------------------
+Fri Mar 10 17:14:09 CET 2006 - [email protected]
+
+- fix buffer overflows in htpasswd (#156978)
+
+-------------------------------------------------------------------
+Wed Jan 25 21:42:09 CET 2006 - [email protected]
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Nov 21 15:57:27 CET 2005 - [email protected]
+
+- fix tmp race in syslogtocern (#131056)
+
+-------------------------------------------------------------------
+Wed Oct 12 19:11:17 CEST 2005 - [email protected]
+
+- use %config(noreplace) for index.html
+
+-------------------------------------------------------------------
+Wed Jun 22 15:54:10 CEST 2005 - [email protected]
+
+- compile dynamic binaries instead of static
+- compile htpasswd with -pie
+
+-------------------------------------------------------------------
+Wed Mar 9 18:26:33 CET 2005 - [email protected]
+
+- do not conflict with other webservers (bug #71742)
+
+-------------------------------------------------------------------
+Tue Feb 17 17:46:41 CET 2004 - [email protected]
+
+- update to version 2.25b
+
+-------------------------------------------------------------------
+Tue Jan 13 18:07:52 CET 2004 - [email protected]
+
+- Fix use of aclocal.
+
+-------------------------------------------------------------------
+Wed Oct 29 16:59:58 CET 2003 - [email protected]
+
+- update to 2.24, includes a fix for a buffer overflow [bug #32734]
+- fixed virtual hosting security hole [bug #32757]
+- fixed permissions according to permissions.secure,
+ added macros %run_permissions and %verify_permissions
+
+-------------------------------------------------------------------
+Mon Sep 01 20:40:30 CEST 2003 - [email protected]
+
+- added macros %stop_on_removal and %restart_on_update [bug #29022]
+
+-------------------------------------------------------------------
+Thu Jun 5 15:57:54 CEST 2003 - [email protected]
+
+- remove unpackaged files from buildroot
+
+-------------------------------------------------------------------
+Tue Mar 11 16:55:30 CET 2003 - [email protected]
+
+- fixed permissions of the init scipt [bug #25084]
+
+-------------------------------------------------------------------
+Tue Oct 15 15:08:21 CEST 2002 - [email protected]
+
+- substitute correct servroot during built
+
+-------------------------------------------------------------------
+Mon Oct 14 19:52:11 CEST 2002 - [email protected]
+
+- use /srv/www rather then /usr/local/httpd [bug #20802]
+
+-------------------------------------------------------------------
+Fri Aug 2 01:23:09 CEST 2002 - [email protected]
+
+- adapt server root
+
+-------------------------------------------------------------------
+Sat Jul 27 19:01:40 CEST 2002 - [email protected]
+
+- Change group from wwwadmin to www
+
+-------------------------------------------------------------------
+Sat Jul 27 18:54:13 CEST 2002 - [email protected]
+
+- do not source rc.config anymore
+
+-------------------------------------------------------------------
+Tue Jul 02 15:15:28 CEST 2002 - [email protected]
+
+- update to version 2.23beta1
+
+-------------------------------------------------------------------
+Tue Jan 15 13:14:02 CET 2002 - [email protected]
+
+- update to version 
2.20c ++++ 139 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.thttpd.2328.new/thttpd.changes New: ---- thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch thttpd-2.25b-chown.diff thttpd-2.25b-configure.patch thttpd-2.25b-dirs.patch thttpd-2.25b-getline.patch thttpd-2.25b-newautoconf.patch thttpd-2.25b-overflow.diff thttpd-2.25b-pie.patch thttpd-2.25b-sec.patch thttpd-2.25b-static.patch thttpd-2.25b-strcpy.patch thttpd-2.25b-syslogtocern.diff thttpd-2.25b-time_h.patch thttpd-2.25b-zerolen.patch thttpd-2.25b.tar.bz2 thttpd-CVE-2013-0348.patch thttpd-SuSE.tar.bz2 thttpd.changes thttpd.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ thttpd.spec ++++++ # # spec file for package thttpd # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: thttpd Provides: http_daemon PreReq: %fillup_prereq %insserv_prereq permissions Version: 2.25b Release: 0 Source: %{name}-%{version}.tar.bz2 Source1: %{name}-SuSE.tar.bz2 Patch0: %{name}-%{version}-configure.patch Patch1: %{name}-%{version}-dirs.patch Patch2: %{name}-%{version}-time_h.patch Patch3: %{name}-%{version}-newautoconf.patch Patch4: %{name}-%{version}-sec.patch Patch5: %{name}-%{version}-static.patch Patch6: %{name}-%{version}-pie.patch Patch7: %{name}-%{version}-syslogtocern.diff Patch8: %{name}-%{version}-overflow.diff Patch9: %{name}-%{version}-chown.diff Patch10: %{name}-%{version}-zerolen.patch Patch11: %{name}-%{version}-strcpy.patch Patch12: thttpd-2.25b-getline.patch # PATCH-FIX-SUSE CVE-2012-5640 Patch13: thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch Patch14: thttpd-CVE-2013-0348.patch Url: http://www.acme.com/software/thttpd/ BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Small and very simple webserver License: BSD-3-Clause Group: Productivity/Networking/Web/Servers BuildRequires: automake BuildRequires: libtool %description Thttpd is a very compact no-frills httpd serving daemon that can handle very high loads. While lacking many of the advanced features of Roxen or Apache, thttpd operates without forking and is extremely efficient in memory use. Basic support for cgi scripts, authentication, and ssi is provided for. Advanced features include the ability to throttle traffic. Authors: -------- [email protected] %define serverroot /srv/www %prep %setup -q -a 1 %patch0 %patch1 %patch2 %patch3 %patch4 %patch5 %patch6 %patch7 %patch8 %patch9 %patch10 %patch11 %patch12 %patch13 -p1 %patch14 -p1 %build cp /usr/share/automake-1.*/config.* . 
# update server root path sed -i "s@__SRVROOT__@%{serverroot}/htdocs@g" README.SuSE SuSE/etc/thttpd.conf sed -i "s@__PREFIX__@%{_prefix}@g;\ s@__SYSCONFDIR__@%{_sysconfdir}@g;\ s@__NAME__@%{name}@g;\ s@__VERSION__@%{version}@g" SuSE/etc/init.d/thttpd chmod 744 SuSE/etc/init.d/thttpd chmod 644 SuSE/etc/thttpd.conf mv aclocal.m4 acinclude.m4 libtoolize --force aclocal --force autoconf -f V_CCOPT="$RPM_OPT_FLAGS -Wall" \ ./configure \ --mandir=%{_mandir} \ --prefix=%{_prefix} \ --infodir=%{_infodir} \ --sysconfdir=%{_sysconfdir} %ifarch s390 s390x make F_PIE="-fPIE" %else make F_PIE="-fpie" %endif %install install -d %{buildroot}/usr/bin \ %{buildroot}/usr/sbin \ %{buildroot}%{_mandir}/man1 \ %{buildroot}%{_mandir}/man8 \ %{buildroot}%{serverroot}/htdocs/users make DESTDIR=%{buildroot} install cp -a SuSE/* %{buildroot} rm -f %{buildroot}%{serverroot}/htdocs/index.html %post %{fillup_and_insserv thttpd} %if 0%{?suse_version} <= 1130 %run_permissions %else %set_permissions /usr/bin/makeweb %endif %verifyscript %verify_permissions -e /usr/bin/makeweb %preun %stop_on_removal thttpd %postun %restart_on_update thttpd %{insserv_cleanup} %clean rm -rf "%{buildroot}" %files %defattr(-, root, root) %doc README README.SuSE config.h %{serverroot}/htdocs/* %attr(775, root, www) %{serverroot}/htdocs/users %verify(not mode) %attr(2750, root, www) /usr/bin/makeweb /usr/bin/htpasswd /usr/sbin/* /usr/share/man/*/* %config /etc/init.d/thttpd %config(noreplace) /etc/thttpd.conf %changelog ++++++ thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch ++++++ Index: thttpd-2.25b/libhttpd.c =================================================================== --- thttpd-2.25b.orig/libhttpd.c 2013-03-04 18:01:55.209721739 +0100 +++ thttpd-2.25b/libhttpd.c 2013-03-04 18:01:55.244722735 +0100 
@@ -1024,6 +1024,7 @@ auth_check2( httpd_conn* hc, char* dirna static size_t maxprevuser = 0; static char* prevcryp; static size_t maxprevcryp = 0; + char *crypt_result; /* Construct auth filename. */ httpd_realloc_str( @@ -1072,7 +1073,10 @@ auth_check2( httpd_conn* hc, char* dirna strcmp( authinfo, prevuser ) == 0 ) { /* Yes. Check against the cached encrypted password. */ - if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 ) + crypt_result = crypt( authpass, prevcryp ); + if ( ! crypt_result ) + return -1; + if ( strcmp( crypt_result, prevcryp ) == 0 ) { /* Ok! */ httpd_realloc_str( @@ -1121,7 +1125,10 @@ auth_check2( httpd_conn* hc, char* dirna /* Yes. */ (void) fclose( fp ); /* So is the password right? */ - if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 ) + crypt_result = crypt( authpass, cryp ); + if ( ! crypt_result ) + return -1; + if ( strcmp( crypt_result, cryp ) == 0 ) { /* Ok! */ httpd_realloc_str( Index: thttpd-2.25b/extras/htpasswd.c =================================================================== --- thttpd-2.25b.orig/extras/htpasswd.c 2013-03-04 18:01:55.226722223 +0100 +++ thttpd-2.25b/extras/htpasswd.c 2013-03-04 18:02:15.755306445 +0100 @@ -133,7 +133,10 @@ add_password( char* user, FILE* f ) (void) srandom( (int) time( (time_t*) 0 ) ); to64( &salt[0], random(), 2 ); cpw = crypt( pw, salt ); - (void) fprintf( f, "%s:%s\n", user, cpw ); + if (cpw) + (void) fprintf( f, "%s:%s\n", user, cpw ); + else + (void) fprintf( stderr, "crypt() returned NULL, sorry\n" ); } static void usage(void) { ++++++ thttpd-2.25b-chown.diff ++++++ --- Makefile.in +++ Makefile.in 
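Review bot: The two new `return -1;` paths in auth_check2 (after `crypt( authpass, prevcryp )` in the cached branch and after `crypt( authpass, cryp )` in the file branch) leave no trace when crypt() fails. Failing closed is right, but a NULL here usually points at an unsupported or malformed hash in the auth file, which the operator needs to see; I would add `syslog( LOG_ERR, "crypt() returned NULL in auth_check2" );` before each return. If the other denial paths of this function queue a 401 response before returning -1 (they lie outside these hunks), these two should do the same so the client does not receive an empty reply. The body of auth_check2 starts and ends outside the hunks.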
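Review bot: In add_password the NULL branch only prints to stderr and returns, so the caller cannot tell that no entry was written. Judging from the other htpasswd.c hunks on this page, the caller then copies the temp file over the password file and calls `exit(0)`, which would presumably drop an existing user's line while reporting success. As the function returns void, the smallest fix is to stop on that path: brace the else branch and follow the message with `exit( 1 );`, removing the temp file first. The context line `srandom( (int) time( (time_t*) 0 ) )` also derives the salt from the clock, which is predictable.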
@@ -111,11 +111,11 @@ installthis: -mkdir -p $(DESTDIR)$(BINDIR) - $(INSTALL) -m 555 -o bin -g bin thttpd $(DESTDIR)$(SBINDIR) + $(INSTALL) -m 555 thttpd $(DESTDIR)$(SBINDIR) install-man: -mkdir -p $(DESTDIR)$(MANDIR)/man8 - $(INSTALL) -m 444 -o bin -g bin thttpd.8 $(DESTDIR)$(MANDIR)/man8 + $(INSTALL) -m 444 thttpd.8 $(DESTDIR)$(MANDIR)/man8 installsubdirs: for i in $(SUBDIRS) ; do ( \ --- extras/Makefile.in +++ extras/Makefile.in @@ -69,7 +69,7 @@ install: all rm -f $(SBINDIR)/makeweb $(SBINDIR)/htpasswd $(SBINDIR)/syslogtocern cp makeweb $(BINDIR)/makeweb - chgrp $(WEBGROUP) $(BINDIR)/makeweb + -chgrp $(WEBGROUP) $(BINDIR)/makeweb chmod 2755 $(BINDIR)/makeweb cp htpasswd $(BINDIR)/htpasswd cp syslogtocern $(SBINDIR)/syslogtocern ++++++ thttpd-2.25b-configure.patch ++++++ --- config.h +++ config.h @@ -57,17 +57,7 @@ ** as a security measure that's how you do it, just don't define any ** pattern here and don't run with the -c flag. */ -#ifdef notdef -/* Some sample patterns. Allow programs only in one central directory: */ -#define CGI_PATTERN "/cgi-bin/*" -/* Allow programs in a central directory, or anywhere in a trusted -** user's tree: */ -#define CGI_PATTERN "/cgi-bin/*|/jef/**" -/* Allow any program ending with a .cgi: */ -#define CGI_PATTERN "**.cgi" -/* When virtual hosting, enable the central directory on every host: */ -#define CGI_PATTERN "/*/cgi-bin/*" -#endif +#define CGI_PATTERN "/cgi-bin/*|**.cgi" /* CONFIGURE: How many seconds to allow CGI programs to run before killing ** them. This is in case someone writes a CGI program that goes into an @@ -75,7 +65,7 @@ ** or whatever. If you don't want any limit, comment this out, but that's ** probably a really bad idea. */ -#define CGI_TIMELIMIT 30 +#define CGI_TIMELIMIT 60 /* CONFIGURE: Maximum number of simultaneous CGI programs allowed. ** If this many are already running, then attempts to run more will 
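Review bot: With `-chgrp $(WEBGROUP) $(BINDIR)/makeweb` in extras/Makefile.in a failed chgrp is now ignored, yet the next line still runs `chmod 2755`, so a plain `make install` can leave makeweb set-group-id to whatever group the installing user happens to have. The spec file on this page overrides the result with `%attr(2750, root, www)`, so the packaged binary is fine; an install outside rpm is not. I would make the setgid bit depend on the chgrp: `chgrp $(WEBGROUP) $(BINDIR)/makeweb && chmod 2755 $(BINDIR)/makeweb || chmod 755 $(BINDIR)/makeweb`.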
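Review bot: `#define CGI_PATTERN "/cgi-bin/*|**.cgi"` in config.h compiles in CGI execution for any file ending in .cgi anywhere in the document tree, where the removed `#ifdef notdef` block left CGI off by default. Together with `TILDE_MAP_1 "users"` enabled in the later config.h hunk and the group-writable `htdocs/users` directory in the spec, this appears to let any account that can write below `users` run programs as the server user. I would compile in only the central directory, `#define CGI_PATTERN "/cgi-bin/*"`, and leave `**.cgi` to an explicit setting in /etc/thttpd.conf. The next hunk's `CGI_TIMELIMIT 60` also doubles the time a stuck CGI can hold a slot.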
@@ -123,8 +113,8 @@ ** You can also leave both options undefined, and thttpd will not do ** anything special about tildes. Enabling both options is an error. */ -#ifdef notdef #define TILDE_MAP_1 "users" +#ifdef notdef #define TILDE_MAP_2 "public_html" #endif @@ -185,9 +175,7 @@ ** measure, to prevent inadvertant exposure by accidentally running without -r. ** You can still disable it at runtime with the -nor flag. */ -#ifdef notdef #define ALWAYS_CHROOT -#endif /* CONFIGURE: Define this if you want to always do virtual hosting, without ** having to give the -v command line flag. You can still disable it at @@ -237,7 +225,7 @@ ** initializing. If this user (or the one specified by the -u flag) does ** not exist, the program will refuse to run. */ -#define DEFAULT_USER "nobody" +#define DEFAULT_USER "wwwrun" /* CONFIGURE: When started as root, the program can automatically chdir() ** to the home directory of the user specified by -u or DEFAULT_USER. @@ -276,7 +264,7 @@ /* CONFIGURE: $PATH to use for CGI programs. */ -#define CGI_PATH "/usr/local/bin:/usr/ucb:/bin:/usr/bin" +#define CGI_PATH "/bin:/usr/bin" /* CONFIGURE: If defined, $LD_LIBRARY_PATH to use for CGI programs. */ @@ -333,7 +321,7 @@ /* CONFIGURE: A list of index filenames to check. The files are searched ** for in this order. */ -#define INDEX_NAMES "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", "index.cgi" +#define INDEX_NAMES "index.html", "index.htm", "index.xhtml", "index.xht", "index.cgi" /* CONFIGURE: If this is defined then thttpd will automatically generate ** index pages for directories that don't have an explicit index file. --- configure.in +++ configure.in @@ -6,8 +6,10 @@ AC_PROG_CC -V_CCOPT="-O" -if test "$GCC" = yes ; then +if test "x$V_CCOPT" = "x"; then + V_CCOPT="-O" + + if test "$GCC" = yes ; then AC_MSG_CHECKING(gcc version) AC_CACHE_VAL(ac_cv_lbl_gcc_vers, ac_cv_lbl_gcc_vers=`$CC -dumpversion 2>&1 | \ 
@@ -16,7 +18,8 @@ if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then V_CCOPT="-O2" fi -fi + fi +fi if test -f .devel ; then V_CCOPT="-g $V_CCOPT -Wall -Wmissing-prototypes -Wstrict-prototypes" fi ++++++ thttpd-2.25b-dirs.patch ++++++ --- Makefile.in +++ Makefile.in @@ -30,11 +30,12 @@ prefix = @prefix@ exec_prefix = @exec_prefix@ # Pathname of directory to install the binary. -BINDIR = @sbindir@ +BINDIR = @bindir@ +SBINDIR = @sbindir@ # Pathname of directory to install the man page. MANDIR = @mandir@ # Pathname of directory to install the CGI programs. -WEBDIR = $(prefix)/www +WEBDIR = /srv/www/htdocs # CONFIGURE: The group that the web directory belongs to. This is so that # the makeweb program can be installed set-group-id to that group, and make @@ -110,7 +111,7 @@ installthis: -mkdir -p $(DESTDIR)$(BINDIR) - $(INSTALL) -m 555 -o bin -g bin thttpd $(DESTDIR)$(BINDIR) + $(INSTALL) -m 555 -o bin -g bin thttpd $(DESTDIR)$(SBINDIR) install-man: -mkdir -p $(DESTDIR)$(MANDIR)/man8 @@ -121,9 +122,11 @@ cd $$i ; \ pwd ; \ $(MAKE) $(MFLAGS) \ - WEBDIR=$(WEBDIR) \ - CGIBINDIR=$(CGIBINDIR) \ - MANDIR=$(MANDIR) \ + BINDIR=$(DESTDIR)$(BINDIR) \ + SBINDIR=$(DESTDIR)$(SBINDIR) \ + WEBDIR=$(DESTDIR)$(WEBDIR) \ + CGIBINDIR=$(DESTDIR)$(CGIBINDIR) \ + MANDIR=$(DESTDIR)$(MANDIR) \ WEBGROUP=$(WEBGROUP) \ install \ ) ; done --- extras/Makefile.in +++ extras/Makefile.in @@ -26,7 +26,8 @@ prefix = @prefix@ exec_prefix = @exec_prefix@ -BINDIR = @sbindir@ +BINDIR = @bindir@ +SBINDIR = @sbindir@ WEBDIR = $(prefix)/www CGIBINDIR = $(WEBDIR)/cgi-bin MANDIR = @mandir@ 
@@ -66,12 +67,12 @@ install: all - rm -f $(BINDIR)/makeweb $(BINDIR)/htpasswd $(BINDIR)/syslogtocern + rm -f $(SBINDIR)/makeweb $(SBINDIR)/htpasswd $(SBINDIR)/syslogtocern cp makeweb $(BINDIR)/makeweb chgrp $(WEBGROUP) $(BINDIR)/makeweb chmod 2755 $(BINDIR)/makeweb cp htpasswd $(BINDIR)/htpasswd - cp syslogtocern $(BINDIR)/syslogtocern + cp syslogtocern $(SBINDIR)/syslogtocern rm -f $(MANDIR)/man1/makeweb.1 cp makeweb.1 $(MANDIR)/man1/makeweb.1 rm -f $(MANDIR)/man1/htpasswd.1 ++++++ thttpd-2.25b-getline.patch ++++++ --- extras/htpasswd.c +++ extras/htpasswd.c @@ -49,7 +49,7 @@ while((line[y++] = line[x++])); } -static int getline(char *s, int n, FILE *f) { +static int my_getline(char *s, int n, FILE *f) { register int i=0; while(1) { @@ -189,7 +189,7 @@ strncpy(user,argv[2],MAX_STRING_LEN); user[MAX_STRING_LEN-1]='\0'; found = 0; - while(!(getline(line,MAX_STRING_LEN,f))) { + while(!(my_getline(line,MAX_STRING_LEN,f))) { if(found || (line[0] == '#') || (!line[0])) { putline(tfp,line); continue; ++++++ thttpd-2.25b-newautoconf.patch ++++++ --- aclocal.m4 +++ aclocal.m4 @@ -26,7 +26,7 @@ AC_TRY_LINK(dnl ifelse([$2], [main], , dnl Avoid conflicting decl of main. [/* Override any gcc2 internal prototype to avoid an error. */ -]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus +]ifelse([AC_LANG], CPLUSPLUS, [#ifdef __cplusplus extern "C" #endif ])dnl ++++++ thttpd-2.25b-overflow.diff ++++++ --- extras/htpasswd.c +++ extras/htpasswd.c @@ -186,15 +186,16 @@ fprintf(stderr,"Use -c option to create new one.\n"); exit(1); } - strcpy(user,argv[2]); - + strncpy(user,argv[2],MAX_STRING_LEN); + user[MAX_STRING_LEN-1]='\0'; found = 0; while(!(getline(line,MAX_STRING_LEN,f))) { if(found || (line[0] == '#') || (!line[0])) { putline(tfp,line); continue; } - strcpy(l,line); + strncpy(l,line,MAX_STRING_LEN); + l[MAX_STRING_LEN-1]='\0'; getword(w,l,':'); if(strcmp(user,w)) { putline(tfp,line); 
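Review bot: `strncpy(user,argv[2],MAX_STRING_LEN); user[MAX_STRING_LEN-1]='\0';` in htpasswd.c stops the overflow but truncates silently, so an over-long user name is matched and written as its first MAX_STRING_LEN-1 characters. For a password-file editor rejecting is safer than truncating: `if (strlen(argv[2]) >= MAX_STRING_LEN) { fprintf(stderr,"user name too long\n"); exit(1); }` ahead of the copy. The `l` copy of `line` is already bounded by the `getline(line,MAX_STRING_LEN,f)` read, so the concern is mainly `user`. The enclosing function continues outside the hunk.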
@@ -212,7 +213,8 @@ } fclose(f); fclose(tfp); - sprintf(command,"cp %s %s",temp_template,argv[1]); + snprintf(command,MAX_STRING_LEN,"cp %s %s",temp_template,argv[1]); + command[MAX_STRING_LEN-1]='\0'; system(command); unlink(temp_template); exit(0); ++++++ thttpd-2.25b-pie.patch ++++++ Index: extras/Makefile.in =================================================================== --- extras/Makefile.in.orig 2012-01-31 14:03:08.735817916 +0100 +++ extras/Makefile.in 2012-01-31 14:05:10.222510744 +0100 @@ -54,16 +54,16 @@ all: makeweb htpasswd makeweb: makeweb.o - $(CC) $(LDFLAGS) makeweb.o -o makeweb $(LIBS) $(NETLIBS) + $(CC) $(LDFLAGS) -pie makeweb.o -o makeweb $(LIBS) $(NETLIBS) makeweb.o: makeweb.c ../config.h - $(CC) $(CFLAGS) -DWEBDIR=\"$(WEBDIR)\" -c makeweb.c + $(CC) $(CFLAGS) $(F_PIE) -DWEBDIR=\"$(WEBDIR)\" -c makeweb.c htpasswd: htpasswd.o - $(CC) $(LDFLAGS) $(STATICFLAG) htpasswd.o -o htpasswd $(LIBS) + $(CC) $(LDFLAGS) $(STATICFLAG) -pie htpasswd.o -o htpasswd $(LIBS) htpasswd.o: htpasswd.c ../config.h - $(CC) $(CFLAGS) -DWEBDIR=\"$(WEBDIR)\" -c htpasswd.c + $(CC) $(CFLAGS) $(F_PIE) -DWEBDIR=\"$(WEBDIR)\" -c htpasswd.c install: all ++++++ thttpd-2.25b-sec.patch ++++++ --- libhttpd.c +++ libhttpd.c @@ -1044,10 +1044,12 @@ } /* Decode it. */ + memset(authinfo, 0, sizeof(authinfo)); l = b64_decode( &(hc->authorization[6]), (unsigned char*) authinfo, sizeof(authinfo) - 1 ); - authinfo[l] = '\0'; + authinfo[sizeof(authinfo)-1] = '\0'; + /* Split into user and password. */ authpass = strchr( authinfo, ':' ); if ( authpass == (char*) 0 ) ++++++ thttpd-2.25b-static.patch ++++++ --- configure.in +++ configure.in 
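Review bot: The snprintf bound fixes the overflow of `command`, but the string still goes to `system()` with `argv[1]` pasted in unquoted, and a truncated string is executed as if it were complete. A path with spaces or shell metacharacters is interpreted by the shell, truncation makes `cp` write to a shortened destination, and the return value of `system()` is ignored before `unlink(temp_template)`, so a failed copy loses the update. At minimum check the length: `if (snprintf(command,MAX_STRING_LEN,"cp %s %s",temp_template,argv[1]) >= MAX_STRING_LEN) { unlink(temp_template); exit(1); }`; better is to copy the file in-process and drop the shell. The added `command[MAX_STRING_LEN-1]='\0';` is redundant, since snprintf always terminates.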
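Review bot: In the libhttpd.c hunk of thttpd-2.25b-sec.patch the return value `l` of b64_decode is no longer used, so termination of `authinfo` rests entirely on the preceding memset and the `sizeof(authinfo) - 1` limit. That deserves a comment at the memset, for example `/* zero-fill so the decoded credentials are NUL-terminated whatever b64_decode returns */`. `l` should then either be dropped or checked, treating a non-positive result as bad credentials; whether b64_decode can return a negative value is not visible here. The enclosing function continues outside the hunk.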
@@ -24,34 +24,6 @@ V_CCOPT="-g $V_CCOPT -Wall -Wmissing-prototypes -Wstrict-prototypes" fi -dnl -dnl maybe this should be a loop -dnl -AC_MSG_CHECKING(how to link static binaries) -AC_CACHE_VAL(ac_cv_lbl_static_flag, - ac_cv_lbl_static_flag=unknown - echo 'main() {}' > conftest.c - if test "$GCC" != yes ; then - trial_flag="-Bstatic" - test=`$CC $trial_flag -o conftest conftest.c 2>&1` - if test -z "$test" ; then - ac_cv_lbl_static_flag="$trial_flag" - fi - rm -f conftest - fi - if test "$ac_cv_lbl_static_flag" = unknown ; then - trial_flag="-static" - test=`$CC $trial_flag -o conftest conftest.c 2>&1` - if test -z "$test" ; then - ac_cv_lbl_static_flag="$trial_flag" - fi - rm -f conftest - fi - rm conftest.c) -AC_MSG_RESULT($ac_cv_lbl_static_flag) -if test "$ac_cv_lbl_static_flag" != unknown ; then - V_STATICFLAG="$ac_cv_lbl_static_flag" -fi AC_MSG_CHECKING(for __progname) AC_CACHE_VAL(ac_cv_extern__progname, ++++++ thttpd-2.25b-strcpy.patch ++++++ --- libhttpd.c +++ libhttpd.c @@ -294,7 +294,8 @@ } /* Nuke any leading slashes in the cgi pattern. */ while ( ( cp = strstr( hs->cgi_pattern, "|/" ) ) != (char*) 0 ) - (void) strcpy( cp + 1, cp + 2 ); + /* -2 for the offset, +1 for the '\0' */ + (void) memmove( cp + 1, cp + 2, strlen( cp ) - 1 ); } hs->cgi_limit = cgi_limit; hs->cgi_count = 0; @@ -1496,7 +1497,8 @@ /* Remove any leading slashes. */ while ( rest[0] == '/' ) { - (void) strcpy( rest, &(rest[1]) ); + /*One more for '\0', one less for the eaten first*/ + (void) memmove( rest, &(rest[1]), strlen(rest) ); --restlen; } r = rest; @@ -2333,8 +2335,8 @@ hc->expnfilename, hc->hs->cwd, strlen( hc->hs->cwd ) ) == 0 ) { /* Elide the current directory. */ - (void) strcpy( - hc->expnfilename, &hc->expnfilename[strlen( hc->hs->cwd )] ); + (void) memmove( + hc->expnfilename, &hc->expnfilename[strlen( hc->hs->cwd )], strlen(hc->expnfilename) - strlen( hc->hs->cwd ) + 1 ); } #ifdef TILDE_MAP_2 else if ( hc->altdir[0] != '\0' && 
@@ -2405,15 +2407,15 @@ /* Remove leading ./ and any /./ sequences. */ while ( strncmp( file, "./", 2 ) == 0 ) - (void) strcpy( file, file + 2 ); + (void) memmove( file, file + 2, strlen( file ) - 1 ); while ( ( cp = strstr( file, "/./") ) != (char*) 0 ) - (void) strcpy( cp, cp + 2 ); + (void) memmove( cp, cp + 2, strlen( file ) - 1 ); /* Alternate between removing leading ../ and removing xxx/../ */ for (;;) { while ( strncmp( file, "../", 3 ) == 0 ) - (void) strcpy( file, file + 3 ); + (void) memmove( file, file + 3, strlen( file ) - 2 ); cp = strstr( file, "/../" ); if ( cp == (char*) 0 ) break; @@ -4083,7 +4085,7 @@ } else if ( IN6_IS_ADDR_V4MAPPED( &saP->sa_in6.sin6_addr ) && strncmp( str, "::ffff:", 7 ) == 0 ) /* Elide IPv6ish prefix for IPv4 addresses. */ - (void) strcpy( str, &str[7] ); + (void) memmove( str, &str[7], strlen( str ) - 6 ); return str; --- thttpd.c +++ thttpd.c @@ -573,7 +573,7 @@ { if ( strncmp( logfile, cwd, strlen( cwd ) ) == 0 ) { - (void) strcpy( logfile, &logfile[strlen( cwd ) - 1] ); + (void) memmove( logfile, &logfile[strlen( cwd ) - 1], strlen(logfile) - (strlen( cwd ) - 1) + 1 ); /* (We already guaranteed that cwd ends with a slash, so leaving ** that slash in logfile makes it an absolute pathname within ** the chroot tree.) @@ -1422,9 +1422,9 @@ /* Nuke any leading slashes in pattern. */ if ( pattern[0] == '/' ) - (void) strcpy( pattern, &pattern[1] ); + (void) memmove( pattern, &pattern[1], strlen(pattern) ); while ( ( cp = strstr( pattern, "|/" ) ) != (char*) 0 ) - (void) strcpy( cp + 1, cp + 2 ); + (void) memmove( cp + 1, cp + 2, strlen(cp) - 1 ); /* Check for room in throttles. */ if ( numthrottles >= maxthrottles ) ++++++ thttpd-2.25b-syslogtocern.diff ++++++ --- extras/syslogtocern +++ extras/syslogtocern 
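Review bot: In the `/./` loop of the libhttpd.c hunk at -2405 the length is taken from the wrong pointer: `(void) memmove( cp, cp + 2, strlen( file ) - 1 );` moves `cp - file` bytes more than the remaining string holds, so it reads (and, once the match is more than two bytes in, writes) past the original terminator. The other conversions in this patch size the move from the pointer being shifted, as in the `|/` loops with `strlen( cp ) - 1`, and this one should too: `(void) memmove( cp, cp + 2, strlen( cp ) - 1 );`. Whether the extra bytes leave the allocation depends on the buffer size, which is outside the hunk, but this looks like path normalisation on request data and should be exact. The remaining length expressions in this hunk and in the thttpd.c hunks check out.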
@@ -31,8 +31,8 @@ exit 1 fi -tmp1=/tmp/stc1.$$ -rm -f $tmp1 +tmp1=`mktemp -t stc1.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; } +trap " [ -f \"$tmp1\" ] && /bin/rm -f -- \"$tmp1\"" 0 1 2 3 13 15 # Gather up all the thttpd entries. egrep -h ' thttpd\[' "$@" > $tmp1 @@ -65,4 +65,3 @@ sed -e "s,\([A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\) [^ ]* thttpd\[[0-9]*\]: \(.*\),[\1 ${year}] \2," > error_log # Done. -rm -f $tmp1 ++++++ thttpd-2.25b-time_h.patch ++++++ --- libhttpd.h +++ libhttpd.h @@ -28,6 +28,8 @@ #ifndef _LIBHTTPD_H_ #define _LIBHTTPD_H_ +#include <time.h> + #include <sys/types.h> #include <sys/time.h> #include <sys/param.h> ++++++ thttpd-2.25b-zerolen.patch ++++++ --- libhttpd.c +++ libhttpd.c @@ -1471,7 +1471,7 @@ httpd_realloc_str( &checked, &maxchecked, checkedlen ); (void) strcpy( checked, path ); /* Trim trailing slashes. */ - while ( checked[checkedlen - 1] == '/' ) + while ( checkedlen && checked[checkedlen - 1] == '/' ) { checked[checkedlen - 1] = '\0'; --checkedlen; @@ -1490,7 +1490,7 @@ restlen = strlen( path ); httpd_realloc_str( &rest, &maxrest, restlen ); (void) strcpy( rest, path ); - if ( rest[restlen - 1] == '/' ) + if ( restlen && rest[restlen - 1] == '/' ) rest[--restlen] = '\0'; /* trim trailing slash */ if ( ! tildemapped ) /* Remove any leading slashes. */ ++++++ thttpd-CVE-2013-0348.patch ++++++ >From d2e186dbd58d274a0dea9b59357edc8498b5388d Mon Sep 17 00:00:00 2001 From: "Anthony G. Basile" <[email protected]> Date: Tue, 26 Feb 2013 14:28:26 -0500 Subject: [PATCH] src/thttpd.c: Fix world readable log, CVE-2013-0348. Make sure that the logfile is created or reopened as read/write by thttpd user only. X-gentoo-Bug: 458896 X-gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=458896 Reported-by: Agostino Sarubbo <[email protected]> 
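Review bot: The trap string ` [ -f \"$tmp1\" ] && /bin/rm -f -- \"$tmp1\"` in extras/syslogtocern is installed for signals 1 2 3 13 15 as well as for exit, but it does not exit, so after an interrupt the script deletes the temp file and then carries on with the following commands. Keeping the cleanup on `0` only and adding `trap 'exit 1' 1 2 3 13 15` avoids that, because the exit handler still runs. The context line `egrep -h ' thttpd\[' "$@" > $tmp1` uses the name unquoted; `> "$tmp1"` would match the quoting inside the trap.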
Signed-off-by: Anthony G. Basile <[email protected]> --- src/thttpd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) Index: thttpd-2.25b/thttpd.c =================================================================== --- thttpd-2.25b.orig/thttpd.c 2013-12-03 15:38:31.719334530 +0100 +++ thttpd-2.25b/thttpd.c 2013-12-03 15:38:31.754334893 +0100 @@ -331,6 +331,7 @@ static void re_open_logfile( void ) { FILE* logfp; + int retchmod; if ( no_log || hs == (httpd_server*) 0 ) return; @@ -340,7 +341,8 @@ re_open_logfile( void ) { syslog( LOG_NOTICE, "re-opening logfile" ); logfp = fopen( logfile, "a" ); - if ( logfp == (FILE*) 0 ) + retchmod = chmod( logfile, S_IRUSR|S_IWUSR ); + if ( logfp == (FILE*) 0 || retchmod != 0 ) { syslog( LOG_CRIT, "re-opening %.80s - %m", logfile ); return; @@ -360,6 +362,7 @@ main( int argc, char** argv ) gid_t gid = 32767; char cwd[MAXPATHLEN+1]; FILE* logfp; + int retchmod; int num_ready; int cnum; connecttab* c; @@ -429,7 +432,8 @@ main( int argc, char** argv ) else { logfp = fopen( logfile, "a" ); - if ( logfp == (FILE*) 0 ) + retchmod = chmod( logfile, S_IRUSR|S_IWUSR ); + if ( logfp == (FILE*) 0 || retchmod != 0 ) { syslog( LOG_CRIT, "%.80s - %m", logfile ); perror( logfile ); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
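Review bot: In both re_open_logfile and main the log is opened with `fopen( logfile, "a" )` and only afterwards restricted with `chmod( logfile, S_IRUSR|S_IWUSR )`, so a newly created file exists with umask-derived permissions for a moment, and the chmod acts on the path rather than on the file that was opened. A reader who opens the file in that window keeps access, and if the path changes between the two calls the chmod lands on a different file. The combined test `logfp == (FILE*) 0 || retchmod != 0` also leaks `logfp` in re_open_logfile when fopen succeeded but chmod failed, and logs chmod's errno when it was fopen that failed. Creating the file with mode 0600 through open() and tightening an existing file with fchmod() on the descriptor closes the gap; the main hunk needs the same change with its own error reporting. Both function bodies continue outside the hunks.

```c
/* … unchanged: no_log / hs checks and the "re-opening logfile" notice … */
int logfd;

logfd = open( logfile, O_WRONLY|O_APPEND|O_CREAT, S_IRUSR|S_IWUSR );
if ( logfd < 0 || fchmod( logfd, S_IRUSR|S_IWUSR ) != 0 ||
     ( logfp = fdopen( logfd, "a" ) ) == (FILE*) 0 )
    {
    /* log first so %m still reflects the call that failed */
    syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
    if ( logfd >= 0 )
        (void) close( logfd );
    return;
    }
/* … unchanged: remainder of re_open_logfile … */
```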
