Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libhtp for openSUSE:Factory checked in at 2022-12-03 15:04:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libhtp (Old) and /work/SRC/openSUSE:Factory/.libhtp.new.1835 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libhtp" Sat Dec 3 15:04:52 2022 rev:13 rq:1039818 version:0.5.42 Changes: --------
--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes 2022-09-29 18:14:00.503331601 +0200
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1835/libhtp.changes 2022-12-03 15:04:53.709835928 +0100
@@ -1,0 +2,9 @@
+Tue Nov 29 18:49:29 UTC 2022 - Michael Ströder <[email protected]>
+
+- Update to version 0.5.42
+ * github: add initial workflow
+ * htp: fixes warning about bad delimiter in URI
+ * fuzz: fix a null dereference in a diff report
+ * htp: fixes warning about integer
+
+-------------------------------------------------------------------
Old: ---- libhtp-0.5.41.tar.gz New: ---- libhtp-0.5.42.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libhtp.spec ++++++
--- /var/tmp/diff_new_pack.Tz6fl7/_old 2022-12-03 15:04:54.341839598 +0100
+++ /var/tmp/diff_new_pack.Tz6fl7/_new 2022-12-03 15:04:54.345839621 +0100
@@ -19,7 +19,7 @@
 %define sover 2
 %define lname %{name}%{sover}
 Name: libhtp
-Version: 0.5.41
+Version: 0.5.42
 Release: 0
 Summary: HTTP normalizer and parser
 License: BSD-3-Clause
++++++ libhtp-0.5.41.tar.gz -> libhtp-0.5.42.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/.github/workflows/builds.yml new/libhtp-0.5.42/.github/workflows/builds.yml
--- old/libhtp-0.5.41/.github/workflows/builds.yml 1970-01-01 01:00:00.000000000 +0100
+++ new/libhtp-0.5.42/.github/workflows/builds.yml 2022-11-28 07:01:47.000000000 +0100
@@ -0,0 +1,90 @@
+name: builds
+
+on:
+ - push
+ - pull_request
+
+permissions: read-all
+
+env:
+ DEFAULT_CFLAGS: "-Wall -Wextra -Werror -Wno-unused-parameter -Wno-unused-function"
+
+ # Apt sometimes likes to ask for user input, this will prevent that.
+ DEBIAN_FRONTEND: "noninteractive"
+
+jobs:
+ ubuntu-2004:
+ name: Ubuntu 20.04
+ runs-on: ubuntu-latest
+ container: ubuntu:20.04
+ steps:
+ - uses: actions/[email protected]
+ - name: Install system dependencies
+ run: |
+ apt update
+ apt-get upgrade -y
+ apt-get -y install make \
+ autoconf \
+ build-essential \
+ autoconf \
+ automake \
+ dpkg-dev \
+ debhelper \
+ libtool \
+ make \
+ pkg-config \
+ zlib1g-dev
+ - run: ./autogen.sh
+ - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+ - run: make -j2
+ - run: make install
+ - run: make distcheck
+
+ ubuntu-2204:
+ name: Ubuntu 22.04
+ runs-on: ubuntu-latest
+ container: ubuntu:22.04
+ steps:
+ - uses: actions/[email protected]
+ - name: Install system dependencies
+ run: |
+ apt update
+ apt-get upgrade -y
+ apt-get -y install make \
+ autoconf \
+ build-essential \
+ autoconf \
+ automake \
+ libtool \
+ make \
+ pkg-config \
+ zlib1g-dev
+ - run: ./autogen.sh
+ - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+ - run: make -j2
+ - run: make install
+ - run: make distcheck
+
+ centos-7:
+ name: CentOS 7
+ runs-on: ubuntu-latest
+ container: centos:7
+ steps:
+ - uses: actions/[email protected]
+ - name: Install system dependencies
+ run: |
+ yum -y install \
+ autoconf \
+ automake \
+ gcc \
+ gcc-c++ \
+ libtool \
+ make \
+ pkgconfig \
+ which \
+ zlib-devel
+ - run: ./autogen.sh
+ - run: CFLAGS="${DEFAULT_CFLAGS}" ./configure
+ - run: make -j2
+ - run: make install
+ - run: make distcheck
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/.travis.yml new/libhtp-0.5.42/.travis.yml
--- old/libhtp-0.5.41/.travis.yml 2022-09-27 09:32:46.000000000 +0200
+++ new/libhtp-0.5.42/.travis.yml 1970-01-01
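Review bot: None of the three jobs in `builds.yml` builds with a sanitizer, whereas the `.travis.yml` deleted in this same commit carried `fuzza`, `fuzzm` and `fuzzu` entries using `-fsanitize=address`, `-fsanitize=memory` and `-fsanitize=undefined`; for a parser of untrusted HTTP traffic that is a loss of memory-safety coverage in CI. Consider adding a clang job that carries those flags over, for example `CFLAGS="${DEFAULT_CFLAGS} -fsanitize=address,undefined"` on the configure step. The `container:` images are referenced by mutable tag (`ubuntu:20.04`, `ubuntu:22.04`, `centos:7`), so pinning them by digest would keep a re-pushed tag from changing what runs. The `uses:` ref is mangled on this page, so it is unclear whether the action is pinned to a tag or to a full commit SHA; a SHA is the safer choice.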
01:00:00.000000000 +0100
@@ -1,24 +0,0 @@
-language: c
-compiler:
- - gcc
- - clang
-# Change this to your needs
-script: sh autogen.sh && ./configure && make && (make check || cat test/test-suite.log) && make distcheck
-before_install:
- - sudo apt-get update -qq
- - sudo apt-get install -y build-essential autoconf automake libtool zlib1g zlib1g-dev make
-
-matrix:
- include:
- - name: fuzza
- env: CXX="clang++" ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" LDFLAGS="-fsanitize=address"
- compiler: clang
- os: linux
- - name: fuzzm
- env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" LDFLAGS="-fsanitize=memory"
- compiler: clang
- os: linux
- - name: fuzzu
- env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer" LDFLAGS="-fsanitize=undefined"
- compiler: clang
- os: linux
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/ChangeLog new/libhtp-0.5.42/ChangeLog
--- old/libhtp-0.5.41/ChangeLog 2022-09-27 09:32:46.000000000 +0200
+++ new/libhtp-0.5.42/ChangeLog 2022-11-28 07:01:47.000000000 +0100
@@ -1,3 +1,14 @@ +0.5.42 (27 November 2022) +------------------------- + +- github: add initial workflow + +- htp: fixes warning about bad delimiter in URI + +- fuzz: fix a null dereference in a diff report + +- htp: fixes warning about integer + 0.5.41 (27 September 2022) -------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/VERSION new/libhtp-0.5.42/VERSION --- old/libhtp-0.5.41/VERSION 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/VERSION 2022-11-28 07:01:47.000000000 +0100 @@ -1,2 +1,2 @@ # This file is intended to be sourced by sh -PKG_VERSION=0.5.41 +PKG_VERSION=0.5.42 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/htp/bstr.c new/libhtp-0.5.42/htp/bstr.c --- old/libhtp-0.5.41/htp/bstr.c 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/htp/bstr.c 2022-11-28 07:01:47.000000000 +0100 @@ -339,7 +339,7 @@ size_t i = 0; while (i < len) { - data[i] = tolower(data[i]); + data[i] = (uint8_t)tolower(data[i]); i++; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/htp/htp_base64.c new/libhtp-0.5.42/htp/htp_base64.c --- old/libhtp-0.5.41/htp/htp_base64.c 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/htp/htp_base64.c 2022-11-28 07:01:47.000000000 +0100 @@ -103,7 +103,7 @@ } fragment = (char) htp_base64_decode_single(*codechar++); } while (fragment < 0); - *plainchar = (fragment & 0x03f) << 2; + *plainchar = (unsigned char) ((fragment & 0x03f) << 2); /* fall through */ case step_b: @@ -116,7 +116,7 @@ fragment = (char) htp_base64_decode_single(*codechar++); } while (fragment < 0); *plainchar++ |= (fragment & 0x030) >> 4; - *plainchar = (fragment & 0x00f) << 4; + *plainchar = (unsigned char) ((fragment & 0x00f) << 4); if (--length_out == 0) { return plainchar - plaintext_out; } 
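Review bot: In the `htp/bstr.c` hunk the `(uint8_t)` cast quiets the conversion warning on the result, but `tolower()` still follows the process locale, so under a non-"C" locale set by the host application bytes above 0x7f may be folded differently and the lowercased output can vary between deployments. For a normalizer whose output is matched against rules, an ASCII-only fold such as `if (data[i] >= 'A' && data[i] <= 'Z') data[i] += 'a' - 'A';` keeps the result locale-independent. The declaration of `data` is outside the hunk; if it is a plain `char` buffer, the argument also needs an `(unsigned char)` cast before the call. The enclosing function starts and ends outside the hunk.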
@@ -132,7 +132,7 @@ fragment = (char) htp_base64_decode_single(*codechar++); } while (fragment < 0); *plainchar++ |= (fragment & 0x03c) >> 2; - *plainchar = (fragment & 0x003) << 6; + *plainchar = (unsigned char) ((fragment & 0x003) << 6); if (--length_out == 0) { return plainchar - plaintext_out; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/htp/htp_config.c new/libhtp-0.5.42/htp/htp_config.c --- old/libhtp-0.5.41/htp/htp_config.c 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/htp/htp_config.c 2022-11-28 07:01:47.000000000 +0100 @@ -724,11 +724,11 @@ void htp_config_set_bestfit_replacement_byte(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, int b) { if (ctx >= HTP_DECODER_CONTEXTS_MAX) return; - cfg->decoder_cfgs[ctx].bestfit_replacement_byte = b; + cfg->decoder_cfgs[ctx].bestfit_replacement_byte = (unsigned char) b; if (ctx == HTP_DECODER_DEFAULTS) { for (size_t i = 0; i < HTP_DECODER_CONTEXTS_MAX; i++) { - cfg->decoder_cfgs[i].bestfit_replacement_byte = b; + cfg->decoder_cfgs[i].bestfit_replacement_byte = (unsigned char) b; } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/htp/htp_request_generic.c new/libhtp-0.5.42/htp/htp_request_generic.c --- old/libhtp-0.5.41/htp/htp_request_generic.c 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/htp/htp_request_generic.c 2022-11-28 07:01:47.000000000 +0100 
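Review bot: In `htp_config_set_bestfit_replacement_byte` the new `(unsigned char) b` casts make the narrowing explicit but still accept any `int` silently, so a caller passing a value outside 0–255 (for example -1 or 256) gets a different replacement byte than requested, with no indication. Since the setter returns `void`, either ignore out-of-range values the way the `ctx` check on the first line already does, `if (b < 0 || b > 255) return;`, or add a comment on the function stating that only the low eight bits of `b` are used.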
@@ -379,7 +379,17 @@ // special case: even though RFC's allow only SP (0x20), many // implementations allow other delimiters, like tab or other // characters that isspace() accepts. - while ((pos < len) && (!htp_is_space(data[pos]))) pos++; + pos = len - 1; + while ((pos > start) && (!htp_is_space(data[pos]))) pos--; + } else { + // reset bad_delim found in protocol part + bad_delim = 0; + for (size_t i = start; i < pos; i++) { + if (data[i] != 0x20 && htp_is_space(data[i])) { + bad_delim = 1; + break; + } + } } if (bad_delim) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/htp/htp_response.c new/libhtp-0.5.42/htp/htp_response.c --- old/libhtp-0.5.41/htp/htp_response.c 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/htp/htp_response.c 2022-11-28 07:01:47.000000000 +0100 @@ -401,7 +401,7 @@ // Have we reached the end of the line? Or is this not chunked after all? if (connp->out_next_byte == LF || - (!is_chunked_ctl_char(connp->out_next_byte) && !data_probe_chunk_length(connp))) { + (!is_chunked_ctl_char((unsigned char) connp->out_next_byte) && !data_probe_chunk_length(connp))) { unsigned char *data; size_t len; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libhtp-0.5.41/test/fuzz/fuzz_diff.c new/libhtp-0.5.42/test/fuzz/fuzz_diff.c --- old/libhtp-0.5.41/test/fuzz/fuzz_diff.c 2022-09-27 09:32:46.000000000 +0200 +++ new/libhtp-0.5.42/test/fuzz/fuzz_diff.c 2022-11-28 07:01:47.000000000 +0100 @@ -275,6 +275,14 @@ if (rsbstr == NULL && cbstr == NULL) { return 0; } + if (rsbstr == NULL) { + printf("Assertion failure: Bstr %s rust is zero\n", field); + return 1; + } + if (cbstr == NULL) { + printf("Assertion failure: Bstr %s C is zero\n", field); + return 1; + } size_t len = bstr_len(cbstr); uint8_t * rsptr = bstr_ptr_rs(rsbstr); uint8_t * cptr = bstr_ptr(cbstr);
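Review bot: The retry branch in `htp_request_generic.c` assigns `pos = len - 1` and then reads `data[pos]`, and nothing in the hunk shows that `len` is non-zero at that point; if `pos` and `len` are unsigned (their declarations are outside the hunk), an empty line would wrap `pos` to a huge value and the read would run out of bounds. If an earlier check already guarantees `len > start`, a one-line comment such as `// len > start is guaranteed by the checks above` would document the invariant; otherwise wrap the two added lines in `if (len > start) { ... }`. The retry also now takes the last whitespace from the end of the line instead of the first one after `start`, which moves the URI/protocol boundary for lines with non-SP delimiters, so a regression test with tab-delimited request lines (including one that ends in whitespace) would be worth adding. The enclosing function starts and ends outside the hunk.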
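Review bot: The two new messages in `test/fuzz/fuzz_diff.c` say the bstr "is zero" although the condition tested is a NULL pointer, which reads like a zero-length string when triaging a differential-fuzzing report. Wording such as `printf("Assertion failure: Bstr %s rust is NULL\n", field);`, and the same for the C side, would match the check. The enclosing function starts and ends outside the hunk.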
