Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libhtp for openSUSE:Factory checked 
in at 2024-04-30 17:28:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libhtp (Old)
 and      /work/SRC/openSUSE:Factory/.libhtp.new.1880 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libhtp"

Tue Apr 30 17:28:13 2024 rev:18 rq:1170919 version:0.5.48

Changes:
--------
--- /work/SRC/openSUSE:Factory/libhtp/libhtp.changes    2024-02-22 
21:02:45.988484438 +0100
+++ /work/SRC/openSUSE:Factory/.libhtp.new.1880/libhtp.changes  2024-04-30 
17:29:52.215648591 +0200
@@ -1,0 +2,9 @@
+Thu Apr 25 20:11:06 UTC 2024 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 0.5.48
+  * decompressor: only take erroneous data on first try
+  * autotools: run autoupdate to modernize build system
+- Update to version 0.5.47
+  * request: limit probing after missing protocol
+
+-------------------------------------------------------------------

Old:
----
  libhtp-0.5.46.tar.gz

New:
----
  libhtp-0.5.48.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libhtp.spec ++++++
--- /var/tmp/diff_new_pack.QJ6P31/_old  2024-04-30 17:29:52.635663864 +0200
+++ /var/tmp/diff_new_pack.QJ6P31/_new  2024-04-30 17:29:52.635663864 +0200
@@ -19,7 +19,7 @@
 %define sover   2
 %define lname   %{name}%{sover}
 Name:           libhtp
-Version:        0.5.46
+Version:        0.5.48
 Release:        0
 Summary:        HTTP normalizer and parser
 License:        BSD-3-Clause

++++++ libhtp-0.5.46.tar.gz -> libhtp-0.5.48.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/ChangeLog new/libhtp-0.5.48/ChangeLog
--- old/libhtp-0.5.46/ChangeLog 2024-02-08 05:34:38.000000000 +0100
+++ new/libhtp-0.5.48/ChangeLog 2024-04-22 16:41:50.000000000 +0200
@@ -1,3 +1,15 @@
+0.5.48 (22 April 2024)
+----------------------
+
+- decompressor: only take erroneous data on first try
+
+- autotools: run autoupdate to modernize build system
+
+0.5.47 (19 March 2024)
+----------------------
+
+- request: limit probing after missing protocol
+
 0.5.46 (08 February 2024)
 -------------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/VERSION new/libhtp-0.5.48/VERSION
--- old/libhtp-0.5.46/VERSION   2024-02-08 05:34:38.000000000 +0100
+++ new/libhtp-0.5.48/VERSION   2024-04-22 16:41:50.000000000 +0200
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.46
+PKG_VERSION=0.5.48
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/configure.ac 
new/libhtp-0.5.48/configure.ac
--- old/libhtp-0.5.46/configure.ac      2024-02-08 05:34:38.000000000 +0100
+++ new/libhtp-0.5.48/configure.ac      2024-04-22 16:41:50.000000000 +0200
@@ -3,7 +3,7 @@
 dnl Initialization macros
 dnl ----------------------
 
-AC_INIT([LibHTP], m4_esyscmd([./get-version.sh VERSION]))
+AC_INIT([LibHTP],[m4_esyscmd(./get-version.sh VERSION)])
 AM_INIT_AUTOMAKE()
 
 AC_CONFIG_HEADERS([htp_config_auto_gen.h])
@@ -86,7 +86,7 @@
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_PROG_CXX
-AM_PROG_LIBTOOL
+LT_INIT
 AM_SANITY_CHECK
 
 # Checks for library functions
@@ -99,7 +99,7 @@
 dnl -----------------------------------------------
 dnl Checks for libs.
 dnl -----------------------------------------------
-AC_CHECK_HEADER(zlib.h,,[AC_ERROR(zlib.h not found ...)])
+AC_CHECK_HEADER(zlib.h,,[AC_MSG_ERROR(zlib.h not found ...)])
 ZLIB=""
 AC_CHECK_LIB(z, inflate,, ZLIB="no")
 if test "$ZLIB" = "no"; then
@@ -161,13 +161,11 @@
 TMPLIBS="${LIBS}"
 LIBS="${LIBS} ${LIBICONV}"
 
-AC_TRY_LINK([#include <stdlib.h>
-             #include <iconv.h>],
-            [int iconv_param = 0;
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <stdlib.h>
+             #include <iconv.h>]], [[int iconv_param = 0;
              iconv_t cd = iconv_open("","");
              iconvctl(cd, ICONV_SET_DISCARD_ILSEQ, &iconv_param);
-             iconv_close(cd);],
-            [ac_cv_func_iconvctl=yes])
+             iconv_close(cd);]])],[ac_cv_func_iconvctl=yes],[])
 AC_MSG_RESULT($ac_cv_func_iconvctl)
 if test "$ac_cv_func_iconvctl" == yes; then
     AC_DEFINE(HAVE_ICONVCTL,1,"Define to 1 if you have the `iconvctl' 
function.")
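Review bot: The `test "$ac_cv_func_iconvctl" == yes` line kept as context under the rewritten `AC_LINK_IFELSE` uses `==`, which POSIX `test` does not define. Under a strict `/bin/sh` the comparison errors out, so `HAVE_ICONVCTL` is never defined even when the link probe succeeded. Since this commit is the autoupdate pass, it is the natural place to change it to `if test "$ac_cv_func_iconvctl" = yes; then`. The new empty fourth argument `[]` also leaves `ac_cv_func_iconvctl` unset on failure, so `AC_MSG_RESULT` prints nothing; `[ac_cv_func_iconvctl=no]` would make the configure log readable. The `if` block continues past the end of the hunk.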
@@ -185,7 +183,7 @@
 AC_MSG_CHECKING(for gcc support of -Wstrict-overflow=1)
 TMPCFLAGS="${CFLAGS}"
 CFLAGS="${CFLAGS} -Wstrict-overflow=1"
-AC_TRY_COMPILE(,,[gcc_have_strict_overflow=yes],[gcc_have_strict_overflow=no])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], 
[[]])],[gcc_have_strict_overflow=yes],[gcc_have_strict_overflow=no])
 AC_MSG_RESULT($gcc_have_strict_overflow)
 if test "$gcc_have_strict_overflow" != "yes"; then
     CFLAGS="${TMPCFLAGS}"
@@ -198,7 +196,7 @@
 AC_MSG_CHECKING(for gcc support of stack smashing protection)
 TMPCFLAGS="${CFLAGS}"
 CFLAGS="${CFLAGS} -fstack-protector"
-AC_TRY_COMPILE(,,[gcc_have_fstack_protector=yes],[gcc_have_fstack_protector=no])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], 
[[]])],[gcc_have_fstack_protector=yes],[gcc_have_fstack_protector=no])
 AC_MSG_RESULT($gcc_have_fstack_protector)
 if test "$gcc_have_fstack_protector" != "yes"; then
     CFLAGS="${TMPCFLAGS}"  
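Review bot: The `-fstack-protector` probe is still compile-only (`AC_COMPILE_IFELSE` on an empty program), so it can report `yes` on a toolchain that accepts the flag but cannot link the stack-protector runtime. The failure then surfaces at link time instead of in configure. A link probe closes that gap: `AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],[gcc_have_fstack_protector=yes],[gcc_have_fstack_protector=no])`. The surrounding `if` block ends outside the hunk, so what is done with the result beyond restoring `CFLAGS` is not visible here.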
@@ -211,7 +209,7 @@
 AC_MSG_CHECKING(for gcc support of FORTIFY_SOURCE)
 TMPCFLAGS="${CFLAGS}"
 CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
-AC_TRY_COMPILE(,,[gcc_have_fortify_source=yes],[gcc_have_fortify_source=no])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], 
[[]])],[gcc_have_fortify_source=yes],[gcc_have_fortify_source=no])
 AC_MSG_RESULT($gcc_have_fortify_source)
 if test "$gcc_have_fortify_source" != "yes"; then
     CFLAGS="${TMPCFLAGS}"
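Review bot: The `FORTIFY_SOURCE` probe cannot meaningfully fail, because adding `-D_FORTIFY_SOURCE=2` to an empty `AC_LANG_PROGRAM` compiles on essentially any compiler. In practice `gcc_have_fortify_source` is therefore always `yes` and the fallback to `TMPCFLAGS` is dead. The macro also only has an effect when the build is optimised, which this check does not look at. I would at least document that above the probe, e.g. `dnl This probe always succeeds; _FORTIFY_SOURCE=2 only takes effect when CFLAGS also enables optimisation.` The `if` block continues outside the hunk.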
@@ -223,7 +221,7 @@
 AC_MSG_CHECKING(for gcc support of -Wformat -Wformat-security)
 TMPCFLAGS="${CFLAGS}"
 CFLAGS="${CFLAGS} -Wformat -Wformat-security"
-AC_TRY_COMPILE(,,[gcc_have_format_security=yes],[gcc_have_format_security=no])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], 
[[]])],[gcc_have_format_security=yes],[gcc_have_format_security=no])
 AC_MSG_RESULT($gcc_have_format_security)
 if test "$gcc_have_format_security" != "yes"; then
     CFLAGS="${TMPCFLAGS}"
@@ -232,7 +230,7 @@
 AC_MSG_CHECKING(for gcc support of -fPIC)
 TMPCFLAGS="${CFLAGS}"
 CFLAGS="${CFLAGS} -fPIC"
-AC_TRY_COMPILE(,,[gcc_have_fpic=yes],[gcc_have_fpic=no])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], 
[[]])],[gcc_have_fpic=yes],[gcc_have_fpic=no])
 AC_MSG_RESULT($gcc_have_fpic)
 if test "$gcc_have_fpic" != "yes"; then
     CFLAGS="${TMPCFLAGS}"
@@ -266,10 +264,11 @@
 dnl -----------------------------------------------
 
 AC_PREFIX_DEFAULT(/usr/local)
-AC_OUTPUT(Makefile \
+AC_CONFIG_FILES([Makefile \
           htp.pc \
           htp/Makefile \
           htp/lzma/Makefile \
           test/Makefile \
           docs/Makefile
-)
+])
+AC_OUTPUT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/htp/htp_decompressors.c 
new/libhtp-0.5.48/htp/htp_decompressors.c
--- old/libhtp-0.5.46/htp/htp_decompressors.c   2024-02-08 05:34:38.000000000 
+0100
+++ new/libhtp-0.5.48/htp/htp_decompressors.c   2024-04-22 16:41:50.000000000 
+0200
@@ -317,7 +317,7 @@
             return HTP_ERROR;
         }
         if (GZIP_BUF_SIZE > drec->stream.avail_out) {
-            if (rc == Z_DATA_ERROR) {
+            if (rc == Z_DATA_ERROR && drec->restart == 0) {
                 // There is data even if there is an error
                 // So use this data and log a warning
                 htp_log(d->tx->connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "GZip 
decompressor: inflate failed with %d", rc);
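Review bot: The comment under the changed condition still reads "There is data even if there is an error / So use this data and log a warning", which no longer explains why the branch is limited to `drec->restart == 0`. I would extend it with something like `// Only on the first attempt (restart == 0): output produced after a restart is not trusted`. What happens to the bytes already written to the output buffer when `rc == Z_DATA_ERROR` and `restart != 0` is decided outside this hunk. It is worth confirming that this path discards the partial output rather than forwarding it.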
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libhtp-0.5.46/htp/htp_request.c 
new/libhtp-0.5.48/htp/htp_request.c
--- old/libhtp-0.5.46/htp/htp_request.c 2024-02-08 05:34:38.000000000 +0100
+++ new/libhtp-0.5.48/htp/htp_request.c 2024-04-22 16:41:50.000000000 +0200
@@ -732,6 +732,14 @@
     return HTP_ERROR;
 }
 
+// HTTP/0.9 is supposed to be only a request line without protocol.
+// Libhtp will still consider the request to be HTTP/0.9 if there
+// are some junk whitespaces after that request line.
+// Libhtp allows the small value of 16 extra bytes/whitespaces,
+// otherwise we consider it to be a HTTP/1.x request with missing protocol.
+// It is unlikely to meet HTTP/0.9, and we want to limit probing.
+#define HTTP09_MAX_JUNK_LEN 16
+
 /**
  * Determines request protocol.
  *
@@ -749,6 +757,14 @@
         // Let's check if the protocol was simply missing
         int64_t pos = connp->in_current_read_offset;
         // Probe if data looks like a header line
+        if (connp->in_current_len > connp->in_current_read_offset + 
HTTP09_MAX_JUNK_LEN) {
+            htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: 
missing protocol");
+            connp->in_tx->is_protocol_0_9 = 0;
+            // Switch to request header parsing.
+            connp->in_state = htp_connp_REQ_HEADERS;
+            connp->in_tx->request_progress = HTP_REQUEST_HEADERS;
+            return HTP_OK;
+        }
         while (pos < connp->in_current_len) {
             if (!htp_is_space(connp->in_current_data[pos])) {
                 htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request 
line: missing protocol");
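Review bot: The new length check compares `connp->in_current_len` with `connp->in_current_read_offset + HTTP09_MAX_JUNK_LEN`, which as far as the names show is the data buffered in the current chunk. The same request line can therefore be classified as HTTP/0.9 or as HTTP/1.x with a missing protocol depending on how the stream was segmented, and consumers that key detection on `is_protocol_0_9` should know that. The comment added with `HTTP09_MAX_JUNK_LEN` in the previous hunk describes the limit as trailing junk only, so I would add at the check `// Measured against the bytes buffered in this chunk only; the result depends on segmentation`. The early return also repeats the "Request line: missing protocol" log call that opens the loop body below. The rest of that body is outside the hunk, so whether the two paths could share a small helper needs checking against the full function.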
