Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tinyproxy for openSUSE:Factory checked in at 2024-05-09 12:13:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tinyproxy (Old) and /work/SRC/openSUSE:Factory/.tinyproxy.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tinyproxy" Thu May 9 12:13:50 2024 rev:19 rq:1172807 version:1.11.2 Changes: -------- --- /work/SRC/openSUSE:Factory/tinyproxy/tinyproxy.changes 2024-02-07 18:53:58.646785243 +0100 +++ /work/SRC/openSUSE:Factory/.tinyproxy.new.1880/tinyproxy.changes 2024-05-09 12:13:52.158940612 +0200 @@ -1,0 +2,11 @@ +Wed May 8 19:02:38 UTC 2024 - Jan Engelhardt <jeng...@inai.de> + +- Update to release 1.11.2 + * Fix potential use-after-free in header handling + [CVE-2023-49606, boo#1233746] + * Prevent junk from showing up in error page in invalid requests + [CVE-2022-40468, CVE-2023-40533, boo#1223743] +- Delete 0001-prevent-junk-from-showing-up-in-error-page-in-invali.patch + (merged) + +------------------------------------------------------------------- Old: ---- 0001-prevent-junk-from-showing-up-in-error-page-in-invali.patch tinyproxy-1.11.1.tar.xz New: ---- tinyproxy-1.11.2.tar.xz BETA DEBUG BEGIN: Old: [CVE-2022-40468, CVE-2023-40533, boo#1223743] - Delete 0001-prevent-junk-from-showing-up-in-error-page-in-invali.patch (merged) BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tinyproxy.spec ++++++ --- /var/tmp/diff_new_pack.8zLeA4/_old 2024-05-09 12:13:53.470988238 +0200 +++ /var/tmp/diff_new_pack.8zLeA4/_new 2024-05-09 12:13:53.474988384 +0200 
@@ -17,15 +17,14 @@ Name: tinyproxy -Version: 1.11.1 +Version: 1.11.2 Release: 0 Summary: Minimalist WWW proxy License: GPL-2.0-or-later Group: Productivity/Networking/Web/Proxy URL: https://tinyproxy.github.io/ -Source: https://github.com/tinyproxy/tinyproxy/releases/download/%version/tinyproxy-%version.tar.xz +Source: https://github.com/tinyproxy/tinyproxy/releases/download/%version/%name-%version.tar.xz Source1: %name.logrotate -Patch1: 0001-prevent-junk-from-showing-up-in-error-page-in-invali.patch BuildRequires: systemd-rpm-macros BuildRequires: sysuser-tools BuildRequires: xz ++++++ tinyproxy-1.11.1.tar.xz -> tinyproxy-1.11.2.tar.xz ++++++ ++++ 14222 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/INSTALL new/tinyproxy-1.11.2/INSTALL --- old/tinyproxy-1.11.1/INSTALL 2022-05-27 16:08:02.000000000 +0200 +++ new/tinyproxy-1.11.2/INSTALL 2024-05-08 20:25:30.000000000 +0200 @@ -1,8 +1,8 @@ Installation Instructions ************************* - Copyright (C) 1994-1996, 1999-2002, 2004-2016 Free Software -Foundation, Inc. + Copyright (C) 1994-1996, 1999-2002, 2004-2017, 2020-2021 Free +Software Foundation, Inc. Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright 
@@ -225,7 +225,7 @@ and if that doesn't work, install pre-built binaries of GCC for HP-UX. - HP-UX 'make' updates targets which have the same time stamps as their + HP-UX 'make' updates targets which have the same timestamps as their prerequisites, which makes it generally unusable when shipped generated files such as 'configure' are involved. Use GNU 'make' instead. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/VERSION new/tinyproxy-1.11.2/VERSION --- old/tinyproxy-1.11.1/VERSION 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/VERSION 2024-05-08 20:25:23.000000000 +0200 @@ -1 +1 @@ -1.11.1 +1.11.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/compile new/tinyproxy-1.11.2/compile --- old/tinyproxy-1.11.1/compile 2022-05-27 16:08:02.000000000 +0200 +++ new/tinyproxy-1.11.2/compile 2024-05-08 20:25:30.000000000 +0200 @@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2018 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # Written by Tom Tromey <tro...@cygnus.com>. # # This program is free software; you can redistribute it and/or modify @@ -53,7 +53,7 @@ MINGW*) file_conv=mingw ;; - CYGWIN*) + CYGWIN* | MSYS*) file_conv=cygwin ;; *) 
@@ -67,7 +67,7 @@ mingw/*) file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` ;; - cygwin/*) + cygwin/* | msys/*) file=`cygpath -m "$file" || echo "$file"` ;; wine/*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/config.h.in new/tinyproxy-1.11.2/config.h.in --- old/tinyproxy-1.11.1/config.h.in 2022-05-27 16:08:02.000000000 +0200 +++ new/tinyproxy-1.11.2/config.h.in 2024-05-08 20:25:29.000000000 +0200 @@ -27,6 +27,9 @@ /* Define to 1 if you have the <memory.h> header file. */ #undef HAVE_MEMORY_H +/* Define to 1 if you have the <minix/config.h> header file. */ +#undef HAVE_MINIX_CONFIG_H + /* Define to 1 if you have the <poll.h> header file. */ #undef HAVE_POLL_H @@ -36,6 +39,9 @@ /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H +/* Define to 1 if you have the <stdio.h> header file. */ +#undef HAVE_STDIO_H + /* Define to 1 if you have the <stdlib.h> header file. */ #undef HAVE_STDLIB_H @@ -60,6 +66,9 @@ /* Define to 1 if you have the <sys/stat.h> header file. */ #undef HAVE_SYS_STAT_H +/* Define to 1 if you have the <sys/time.h> header file. */ +#undef HAVE_SYS_TIME_H + /* Define to 1 if you have the <sys/types.h> header file. */ #undef HAVE_SYS_TYPES_H @@ -72,6 +81,9 @@ /* Define to 1 if you have the <values.h> header file. */ #undef HAVE_VALUES_H +/* Define to 1 if you have the <wchar.h> header file. */ +#undef HAVE_WCHAR_H + /* Define to 1 if `lstat' dereferences a symlink specified with a trailing slash. */ #undef LSTAT_FOLLOWS_SLASHED_SYMLINK 
@@ -103,10 +115,13 @@ /* Include support for reverse proxy. */ #undef REVERSE_SUPPORT -/* Define to 1 if you have the ANSI C header files. */ +/* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for + backward compatibility; new code need not use it. */ #undef STDC_HEADERS -/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ +/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. This + macro is obsolete. */ #undef TIME_WITH_SYS_TIME /* This controls remote proxy stats display. */ 
@@ -125,21 +140,87 @@ #ifndef _ALL_SOURCE # undef _ALL_SOURCE #endif +/* Enable general extensions on macOS. */ +#ifndef _DARWIN_C_SOURCE +# undef _DARWIN_C_SOURCE +#endif +/* Enable general extensions on Solaris. */ +#ifndef __EXTENSIONS__ +# undef __EXTENSIONS__ +#endif /* Enable GNU extensions on systems that have them. */ #ifndef _GNU_SOURCE # undef _GNU_SOURCE #endif -/* Enable threading extensions on Solaris. */ +/* Enable X/Open compliant socket functions that do not require linking + with -lxnet on HP-UX 11.11. */ +#ifndef _HPUX_ALT_XOPEN_SOCKET_API +# undef _HPUX_ALT_XOPEN_SOCKET_API +#endif +/* Identify the host operating system as Minix. + This macro does not affect the system headers' behavior. + A future release of Autoconf may stop defining this macro. */ +#ifndef _MINIX +# undef _MINIX +#endif +/* Enable general extensions on NetBSD. + Enable NetBSD compatibility extensions on Minix. */ +#ifndef _NETBSD_SOURCE +# undef _NETBSD_SOURCE +#endif +/* Enable OpenBSD compatibility extensions on NetBSD. + Oddly enough, this does nothing on OpenBSD. */ +#ifndef _OPENBSD_SOURCE +# undef _OPENBSD_SOURCE +#endif +/* Define to 1 if needed for POSIX-compatible behavior. */ +#ifndef _POSIX_SOURCE +# undef _POSIX_SOURCE +#endif +/* Define to 2 if needed for POSIX-compatible behavior. */ +#ifndef _POSIX_1_SOURCE +# undef _POSIX_1_SOURCE +#endif +/* Enable POSIX-compatible threading on Solaris. */ #ifndef _POSIX_PTHREAD_SEMANTICS # undef _POSIX_PTHREAD_SEMANTICS #endif +/* Enable extensions specified by ISO/IEC TS 18661-5:2014. */ +#ifndef __STDC_WANT_IEC_60559_ATTRIBS_EXT__ +# undef __STDC_WANT_IEC_60559_ATTRIBS_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-1:2014. */ +#ifndef __STDC_WANT_IEC_60559_BFP_EXT__ +# undef __STDC_WANT_IEC_60559_BFP_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-2:2015. 
*/ +#ifndef __STDC_WANT_IEC_60559_DFP_EXT__ +# undef __STDC_WANT_IEC_60559_DFP_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-4:2015. */ +#ifndef __STDC_WANT_IEC_60559_FUNCS_EXT__ +# undef __STDC_WANT_IEC_60559_FUNCS_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TS 18661-3:2015. */ +#ifndef __STDC_WANT_IEC_60559_TYPES_EXT__ +# undef __STDC_WANT_IEC_60559_TYPES_EXT__ +#endif +/* Enable extensions specified by ISO/IEC TR 24731-2:2010. */ +#ifndef __STDC_WANT_LIB_EXT2__ +# undef __STDC_WANT_LIB_EXT2__ +#endif +/* Enable extensions specified by ISO/IEC 24747:2009. */ +#ifndef __STDC_WANT_MATH_SPEC_FUNCS__ +# undef __STDC_WANT_MATH_SPEC_FUNCS__ +#endif /* Enable extensions on HP NonStop. */ #ifndef _TANDEM_SOURCE # undef _TANDEM_SOURCE #endif -/* Enable general extensions on Solaris. */ -#ifndef __EXTENSIONS__ -# undef __EXTENSIONS__ +/* Enable X/Open extensions. Define to 500 only if necessary + to make mbstate_t available. */ +#ifndef _XOPEN_SOURCE +# undef _XOPEN_SOURCE #endif 
@@ -149,13 +230,3 @@ /* Define if you want to have the peer's IP address included in a XTinyproxy header sent to the server. */ #undef XTINYPROXY_ENABLE - -/* Define to 1 if on MINIX. */ -#undef _MINIX - -/* Define to 2 if the system does not provide POSIX.1 features except with - this defined. */ -#undef _POSIX_1_SOURCE - -/* Define to 1 if you need to in order for `stat' and other things to work. */ -#undef _POSIX_SOURCE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/docs/man5/tinyproxy.conf.5 new/tinyproxy-1.11.2/docs/man5/tinyproxy.conf.5 --- old/tinyproxy-1.11.1/docs/man5/tinyproxy.conf.5 2022-05-27 16:08:06.000000000 +0200 +++ new/tinyproxy-1.11.2/docs/man5/tinyproxy.conf.5 2024-05-08 20:25:32.000000000 +0200 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) +.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42) .\" .\" Standard preamble: .\" ======================================================================== @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "TINYPROXY.CONF 5" -.TH TINYPROXY.CONF 5 "2022-05-27" "Version 1.11.1" "Tinyproxy manual" +.TH TINYPROXY.CONF 5 "2024-05-08" "Version 1.11.2" "Tinyproxy manual" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -153,8 +153,8 @@ The Tinyproxy configuration file contains key-value pairs, one per line. Lines starting with `#` and empty lines are comments and are ignored. Keywords are case-insensitive, whereas values are -case-sensitive. Values may be enclosed in double-quotes (") if they -contain spaces. +case-sensitive. Some string values must be enclosed in double +quotes (") as noted below. .PP The possible keywords and their descriptions are as follows: .IP "\fBUser\fR" 4 @@ -181,7 +181,7 @@ .IP "\fBBind\fR" 4 .IX Item "Bind" This allows you to specify which address Tinyproxy will bind -to for outgoing connections to web servers or upstream proxies. +to for outgoing connections. This parameter may be specified multiple times, then Tinyproxy will try all the specified addresses in order. .IP "\fBBindSame\fR" 4 
@@ -197,26 +197,26 @@ .IX Item "ErrorFile" This parameter controls which \s-1HTML\s0 file Tinyproxy returns when a given \s-1HTTP\s0 error occurs. It takes two arguments, the error number -and the location of the \s-1HTML\s0 error file. +and the location of the \s-1HTML\s0 error file. Enclose the file location +in double quotes. .IP "\fBDefaultErrorFile\fR" 4 .IX Item "DefaultErrorFile" -This parameter controls the \s-1HTML\s0 template file returned when an -error occurs for which no specific error file has been set. +The \s-1HTML\s0 template file returned when an error occurs for which no +specific error file has been set. Enclose in double quotes. .IP "\fBStatHost\fR" 4 .IX Item "StatHost" -This configures the host name or \s-1IP\s0 address that is treated -as the `stat host`: Whenever a request for this host is received, -Tinyproxy will return an internal statistics page instead of -forwarding the request to that host. The template for this -page can be configured with the `StatFile` configuration option. -The default value of `StatHost` is `tinyproxy.stats`. +The host name or \s-1IP\s0 address that is treated as the `stat host`. +Enclose in double quotes. Whenever Tinyproxy receives a request for +the `stat host` it returns an internal statistics page instead of +forwarding the request to that host. The template for this page can be +configured with the `StatFile` configuration option. The default value +of `StatHost` is `tinyproxy.stats`. .IP "\fBStatFile\fR" 4 .IX Item "StatFile" -This configures the \s-1HTML\s0 file that Tinyproxy sends when -a request for the stathost is received. If this parameter is -not set, Tinyproxy returns a hard-coded basic statistics page. -See the \s-1STATHOST\s0 section in the \fBtinyproxy\fR\|(8) manual page -for details. +The \s-1HTML\s0 file that Tinyproxy sends in response to a request for the +`stat host`. Enclose in double quotes. If this parameter is not set, +Tinyproxy returns a hard-coded basic statistics page. 
See the \s-1STATHOST\s0 +section in the \fBtinyproxy\fR\|(8) manual page for details. .Sp Note that the StatFile and the error files configured with ErrorFile and DefaultErrorFile are template files that can contain a few @@ -226,9 +226,9 @@ manual page contains a description of all template variables. .IP "\fBLogFile\fR" 4 .IX Item "LogFile" -This controls the location of the file to which Tinyproxy -writes its debug output. Alternatively, Tinyproxy can log -to syslog \*(-- see the Syslog option. +The location of the file to which Tinyproxy writes its debug output. +Enclose in double quotes. Alternatively, Tinyproxy can log to syslog +\&\*(-- see the Syslog option. .IP "\fBSyslog\fR" 4 .IX Item "Syslog" When set to `On`, this option tells Tinyproxy to write its @@ -258,8 +258,8 @@ .RE .IP "\fBPidFile\fR" 4 .IX Item "PidFile" -This option controls the location of the file where the main -Tinyproxy process stores its process \s-1ID\s0 for signaling purposes. +The location of the file where the main Tinyproxy process stores its +process \s-1ID\s0 for signaling purposes. Enclose in double quotes. .IP "\fBXTinyproxy\fR" 4 .IX Item "XTinyproxy" Setting this option to `Yes` tells Tinyproxy to add a header @@ -290,6 +290,10 @@ .RE .RS 4 .Sp +It's recommended to use raw \s-1IP\s0 addresses to specify the upstream host, so +no costly \s-1DNS\s0 lookup has to be done everytime it is used. +IPv6 addresses need to be enclosed in square brackets. +.Sp The site can be specified in various forms as a hostname, domain name or as an \s-1IP\s0 range: .IP "\(bu" 4 
@@ -361,7 +365,8 @@ requests, but using the real host name can be a security concern. If the `ViaProxyname` option is present, then its string value will be used as the host name in the Via header. -Otherwise, the server's host name will be used. +Otherwise, the server's host name will be used. Enclose in double +quotes. .IP "\fBDisableViaHeader\fR" 4 .IX Item "DisableViaHeader" When this is set to yes, Tinyproxy does \s-1NOT\s0 add the `Via` header @@ -449,7 +454,7 @@ is enabled. The headers listed with `Anonymous` are allowed through, while all others are denied. If no Anonymous keyword is present, then all headers are allowed through. You must -include quotes around the headers. +include double quotes around the headers. .Sp Most sites require cookies to be enabled for them to work correctly, so you will need to allow cookies through if you access those sites. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/docs/man5/tinyproxy.conf.txt.in new/tinyproxy-1.11.2/docs/man5/tinyproxy.conf.txt.in --- old/tinyproxy-1.11.1/docs/man5/tinyproxy.conf.txt.in 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/docs/man5/tinyproxy.conf.txt.in 2024-05-08 20:25:23.000000000 +0200 @@ -22,8 +22,8 @@ The Tinyproxy configuration file contains key-value pairs, one per line. Lines starting with `#` and empty lines are comments and are ignored. Keywords are case-insensitive, whereas values are -case-sensitive. Values may be enclosed in double-quotes (") if they -contain spaces. +case-sensitive. Some string values must be enclosed in double +quotes (") as noted below. The possible keywords and their descriptions are as follows: 
@@ -57,7 +57,7 @@ =item B<Bind> This allows you to specify which address Tinyproxy will bind -to for outgoing connections to web servers or upstream proxies. +to for outgoing connections. This parameter may be specified multiple times, then Tinyproxy will try all the specified addresses in order. 
@@ -76,29 +76,29 @@ This parameter controls which HTML file Tinyproxy returns when a given HTTP error occurs. It takes two arguments, the error number -and the location of the HTML error file. +and the location of the HTML error file. Enclose the file location +in double quotes. =item B<DefaultErrorFile> -This parameter controls the HTML template file returned when an -error occurs for which no specific error file has been set. +The HTML template file returned when an error occurs for which no +specific error file has been set. Enclose in double quotes. =item B<StatHost> -This configures the host name or IP address that is treated -as the `stat host`: Whenever a request for this host is received, -Tinyproxy will return an internal statistics page instead of -forwarding the request to that host. The template for this -page can be configured with the `StatFile` configuration option. -The default value of `StatHost` is `@TINYPROXY_STATHOST@`. +The host name or IP address that is treated as the `stat host`. +Enclose in double quotes. Whenever Tinyproxy receives a request for +the `stat host` it returns an internal statistics page instead of +forwarding the request to that host. The template for this page can be +configured with the `StatFile` configuration option. The default value +of `StatHost` is `@TINYPROXY_STATHOST@`. =item B<StatFile> -This configures the HTML file that Tinyproxy sends when -a request for the stathost is received. If this parameter is -not set, Tinyproxy returns a hard-coded basic statistics page. -See the STATHOST section in the L<tinyproxy(8)> manual page -for details. +The HTML file that Tinyproxy sends in response to a request for the +`stat host`. Enclose in double quotes. If this parameter is not set, +Tinyproxy returns a hard-coded basic statistics page. See the STATHOST +section in the L<tinyproxy(8)> manual page for details. 
Note that the StatFile and the error files configured with ErrorFile and DefaultErrorFile are template files that can contain a few @@ -109,9 +109,9 @@ =item B<LogFile> -This controls the location of the file to which Tinyproxy -writes its debug output. Alternatively, Tinyproxy can log -to syslog -- see the Syslog option. +The location of the file to which Tinyproxy writes its debug output. +Enclose in double quotes. Alternatively, Tinyproxy can log to syslog +-- see the Syslog option. =item B<Syslog> @@ -144,8 +144,8 @@ =item B<PidFile> -This option controls the location of the file where the main -Tinyproxy process stores its process ID for signaling purposes. +The location of the file where the main Tinyproxy process stores its +process ID for signaling purposes. Enclose in double quotes. =item B<XTinyproxy> @@ -179,6 +179,10 @@ =back +It's recommended to use raw IP addresses to specify the upstream host, so +no costly DNS lookup has to be done everytime it is used. +IPv6 addresses need to be enclosed in square brackets. + The site can be specified in various forms as a hostname, domain name or as an IP range: @@ -250,7 +254,8 @@ requests, but using the real host name can be a security concern. If the `ViaProxyname` option is present, then its string value will be used as the host name in the Via header. -Otherwise, the server's host name will be used. +Otherwise, the server's host name will be used. Enclose in double +quotes. =item B<DisableViaHeader> 
@@ -344,7 +349,7 @@ is enabled. The headers listed with `Anonymous` are allowed through, while all others are denied. If no Anonymous keyword is present, then all headers are allowed through. You must -include quotes around the headers. +include double quotes around the headers. Most sites require cookies to be enabled for them to work correctly, so you will need to allow cookies through if you access those sites. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/docs/man8/tinyproxy.8 new/tinyproxy-1.11.2/docs/man8/tinyproxy.8 --- old/tinyproxy-1.11.1/docs/man8/tinyproxy.8 2022-05-27 16:08:06.000000000 +0200 +++ new/tinyproxy-1.11.2/docs/man8/tinyproxy.8 2024-05-08 20:25:33.000000000 +0200 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) +.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "TINYPROXY 8" -.TH TINYPROXY 8 "2022-05-27" "Version 1.11.1" "Tinyproxy manual" +.TH TINYPROXY 8 "2024-05-08" "Version 1.11.2" "Tinyproxy manual" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/etc/tinyproxy.conf.in new/tinyproxy-1.11.2/etc/tinyproxy.conf.in --- old/tinyproxy-1.11.1/etc/tinyproxy.conf.in 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/etc/tinyproxy.conf.in 2024-05-08 20:25:23.000000000 +0200 @@ -3,7 +3,7 @@ ## ## This example tinyproxy.conf file contains example settings ## with explanations in comments. For decriptions of all -## parameters, see the tinproxy.conf(5) manual page. +## parameters, see the tinyproxy.conf(5) manual page. ## # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/missing new/tinyproxy-1.11.2/missing --- old/tinyproxy-1.11.1/missing 2022-05-27 16:08:02.000000000 +0200 +++ new/tinyproxy-1.11.2/missing 2024-05-08 20:25:30.000000000 +0200 
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2018 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/src/child.c new/tinyproxy-1.11.2/src/child.c --- old/tinyproxy-1.11.1/src/child.c 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/src/child.c 2024-05-08 20:25:23.000000000 +0200 @@ -81,7 +81,7 @@ int connfd; union sockaddr_union cliaddr_storage; struct sockaddr *cliaddr = (void*) &cliaddr_storage; - socklen_t clilen = sizeof(cliaddr_storage); + socklen_t clilen; int nfds = sblist_getsize(listen_fds); pollfd_struct *fds = safecalloc(nfds, sizeof *fds); ssize_t i; @@ -167,6 +167,7 @@ * Continue handling this connection. */ + clilen = sizeof(cliaddr_storage); connfd = accept (listenfd, cliaddr, &clilen); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/src/conf.c new/tinyproxy-1.11.2/src/conf.c --- old/tinyproxy-1.11.1/src/conf.c 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/src/conf.c 2024-05-08 20:25:23.000000000 +0200 
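Review bot: The reason for moving the `clilen` initializer from the declaration to just before `accept (listenfd, cliaddr, &clilen)` is not recorded anywhere in the child.c hunk; accept() stores the returned address length back into `clilen`, so a value left over from an earlier, shorter peer address would truncate the next one, and without a comment a later cleanup is likely to hoist the initializer back into the declaration. Add `/* accept() overwrites clilen with the returned address length; reset it before every call */` above the new line. The surrounding accept loop and the function it belongs to begin outside the hunk.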
@@ -66,9 +66,10 @@ #define PASSWORD "([^@]*)" #define IP "((([0-9]{1,3})\\.){3}[0-9]{1,3})" #define IPMASK "(" IP "(/" DIGIT "+)?)" +#define IPV6SCOPE "((%[^ \t\\/]{1,16})?)" #define IPV6 "(" \ - "(([0-9a-f:]{2,39}))|" \ - "(([0-9a-f:]{0,29}:" IP "))" \ + "([0-9a-f:]{2,39})" IPV6SCOPE "|" \ + "([0-9a-f:]{0,29}:" IP ")" IPV6SCOPE \ ")" #define IPV6MASK "(" IPV6 "(/" DIGIT "+)?)" @@ -80,7 +81,7 @@ * number. Given the usual structure of the configuration file, sixteen * substring matches should be plenty. */ -#define RE_MAX_MATCHES 24 +#define RE_MAX_MATCHES 33 #define CP_WARN(FMT, ...) \ log_message (LOG_WARNING, "line %lu: " FMT, lineno, __VA_ARGS__) @@ -224,7 +225,7 @@ handle_deny), STDCONF (bind, "(" IP "|" IPV6 ")", handle_bind), /* other */ - STDCONF (basicauth, ALNUM WS ALNUM, handle_basicauth), + STDCONF (basicauth, USERNAME WS PASSWORD, handle_basicauth), STDCONF (errorfile, INT WS STR, handle_errorfile), STDCONF (addheader, STR WS STR, handle_addheader), @@ -249,7 +250,7 @@ "(" "(none)" WS STR ")|" \ "(" "(http|socks4|socks5)" WS \ "(" USERNAME /*username*/ ":" PASSWORD /*password*/ "@" ")?" - "(" IP "|" ALNUM ")" + "(" IP "|" "\\[(" IPV6 ")\\]" "|" ALNUM ")" ":" INT "(" WS STR ")?" ")", handle_upstream), #endif /* loglevel */ @@ -427,7 +428,7 @@ while(isspace(*p))p++; if(!*p) continue; q = p; - while(!isspace(*q))q++; + while(*q && !isspace(*q))q++; c = *q; *q = 0; e = config_directive_find(p, strlen(p)); @@ -1008,7 +1009,7 @@ if (!type) return -1; for(i=0;i<sizeof(ftmap)/sizeof(ftmap[0]);++i) - if(!strcmp(ftmap[i].type, type)) + if(!strcasecmp(ftmap[i].type, type)) conf->filter_opts |= ftmap[i].flag; safefree (type); 
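Review bot: The comment directly above `#define RE_MAX_MATCHES 33` still says "sixteen substring matches should be plenty", which was already wrong at 24 and is now further from the value; the constant has to track the largest capture-group count of any directive regex, and the IPV6SCOPE groups added in the hunk above it are what pushed the count up (presumably via the upstream regex, which is the one embedding IPV6 inside brackets). Replace that sentence with `* substring matches should be plenty; 33 covers the upstream regex with a bracketed IPv6 address plus scope id.` so the next regex edit knows which expression governs the number.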
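Review bot: `STDCONF (basicauth, USERNAME WS PASSWORD, handle_basicauth)` now accepts a password matching PASSWORD, which this page defines as `([^@]*)`: it can be empty, it cannot contain `@`, and it greedily swallows anything else including trailing blanks, so depending on how STDCONF anchors the line and how WS is defined (both outside the hunk) a line with only blanks after the user name may register an empty password and `BasicAuth alice secret ` may register `secret `. handle_basicauth is also outside the hunk; it should reject empty captures rather than relying on the regex, and the same applies to USERNAME, whose definition is above the hunk. At minimum record the constraint next to the directive: `/* PASSWORD is "[^@]*": '@' is not allowed, blanks are; empty captures must be rejected in handle_basicauth */`.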
@@ -1114,10 +1115,13 @@ pass = get_string_arg (line, &match[mi]); mi++; - ip = get_string_arg (line, &match[mi]); + if (match[mi+4].rm_so != -1) /* IPv6 address in square brackets */ + ip = get_string_arg (line, &match[mi+4]); + else + ip = get_string_arg (line, &match[mi]); if (!ip) return -1; - mi += 5; + mi += 16; port = (int) get_long_arg (line, &match[mi]); mi += 3; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/src/hsearch.c new/tinyproxy-1.11.2/src/hsearch.c --- old/tinyproxy-1.11.1/src/hsearch.c 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/src/hsearch.c 2024-05-08 20:25:23.000000000 +0200 @@ -80,9 +80,10 @@ { size_t newsize; size_t i, j; + size_t oldmask = htab->mask; struct elem *e, *newe; struct elem *oldtab = htab->elems; - struct elem *oldend = htab->elems + htab->mask + 1; + struct elem *oldend; if (nel > MAXSIZE) nel = MAXSIZE; @@ -95,6 +96,8 @@ htab->mask = newsize - 1; if (!oldtab) return 1; + + oldend = oldtab + oldmask + 1; for (e = oldtab; e < oldend; e++) if (e->item.key) { for (i=e->hash,j=1; ; i+=j++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/src/main.c new/tinyproxy-1.11.2/src/main.c --- old/tinyproxy-1.11.1/src/main.c 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/src/main.c 2024-05-08 20:25:23.000000000 +0200 
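Review bot: `mi += 16` and `match[mi+4]` are hand-counted offsets into the capture groups of the upstream host alternation (`"(" IP "|" "\\[(" IPV6 ")\\]" "|" ALNUM ")"` in the conf.c hunk at line ~250), and neither number says where it comes from; the old 5 had the same problem and the IPV6SCOPE addition shows how easily the count shifts. Counting the groups visible on this page gives outer 1 + IP 3 + bracket 1 + IPV6 10 + ALNUM 1 (assuming ALNUM is a single group; its definition is not in the diff), which is why the bracketed address sits at mi+4 and the port's INT at mi+16. Put that derivation in a comment, e.g. `/* host group layout: mi outer, mi+1..3 IP, mi+4 "[IPV6]", mi+5..14 IPV6 internals, mi+15 ALNUM -> 16 groups */`, so the next regex change updates both numbers together. The enclosing function (presumably handle_upstream) starts and ends outside the hunk.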
@@ -257,7 +257,7 @@ int ret, ret2; struct config_s *c_next = get_next_config(); - log_message (LOG_NOTICE, "Reloading config file"); + log_message (LOG_NOTICE, "Reloading config file (%s)", config_file); if (reload_logging) shutdown_logging (); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/tinyproxy-1.11.1/src/reqs.c new/tinyproxy-1.11.2/src/reqs.c --- old/tinyproxy-1.11.1/src/reqs.c 2022-05-27 16:07:50.000000000 +0200 +++ new/tinyproxy-1.11.2/src/reqs.c 2024-05-08 20:25:23.000000000 +0200 @@ -301,21 +301,16 @@ } /* - * These two defines are for the SSL tunnelling. + * Send the appropriate response to the client to establish a + * connection via CONNECT method. */ -#define SSL_CONNECTION_RESPONSE "HTTP/1.0 200 Connection established" -#define PROXY_AGENT "Proxy-agent: " PACKAGE "/" VERSION - -/* - * Send the appropriate response to the client to establish a SSL - * connection. - */ -static int send_ssl_response (struct conn_s *connptr) +static int send_connect_method_response (struct conn_s *connptr) { return write_message (connptr->client_fd, - "%s\r\n" - "%s\r\n" - "\r\n", SSL_CONNECTION_RESPONSE, PROXY_AGENT); + "HTTP/1.%u 200 Connection established\r\n" + "Proxy-agent: " PACKAGE "/" VERSION "\r\n" + "\r\n", connptr->protocol.major != 1 ? 0 : + connptr->protocol.minor); } /* @@ -327,9 +322,11 @@ { char *url; struct request_s *request; - int ret; + int ret, skip_trans; size_t request_len; + skip_trans = 0; + /* NULL out all the fields so frees don't cause segfaults. */ request = (struct request_s *) safecalloc (1, sizeof (struct request_s)); 
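Review bot: In send_connect_method_response the status line echoes the client's minor version unclamped (`connptr->protocol.major != 1 ? 0 : connptr->protocol.minor`), so a request line advertising HTTP/1.9 would be answered with `HTTP/1.9 200 Connection established`; a server should state a version it actually implements, i.e. 1.0 or 1.1, so use `connptr->protocol.major == 1 && connptr->protocol.minor >= 1 ? 1u : 0u`. The `%u` conversion also requires that field to be unsigned; its type and the place where it is parsed from the request line are outside the hunk, so confirm the type or cast explicitly.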
@@ -346,8 +343,12 @@ goto fail; } + /* zero-terminate the strings so they don't contain junk in error page */ + request->method[0] = url[0] = request->protocol[0] = 0; + ret = sscanf (connptr->request_line, "%[^ ] %[^ ] %[^ ]", request->method, url, request->protocol); + if (ret == 2 && !strcasecmp (request->method, "GET")) { request->protocol[0] = 0; @@ -402,6 +403,7 @@ } safefree (url); url = reverse_url; + skip_trans = 1; } else if (config->reverseonly) { log_message (LOG_ERR, "Bad request, no mapping for '%s' found", @@ -451,11 +453,13 @@ connptr->connect_method = TRUE; } else { #ifdef TRANSPARENT_PROXY - if (!do_transparent_proxy - (connptr, hashofheaders, request, config, &url)) { - goto fail; - } -#else + if (!skip_trans) { + if (!do_transparent_proxy + (connptr, hashofheaders, request, config, &url)) + goto fail; + } else +#endif + { indicate_http_error (connptr, 501, "Not Implemented", "detail", "Unknown method or unsupported protocol.", @@ -463,7 +467,7 @@ log_message (LOG_INFO, "Unknown method (%s) or protocol (%s)", request->method, url); goto fail; -#endif + } } #ifdef FILTER_ENABLE @@ -775,7 +779,7 @@ char *data; char *ptr; ssize_t len; - int i; + int i,j,df; for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) { /* Look for the connection header. If it's not found, return. */ @@ -800,7 +804,12 @@ */ ptr = data; while (ptr < data + len) { - orderedmap_remove (hashofheaders, ptr); + df = 0; + /* check that ptr isn't one of headers to prevent + double-free (CVE-2023-49606) */ + for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j) + if(!strcasecmp(ptr, headers[j])) df = 1; + if (!df) orderedmap_remove (hashofheaders, ptr); /* Advance ptr to the next token */ ptr += strlen (ptr) + 1; 
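Review bot: After the new `request->method[0] = url[0] = request->protocol[0] = 0;` the `request->protocol[0] = 0;` inside the `ret == 2 && GET` branch is redundant, since sscanf does not touch the third buffer when only two conversions matched; drop it or say why it stays. The `%[^ ]` conversions remain unbounded, which is only safe if method, url and protocol are each allocated with at least `request_len` bytes (the allocation is above the hunk); a comment on the sscanf line such as `/* buffers are request_len bytes, longer than any token of request_line */` would tie the zeroing and the sizing together. The enclosing function starts before and ends after the hunk.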
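Review bot: The new `df` loop makes the fix for CVE-2023-49606 depend on `headers[]` being exactly the set of keys from which `data` was borrowed: `data` appears to point into the hashofheaders entry named by one of those headers (it is obtained above the hunk), and removing that entry freed the string being walked. Skipping those keys is correct, but a future addition to `headers[]` or a change in how `data` is obtained silently re-opens the use-after-free; duplicating the value once before the `while (ptr < data + len)` walk and freeing the copy afterwards would decouple the two, and deserves at least a comment stating the invariant: `/* data is owned by the hashofheaders entry; never remove the key it came from */`. The inner loop should also stop at the first hit: `if (!strcasecmp (ptr, headers[j])) { df = 1; break; }`. The enclosing function's name and the `headers[]` table are outside the hunk.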
@@ -1684,6 +1693,10 @@ if(failure) { e401: update_stats (STAT_DENIED); + log_message (LOG_INFO, + "Failed auth attempt (file descriptor: %d), ip %s", + connptr->client_fd, + connptr->client_ip_addr); indicate_http_error (connptr, 401, "Unauthorized", "detail", "The administrator of this proxy has not configured " @@ -1762,10 +1775,10 @@ HC_FAIL(); } } else { - if (send_ssl_response (connptr) < 0) { + if (send_connect_method_response (connptr) < 0) { log_message (LOG_ERR, - "handle_connection: Could not send SSL greeting " - "to client."); + "handle_connection: Could not send CONNECT" + " method greeting to client."); update_stats (STAT_BADCONN); HC_FAIL(); }
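Review bot: The failed-auth log line added at label e401 records `connptr->client_fd`, a number that is reused across connections and has no value for later correlation, while the event is emitted at LOG_INFO, which a production LogLevel may filter out, so the line an operator would want for spotting credential guessing is the one most likely to be dropped. Prefer `log_message (LOG_WARNING, "Failed auth attempt from %s", connptr->client_ip_addr);` and keep the submitted credentials out of the log. Whether client_ip_addr is always set by the time this label is reached is determined outside the hunk.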