Your message dated Sun, 05 May 2019 14:19:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#928389: unblock: libhtp/1:0.5.30-1
has caused the Debian Bug report #928389,
regarding unblock: libhtp/1:0.5.30-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928389
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package libhtp. The debdiff is attached.
The actual change is very small and does not affect the API/ABI.
This update is meant to go hand-in-hand with the new version of Suricata
(4.1.4) for which we have also asked for an unblock in #928294.
Again, with libhtp as the HTTP parsing component of a security-relevant
software tool exposed to potentially malicious traffic we should aim for
the latest version available in buster.
Here's the full changelog since the version in buster:
0.5.30 (07 March 2019)
----------------------
- array/list handling optimization by Philippe Antoine for an issue found
by oss-fuzz
- improved Windows support
- fuzz targets improvements by Philippe Antoine
- packaging improvements by Fabrice Fontaine
- install doc improved by Wenhui Zhang
unblock libhtp/1:0.5.30-1
Best regards
Sascha
diff -Nru libhtp-0.5.29/appveyor.yml libhtp-0.5.30/appveyor.yml
--- libhtp-0.5.29/appveyor.yml 1970-01-01 01:00:00.000000000 +0100
+++ libhtp-0.5.30/appveyor.yml 2019-03-07 08:35:13.000000000 +0100
@@ -0,0 +1,18 @@
+environment:
+ matrix:
+ - COMPILER: mingw-w64
+ MINGW_DIR: c:\msys64\mingw64
+ MINGW_ARCH: x86_64
+
+ - COMPILER: mingw
+ MINGW_DIR: c:\msys64\mingw32
+ MINGW_ARCH: i686
+
+build_script:
+ - set Path=%MINGW_DIR%\bin;c:\msys64\usr\bin;%Path%
+ - bash autogen.sh
+ - bash configure
+ - make distcheck
+
+#on_finish:
+# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
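Review bot: the commented-out on_finish step at the end of the file pipes a script fetched from the master branch of another repository straight into iex, and the script name says it enables RDP on the build worker. If it is ever uncommented it runs unpinned remote code inside CI, so I would drop the two lines or at least pin the URL to a commit hash. Separately, COMPILER and MINGW_ARCH are set for both matrix entries but build_script only reads MINGW_DIR; either use them or remove them.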
diff -Nru libhtp-0.5.29/ChangeLog libhtp-0.5.30/ChangeLog
--- libhtp-0.5.29/ChangeLog 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/ChangeLog 2019-03-07 08:35:13.000000000 +0100
@@ -1,3 +1,16 @@
+0.5.30 (07 March 2019)
+----------------------
+
+- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz
+
+- improved Windows support
+
+- fuzz targets improvements by Philippe Antoine
+
+- packaging improvements by Fabrice Fontaine
+
+- install doc improved by Wenhui Zhang
+
0.5.29 (21 December 2018)
-------------------------
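Review bot: the first entry of the new 0.5.30 block has two typos ("handing" for "handling", "found be oss-fuzz" for "found by oss-fuzz") and does not say what the issue was. Since downstream reviewers read this file to judge whether the release is security relevant, a short description of the problem or a reference to the report would help.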
diff -Nru libhtp-0.5.29/configure.ac libhtp-0.5.30/configure.ac
--- libhtp-0.5.29/configure.ac 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/configure.ac 2019-03-07 08:35:13.000000000 +0100
@@ -118,6 +118,11 @@
OS_WINDOWS="true"
NO_STACK_PROTECTOR="true"
;;
+ MSYS*)
+ AC_MSG_RESULT(MSYS)
+ OS_WINDOWS="true"
+ NO_STACK_PROTECTOR="true"
+ ;;
CYGWIN*)
AC_MSG_RESULT(Cygwin)
OS_CYGWIN="true"
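Review bot: the new MSYS*) arm sets the same two variables as the arm directly above it, so the two patterns could share one arm instead of duplicating the body. NO_STACK_PROTECTOR="true" also deserves a comment explaining why the stack protector is switched off for this toolchain, given that the library parses untrusted HTTP traffic, and whether that is still needed on current MSYS2 compilers.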
diff -Nru libhtp-0.5.29/debian/changelog libhtp-0.5.30/debian/changelog
--- libhtp-0.5.29/debian/changelog 2018-12-27 12:23:45.000000000 +0100
+++ libhtp-0.5.30/debian/changelog 2019-05-02 16:38:21.000000000 +0200
@@ -1,3 +1,9 @@
+libhtp (1:0.5.30-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Sascha Steinbiss <[email protected]> Thu, 02 May 2019 16:38:21 +0200
+
libhtp (1:0.5.29-1) unstable; urgency=medium
* New upstream release.
diff -Nru libhtp-0.5.29/htp/htp_list.c libhtp-0.5.30/htp/htp_list.c
--- libhtp-0.5.29/htp/htp_list.c 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp/htp_list.c 2019-03-07 08:35:13.000000000 +0100
@@ -172,15 +172,7 @@
if (idx + 1 > l->current_size) return HTP_DECLINED;
- size_t i = l->first;
-
- while (idx--) {
- if (++i == l->max_size) {
- i = 0;
- }
- }
-
- l->elements[i] = e;
+ l->elements[(l->first + idx) % l->max_size] = e;
return HTP_OK;
}
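Review bot: the guard kept as context above the new assignment, "if (idx + 1 > l->current_size)", wraps to 0 when idx is SIZE_MAX and therefore lets the call through. With the old loop that case spun for SIZE_MAX iterations; with the modulo form it returns immediately after writing e into whichever slot (l->first + idx) % l->max_size happens to select, which may lie outside the live range of the list. Writing the check as "if (idx >= l->current_size) return HTP_DECLINED;" avoids the wrap. The sum l->first + idx stays below twice max_size only if first < max_size and current_size <= max_size, which this hunk does not show, so a one-line comment stating that invariant would help, as would a unit test that replaces an element in a list whose first is non-zero (wrapped ring).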
diff -Nru libhtp-0.5.29/htp.pc.in libhtp-0.5.30/htp.pc.in
--- libhtp-0.5.29/htp.pc.in 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp.pc.in 2019-03-07 08:35:13.000000000 +0100
@@ -7,5 +7,6 @@
Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products.
Version: @PACKAGE_VERSION@
Libs: -L${libdir} -lhtp
+Libs.private: @LIBICONV@
Cflags: -I${includedir} -I${libdir}/htp/include
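Review bot: the new "Libs.private: @LIBICONV@" line is only correct if configure substitutes LIBICONV in every configuration, including builds where iconv comes from libc and the value is empty. Please confirm the variable is AC_SUBSTed unconditionally, otherwise the installed htp.pc will carry the literal placeholder and break pkg-config --static consumers.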
diff -Nru libhtp-0.5.29/README libhtp-0.5.30/README
--- libhtp-0.5.29/README 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/README 2019-03-07 08:35:13.000000000 +0100
@@ -43,6 +43,8 @@
Assuming you're using an already packaged version of LibHTP, the installation
process should be as simple as:
+ $ sudo chmod u+x autogen.sh
+ $ ./autogen.sh
$ ./configure
$ make
$ sudo make install
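Review bot: "sudo chmod u+x autogen.sh" should not need sudo, since the file lives in the user's own source tree, and getting readers used to running sudo inside a build directory is a poor habit; "sh autogen.sh" avoids the chmod entirely. The two added steps also contradict the sentence above them, which assumes an already packaged version: a release tarball normally ships configure, so autogen.sh belongs in a separate paragraph about building from a git checkout.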
diff -Nru libhtp-0.5.29/test/fuzz/fuzz_htp.c libhtp-0.5.30/test/fuzz/fuzz_htp.c
--- libhtp-0.5.29/test/fuzz/fuzz_htp.c 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/test/fuzz/fuzz_htp.c 2019-03-07 08:35:13.000000000 +0100
@@ -10,7 +10,7 @@
#include <sys/types.h>
#include <string.h>
#include <stdio.h>
-
+#include <inttypes.h>
#include <sys/stat.h>
#include <fcntl.h>
@@ -26,22 +26,82 @@
*
* @param[in] connp
*/
-static int callback_response(htp_tx_t *out_tx) {
+static int HTPCallbackResponse(htp_tx_t *out_tx) {
if (out_tx != NULL) {
char *x = bstr_util_strdup_to_c(out_tx->request_line);
- fprintf(logfile, "%s\n", x);
+ fprintf(logfile, "HTPCallbackResponse %s\n", x);
free(x);
}
return 0;
}
+static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackRequestHasTrailer(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestHasTrailer\n");
+ return 0;
+}
+
+static int HTPCallbackResponseHasTrailer(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackResponseHasTrailer\n");
+ return 0;
+}
+
+static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackRequestStart(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestStart\n");
+ return 0;
+}
+
+static int HTPCallbackRequest(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequest\n");
+ return 0;
+}
+
+static int HTPCallbackResponseStart(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackResponseStart\n");
+ return 0;
+}
+
+static int HTPCallbackRequestLine(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestLine\n");
+ return 0;
+}
+
/**
* Invoked every time LibHTP wants to log.
*
* @param[in] log
*/
-static int callback_log(htp_log_t *log) {
- fprintf(logfile, "[%d][code %d][file %s][line %d] %s\n",
+static int HTPCallbackLog(htp_log_t *log) {
+ fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n",
log->level, log->code, log->file, log->line, log->msg);
return 0;
}
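Review bot: in HTPCallbackResponse the result of bstr_util_strdup_to_c() is still passed to fprintf with %s without a NULL check; only out_tx is tested. Since the fuzz target now exercises many more parser states, guard x before printing so the harness does not report its own crash instead of a library bug. The eleven new callbacks also have no doc comments (the existing one above HTPCallbackResponse documents "connp" while the parameter is out_tx), and the ones taking "htp_tx_t *tx" never use it, which will warn under -Wunused-parameter.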
@@ -73,8 +133,20 @@
htp_config_destroy(cfg);
return 0;
}
- htp_config_register_response_complete(cfg, callback_response);
- htp_config_register_log(cfg, callback_log);
+ htp_config_register_log(cfg, HTPCallbackLog);
+ htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData);
+ htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);
+ htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData);
+ htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData);
+ htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer);
+ htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer);
+ htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
+ htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData);
+ htp_config_register_request_start(cfg, HTPCallbackRequestStart);
+ htp_config_register_request_complete(cfg, HTPCallbackRequest);
+ htp_config_register_response_start(cfg, HTPCallbackResponseStart);
+ htp_config_register_response_complete(cfg, HTPCallbackResponse);
+ htp_config_register_request_line(cfg, HTPCallbackRequestLine);
connp = htp_connp_create(cfg);
htp_connp_set_user_data(connp, (void *) 0x02);
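Review bot: htp_config_register_request_trailer_data and htp_config_register_response_trailer_data are given HTPCallbackRequestHeaderData and HTPCallbackResponseHeaderData, so trailer data is logged under the header-data label and the log cannot tell the two apart. If that is intentional, say so in a comment; otherwise add dedicated trailer-data callbacks so that a changed callback sequence is visible in the output.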
diff -Nru libhtp-0.5.29/.travis.yml libhtp-0.5.30/.travis.yml
--- libhtp-0.5.29/.travis.yml 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/.travis.yml 2019-03-07 08:35:13.000000000 +0100
@@ -8,3 +8,17 @@
- sudo apt-get update -qq
- sudo apt-get install -y build-essential autoconf automake libtool zlib1g zlib1g-dev make
+matrix:
+ include:
+ - name: fuzza
+ env: CXX="clang++" ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" LDFLAGS="-fsanitize=address"
+ compiler: clang
+ os: linux
+ - name: fuzzm
+ env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" LDFLAGS="-fsanitize=memory"
+ compiler: clang
+ os: linux
+ - name: fuzzu
+ env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer" LDFLAGS="-fsanitize=undefined"
+ compiler: clang
+ os: linux
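Review bot: the three fuzz jobs are not configured consistently. In fuzzu, -fno-sanitize-recover=undefined,integer appears only in CFLAGS and not in CXXFLAGS, and it names the integer group although -fsanitize=undefined does not enable it, so that part has no effect. In fuzza, ASAN_OPTIONS=detect_leaks=0 turns leak detection off without a comment saying why. The visible lines also add only build flags; if no existing script step actually runs the fuzz target on a corpus, these jobs only prove that the sanitized build compiles.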
diff -Nru libhtp-0.5.29/VERSION libhtp-0.5.30/VERSION
--- libhtp-0.5.29/VERSION 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/VERSION 2019-03-07 08:35:13.000000000 +0100
@@ -1,2 +1,2 @@
# This file is intended to be sourced by sh
-PKG_VERSION=0.5.28
+PKG_VERSION=0.5.30
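Review bot: the removed line reads PKG_VERSION=0.5.28 although the tree being replaced is 0.5.29, so the previous release shipped with a stale version string. Anything that sources this file, such as the @PACKAGE_VERSION@ written into htp.pc, would then have reported the wrong version. Consider generating VERSION from a single source or adding a release check that compares it with the ChangeLog heading.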
--- End Message ---
--- Begin Message ---
Sascha Steinbiss:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package libhtp. The debdiff is attached.
>
> The actual change is very small and does not affect the API/ABI.
> This update is meant to go hand-in-hand with the new version of Suricata
> (4.1.4) for which we have also asked for an unblock in #928294.
> Again, with libhtp as the HTTP parsing component of a security-relevant
> software tool exposed to potentially malicious traffic we should aim for
> the latest version available in buster.
>
> Here's the full changelog since the version in buster:
>
> 0.5.30 (07 March 2019)
> ----------------------
> - array/list handling optimization by Philippe Antoine for an issue found
> by oss-fuzz
> - improved Windows support
> - fuzz targets improvements by Philippe Antoine
> - packaging improvements by Fabrice Fontaine
> - install doc improved by Wenhui Zhang
>
> unblock libhtp/1:0.5.30-1
>
> Best regards
> Sascha
>
Unblocked, thanks.
~Niels
--- End Message ---