Your message dated Tue, 17 Feb 2015 19:38:39 +0100
with message-id <[email protected]>
and subject line Re: The libhtp SONAME mismatch *is* a policy violation.
has caused the Debian Bug report #777040,
regarding unblock: libhtp/0.5.16-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
777040: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777040
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package libhtp
(explain the reason for the unblock here)
Dear release team,
We were contacted privately regarding this release of libhtp/suricata
which include important security updates (no CVE asigned thought).
We considered backporting just the important patches, but the changelog is
rather small and we decided to package the new version directly.
Before we upload 0.5.16-1 to unstable we would like to make sure that this is
OK for you.
This is the debdiff, which was generated using this cmdline:
debdiff --diffstat libhtp_0.5.15-1.dsc libhtp_0.5.16-1.dsc | filterdiff -i
'*.[ch]'
--- libhtp-0.5.15/htp/htp_config.c 2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_config.c 2015-01-27 07:08:27.000000000 +0100
@@ -559,6 +559,7 @@
htp_config_set_convert_lowercase(cfg, HTP_DECODER_URL_PATH, 1);
htp_config_set_utf8_convert_bestfit(cfg, HTP_DECODER_URL_PATH, 1);
htp_config_set_u_encoding_decode(cfg, HTP_DECODER_URL_PATH, 1);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg,
HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
case HTP_SERVER_APACHE_2:
@@ -575,6 +576,7 @@
htp_config_set_url_encoding_invalid_handling(cfg,
HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_url_encoding_invalid_unwanted(cfg,
HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH,
HTP_UNWANTED_IGNORE);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg,
HTP_DECODER_DEFAULTS, HTP_UNWANTED_400);
break;
case HTP_SERVER_IIS_5_1:
@@ -590,6 +592,7 @@
htp_config_set_url_encoding_invalid_handling(cfg,
HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH,
HTP_UNWANTED_IGNORE);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg,
HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
case HTP_SERVER_IIS_6_0:
@@ -606,6 +609,7 @@
htp_config_set_url_encoding_invalid_handling(cfg,
HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_u_encoding_unwanted(cfg, HTP_DECODER_URL_PATH,
HTP_UNWANTED_400);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH,
HTP_UNWANTED_400);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg,
HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
case HTP_SERVER_IIS_7_0:
@@ -623,6 +627,7 @@
htp_config_set_url_encoding_invalid_handling(cfg,
HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_url_encoding_invalid_unwanted(cfg,
HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH,
HTP_UNWANTED_400);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg,
HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
default:
@@ -883,3 +888,9 @@
}
}
}
+
+void htp_config_set_requestline_leading_whitespace_unwanted(htp_cfg_t *cfg,
enum htp_decoder_ctx_t ctx, enum htp_unwanted_t unwanted) {
+ if (ctx >= HTP_DECODER_CONTEXTS_MAX) return;
+
+ cfg->requestline_leading_whitespace_unwanted = unwanted;
+}
--- libhtp-0.5.15/htp/htp_connection_parser.c 2014-10-16 14:03:28.000000000
+0200
+++ libhtp-0.5.16/htp/htp_connection_parser.c 2015-01-27 07:08:27.000000000
+0100
@@ -49,8 +49,10 @@
htp_conn_close(connp->conn, timestamp);
// Update internal flags
- connp->in_status = HTP_STREAM_CLOSED;
- connp->out_status = HTP_STREAM_CLOSED;
+ if (connp->in_status != HTP_STREAM_ERROR)
+ connp->in_status = HTP_STREAM_CLOSED;
+ if (connp->out_status != HTP_STREAM_ERROR)
+ connp->out_status = HTP_STREAM_CLOSED;
// Call the parsers one last time, which will allow them
// to process the events that depend on stream closure
--- libhtp-0.5.15/htp/htp_request_generic.c 2014-10-16 14:03:28.000000000
+0200
+++ libhtp-0.5.16/htp/htp_request_generic.c 2015-01-27 07:08:27.000000000
+0100
@@ -251,6 +251,7 @@
unsigned char *data = bstr_ptr(tx->request_line);
size_t len = bstr_len(tx->request_line);
size_t pos = 0;
+ size_t mstart = 0;
if (nul_terminates) {
// The line ends with the first NUL byte.
@@ -266,13 +267,27 @@
pos = 0;
}
+ // skip past leading whitespace. IIS allows this
+ while ((pos < len) && htp_is_space(data[pos])) pos++;
+ if (pos) {
+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line:
leading whitespace");
+ mstart = pos;
+
+ if (connp->cfg->requestline_leading_whitespace_unwanted !=
HTP_UNWANTED_IGNORE) {
+ // reset mstart so that we copy the whitespace into the method
+ mstart = 0;
+ // set expected response code to this anomaly
+ tx->response_status_expected_number =
connp->cfg->requestline_leading_whitespace_unwanted;
+ }
+ }
+
// The request method starts at the beginning of the
// line and ends with the first whitespace character.
while ((pos < len) && (!htp_is_space(data[pos]))) pos++;
// No, we don't care if the method is empty.
- tx->request_method = bstr_dup_mem(data, pos);
+ tx->request_method = bstr_dup_mem(data + mstart, pos - mstart);
if (tx->request_method == NULL) return HTP_ERROR;
#ifdef HTP_DEBUG
--- libhtp-0.5.15/htp/htp_transaction.c 2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_transaction.c 2015-01-27 07:08:27.000000000 +0100
@@ -792,6 +792,10 @@
switch (tx->response_content_encoding_processing) {
case HTP_COMPRESSION_GZIP:
case HTP_COMPRESSION_DEFLATE:
+ // In severe memory stress these could be NULL
+ if (tx->connp->out_decompressor == NULL ||
tx->connp->out_decompressor->decompress == NULL)
+ return HTP_ERROR;
+
// Send data buffer to the decompressor.
tx->connp->out_decompressor->decompress(tx->connp->out_decompressor, &d);
unblock libhtp/0.5.16-1
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Le 2015-02-16 23:09, Hilko Bengen a écrit :
* Julien Cristau:
1. Override upstream's decision to change the SONAME with every
release.
I am not entirelysure how stable libhtp's API/ABI should be
considered -- looking at changes and deciding on compatibility
issues
making those decisions would certainly put a burden on the
maintainer
in the future (although the .symbols mechanism helps for obvious
cases such as removed APIs.)
I am attaching a patch to drop the -release parameter from the
libtool call, libhtp.so.1.0.0 (instead of libhtp-0.5.15.so.1.0.0)
is
generated. The .symbols file would need to be updated to reflect
that
change, too, of course.
2. Since suricata is the only reverse dependency of libhtp and
contains
a copy of libhtp within its source tarball, so we could drop the
libhtp package altogether and use that embedded copy instead, at
least for the jessie release.
3. Change the binary package name to reflect the SONAME -- for
instance
libhtp-0.5.15. I believe that we are too late in the freeze to be
adding new binary package names.
For jessie, 2 sounds like the best way to go IMO.
Removal hint added for libhtp.
Thank you. Could somebody please decide about #777042 ("unblock:
suricata/2.0.6-1")?
It was unblocked.
Regards,
--
Mehdi
--- End Message ---
