Hello community,

here is the log from the commit of package thttpd for openSUSE:Factory checked 
in at 2018-10-23 20:41:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/thttpd (Old)
 and      /work/SRC/openSUSE:Factory/.thttpd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "thttpd"

Tue Oct 23 20:41:52 2018 rev:40 rq:643958 version:2.29

Changes:
--------
--- /work/SRC/openSUSE:Factory/thttpd/thttpd.changes    2017-11-11 
14:20:22.121523022 +0100
+++ /work/SRC/openSUSE:Factory/.thttpd.new/thttpd.changes       2018-10-23 
20:42:42.504378151 +0200
@@ -1,0 +2,10 @@
+Mon Oct 22 08:44:39 UTC 2018 - Vítězslav Čížek <[email protected]>
+
+- Update to 2.29 (bsc#1112629)
+  Allow CGI to handle HTTP methods besides GET/HEAD/POST.
+  Improvements to the FreeBSD startup script. (Craig Leres)
+  Minor portability tweak in mmc.c.
+  Fix to buffer overrun bug in htpasswd. Reported by Alessio Santoru as 
CVE-2017-17663.
+- update thttpd-2.25b-overflow.diff
+
+-------------------------------------------------------------------

Old:
----
  thttpd-2.27.tar.gz

New:
----
  thttpd-2.29.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ thttpd.spec ++++++
--- /var/tmp/diff_new_pack.BZyLwF/_old  2018-10-23 20:42:43.360377128 +0200
+++ /var/tmp/diff_new_pack.BZyLwF/_new  2018-10-23 20:42:43.360377128 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package thttpd
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -23,13 +23,13 @@
 %define with_systemd 0
 %endif
 Name:           thttpd
-Version:        2.27
+Version:        2.29
 Release:        0
 Summary:        Small and simple webserver
 License:        BSD-3-Clause
 Group:          Productivity/Networking/Web/Servers
 Url:            http://www.acme.com/software/thttpd/
-Source:         %{name}-%{version}.tar.gz
+Source:         http://www.acme.com/software/thttpd/%{name}-%{version}.tar.gz
 Source1:        %{name}-initd.script
 Source2:        %{name}.service
 Source3:        %{name}.logrotate
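Review bot: The new `Source:` line points at a plain `http://` URL, so any tooling that fetches or re-checks the tarball from that line does so over an unauthenticated channel, while the same diff moves the bug-tracker URL to `https://`. If upstream serves the same path over TLS (not visible here), prefer `Source:         https://www.acme.com/software/thttpd/%{name}-%{version}.tar.gz`. The visible lines show no signature or keyring source next to the tarball, so the integrity of the checked-in archive presumably rests on the build service alone; that is worth confirming for a release that carries a CVE fix.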

++++++ thttpd-2.25b-overflow.diff ++++++
--- /var/tmp/diff_new_pack.BZyLwF/_old  2018-10-23 20:42:43.388377095 +0200
+++ /var/tmp/diff_new_pack.BZyLwF/_new  2018-10-23 20:42:43.388377095 +0200
@@ -1,18 +1,8 @@
 Index: extras/htpasswd.c
 ===================================================================
---- extras/htpasswd.c.orig     2014-09-03 09:40:24.741007309 +0200
-+++ extras/htpasswd.c  2014-09-03 09:42:47.188597773 +0200
-@@ -184,15 +184,17 @@ int main(int argc, char *argv[]) {
-         fprintf(stderr,"Use -c option to create new one.\n");
-         exit(1);
-     }
--    strcpy(user,argv[2]);
- 
-+    strncpy(user,argv[2],MAX_STRING_LEN);
-+    user[MAX_STRING_LEN-1]='\0';
-     found = 0;
-     while(!(my_getline(line,MAX_STRING_LEN,f))) {
-         if(found || (line[0] == '#') || (!line[0])) {
+--- extras/htpasswd.c.orig     2018-10-22 10:48:47.811465609 +0200
++++ extras/htpasswd.c  2018-10-22 10:52:45.008744706 +0200
+@@ -193,7 +193,8 @@ int main(int argc, char *argv[]) {
              putline(tfp,line);
              continue;
          }
@@ -22,7 +12,7 @@
          getword(w,l,':');
          if(strcmp(user,w)) {
              putline(tfp,line);
-@@ -210,7 +212,8 @@ int main(int argc, char *argv[]) {
+@@ -211,7 +212,8 @@ int main(int argc, char *argv[]) {
      }
      fclose(f);
      fclose(tfp);

++++++ thttpd-2.27.tar.gz -> thttpd-2.29.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/INSTALL new/thttpd-2.29/INSTALL
--- old/thttpd-2.27/INSTALL     2003-12-29 18:14:43.000000000 +0100
+++ new/thttpd-2.29/INSTALL     2018-05-24 01:31:09.000000000 +0200
@@ -20,9 +20,9 @@
     On Red Hat Linux systems you can use RPM to install thttpd, like so:
 
        cd /usr/src/redhat/SOURCES
-       wget http://www.acme.com/software/thttpd/thttpd-2.26.tar.gz
-       rpm -ta thttpd-2.26.tar.gz
-       rpm -i /usr/src/redhat/RPMS/i386/thttpd-2.26-1.i386.rpm
+       wget http://www.acme.com/software/thttpd/thttpd-2.29.tar.gz
+       rpm -ta thttpd-2.29.tar.gz
+       rpm -i /usr/src/redhat/RPMS/i386/thttpd-2.29-1.i386.rpm
 
 
 Solaris:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/README new/thttpd-2.29/README
--- old/thttpd-2.27/README      2015-10-20 01:38:08.000000000 +0200
+++ new/thttpd-2.29/README      2018-05-24 01:31:02.000000000 +0200
@@ -1,5 +1,5 @@
              thttpd - tiny/turbo/throttling HTTP server
-                    version 2.27 of 19Oct2015
+                    version 2.29 of 23May2018
 
 thttpd is a simple, small, portable, fast, and secure HTTP server.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/contrib/redhat-rpm/thttpd.spec 
new/thttpd-2.29/contrib/redhat-rpm/thttpd.spec
--- old/thttpd-2.27/contrib/redhat-rpm/thttpd.spec      2015-10-20 
01:38:13.000000000 +0200
+++ new/thttpd-2.29/contrib/redhat-rpm/thttpd.spec      2018-05-24 
01:31:15.000000000 +0200
@@ -1,6 +1,6 @@
 Summary: Throttleable lightweight httpd server
 Name: thttpd
-Version: 2.27
+Version: 2.29
 Release: 1
 Group: Networking
 URL: http://www.acme.com/software/thttpd
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/extras/htpasswd.c 
new/thttpd-2.29/extras/htpasswd.c
--- old/thttpd-2.27/extras/htpasswd.c   2014-08-05 00:34:56.000000000 +0200
+++ new/thttpd-2.29/extras/htpasswd.c   2017-12-13 17:35:28.000000000 +0100
@@ -48,7 +48,7 @@
 }
 
 static int my_getline(char *s, int n, FILE *f) {
-    register int i=0;
+    int i=0;
 
     while(1) {
         s[i] = (char)fgetc(f);
@@ -76,7 +76,7 @@
 static unsigned char itoa64[] =         /* 0 ... 63 => ascii - 64 */
         "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
-static void to64(register char *s, register long v, register int n) {
+static void to64(char *s, long v, int n) {
     while (--n >= 0) {
         *s++ = itoa64[v&0x3f];
         v >>= 6;
@@ -184,7 +184,8 @@
         fprintf(stderr,"Use -c option to create new one.\n");
         exit(1);
     }
-    strcpy(user,argv[2]);
+    strncpy(user,argv[2],sizeof(user)-1);
+    user[sizeof(user)-1] = '\0';
 
     found = 0;
     while(!(my_getline(line,MAX_STRING_LEN,f))) {
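Review bot: An over-long user name is now silently truncated by the added `strncpy` and terminator lines, and the loop that follows then works with the truncated name, so the tool could end up creating or changing the entry of a different, shorter-named user than the one typed. Rejecting the input is safer than truncating it, e.g. `if (strlen(argv[2]) >= sizeof(user)) { fprintf(stderr,"User name too long.\n"); exit(1); }` placed before the copy. `sizeof(user)` is only the buffer size if `user` is declared as an array; that declaration, like the start and end of `main`, is outside this hunk.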
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/libhttpd.c new/thttpd-2.29/libhttpd.c
--- old/thttpd-2.27/libhttpd.c  2015-10-20 01:40:27.000000000 +0200
+++ new/thttpd-2.29/libhttpd.c  2018-05-23 21:23:06.000000000 +0200
@@ -1210,6 +1210,9 @@
        case METHOD_GET: return "GET";
        case METHOD_HEAD: return "HEAD";
        case METHOD_POST: return "POST";
+       case METHOD_PUT: return "PUT";
+       case METHOD_DELETE: return "DELETE";
+       case METHOD_TRACE: return "TRACE";
        default: return "UNKNOWN";
        }
     }
@@ -2028,6 +2031,12 @@
        hc->method = METHOD_HEAD;
     else if ( strcasecmp( method_str, httpd_method_str( METHOD_POST ) ) == 0 )
        hc->method = METHOD_POST;
+    else if ( strcasecmp( method_str, httpd_method_str( METHOD_PUT ) ) == 0 )
+       hc->method = METHOD_PUT;
+    else if ( strcasecmp( method_str, httpd_method_str( METHOD_DELETE ) ) == 0 
)
+       hc->method = METHOD_DELETE;
+    else if ( strcasecmp( method_str, httpd_method_str( METHOD_TRACE ) ) == 0 )
+       hc->method = METHOD_TRACE;
     else
        {
        httpd_send_err( hc, 501, err501title, "", err501form, method_str );
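Review bot: The three added branches match the method with `strcasecmp`, like the existing ones, so `delete` or `Put` is accepted as DELETE or PUT even though HTTP method tokens are case-sensitive. That matters more for the new state-changing methods than it did for GET: a front-end filter or access rule that matches `DELETE` exactly would disagree with this server about what the request is. An exact comparison is enough for the new branches, e.g. `else if ( strcmp( method_str, httpd_method_str( METHOD_DELETE ) ) == 0 )`. The enclosing function begins and ends outside the hunk.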
@@ -3567,54 +3576,45 @@
     int r;
     ClientData client_data;
 
-    if ( hc->method == METHOD_GET || hc->method == METHOD_POST )
+    if ( hc->hs->cgi_limit != 0 && hc->hs->cgi_count >= hc->hs->cgi_limit )
        {
-       if ( hc->hs->cgi_limit != 0 && hc->hs->cgi_count >= hc->hs->cgi_limit )
-           {
-           httpd_send_err(
-               hc, 503, httpd_err503title, "", httpd_err503form,
-               hc->encodedurl );
-           return -1;
-           }
-       ++hc->hs->cgi_count;
-       httpd_clear_ndelay( hc->conn_fd );
-       r = fork( );
-       if ( r < 0 )
-           {
-           syslog( LOG_ERR, "fork - %m" );
-           httpd_send_err(
-               hc, 500, err500title, "", err500form, hc->encodedurl );
-           return -1;
-           }
-       if ( r == 0 )
-           {
-           /* Child process. */
-           sub_process = 1;
-           httpd_unlisten( hc->hs );
-           cgi_child( hc );
-           }
-
-       /* Parent process. */
-       syslog( LOG_DEBUG, "spawned CGI process %d for file '%.200s'", r, 
hc->expnfilename );
-#ifdef CGI_TIMELIMIT
-       /* Schedule a kill for the child process, in case it runs too long */
-       client_data.i = r;
-       if ( tmr_create( (struct timeval*) 0, cgi_kill, client_data, 
CGI_TIMELIMIT * 1000L, 0 ) == (Timer*) 0 )
-           {
-           syslog( LOG_CRIT, "tmr_create(cgi_kill child) failed" );
-           exit( 1 );
-           }
-#endif /* CGI_TIMELIMIT */
-       hc->status = 200;
-       hc->bytes_sent = CGI_BYTECOUNT;
-       hc->should_linger = 0;
+       httpd_send_err(
+           hc, 503, httpd_err503title, "", httpd_err503form,
+           hc->encodedurl );
+       return -1;
        }
-    else
+    ++hc->hs->cgi_count;
+    httpd_clear_ndelay( hc->conn_fd );
+    r = fork( );
+    if ( r < 0 )
        {
+       syslog( LOG_ERR, "fork - %m" );
        httpd_send_err(
-           hc, 501, err501title, "", err501form, httpd_method_str( hc->method 
) );
+           hc, 500, err500title, "", err500form, hc->encodedurl );
        return -1;
        }
+    if ( r == 0 )
+       {
+       /* Child process. */
+       sub_process = 1;
+       httpd_unlisten( hc->hs );
+       cgi_child( hc );
+       }
+
+    /* Parent process. */
+    syslog( LOG_DEBUG, "spawned CGI process %d for file '%.200s'", r, 
hc->expnfilename );
+#ifdef CGI_TIMELIMIT
+    /* Schedule a kill for the child process, in case it runs too long */
+    client_data.i = r;
+    if ( tmr_create( (struct timeval*) 0, cgi_kill, client_data, CGI_TIMELIMIT 
* 1000L, 0 ) == (Timer*) 0 )
+       {
+       syslog( LOG_CRIT, "tmr_create(cgi_kill child) failed" );
+       exit( 1 );
+       }
+#endif /* CGI_TIMELIMIT */
+    hc->status = 200;
+    hc->bytes_sent = CGI_BYTECOUNT;
+    hc->should_linger = 0;
 
     return 0;
     }
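Review bot: With the outer method test removed, this function forks a CGI child for every method the request parser lets through, which after this release includes HEAD, PUT, DELETE and TRACE, and nothing in the visible lines lets an administrator opt out. CGI programs deployed under 2.27 could rely on the server answering 501 for anything but GET and POST; after the upgrade, a script that never inspects REQUEST_METHOD may treat a DELETE or PUT like a GET. At minimum the contract deserves a comment above the limit check, such as `/* No method check here: every parsed method reaches the CGI program, which must validate REQUEST_METHOD itself. */`, and the package changelog should tell admins to audit their scripts. The function's signature and opening lines are outside the hunk.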
@@ -3637,14 +3637,6 @@
 
     expnlen = strlen( hc->expnfilename );
 
-    if ( hc->method != METHOD_GET && hc->method != METHOD_HEAD &&
-        hc->method != METHOD_POST )
-       {
-       httpd_send_err(
-           hc, 501, err501title, "", err501form, httpd_method_str( hc->method 
) );
-       return -1;
-       }
-
     /* Stat the file. */
     if ( stat( hc->expnfilename, &hc->sb ) < 0 )
        {
@@ -3855,6 +3847,13 @@
        return -1;
        }
 
+    if ( hc->method != METHOD_GET && hc->method != METHOD_HEAD )
+       {
+       httpd_send_err(
+           hc, 501, err501title, "", err501form, httpd_method_str( hc->method 
) );
+       return -1;
+       }
+
     /* Fill in last_byte_index, if necessary. */
     if ( hc->got_range &&
         ( hc->last_byte_index == -1 || hc->last_byte_index >= hc->sb.st_size ) 
)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/libhttpd.h new/thttpd-2.29/libhttpd.h
--- old/thttpd-2.27/libhttpd.h  2015-10-19 23:30:43.000000000 +0200
+++ new/thttpd-2.29/libhttpd.h  2018-05-23 20:46:35.000000000 +0200
@@ -152,6 +152,9 @@
 #define METHOD_GET 1
 #define METHOD_HEAD 2
 #define METHOD_POST 3
+#define METHOD_PUT 4
+#define METHOD_DELETE 5
+#define METHOD_TRACE 6
 
 /* States for checked_state. */
 #define CHST_FIRSTWORD 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/mmc.c new/thttpd-2.29/mmc.c
--- old/thttpd-2.27/mmc.c       2014-12-10 21:53:22.000000000 +0100
+++ new/thttpd-2.29/mmc.c       2015-11-05 19:13:49.000000000 +0100
@@ -523,9 +523,9 @@
 mmc_logstats( long secs )
     {
     syslog(
-       LOG_NOTICE, "  map cache - %d allocated, %d active (%lld bytes), %d 
free; hash size: %d; expire age: %ld",
+       LOG_NOTICE, "  map cache - %d allocated, %d active (%lld bytes), %d 
free; hash size: %d; expire age: %lld",
        alloc_count, map_count, (long long) mapped_bytes, free_count, hash_size,
-       expire_age );
+       (long long) expire_age );
     if ( map_count + free_count != alloc_count )
        syslog( LOG_ERR, "map counts don't add up!" );
     }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/scripts/thttpd.sh 
new/thttpd-2.29/scripts/thttpd.sh
--- old/thttpd-2.27/scripts/thttpd.sh   2015-02-04 15:30:36.000000000 +0100
+++ new/thttpd-2.29/scripts/thttpd.sh   2016-06-18 22:06:08.000000000 +0200
@@ -2,13 +2,16 @@
 #
 # thttpd.sh - startup script for thttpd on FreeBSD
 #
-# This goes in /usr/local/etc/rc.d and gets run at boot-time.
+# This should be manually installed as:
+#   /usr/local/etc/rc.d/thttpd
+# It gets run at boot-time.
 #
 # Variables available:
-#   thttpd_enable='YES/NO'
-#   thttpd_program='path'
-#   thttpd_pidfile='path'
-#   thttpd_devfs='path'
+#   thttpd_enable='YES'
+#   thttpd_program='/usr/local/sbin/thttpd'
+#   thttpd_pidfile='/var/run/thttpd.pid'
+#   thttpd_devfs=...
+#   thttpd_flags=...
 #
 # PROVIDE: thttpd
 # REQUIRE: LOGIN FILESYSTEMS
@@ -18,31 +21,27 @@
 
 name='thttpd'
 rcvar='thttpd_enable'
+start_precmd='thttpd_precmd'
+stop_cmd='thttpd_stop'
+thttpd_enable_defval='NO'
 
 load_rc_config "$name"
-
-# Defaults.
-thttpd_enable="${thttpd_enable:-'NO'}"
-thttpd_program="${thttpd_program:-'/usr/local/sbin/thttpd'}"
-thttpd_pidfile="${thttpd_pidfile:-'/var/run/thttpd.pid'}"
+command="${thttpd_program:-/usr/local/sbin/${name}}"
+pidfile="${thttpd_pidfile:-/var/run/${name}.pid}"
+command_args="-i ${pidfile}"
 
 thttpd_precmd ()
-    {
-    if [ '' != "$thttpd_devfs" ] ; then
-       mount -t devfs devfs "$thttpd_devfs"
-       devfs -m "$thttpd_devfs" rule -s 1 applyset
-       devfs -m "$thttpd_devfs" rule -s 2 applyset
-    fi
-    }
+{
+       if [ -n "$thttpd_devfs" ] ; then
+               mount -t devfs devfs "$thttpd_devfs"
+               devfs -m "$thttpd_devfs" rule -s 1 applyset
+               devfs -m "$thttpd_devfs" rule -s 2 applyset
+       fi
+}
 
 thttpd_stop ()
-    {
-    kill -USR1 `cat "$pidfile"`
-    }
-
-command="$thttpd_program"
-pidfile="$thttpd_pidfile"
-start_precmd='thttpd_precmd'
-stop_cmd='thttpd_stop'
+{
+       kill -USR1 `cat "$pidfile"`
+}
 
 run_rc_command "$1"
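Review bot: `thttpd_stop` signals whatever `cat "$pidfile"` prints without checking that the file exists and holds a PID, so a missing or empty pidfile turns into a bare `kill -USR1` error and a stale one can signal an unrelated process. A guarded form is short: `[ -r "$pidfile" ] && kill -USR1 "$(cat "$pidfile")"`. In `thttpd_precmd` the result of `mount` is likewise not checked before the two `devfs ... applyset` calls; `mount -t devfs devfs "$thttpd_devfs" || return 1` would abort the start instead of running the rule commands against a path where nothing is mounted.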
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/thttpd-2.27/version.h new/thttpd-2.29/version.h
--- old/thttpd-2.27/version.h   2015-10-20 01:37:56.000000000 +0200
+++ new/thttpd-2.29/version.h   2018-05-24 01:30:54.000000000 +0200
@@ -3,7 +3,7 @@
 #ifndef _VERSION_H_
 #define _VERSION_H_
 
-#define SERVER_SOFTWARE "thttpd/2.27 19Oct2015"
+#define SERVER_SOFTWARE "thttpd/2.29 23May2018"
 #define SERVER_ADDRESS "http://www.acme.com/software/thttpd/";
 
 #endif /* _VERSION_H_ */

