Hello community, here is the log from the commit of package openwsman for openSUSE:Factory checked in at 2019-08-15 12:28:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openwsman (Old) and /work/SRC/openSUSE:Factory/.openwsman.new.9556 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openwsman" Thu Aug 15 12:28:52 2019 rev:68 rq:723295 version:2.6.10 Changes: -------- --- /work/SRC/openSUSE:Factory/openwsman/openwsman.changes 2019-06-13 23:06:19.939194843 +0200 +++ /work/SRC/openSUSE:Factory/.openwsman.new.9556/openwsman.changes 2019-08-15 12:28:54.078520149 +0200 @@ -1,0 +2,11 @@ +Wed Aug 7 11:44:15 UTC 2019 - Klaus Kämpf <kkae...@suse.com> + +- Update to 2.6.10 + * install firewalld configuration (Leap/SLE 15+, Fedora 15+) + * Fix possible denial of service (bsc#1122623, CVE-2019-3816, CVE-2019-3833) + * Pthread usage fixes (Alexander Usyskin) + * Convert sprintf to snprintf and strcpy to strncpy (Tomas Winkler) + +- drop bsc1122623.patch and debug_fix.patch, upstreamed + +------------------------------------------------------------------- @@ -39,0 +51,3 @@ + +- Switch license to BSD-3-Clause AND GPL-2.0-only, since redirect + plugin is under GPL 2.0 only license. Old: ---- bsc1122623.patch debug_fix.patch openwsman-2.6.9.tar.bz2 New: ---- openwsman-2.6.10.tar.bz2 openwsman.firewalld ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openwsman.spec ++++++ --- /var/tmp/diff_new_pack.KS7JJK/_old 2019-08-15 12:28:55.342518977 +0200 +++ /var/tmp/diff_new_pack.KS7JJK/_new 2019-08-15 12:28:55.346518974 +0200 @@ -22,6 +22,12 @@ %define has_systemd 0 %endif +%if 0%{?suse_version} > 1500 || 0%{?fedora_version} > 14 +%define has_firewalld 1 +%else +%define has_firewalld 0 +%endif + %if 0%{?suse_version} >= 1500 %define want_python3 1 %else @@ -131,8 +137,12 @@ %{?systemd_requires} %endif +%if 0%{?has_firewalld} +BuildRequires: firewall-macros +%endif + Requires(pre): sed coreutils grep /bin/hostname -Version: 2.6.9 +Version: 2.6.10 Release: 0 # Mandriva: # Release %%mkrel 1 
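Review bot: The `has_firewalld` guard added at the top of openwsman.spec tests `0%{?suse_version} > 1500`, which excludes a target whose `suse_version` is exactly 1500. The changelog entry above says the firewalld configuration is installed for "Leap/SLE 15+", and the `want_python3` test directly below uses `>= 1500`. If 1500 is meant to be covered, the line should read `%if 0%{?suse_version} >= 1500 || 0%{?fedora_version} > 14`. The same condition is repeated in the package/openwsman.spec.in hunk and needs the same change.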
@@ -153,8 +163,7 @@ Source3: %{name}.SuSEfirewall2 BuildRoot: %{_tmppath}/%{name}-%{version}-build Source4: %{name}.service -Patch2: bsc1122623.patch -Patch3: debug_fix.patch +Source5: %{name}.firewalld %description OpenWSMAN is an implementation of the WS-Management protocol stack. @@ -365,8 +374,6 @@ %if 0%{?fedora_version} || 0%{?centos_version} || 0%{?rhel_version} || 0%{?fedora} || 0%{?rhel} %patch1 -p1 %endif -%patch2 -p1 -%patch3 -p1 %build rm -rf build @@ -412,7 +419,7 @@ %install cd build -DESTDIR=%{buildroot} make install +%make_install mkdir -p %{buildroot}/%{_docdir} # don't copy ruby docs if they don't exist [ -d bindings/ruby/html ] && cp -a bindings/ruby/html %{buildroot}/%{_docdir}/openwsman-ruby-docs @@ -431,13 +438,16 @@ install -m 755 build/etc/init/openwsmand.sh %{buildroot}/%{_sysconfdir}/init.d/openwsmand ln -sf %{_sysconfdir}/init.d/openwsmand %{buildroot}/%{_sbindir}/rcopenwsmand %endif +%if 0%{?has_firewalld} +mkdir -p %{buildroot}/%{_libexecdir}/firewalld/services +install -D -m 644 %{S:5} %{buildroot}/%{_libexecdir}/firewalld/services/%{name}.xml +%else +install -D -m 644 %{S:3} %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman +%endif install -m 644 etc/openwsman.conf %{buildroot}/%{_sysconfdir}/openwsman install -m 644 etc/openwsman_client.conf %{buildroot}/%{_sysconfdir}/openwsman install -m 644 etc/ssleay.cnf %{buildroot}/%{_sysconfdir}/openwsman install -m 644 %{pamfile} %{buildroot}/%{_sysconfdir}/pam.d/openwsman -%if 0%{?suse_version} > 1010 -install -D -m 644 %{S:3} %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman -%endif %if 0%{?rhel_version} == 700 rm -f %{buildroot}/%{_bindir}/winrs %endif @@ -463,6 +473,9 @@ # FIXME: chkconfig?! %endif %endif +%if 0%{?has_firewalld} +%firewalld_reload +%endif %preun server %if 0%{?has_systemd} 
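Review bot: In the %install hunk the SuSEfirewall2 service file is now installed from the `%else` branch of `has_firewalld`, so it lands on every target without firewalld, whereas the removed lines limited it to `0%{?suse_version} > 1010`. Non-SUSE builds that fall into the else branch would now receive `SuSEfirewall2.d/services/openwsman` as well. Keeping the old test inside the branch, `%if 0%{?suse_version} > 1010` around the `install -D -m 644 %{S:3} …` line, preserves the previous scope. The `mkdir -p` before `install -D` is redundant because `-D` already creates the leading directories. The %files hunk and the package/openwsman.spec.in copy have the same shape.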
@@ -562,7 +575,11 @@ %config(noreplace) %{_sysconfdir}/openwsman/ssleay.cnf %attr(0755,root,root) %{_sysconfdir}/openwsman/owsmangencert.sh %config %{_sysconfdir}/pam.d/openwsman -%if 0%{?suse_version} > 1010 +%if 0%{?has_firewalld} +%dir %{_libexecdir}/firewalld +%dir %{_libexecdir}/firewalld/services +%{_libexecdir}/firewalld/services/%{name}.xml +%else %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman %endif %if 0%{?has_systemd} ++++++ openwsman-2.6.9.tar.bz2 -> openwsman-2.6.10.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/CMakeLists.txt new/openwsman-2.6.10/CMakeLists.txt --- old/openwsman-2.6.9/CMakeLists.txt 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/CMakeLists.txt 2019-08-07 13:43:36.000000000 +0200 @@ -19,7 +19,7 @@ cmake_policy(SET CMP0042 NEW) endif ( POLICY CMP0042 ) if ( POLICY CMP0046 ) - cmake_policy(SET CMP0046 OLD) + cmake_policy(SET CMP0046 NEW) endif ( POLICY CMP0046 ) endif(COMMAND cmake_policy) @@ -251,18 +251,20 @@ # curl -INCLUDE(FindCURL) -IF ( NOT CURL_FOUND) - MESSAGE( FATAL_ERROR " curl not found" ) -ELSE ( NOT CURL_FOUND) - INCLUDE_DIRECTORIES(${CURL_INCLUDE_DIR}) - IF(CURL_VERSION_STRING) - STRING(COMPARE LESS ${CURL_VERSION_STRING} "7.12.0" result) - IF(result LESS 0) - MESSAGE( FATAL_ERROR " curl version ${CURL_VERSION_STRING} is too low, need 7.12.0 or greater" ) - ENDIF(result LESS 0) - ENDIF(CURL_VERSION_STRING) -ENDIF( NOT CURL_FOUND) +IF(UNIX) + INCLUDE(FindCURL) + IF ( NOT CURL_FOUND) + MESSAGE( FATAL_ERROR " curl not found" ) + ELSE ( NOT CURL_FOUND) + INCLUDE_DIRECTORIES(${CURL_INCLUDE_DIR}) + IF(CURL_VERSION_STRING) + STRING(COMPARE LESS ${CURL_VERSION_STRING} "7.12.0" result) + IF(result LESS 0) + MESSAGE( FATAL_ERROR " curl version ${CURL_VERSION_STRING} is too low, need 7.12.0 or greater" ) + ENDIF(result LESS 0) + ENDIF(CURL_VERSION_STRING) + ENDIF( NOT CURL_FOUND) +ENDIF(UNIX) # xml2 
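Review bot: The firewalld service file is packaged under `%{_libexecdir}/firewalld/services`, but firewalld reads packaged service definitions from `/usr/lib/firewalld/services`. `%{_libexecdir}` does not expand to `/usr/lib` on every distribution the guard admits (on Fedora it is `/usr/libexec`), so there the file would be installed where the daemon does not look. `%{_prefix}/lib/firewalld/services/%{name}.xml` in both %install and %files does not depend on that macro. The two `%dir` lines also make this package own directories that normally belong to firewalld; confirm that is intended.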
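Review bot: The curl minimum-version test that this hunk re-indents under `IF(UNIX)` can never fire. `STRING(COMPARE LESS … result)` stores a boolean, so `IF(result LESS 0)` is never true, and a plain string comparison would in any case order "7.9.0" after "7.12.0". `IF(CURL_VERSION_STRING VERSION_LESS "7.12.0")` around the `MESSAGE( FATAL_ERROR … )` line enforces what the message claims.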
@@ -275,12 +277,14 @@ # pthreads -INCLUDE(FindThreads) -IF( NOT CMAKE_USE_PTHREADS_INIT ) - MESSAGE( FATAL_ERROR " openwsman needs pthread" ) -ELSE( NOT CMAKE_USE_PTHREADS_INIT ) - SET(USE_PTHREAD TRUE) -ENDIF( NOT CMAKE_USE_PTHREADS_INIT ) +IF(UNIX) + INCLUDE(FindThreads) + IF( NOT CMAKE_USE_PTHREADS_INIT ) + MESSAGE( FATAL_ERROR " openwsman needs pthread" ) + ELSE( NOT CMAKE_USE_PTHREADS_INIT ) + SET(USE_PTHREAD TRUE) + ENDIF( NOT CMAKE_USE_PTHREADS_INIT ) +ENDIF(UNIX) # dl @@ -328,6 +332,18 @@ # Various include files INCLUDE(CheckIncludeFile) +INCLUDE(CheckFunctionExists) + +CHECK_FUNCTION_EXISTS( "alloca" HAVE_ALLOCA ) +IF (NOT HAVE_ALLOCA) + SET(HAVE_ALLOCA 0) + SET(C_ALLOCA 0) + CHECK_INCLUDE_FILE( "alloca.h" HAVE_ALLOCA_H ) +ELSE (NOT HAVE_ALLOCA) + SET(HAVE_ALLOCA 1) + SET(C_ALLOCA 1) + SET(HAVE_ALLOCA_H 0) +ENDIF (NOT HAVE_ALLOCA) # # The wsman_config file checks include file existance via "#if", 
@@ -337,8 +353,7 @@ # The code below ensures that "HAVE_xxx" is set to "0" or "1" # -SET (FILES_TO_TEST "crypt.h" "ctype.h" "CUnit/Basic.h" "dirent.h" "dlfcn.h" "ifaddrs.h" "inttypes.h" "memory.h" "netinet/in.h" "net/if_dl.h" "net/if.h" "pam/pam_appl.h" "pam/pam_misc.h" "pthread.h" "security/pam_appl.h" "security/pam_misc.h" "stdarg.h" "stdint.h" "stdlib.h" "strings.h" "string.h" "sys/ioctl.h" "sys/resource.h" "sys/select.h" "sys/sendfile.h" "sys/signal.h" "sys/socket.h" "sys/sockio.h" "sys/stat.h" "sys/types.h" "unistd.h" "vararg.h" ) -#SET(FILES_TO_TEST "crypt.h") +SET (FILES_TO_TEST "alloca.h" "crypt.h" "ctype.h" "CUnit/Basic.h" "dirent.h" "dlfcn.h" "ifaddrs.h" "inttypes.h" "memory.h" "netinet/in.h" "net/if_dl.h" "net/if.h" "pam/pam_appl.h" "pam/pam_misc.h" "pthread.h" "security/pam_appl.h" "security/pam_misc.h" "stdarg.h" "stdint.h" "stdlib.h" "strings.h" "string.h" "sys/ioctl.h" "sys/resource.h" "sys/select.h" "sys/sendfile.h" "sys/signal.h" "sys/socket.h" "sys/sockio.h" "sys/stat.h" "sys/types.h" "unistd.h" "vararg.h" ) FOREACH( FILE ${FILES_TO_TEST}) STRING(REGEX REPLACE "\\." "_" FILEDOT ${FILE}) STRING(REGEX REPLACE "/" "_" FILESLASH ${FILEDOT}) @@ -364,24 +379,12 @@ # library functions -INCLUDE(CheckFunctionExists) CHECK_FUNCTION_EXISTS("getifaddrs" HAVE_GETIFADDRS) #SIOCGIFHWADDR #SIOCGARP SET( CRAY_STACKSEG_END 0 ) -CHECK_FUNCTION_EXISTS( "alloca" HAVE_ALLOCA ) -IF (NOT HAVE_ALLOCA) - SET(HAVE_ALLOCA 0) - SET(C_ALLOCA 0) - CHECK_INCLUDE_FILE( "alloca.h" HAVE_ALLOCA_H ) -ELSE (NOT HAVE_ALLOCA) - SET(HAVE_ALLOCA 1) - SET(C_ALLOCA 1) - SET(HAVE_ALLOCA_H 0) -ENDIF (NOT HAVE_ALLOCA) - # # The wsman_config file checks functions existance via "#if", # requiring a 0/1 argument 
@@ -390,7 +393,7 @@ # The code below ensures that "HAVE_xxx" is set to "0" or "1" # -SET (FUNCS_TO_TEST "bcopy" "crypt" "daemon" "fnmatch" "getaddrinfo" "getnameinfo" "getpid" "gettimeofday" "gmtime_r" "inet_aton" "inet_ntop" "inet_pton" "sleep" "srandom" "strsep" "strtok_r" "syslog" "timegm" "memmove" "unlink" "va_copy" ) +SET (FUNCS_TO_TEST "bcopy" "crypt" "daemon" "fnmatch" "getaddrinfo" "getnameinfo" "getpid" "gettimeofday" "gmtime_r" "inet_aton" "inet_ntop" "inet_pton" "sleep" "srandom" "ssl" "strsep" "strtok_r" "syslog" "timegm" "memmove" "unlink" "va_copy" ) FOREACH( FUNC ${FUNCS_TO_TEST}) STRING(TOUPPER ${FUNC} UPNAME) SET(HAVENAME "HAVE_${UPNAME}") @@ -441,15 +444,17 @@ ENDIF(HAVE_SA_LEN) IF (ENABLE_IPV6) - # Check if struct sockaddr_in6 contains sin6 - CHECK_STRUCT_HAS_MEMBER("struct sockaddr_in6" sin6_addr netinet/in.h HAVE_IPV6) - - IF (HAVE_IPV6) - SET(ENABLE_IPV6 1) - ELSE (HAVE_IPV6) - MESSAGE( SEND_ERROR " IPv6 not supported by system, disabling" ) - SET(ENABLE_IPV6 0) - ENDIF (HAVE_IPV6) + IF(NOT WIN32) + # Check if struct sockaddr_in6 contains sin6 + CHECK_STRUCT_HAS_MEMBER("struct sockaddr_in6" sin6_addr netinet/in.h HAVE_IPV6) + + IF (HAVE_IPV6) + SET(ENABLE_IPV6 1) + ELSE (HAVE_IPV6) + MESSAGE( SEND_ERROR " IPv6 not supported by system, disabling" ) + SET(ENABLE_IPV6 0) + ENDIF (HAVE_IPV6) + ENDIF(NOT WIN32) ELSE (ENABLE_IPV6) SET(ENABLE_IPV6 0) ENDIF (ENABLE_IPV6) @@ -479,7 +484,11 @@ SET(WSMAN_SERVER_PKG wsman_server) SET(WSMAN_CLIENT_PKG wsman_client) SET(WSMAN_CLIENTPP_PKG wsman_clientpp) -SET(WSMAN_CLIENT_TRANSPORT_PKG wsman_curl_client_transport) +IF(UNIX) + SET(WSMAN_CLIENT_TRANSPORT_PKG wsman_curl_client_transport) +ELSE(UNIX) + SET(WSMAN_CLIENT_TRANSPORT_PKG wsman_win_client_transport) +ENDIF(UNIX) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/wsman_config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/wsman_config.h) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/Doxyfile.in ${CMAKE_CURRENT_BINARY_DIR}/Doxyfile) 
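Review bot: `"ssl"` added to `FUNCS_TO_TEST` is not the name of a C function, so a function-existence probe on it would be expected to fail and leave `HAVE_SSL` at 0. The loop body that consumes the list continues outside the hunk, so this is inferred from the `HAVE_${UPNAME}` naming visible here. If any source guards TLS code with `HAVE_SSL`, that code would be compiled out without a warning. If the goal is to detect OpenSSL, probe a real symbol from the library or reuse the detection that already provides `OPENSSL_LIBRARIES`.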
@@ -609,6 +618,7 @@ COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/package/openwsman.pam.rh" "${CMAKE_BINARY_DIR}/package" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/package/openwsman.rpmlintrc" "${CMAKE_BINARY_DIR}/package" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/package/openwsman.SuSEfirewall2" "${CMAKE_BINARY_DIR}/package" + COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/package/openwsman.firewalld" "${CMAKE_BINARY_DIR}/package" ) ADD_CUSTOM_TARGET( srcpackage_local diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/ChangeLog new/openwsman-2.6.10/ChangeLog --- old/openwsman-2.6.9/ChangeLog 2018-11-19 13:27:21.000000000 +0100 +++ new/openwsman-2.6.10/ChangeLog 2019-08-07 13:42:23.000000000 +0200 @@ -1,3 +1,18 @@ +2.6.10 +- Features + - rpm installs firewalld configuration +- Bugfixes + - Pthread usage fixes (Alexander Usyskin) + - Convert sprintf to snprintf and strcpy to strncpy (Tomas Winkler) + - Fix configure for Windows (Alexander Usyskin) + - Fix possible denial of service (Adam Majer, Klaus Kaempf) + CVE-2019-3833: + "Openwsman, versions up to and including 2.6.9, are vulnerable to + infinite loop in process_connection() when parsing specially crafted + HTTP requests. A remote, unauthenticated attacker can exploit this + vulnerability by sending malicious HTTP request to cause denial of + service to openwsman server." + 2.6.9 - Features - Build with CURL 7.62 (vcrho...@redhat.com) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/VERSION.cmake new/openwsman-2.6.10/VERSION.cmake --- old/openwsman-2.6.9/VERSION.cmake 2018-11-19 13:23:26.000000000 +0100 +++ new/openwsman-2.6.10/VERSION.cmake 2019-08-07 12:57:22.000000000 +0200 
@@ -44,10 +44,10 @@ # set COMPATMINOR to MINOR. (binary incompatible change) # -# Package version 2.6.9 +# Package version 2.6.10 SET(OPENWSMAN_MAJOR "2") SET(OPENWSMAN_MINOR "6") -SET(OPENWSMAN_PATCH "9") +SET(OPENWSMAN_PATCH "10") # Plugin API 2.2 SET(OPENWSMAN_PLUGIN_API_MAJOR "2") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/bindings/ruby/CMakeLists.txt new/openwsman-2.6.10/bindings/ruby/CMakeLists.txt --- old/openwsman-2.6.9/bindings/ruby/CMakeLists.txt 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/bindings/ruby/CMakeLists.txt 2019-08-07 13:24:26.000000000 +0200 @@ -92,8 +92,8 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/openwsman.gemspec.in ${CMAKE_CURRENT_BINARY_DIR}/openwsman.gemspec) SET(GEM_NAME "openwsman-${VERSION}.gem") -ADD_CUSTOM_TARGET(ruby_gem ALL DEPENDS ${GEM_NAME}) -ADD_DEPENDENCIES(ruby_gem ${SWIG_OUTPUT}) +ADD_CUSTOM_TARGET(ruby_gem ALL DEPENDS ${GEM_NAME} ${SWIG_OUTPUT}) +#ADD_DEPENDENCIES(ruby_gem ) ADD_CUSTOM_COMMAND ( OUTPUT ${GEM_NAME} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/include/u/carpal.h new/openwsman-2.6.10/include/u/carpal.h --- old/openwsman-2.6.9/include/u/carpal.h 2014-07-25 17:08:56.000000000 +0200 +++ new/openwsman-2.6.10/include/u/carpal.h 2019-08-07 12:57:23.000000000 +0200 @@ -16,6 +16,7 @@ #include <u/log.h> +#include "./debug_internal.h" #ifdef __cplusplus extern "C" { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/include/u/debug_internal.h new/openwsman-2.6.10/include/u/debug_internal.h --- old/openwsman-2.6.9/include/u/debug_internal.h 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/include/u/debug_internal.h 2019-08-07 12:57:23.000000000 +0200 
@@ -52,8 +52,8 @@ }; typedef struct _debug_handler_t debug_handler_t; -void debug_full(debug_level_e level, const char *format, ...); -void debug_full_verbose(debug_level_e level, char *file, +int debug_full(debug_level_e level, const char *format, ...); +int debug_full_verbose(debug_level_e level, char *file, int line, const char *proc, const char *format, ...); // #define ENABLE_TRACING diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/include/u/libu.h new/openwsman-2.6.10/include/u/libu.h --- old/openwsman-2.6.9/include/u/libu.h 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/include/u/libu.h 2019-08-07 12:57:22.000000000 +0200 @@ -40,6 +40,9 @@ #define strnicmp _strnicmp #define fileno _fileno #define cputs _cputs +#if _MSC_VER < 1900 + #define snprintf _snprintf +#endif /* _MSC_VER < 1900 */ #endif #ifndef TRUE #define TRUE 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/include/u/os.h new/openwsman-2.6.10/include/u/os.h --- old/openwsman-2.6.9/include/u/os.h 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/include/u/os.h 2019-08-07 12:57:22.000000000 +0200 
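Review bot: The two prototypes change from `void` to `int` without a comment saying what the returned value means. Going by the debug.c hunks of this commit it is -1 when no handler is registered and otherwise the length of the formatted message; a line such as `/* returns the formatted message length, or -1 if no handler is installed */` above `debug_full` would record that. In debug.c the length is taken with `ret = strlen(str);`, which narrows `size_t` to `int`; an explicit cast there would make the narrowing deliberate.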
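Review bot: For `_MSC_VER < 1900` the macro still maps `snprintf` to `_snprintf`, which writes no terminating NUL when the output fills the buffer and returns a negative value instead of the length that was needed. The truncation checks added elsewhere in this commit in the form `ret < 0 || ret >= sizeof(buf)` still catch that case through the first half, but any call that neither checks the result nor terminates the buffer itself gets no NUL on those builds. A small wrapper around `_vsnprintf` that always sets `buf[size - 1] = '\0'` would give one behaviour on all compilers; the identical block in the include/u/os.h hunk needs the same treatment. `_MSC_VER` also evaluates to 0 inside `#if` when it is undefined, so a non-MSVC compiler that reaches this block takes the `_snprintf` branch too.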
@@ -41,7 +41,9 @@ #define strtoull(nptr, endptr, base) _strtoul_l(nptr, endptr, base, NULL) #define strtoll(nptr, endptr, base) _strtol_l(nptr, endptr, base, NULL) #define sleep(secs) Sleep( (secs) * 1000 ) -#define snprintf _snprintf /*!< The snprintf is called _snprintf() in Win32 */ +#if _MSC_VER < 1900 + #define snprintf _snprintf /*!< The snprintf is called _snprintf() in Win32 */ +#endif /* _MSC_VER < 1900 */ #define popen _popen #define getpid GetCurrentProcessId #define pclose _pclose diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/package/openwsman.firewalld new/openwsman-2.6.10/package/openwsman.firewalld --- old/openwsman-2.6.9/package/openwsman.firewalld 1970-01-01 01:00:00.000000000 +0100 +++ new/openwsman-2.6.10/package/openwsman.firewalld 2019-08-07 13:31:08.000000000 +0200 @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>Openwsman</short> + <description>Openwsman is a project intended to provide an open-source implementation of the Web Services Management specification (WS-Management) and to expose system management information on the Linux operating system using the WS-Management protocol.</description> + <port protocol="tcp" port="5985"/> + <port protocol="tcp" port="5986"/> +</service> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/package/openwsman.spec.in new/openwsman-2.6.10/package/openwsman.spec.in --- old/openwsman-2.6.9/package/openwsman.spec.in 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/package/openwsman.spec.in 2019-08-07 13:41:47.000000000 +0200 @@ -22,6 +22,12 @@ %define has_systemd 0 %endif +%if 0%{?suse_version} > 1500 || 0%{?fedora_version} > 14 +%define has_firewalld 1 +%else +%define has_firewalld 0 +%endif + %if 0%{?suse_version} >= 1500 %define want_python3 1 %else 
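Review bot: The new service definition opens 5985/tcp and 5986/tcp in a single unit, so enabling `openwsman` in a zone exposes both listeners together. If 5985 is the plain-HTTP listener and 5986 the TLS one, as is conventional for WS-Management, an administrator who wants only the TLS port reachable cannot express that with this file. Splitting it into one service per port, or at least stating in `<description>` which port is which, would make the choice explicit.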
@@ -131,6 +137,10 @@ %{?systemd_requires} %endif +%if 0%{?has_firewalld} +BuildRequires: firewall-macros +%endif + Requires(pre): sed coreutils grep /bin/hostname Version: @VERSION@ Release: 0 @@ -153,6 +163,7 @@ Source3: %{name}.SuSEfirewall2 BuildRoot: %{_tmppath}/%{name}-%{version}-build Source4: %{name}.service +Source5: %{name}.firewalld %description OpenWSMAN is an implementation of the WS-Management protocol stack. @@ -427,13 +438,16 @@ install -m 755 build/etc/init/openwsmand.sh %{buildroot}/%{_sysconfdir}/init.d/openwsmand ln -sf %{_sysconfdir}/init.d/openwsmand %{buildroot}/%{_sbindir}/rcopenwsmand %endif +%if 0%{?has_firewalld} +mkdir -p %{buildroot}/%{_libexecdir}/firewalld/services +install -D -m 644 %{S:5} %{buildroot}/%{_libexecdir}/firewalld/services/%{name}.xml +%else +install -D -m 644 %{S:3} %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman +%endif install -m 644 etc/openwsman.conf %{buildroot}/%{_sysconfdir}/openwsman install -m 644 etc/openwsman_client.conf %{buildroot}/%{_sysconfdir}/openwsman install -m 644 etc/ssleay.cnf %{buildroot}/%{_sysconfdir}/openwsman install -m 644 %{pamfile} %{buildroot}/%{_sysconfdir}/pam.d/openwsman -%if 0%{?suse_version} > 1010 -install -D -m 644 %{S:3} %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman -%endif %if 0%{?rhel_version} == 700 rm -f %{buildroot}/%{_bindir}/winrs %endif @@ -460,6 +474,9 @@ # FIXME: chkconfig?! %endif %endif +%if 0%{?has_firewalld} +%firewalld_reload +%endif %preun server %if 0%{?has_systemd} 
@@ -559,7 +576,11 @@ %config(noreplace) %{_sysconfdir}/openwsman/ssleay.cnf %attr(0755,root,root) %{_sysconfdir}/openwsman/owsmangencert.sh %config %{_sysconfdir}/pam.d/openwsman -%if 0%{?suse_version} > 1010 +%if 0%{?has_firewalld} +%dir %{_libexecdir}/firewalld +%dir %{_libexecdir}/firewalld/services +%{_libexecdir}/firewalld/services/%{name}.xml +#else %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/openwsman %endif %if 0%{?has_systemd} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/cpp/OpenWsmanClient.cpp new/openwsman-2.6.10/src/cpp/OpenWsmanClient.cpp --- old/openwsman-2.6.9/src/cpp/OpenWsmanClient.cpp 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/cpp/OpenWsmanClient.cpp 2019-08-07 12:57:23.000000000 +0200 @@ -11,6 +11,7 @@ #include "OpenWsmanClient.h" +#include <sstream> extern "C" { #include "u/libu.h" @@ -408,15 +409,12 @@ bool CheckWsmanResponse(WsManClient* cl, WsXmlDocH& doc) { long lastError = wsmc_get_last_error(cl); - string error; if(lastError) { - char tmp[11]; - error = "Failed to establish a connection with the server.\n"; - sprintf(tmp, "%ld", lastError); - error.append("Openwsman last error = ").append(tmp); + std::stringstream ss1; + ss1 << "Failed to establish a connection with the server." << std::endl << "Openwsman last error = " << lastError; ws_xml_destroy_doc(doc); - throw WsmanClientException(error.c_str(), WSMAN_CONNECT_ERROR); + throw WsmanClientException(ss1.str().c_str(), WSMAN_CONNECT_ERROR); } long responseCode = wsmc_get_response_code(cl); 
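Review bot: The %files hunk of package/openwsman.spec.in has `#else` where openwsman.spec in this same commit has `%else`. To rpm `#else` is a comment, so the `%config …/SuSEfirewall2.d/services/openwsman` entry stays inside the `%if 0%{?has_firewalld}` branch. With firewalld the file list then names a file that %install did not create, and without firewalld the installed SuSEfirewall2 file is left unpackaged. The line should be `%else`.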
@@ -424,19 +422,16 @@ responseCode != 400 && responseCode != 500) { - char tmp[11]; - error = "An HTTP error occurred.\n"; - sprintf(tmp, "%ld", responseCode); - error.append("HTTP Error = ").append(tmp); + std::stringstream ss2; + ss2 << "An HTTP error occurred." << std::endl << "HTTP Error = " << responseCode; ws_xml_destroy_doc(doc); - throw WsmanClientException(error.c_str(), WSMAN_HTTP_ERROR); + throw WsmanClientException(ss2.str().c_str(), WSMAN_HTTP_ERROR); } if(!doc) throw WsmanClientException("The Wsman response was NULL."); if (wsmc_check_for_fault(doc)) { - char tmp[11]; WsManFault *fault = wsmc_fault_new(); wsmc_get_fault_data(doc, fault); string subcode_s = fault->subcode ? string(fault->subcode) : ""; @@ -445,14 +440,14 @@ string detail_s = fault->fault_detail ? string(fault->fault_detail) : ""; ws_xml_destroy_doc(doc); wsmc_fault_destroy(fault); - error = "A Soap Fault was received:"; - error.append("\nFaultCode: " + code_s); - error.append("\nFaultSubCode: " + subcode_s); - error.append("\nFaultReason: " + reason_s); - error.append("\nFaultDetail: " + detail_s); - sprintf(tmp, "%ld", responseCode); - error.append("\nHttpCode: = ").append(tmp); - throw WsmanSoapFault(error.c_str(), code_s, subcode_s, reason_s, detail_s); + + std::stringstream ss3; + ss3 << "FaultCode: " << code_s << std::endl; + ss3 << "FaultSubCode: " + subcode_s << std::endl; + ss3 << "FaultReason: " + reason_s<< std::endl; + ss3 << "FaultDetail: " + detail_s<< std::endl; + ss3 << "HttpCode: = " << responseCode; + throw WsmanSoapFault(ss3.str().c_str(), code_s, subcode_s, reason_s, detail_s); } return true; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/CMakeLists.txt new/openwsman-2.6.10/src/lib/CMakeLists.txt --- old/openwsman-2.6.9/src/lib/CMakeLists.txt 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/CMakeLists.txt 2019-08-07 12:57:23.000000000 +0200 
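Review bot: The rewritten SOAP-fault branch no longer emits the leading `A Soap Fault was received:` line that the removed code put at the start of the exception text, so the message callers see changes together with the buffer fix. If that is not intended, start the stream with `ss3 << "A Soap Fault was received:" << std::endl;`. The three middle lines mix `<<` with `+` (`"FaultSubCode: " + subcode_s`), which builds a temporary string for nothing; `<< "FaultSubCode: " << subcode_s` matches the first and last lines. The enclosing function begins before this hunk.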
@@ -49,10 +49,14 @@ ENDIF ( NOT DISABLE_SERVER ) ########## wsman_curl_client_transport ############### - -SET( wsman_curl_client_transport_SOURCES wsman-client-transport.c wsman-curl-client-transport.c ) -ADD_LIBRARY( ${WSMAN_CLIENT_TRANSPORT_PKG} ${wsman_curl_client_transport_SOURCES} ) -TARGET_LINK_LIBRARIES( ${WSMAN_CLIENT_TRANSPORT_PKG} ${CURL_LIBRARIES} ) +IF(UNIX) + SET( wsman_curl_client_transport_SOURCES wsman-client-transport.c wsman-curl-client-transport.c ) + ADD_LIBRARY( ${WSMAN_CLIENT_TRANSPORT_PKG} ${wsman_curl_client_transport_SOURCES} ) + TARGET_LINK_LIBRARIES( ${WSMAN_CLIENT_TRANSPORT_PKG} ${CURL_LIBRARIES} ) +ELSE(UNIX) + SET( wsman_win_client_transport_SOURCES wsman-client-transport.c wsman-win-client-transport.c ) + ADD_LIBRARY( ${WSMAN_CLIENT_TRANSPORT_PKG} ${wsman_win_client_transport_SOURCES} ) +ENDIF(UNIX) IF( ENABLE_EVENTING_SUPPORT ) TARGET_LINK_LIBRARIES( ${WSMAN_CLIENT_TRANSPORT_PKG} ${OPENSSL_LIBRARIES} ) ENDIF( ENABLE_EVENTING_SUPPORT ) @@ -64,7 +68,7 @@ SET( wsman_client_SOURCES wsman-client.c ) ADD_LIBRARY( ${WSMAN_CLIENT_PKG} ${wsman_client_SOURCES} ) -TARGET_LINK_LIBRARIES( ${WSMAN_CLIENT_PKG} wsman_curl_client_transport ) +TARGET_LINK_LIBRARIES( ${WSMAN_CLIENT_PKG} ${WSMAN_CLIENT_TRANSPORT_PKG} ) SET_TARGET_PROPERTIES( ${WSMAN_CLIENT_PKG} PROPERTIES VERSION 4.0.0 SOVERSION 4) INSTALL(TARGETS ${WSMAN_CLIENT_PKG} DESTINATION ${LIB_INSTALL_DIR}) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/u/debug.c new/openwsman-2.6.10/src/lib/u/debug.c --- old/openwsman-2.6.9/src/lib/u/debug.c 2014-07-25 17:08:56.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/u/debug.c 2019-08-07 12:57:23.000000000 +0200 @@ -106,13 +106,14 @@ } -void debug_full(debug_level_e level, const char *format, ...) +int debug_full(debug_level_e level, const char *format, ...) { va_list args; char *str; + int ret = 0; if (handlers == NULL) { - return; + return -1; } va_start(args, format); 
@@ -120,13 +121,15 @@ va_end(args); call_handlers(level, str); + ret = strlen(str); u_free(str); + return ret; } -void +int debug_full_verbose(debug_level_e level, char *file, int line, const char *proc, const char *format, ...) @@ -134,9 +137,10 @@ va_list args; char *str; char *body; + int ret = 0; if (handlers == NULL) { - return; + return -1; } va_start(args, format); @@ -147,6 +151,8 @@ u_free(body); call_handlers(level, str); + ret = strlen(str); u_free(str); + return ret; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/u/iniparser.c new/openwsman-2.6.10/src/lib/u/iniparser.c --- old/openwsman-2.6.9/src/lib/u/iniparser.c 2018-07-04 15:05:17.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/u/iniparser.c 2019-08-07 12:57:23.000000000 +0200 @@ -117,7 +117,8 @@ if ((s==NULL) || (l==NULL)) return NULL ; memset(l, 0, ASCIILINESZ+1); - strcpy(l, s); + strncpy(l, s, ASCIILINESZ + 1); + l[ASCIILINESZ] = '\0'; last = l + strlen(l); while (last > l) { if (!isspace((int)*(last-1))) @@ -490,18 +491,19 @@ */ static int iniparser_add_entry( dictionary * d, - char * sec, - char * key, + const char * sec, + const char * key, char * val) { char longkey[2*ASCIILINESZ+1]; /* Make a key as section:keyword */ if (key!=NULL) { - sprintf(longkey, "%s:%s", sec, key); + snprintf(longkey, sizeof(longkey), "%s:%s", sec, key); } else { - strcpy(longkey, sec); + strncpy(longkey, sec, sizeof(longkey)); } + longkey[sizeof(longkey)-1] = 0; /* Add (key,val) to dictionary */ return dictionary_set(d, longkey, val); @@ -624,6 +626,7 @@ int nsec ; char * secname ; int seclen ; + int ret ; if (d==NULL || f==NULL) return ; 
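Review bot: In `iniparser_add_entry` an over-long section or key is now truncated silently, because the result of `snprintf(longkey, sizeof(longkey), "%s:%s", sec, key)` is not checked and the `strncpy` branch behaves the same way. The truncated `longkey` is then handed to `dictionary_set`, so two distinct long names can end up as the same dictionary entry. Rejecting the input is safer, for example `int n = snprintf(longkey, sizeof(longkey), "%s:%s", sec, key);` followed by `if (n < 0 || (size_t)n >= sizeof(longkey)) return -1;`. The visible caller only tests `!= 0`, but the failure value should be confirmed against the rest of the file.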
@@ -641,8 +644,10 @@ secname = iniparser_getsecname(d, i) ; seclen = (int)strlen(secname); fprintf(f, "\n[%s]\n", secname); - sprintf(keym, "%s:", secname); - for (j=0 ; j<d->size ; j++) { + ret = snprintf(keym, sizeof(keym), "%s:", secname); + if (ret < 0 || ret >= sizeof(keym)) + return; + for (j = 0 ; j < d->size ; j++) { if (d->key[j]==NULL) continue ; if (!strncmp(d->key[j], keym, seclen+1)) { @@ -922,7 +927,8 @@ if (sscanf(where, "[%[^]]", sec)==1) { /* Valid section name */ - strcpy(sec, strlwc(sec, lc_key)); + strncpy(sec, strlwc(sec, lc_key), sizeof(sec)); + sec[sizeof(sec)-1] = 0; if (iniparser_add_entry(d, sec, NULL, NULL) != 0) { dictionary_del(d); fclose(ini); @@ -933,7 +939,8 @@ || sscanf (where, "%[^=] = %[^;#]", key, val) == 2) { char crop_key[ASCIILINESZ+1]; - strcpy(key, strlwc(strcrop(key, crop_key), lc_key)); + strncpy(key, strlwc(strcrop(key, crop_key), lc_key), sizeof(key)); + key[sizeof(key)-1] = 0; /* * sscanf cannot handle "" or '' as empty value, * this is done here @@ -941,7 +948,8 @@ if (!strcmp(val, "\"\"") || !strcmp(val, "''")) { val[0] = (char)0; } else { - strcpy(val, strcrop(val, crop_key)); + strncpy(val, strcrop(val, crop_key), sizeof(val)); + val[sizeof(val)-1] = 0; } if (iniparser_add_entry(d, sec, key, val) != 0) { dictionary_del(d); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/u/lock.c new/openwsman-2.6.10/src/lib/u/lock.c --- old/openwsman-2.6.9/src/lib/u/lock.c 2014-07-25 17:08:56.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/u/lock.c 2019-08-07 13:06:36.000000000 +0200 
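Review bot: The unbounded write in this parser sits one line above the new `strncpy`: `sscanf(where, "[%[^]]", sec)` has no field width, so `sec` is filled without a limit before the bounded copy is reached. The same holds for `key` and `val` in `sscanf (where, "%[^=] = %[^;#]", key, val)` in the next hunk. Whether this can overrun depends on the sizes of `where`, `sec`, `key` and `val`, which are declared outside the hunks. Giving each scanset an explicit width of one less than its buffer bounds the write at its source. `sizeof(sec)`, `sizeof(key)` and `sizeof(val)` are correct only if these are arrays in this scope rather than pointers.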
@@ -61,6 +61,7 @@ pthread_mutexattr_settype( &attr, PTHREAD_MUTEX_RECURSIVE_NP ); if ( data != NULL ) pthread_mutex_init((pthread_mutex_t*)data, &attr); + pthread_mutexattr_destroy(&attr); } int u_try_lock(void* data) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/u/pthreadx_win32.c new/openwsman-2.6.10/src/lib/u/pthreadx_win32.c --- old/openwsman-2.6.9/src/lib/u/pthreadx_win32.c 2014-07-25 17:08:56.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/u/pthreadx_win32.c 2019-08-07 13:06:36.000000000 +0200 @@ -107,6 +107,13 @@ return 0; } +int +pthread_mutexattr_destroy(pthread_mutexattr_t *attr) +{ + memset(attr, 0, sizeof(*attr)); + return 0; +} + int pthread_mutex_lock(pthread_mutex_t *mp) { EnterCriticalSection(mp); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/u/uri.c new/openwsman-2.6.10/src/lib/u/uri.c --- old/openwsman-2.6.9/src/lib/u/uri.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/u/uri.c 2019-08-07 12:57:23.000000000 +0200 @@ -7,6 +7,7 @@ #ifdef HAVE_CONFIG_H #include <wsman_config.h> #endif +#include <ctype.h> #include <stdlib.h> #include <string.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/u/uuid.c new/openwsman-2.6.10/src/lib/u/uuid.c --- old/openwsman-2.6.9/src/lib/u/uuid.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/u/uuid.c 2019-08-07 12:57:22.000000000 +0200 
@@ -191,14 +191,23 @@ if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) return FALSE; - sprintf(ifr.ifr_name, "eth0"); + + i = snprintf(ifr.ifr_name, IFNAMSIZ, "eth0"); + if (i != strlen("eth0")) { + close(s) + return 0; + } + if (ioctl(s, SIOCGIFHWADDR, &ifr) < 0) { close(s); return 0; } + sa = (struct sockaddr *)&ifr.ifr_addr; - for (i = 0; i < MAC_LEN; i++) + for (i = 0; i < MAC_LEN; i++) { data_ptr[i] = (unsigned char)(sa->sa_data[i] & 0xff); + } + close(s); return 1; } @@ -348,20 +357,25 @@ *(short int*)(uuid+10) = (short int)timeMid; *(int*)(uuid+12) = timeLow; + i = 0; if ( !no_prefix ) { - sprintf( ptr, "uuid:" ); - ptr += 5; + i = snprintf( ptr, size, "uuid:" ); + if ( i != strlen("uuid:") ) + return 0; } - sprintf( ptr, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x", + i = snprintf( &ptr[i], size - i, + "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x", uuid[15], uuid[14], uuid[13], uuid[12], uuid[11], uuid[10], uuid[9], uuid[8], uuid[7], uuid[6], uuid[5], uuid[4], uuid[3], uuid[2], uuid[1], uuid[0] ); - return 1; + if ( i != SIZE_OF_UUID_STRING) + return 0; + return 1; } #else /* Solaris */ @@ -372,8 +386,9 @@ { int max_length = SIZE_OF_UUID_STRING; char* ptr = buf; - char uuid_str[UUID_PRINTABLE_STRING_LENGTH]; - uuid_t uuid; + char uuid_str[UUID_PRINTABLE_STRING_LENGTH]; + uuid_t uuid; + int i; if ( !no_prefix ) max_length += 5; // space for "uuid:" if ( size < max_length ) 
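Review bot: The added error path `close(s)` has no terminating semicolon, so this block does not compile wherever the `SIOCGIFHWADDR` branch is built; it should be `close(s);`. The test `i != strlen("eth0")` compares the result of `snprintf` with a `size_t`; `if (i < 0 || i >= IFNAMSIZ)` states the truncation condition directly. The function returns `FALSE` when `socket()` fails and `0` on the other failures, which is worth making uniform. The function starts outside the hunk.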
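Review bot: The new final check `if ( i != SIZE_OF_UUID_STRING) return 0;` is correct only if `SIZE_OF_UUID_STRING` is the 36-character length that the format string produces, not a buffer size that counts the terminator. The constant is defined outside the hunk, and the other implementation in this file uses it as a minimum buffer size (`max_length = SIZE_OF_UUID_STRING; … if ( size < max_length )`). If it does include the NUL, this function returns 0 on every call. Keeping the remaining space in a local and testing the `snprintf` result against it (negative, or not smaller than that space) avoids depending on the constant.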
@@ -382,23 +397,25 @@ if ( buf == NULL ) return 0; + i = 0; if ( !no_prefix ) { - sprintf( ptr, "uuid:" ); - ptr += 5; + i = snprintf( ptr, size, "uuid:" ); + if ( i != strlen("uuid:") ) + return 0; } + ptr += i; - uuid_generate(uuid); - uuid_unparse(uuid, uuid_str); - - int uuidlen = strlen(uuid_str); - if (((ptr - buf) + uuidlen) < size) { - strlcpy(ptr, uuid_str, uuidlen); - return 1; - } - else - return 0; + uuid_generate(uuid); + uuid_unparse(uuid, uuid_str); + int uuidlen = strlen(uuid_str); + if (((ptr - buf) + uuidlen) < size) { + strlcpy(ptr, uuid_str, uuidlen); + return 1; + } + else + return 0; } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/wsman-client.c new/openwsman-2.6.10/src/lib/wsman-client.c --- old/openwsman-2.6.9/src/lib/wsman-client.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/wsman-client.c 2019-08-07 13:06:36.000000000 +0200 @@ -83,13 +83,18 @@ static char* -wsman_make_action(char *uri, char *op_name) +wsman_make_action(const char *uri, const char *op_name) { if (uri && op_name) { size_t len = strlen(uri) + strlen(op_name) + 2; - char *ptr = (char *) malloc(len); + char *ptr = (char *)u_malloc(len); if (ptr) { - sprintf(ptr, "%s/%s", uri, op_name); + int ret = snprintf(ptr, len, "%s/%s", uri, op_name); + if (ret < 0 || ret >= len) { + error("Error: formating action"); + u_free(ptr); + return NULL; + } return ptr; } } @@ -155,9 +160,15 @@ } if (options->timeout) { /* FIXME: see wsman-xml-serialize.c */ - char buf[20]; - sprintf(buf, "PT%u.%uS", (unsigned int) options->timeout / 1000, + char buf[20]; + int ret; + ret = snprintf(buf, sizeof(buf), "PT%u.%uS", + (unsigned int) options->timeout / 1000, (unsigned int) options->timeout % 1000); + if (ret < 0 || ret >= sizeof(buf)) { + error("Error: formating time"); + return NULL; + } ws_serialize_str(serctx, header, buf, XML_NS_WS_MAN, WSM_OPERATION_TIMEOUT, 0); } 
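Review bot: `strlcpy(ptr, uuid_str, uuidlen);` passes the source length as the destination size, and strlcpy copies at most size-1 characters, so the last character of the UUID is dropped. The size argument should be the space left in `buf`, for example `strlcpy(ptr, uuid_str, size - (ptr - buf));`. The commit only re-indents these lines, but they remain on the new side with this behaviour. `int uuidlen = strlen(uuid_str);` also narrows `size_t`, and the `< size` comparison then depends on the type of `size`, which is declared outside the hunk.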
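Review bot: The timeout is formatted with `"PT%u.%uS"`, so the millisecond part loses its leading zeros: a timeout of 1005 ms is written as `PT1.5S`, which reads as 1.5 seconds. The fraction needs a fixed width, `"PT%u.%03uS"`. The new `return NULL;` on a formatting error exits a function whose earlier part is outside the hunk; anything already allocated for the request would have to be released on that path, which should be confirmed against the full function. `ret >= sizeof(buf)` compares `int` with `size_t` and is safe only because `ret < 0` is tested first.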
@@ -880,16 +891,18 @@ XML_NS_EVENTING, WSEVENT_SUBSCRIBE,NULL); temp = ws_xml_add_child(node, XML_NS_EVENTING, WSEVENT_DELIVERY, NULL); if(temp) { - ws_xml_add_node_attr(temp, NULL, WSEVENT_DELIVERY_MODE, - wsmc_create_delivery_mode_str(options->delivery_mode)); + char *mode = wsmc_create_delivery_mode_str(options->delivery_mode); + ws_xml_add_node_attr(temp, NULL, WSEVENT_DELIVERY_MODE, mode); + u_free(mode); if(options->delivery_uri) { node2 = ws_xml_add_child(temp, XML_NS_EVENTING, WSEVENT_NOTIFY_TO, NULL); ws_xml_add_child(node2, XML_NS_ADDRESSING, WSA_ADDRESS, options->delivery_uri); } if(options->delivery_sec_mode) { temp = ws_xml_add_child(temp, XML_NS_WS_MAN, WSM_AUTH, NULL); - ws_xml_add_node_attr(temp, NULL, WSM_PROFILE, - wsmc_create_delivery_sec_mode_str(options->delivery_sec_mode)); + char *mode = wsmc_create_delivery_sec_mode_str(options->delivery_sec_mode); + ws_xml_add_node_attr(temp, NULL, WSM_PROFILE, mode); + u_free(mode); } if(options->heartbeat_interval) { snprintf(buf, 32, "PT%fS", options->heartbeat_interval); @@ -2151,7 +2164,9 @@ int wsmc_lock(WsManClient * cl) { - pthread_mutex_lock(&cl->mutex); + if (pthread_mutex_lock(&cl->mutex)) + return 1; + if (cl->flags & WSMAN_CLIENT_BUSY) { pthread_mutex_unlock(&cl->mutex); return 1; @@ -2165,7 +2180,9 @@ void wsmc_unlock(WsManClient * cl) { - pthread_mutex_lock(&cl->mutex); + if (pthread_mutex_lock(&cl->mutex)) + return; + cl->flags &= ~WSMAN_CLIENT_BUSY; pthread_mutex_unlock(&cl->mutex); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/wsman-curl-client-transport.c new/openwsman-2.6.10/src/lib/wsman-curl-client-transport.c --- old/openwsman-2.6.9/src/lib/wsman-curl-client-transport.c 2018-11-19 13:21:23.000000000 +0100 +++ new/openwsman-2.6.10/src/lib/wsman-curl-client-transport.c 2019-08-07 13:06:36.000000000 +0200 
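Review bot: A failed `pthread_mutex_lock` in `wsmc_lock` (hunk at -2151) returns 1, the same value as the WSMAN_CLIENT_BUSY case, and in `wsmc_unlock` (hunk at -2165) it returns silently with WSMAN_CLIENT_BUSY still set, so the client would stay busy with no trace of the cause. Report the failure in both places, as the curl transport hunks of this commit do, for example `error("Error: Can't lock cl->mutex");` before each early return.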
@@ -448,6 +448,7 @@ CURLcode r; char *upwd = NULL; char *usag = NULL; + size_t usag_len = 0; struct curl_slist *headers=NULL; char *buf = NULL; int len; @@ -495,7 +496,8 @@ snprintf(content_type, 64, "Content-Type: application/soap+xml;charset=%s", cl->content_encoding); headers = curl_slist_append(headers, content_type); tmp_str = wsman_transport_get_agent(cl); - usag = malloc(12 + strlen(tmp_str) + 1); + usag_len = strlen("User-Agent: ") + strlen(tmp_str) + 1; + usag = u_malloc(usag_len); if (usag == NULL) { r = CURLE_OUT_OF_MEMORY; cl->fault_string = u_strdup("Could not malloc memory"); @@ -503,14 +505,14 @@ goto DONE; } - sprintf(usag, "User-Agent: %s", tmp_str); + snprintf(usag, usag_len, "User-Agent: %s", tmp_str); free(tmp_str); headers = curl_slist_append(headers, usag); #if 0 soapaction = ws_xml_get_xpath_value(rqstDoc, "/s:Envelope/s:Header/wsa:Action"); if (soapaction) { - soapact_header = malloc(12 + strlen(soapaction) + 1); + soapact_header = u_malloc(12 + strlen(soapaction) + 1); if (soapact_header) { sprintf(soapact_header, "SOAPAction: %s", soapaction); headers = curl_slist_append(headers, soapact_header); @@ -701,16 +703,23 @@ { CURLcode r; - pthread_mutex_lock(&curl_mutex); + if (pthread_mutex_lock(&curl_mutex)) { + error("Error: Can't lock curl_mutex\n"); + return 1; + } if (cl->initialized) { - pthread_mutex_unlock(&curl_mutex); + if (pthread_mutex_unlock(&curl_mutex)) { + error("Error: Can't unlock curl_mutex\n"); + } return 0; } r = curl_global_init(CURL_GLOBAL_SSL | CURL_GLOBAL_WIN32); if (r == CURLE_OK) { cl->initialized = 1; } - pthread_mutex_unlock(&curl_mutex); + if (pthread_mutex_unlock(&curl_mutex)) { + error("Error: Can't unlock curl_mutex\n"); + } if (r != CURLE_OK) { debug("Error = %d (%s); Could not initialize curl globals", r, curl_easy_strerror(r)); 
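Review bot: In the hunk at -495, `strlen(tmp_str)` runs on the result of `wsman_transport_get_agent(cl)` without a NULL test. The string is released with `free(tmp_str)` in the following hunk, so it appears to be heap-allocated and the call can presumably fail; a check such as `if (tmp_str == NULL) { r = CURLE_OUT_OF_MEMORY; goto DONE; }` before computing `usag_len` would cover that. `usag` now comes from `u_malloc`, so its release further down, outside the hunk, should use the matching `u_free`.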
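Review bot: The messages added in the hunk at -701 end in `\n` (`"Error: Can't lock curl_mutex\n"`), while the `error()` calls this commit adds in wsman-client.c and wsman-soap.c do not; pick one form so the log output stays uniform. The unlock-and-report block is repeated here and again in `wsmc_transport_fini` in the next hunk; a small static helper would keep the copies identical.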
@@ -720,14 +729,21 @@ void wsmc_transport_fini(WsManClient *cl) { - pthread_mutex_lock(&curl_mutex); + if (pthread_mutex_lock(&curl_mutex)) { + error("Error: Can't lock curl_mutex\n"); + return; + } if (cl->initialized == 0 ) { - pthread_mutex_unlock(&curl_mutex); + if (pthread_mutex_unlock(&curl_mutex)) { + error("Error: Can't unlock curl_mutex\n"); + } return; } curl_global_cleanup(); cl->initialized = 0; - pthread_mutex_unlock(&curl_mutex); + if (pthread_mutex_unlock(&curl_mutex)) { + error("Error: Can't unlock curl_mutex\n"); + } return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/wsman-soap-envelope.c new/openwsman-2.6.10/src/lib/wsman-soap-envelope.c --- old/openwsman-2.6.9/src/lib/wsman-soap-envelope.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/wsman-soap-envelope.c 2019-08-07 13:02:18.000000000 +0200 @@ -126,7 +126,12 @@ size_t len = strlen(action) + sizeof(WSFW_RESPONSE_STR) + 2; char *tmp = (char *) u_malloc(sizeof(char) * len); if (tmp && action) { - sprintf(tmp, "%s%s", action, WSFW_RESPONSE_STR); + int ret; + ret = snprintf(tmp, len, "%s%s", action, WSFW_RESPONSE_STR); + if (ret < 0 || ret >= len) { + u_free(tmp); + return NULL; + } ws_xml_add_child(dstHeader, XML_NS_ADDRESSING, WSA_ACTION, tmp); u_free(tmp); @@ -666,11 +671,17 @@ node = ws_xml_get_child(node, 0, XML_NS_SE, WSSE_USERNAMETOKEN); if(node) { temp = ws_xml_get_child(node, 0, XML_NS_SE, WSSE_USERNAME); - if(temp) + if(temp) { + if (subsInfo->username) + u_free(subsInfo->username); subsInfo->username = u_strdup(ws_xml_get_node_text(temp)); + } temp = ws_xml_get_child(node, 0, XML_NS_SE, WSSE_PASSWORD); - if(temp) + if(temp) { + if (subsInfo->password) + u_free(subsInfo->password); subsInfo->password = u_strdup(ws_xml_get_node_text(temp)); + } } } debug("subsInfo->username = %s, subsInfo->password = %s", subsInfo->username, \ 
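Review bot: In the wsman-soap-envelope.c hunk at -126, `strlen(action)` in the `len` computation runs before the `if (tmp && action)` test, so the NULL check on `action` can never take effect; a NULL action is dereferenced first. Move the length computation and the allocation inside an `if (action)` guard. The function begins outside the hunk, so whether callers can pass NULL is not visible here.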
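Review bot: The context line `debug("subsInfo->username = %s, subsInfo->password = %s", ...)` at the end of the hunk at -666 writes the subscription password to the debug log in clear text. Log only whether a password was supplied, for example `debug("subsInfo->username = %s, password %s", subsInfo->username, subsInfo->password ? "set" : "unset");`. The previous password buffer is also released with `u_free` without being cleared first. The debug statement continues past the end of the hunk.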
@@ -680,8 +691,11 @@ node = ws_xml_get_child(tnode, 0, XML_NS_TRUST, WST_REQUESTEDSECURITYTOKEN); if(node) { node = ws_xml_get_child(node, 0, XML_NS_WS_MAN, WSM_CERTIFICATETHUMBPRINT); - if(node) + if(node) { + if (subsInfo->certificate_thumbprint) + u_free(subsInfo->certificate_thumbprint); subsInfo->certificate_thumbprint = u_strdup(ws_xml_get_node_text(node)); + } } } else { @@ -700,7 +714,7 @@ WsmanFaultDetailType *detailcode) { WsXmlNodeH node; - filter_t *wsman_f = NULL; + filter_t *wsman_f = NULL; filter_t *wse_f = NULL; if (!doc) return 0; @@ -716,11 +730,13 @@ wsman_f = filter_deserialize(node, XML_NS_WS_MAN); wse_f = filter_deserialize(node, XML_NS_EVENTING); - if (wsman_f && wse_f) { - /* return wse:InvalidMessage if wsman:Filter and wse:Filter are given + if (wsman_f && wse_f) { + /* return wse:InvalidMessage if wsman:Filter and wse:Filter are given * see R10.2.2-52 of DSP0226 */ - *faultcode = WSE_INVALID_MESSAGE; - return -1; + *faultcode = WSE_INVALID_MESSAGE; + filter_destroy(wsman_f); + filter_destroy(wse_f); + return -1; } /* use the wse:Filter variant if wsman:Filter not given */ if (!wsman_f) @@ -734,16 +750,19 @@ subsInfo->flags |= WSMAN_SUBSCRIPTION_WQL; else { *faultcode = WSE_FILTERING_NOT_SUPPORTED; + filter_destroy(wsman_f); return -1; } } else { if (is_existing_filter_epr(ws_xml_get_soap_header(doc), &wsman_f)) { *faultcode = WSE_FILTERING_NOT_SUPPORTED; + filter_destroy(wsman_f); return -1; } else { subsInfo->flags |= WSMAN_SUBSCRIPTION_SELECTORSET; } } + filter_destroy(wsman_f); } return 0; 
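Review bot: The unconditional `filter_destroy(wsman_f);` added at the end of the hunk at -734 is only safe if nothing keeps the pointer. The lines between this hunk and the previous one are not shown; if any of them stores `wsman_f`, or a member of it, in `subsInfo`, that reference dangles after the destroy. A comment at the call, such as `/* subsInfo keeps no reference to the filter */`, would record the ownership rule once it has been confirmed. `is_existing_filter_epr(..., &wsman_f)` takes the pointer by address, so whether it can replace the value should be checked as well.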
@@ -1080,7 +1099,6 @@ WSM_NAME); if (attrVal && !hash_lookup(h, attrVal)) { - sentry = u_malloc(sizeof(*sentry)); epr = ws_xml_get_child(selector, 0, XML_NS_ADDRESSING, WSA_EPR); if (epr) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/wsman-soap.c new/openwsman-2.6.10/src/lib/wsman-soap.c --- old/openwsman-2.6.9/src/lib/wsman-soap.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/wsman-soap.c 2019-08-07 13:06:36.000000000 +0200 @@ -154,7 +154,7 @@ return; } hash_delete_free(cntx->enuminfos, - hash_lookup(cntx->enuminfos, enumInfo->enumId)); + hash_lookup(cntx->enuminfos, enumInfo->enumId)); u_unlock(cntx->soap); } @@ -198,14 +198,22 @@ uuid = ws_xml_get_node_text(node); } if(uuid == NULL) return subsInfo; - pthread_mutex_lock(&soap->lockSubs); + if (pthread_mutex_lock(&soap->lockSubs)) + { + error("Error: Can't lock soap->lockSubs"); + return NULL; + } lnode = list_first(soapCntx->subscriptionMemList); while(lnode) { subsInfo = (WsSubscribeInfo *)lnode->list_data; if(!strcmp(subsInfo->subsId, uuid+5)) break; lnode = list_next(soapCntx->subscriptionMemList, lnode); } - pthread_mutex_unlock(&soap->lockSubs); + if (pthread_mutex_unlock(&soap->lockSubs)) + { + error("Error: Can't unlock soap->lockSubs"); + return NULL; + } if(lnode == NULL) return NULL; return subsInfo; } @@ -546,7 +554,7 @@ dispInfo = (WsManDispatcherInfo *) u_zalloc(size); if (dispInfo == NULL) { error("Could not allocate memory"); - u_free(soap); + soap_destroy(soap); return NULL; } debug("Registering %d plugins", (int) list_count(interfaces)); @@ -1049,6 +1057,7 @@ ws_serialize_str(epcntx->serializercntx, resp_node, enumInfo->enumId, XML_NS_ENUMERATION, WSENUM_ENUMERATION_CONTEXT, 0); insert_enum_info(soapCntx, enumInfo); + enumInfo = NULL; } DONE: 
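Review bot: In the wsman-soap.c hunk at -198, `strcmp(subsInfo->subsId, uuid+5)` skips five bytes of the text returned by `ws_xml_get_node_text(node)` without checking that the value is that long or starts with `uuid:`; a shorter identifier makes `uuid+5` point past the terminator. Guard it before taking the lock with `if (strncmp(uuid, "uuid:", 5) != 0) return NULL;`. The new `return NULL` after a failed unlock also discards a match that was already found, which may not be what callers expect. The function begins outside the hunk.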
@@ -1057,6 +1066,9 @@ } ws_destroy_context(epcntx); u_free(status.fault_msg); + if (enumInfo) { + destroy_enuminfo(enumInfo); + } return retVal; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/wsman-win-client-transport.c new/openwsman-2.6.10/src/lib/wsman-win-client-transport.c --- old/openwsman-2.6.9/src/lib/wsman-win-client-transport.c 2014-07-25 17:08:56.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/wsman-win-client-transport.c 2019-08-07 13:02:18.000000000 +0200 @@ -168,6 +168,7 @@ } if (cl->session_handle == NULL) { error("could not initialize session"); + u_free(host); return NULL; } @@ -499,6 +500,12 @@ pwd = convert_to_unicode(cl->data.pwd); usr = convert_to_unicode(cl->data.user); if ((pwd == NULL) || (usr == NULL)) { + if (pwd != NULL) { + u_free(pwd); + } + if (usr != NULL) { + u_free(usr); + } bDone = TRUE; bResults = 0; break; @@ -598,6 +605,12 @@ pwd = convert_to_unicode(cl->data.pwd); usr = convert_to_unicode(cl->data.user); if ((pwd == NULL) || (usr == NULL)) { + if (pwd != NULL) { + u_free(pwd); + } + if (usr != NULL) { + u_free(usr); + } bDone = TRUE; bResults = 0; break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/lib/wsman-xml.c new/openwsman-2.6.10/src/lib/wsman-xml.c --- old/openwsman-2.6.9/src/lib/wsman-xml.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/lib/wsman-xml.c 2019-08-07 12:57:22.000000000 +0200 
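Review bot: The cleanup added in the wsman-win-client-transport.c hunk at -499 releases `pwd`, the converted copy of `cl->data.pwd`, with a plain `u_free`, which leaves the password bytes in freed heap memory; the identical block in the hunk at -598 has the same gap. Clear the buffer before releasing it (SecureZeroMemory on Windows), on this error path and wherever the success path frees it outside the hunk. If `u_free` accepts NULL, the `!= NULL` guards around it are unnecessary.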
@@ -158,17 +158,23 @@ if (name && uri && name) { size_t len = 1 + strlen(name); WsXmlNsH ns = xml_parser_ns_find(node, uri, NULL, 1, 1); - const char *prefix = - (!ns) ? NULL : ws_xml_get_ns_prefix(ns); + const char *prefix = (!ns) ? NULL : ws_xml_get_ns_prefix(ns); if (prefix != NULL) len += 1 + strlen(prefix); - if ((buf = u_malloc(len)) != NULL) { - if (prefix != NULL && name != NULL) - sprintf(buf, "%s:%s", prefix, name); - else - strcpy(buf, name); + buf = u_malloc(len); + if (!buf) + return buf; + + if (prefix != NULL && name != NULL) { + int ret = snprintf(buf, len, "%s:%s", prefix, name); + if (ret < 0 || ret >= len) { + u_free(buf); + return NULL; + } + } else { + strncpy(buf, name, len); } } return buf; @@ -1263,7 +1269,9 @@ int retVal = -1; if (node) { char buf[12]; - sprintf(buf, "%lu", uVal); + int ret = snprintf(buf, sizeof(buf), "%lu", uVal); + if (ret < 0 || ret >= sizeof(buf)) + return -1; retVal = ws_xml_set_node_text(node, buf); } return retVal; @@ -1274,7 +1282,9 @@ int retVal = -1; if (node) { char buf[12]; - sprintf(buf, "%ld", Val); + int ret = snprintf(buf, sizeof(buf), "%ld", Val); + if (ret < 0 || ret >= sizeof(buf)) + return -1; retVal = ws_xml_set_node_text(node, buf); } return retVal; @@ -1286,7 +1296,9 @@ if (node) { /* __builtin___sprintf_chk' output between 13 and 15 bytes */ char buf[15]; - sprintf(buf, "%E", Val); + int ret = snprintf(buf, sizeof(buf), "%E", Val); + if (ret < 0 || ret >= sizeof(buf)) + return -1; retVal = ws_xml_set_node_text(node, buf); } return retVal; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/server/shttpd/shttpd.c new/openwsman-2.6.10/src/server/shttpd/shttpd.c --- old/openwsman-2.6.9/src/server/shttpd/shttpd.c 2018-11-20 09:04:10.000000000 +0100 +++ new/openwsman-2.6.10/src/server/shttpd/shttpd.c 2019-08-07 12:57:23.000000000 +0200 
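Review bot: In the wsman-xml.c hunk at -158, `strncpy(buf, name, len)` is used as a bounded `strcpy`, but `len` is `1 + strlen(name)` on this branch, so the bound adds nothing and hides that the copy is exact; `memcpy(buf, name, len);` says so directly. The outer condition `name && uri && name` tests `name` twice, and `ret >= len` compares an `int` with a `size_t`; `(size_t)ret >= len` avoids the sign-compare warning.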
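Review bot: In the hunk at -1263, `char buf[12]` cannot hold every `unsigned long` where long is 64 bits (up to 20 digits), so with the new truncation check any value of 100000000000 or more makes the function return -1 instead of being written; the signed variant in the hunk at -1274 has the same limit. Size the buffers from the type, e.g. `char buf[3 * sizeof(unsigned long) + 2];`, and keep the snprintf check as a backstop.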
@@ -21,11 +21,7 @@ int _shttpd_exit_flag; /* Program exit flag */ const struct vec _shttpd_known_http_methods[] = { - {"GET", 3}, {"POST", 4}, - {"PUT", 3}, - {"DELETE", 6}, - {"HEAD", 4}, {NULL, 0} }; @@ -336,10 +332,12 @@ } static void -remove_double_dots(char *s) +remove_all_leading_and_double_dots(char *s) { char *p = s; + while (*s != '\0' && *s == '.') s++; + while (*s != '\0') { *p++ = *s++; if (s[-1] == '/' || s[-1] == '\\') @@ -546,7 +544,7 @@ *c->query++ = '\0'; _shttpd_url_decode(c->uri, strlen(c->uri), c->uri, strlen(c->uri) + 1); - remove_double_dots(c->uri); + remove_all_leading_and_double_dots(c->uri); root = c->ctx->options[OPT_ROOT]; if (strlen(c->uri) + strlen(root) >= sizeof(path)) { @@ -556,6 +554,7 @@ (void) _shttpd_snprintf(path, sizeof(path), "%s%s", root, c->uri); + DBG(("decide_what_to_do -> processed path: [%s]", path)); /* User may use the aliases - check URI for mount point */ if (is_alias(c->ctx, c->uri, &alias_uri, &alias_path) != NULL) { (void) _shttpd_snprintf(path, sizeof(path), "%.*s%s", @@ -572,7 +571,10 @@ if ((ruri = _shttpd_is_registered_uri(c->ctx, c->uri)) != NULL) { _shttpd_setup_embedded_stream(c, ruri->callback, ruri->callback_data); - } else + } else { + _shttpd_send_server_error(c, 403, "Forbidden"); + } +#if 0 if (strstr(path, HTPASSWD)) { /* Do not allow to view passwords files */ _shttpd_send_server_error(c, 403, "Forbidden"); @@ -656,6 +658,8 @@ } else { _shttpd_send_server_error(c, 500, "Internal Error"); } +#endif //0 + return; } static int @@ -698,11 +702,11 @@ _shttpd_send_server_error(c, 500, "Cannot allocate request"); } + io_inc_tail(&c->rem.io, req_len); + if (c->loc.flags & FLAG_CLOSED) return; - io_inc_tail(&c->rem.io, req_len); - DBG(("Conn %d: parsing request: [%.*s]", c->rem.chan.sock, req_len, s)); c->rem.flags |= FLAG_HEADERS_PARSED; @@ -968,7 +972,7 @@ } -static void +static int connection_desctructor(struct llhead *lp) { struct conn *c = LL_ENTRY(lp, struct conn, link); 
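Review bot: In the shttpd.c hunks at -572 and -656, everything after the registered-URI lookup, including the HTPASSWD check and the file-serving branches, is fenced off with `#if 0` ... `#endif //0` rather than removed. Disabled code of this kind is one edit away from being re-enabled without the review this change received; delete it, together with any `path` and alias computation above that it leaves unused. A comment at the new `else`, such as `/* Only registered URIs are served; filesystem access is intentionally disabled. */`, would record the decision.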
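Review bot: Moving `io_inc_tail(&c->rem.io, req_len)` above the `FLAG_CLOSED` return in the hunk at -698 changes behaviour with no comment explaining why. Presumably the request bytes have to be consumed even when the local side is already closed, so that the keep-alive path does not see them again; state that at the call, e.g. `/* Consume the request even when bailing out, so it is not parsed a second time. */`. The function begins outside the hunk.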
@@ -992,7 +996,8 @@ * Check the "Connection: " header before we free c->request * If it its 'keep-alive', then do not close the connection */ - do_close = (c->ch.connection.v_vec.len >= vec.len && + do_close = c->rem.flags & FLAG_CLOSED || + (c->ch.connection.v_vec.len >= vec.len && !_shttpd_strncasecmp(vec.ptr,c->ch.connection.v_vec.ptr,vec.len)) || (c->major_version < 1 || (c->major_version >= 1 && c->minor_version < 1)); @@ -1014,7 +1019,7 @@ io_clear(&c->loc.io); c->birth_time = _shttpd_current_time; if (io_data_len(&c->rem.io) > 0) - process_connection(c, 0, 0); + return 1; } else { if (c->rem.io_class != NULL) c->rem.io_class->close(&c->rem); @@ -1025,6 +1030,8 @@ free(c); } + + return 0; } static void @@ -1032,7 +1039,7 @@ { struct worker *worker = LL_ENTRY(lp, struct worker, link); - free_list(&worker->connections, connection_desctructor); + free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor); free(worker); } @@ -1065,6 +1072,7 @@ static void process_connection(struct conn *c, int remote_ready, int local_ready) { +again: /* Read from remote end if it is ready */ if (remote_ready && io_space_len(&c->rem.io)) read_stream(&c->rem); @@ -1093,7 +1101,12 @@ if ((_shttpd_current_time > c->expire_time) || (c->rem.flags & FLAG_CLOSED) || ((c->loc.flags & FLAG_CLOSED) && !io_data_len(&c->loc.io))) - connection_desctructor(&c->link); + if (connection_desctructor(&c->link)) { + // More data to read and process ... + remote_ready = 0; + local_ready = 0; + goto again; + } } static int 
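Review bot: In the hunk at -1032, `(void (*)(struct llhead *))connection_desctructor` casts a function that now returns `int` to a `void`-returning pointer type, and calling a function through a pointer of an incompatible type is undefined behaviour in C; the same cast is added in the hunk at -1650. Pass a thin wrapper instead, `static void connection_destroy_cb(struct llhead *lp) { (void) connection_desctructor(lp); }`. A return value of 1 appears to mean the connection was kept for further data, which `free_list` cannot act on, so such a connection may not be released at worker teardown.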
@@ -1650,7 +1663,7 @@ while (worker->exit_flag == 0) poll_worker(worker, 1000 * 10); - free_list(&worker->connections, connection_desctructor); + free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor); free(worker); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/src/server/wsmand.c new/openwsman-2.6.10/src/server/wsmand.c --- old/openwsman-2.6.9/src/server/wsmand.c 2018-10-12 11:58:29.000000000 +0200 +++ new/openwsman-2.6.10/src/server/wsmand.c 2019-08-07 12:57:23.000000000 +0200 @@ -198,6 +198,10 @@ int fd; char *pid; + /* Change our CWD to / */ + i=chdir("/"); + assert(i == 0); + if (wsmand_options_get_foreground_debug() > 0) { return; } @@ -214,10 +218,6 @@ log_pid = 0; setsid(); - /* Change our CWD to / */ - i=chdir("/"); - assert(i == 0); - /* Close all file descriptors. */ for (i = getdtablesize(); i >= 0; --i) close(i); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openwsman-2.6.9/tests/cve new/openwsman-2.6.10/tests/cve --- old/openwsman-2.6.9/tests/cve 1970-01-01 01:00:00.000000000 +0100 +++ new/openwsman-2.6.10/tests/cve 2019-03-08 11:38:03.000000000 +0100 
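Review bot: In the wsmand.c hunk at -198, `assert(i == 0)` is the only check on `chdir("/")`, and assert compiles to nothing when NDEBUG is defined, so a release build would ignore a failure. Use an explicit test, `if (chdir("/") != 0) { perror("chdir"); exit(EXIT_FAILURE); }`. Because the call now sits above the foreground-debug early return, it also changes the working directory in foreground mode; extend the comment to say so if that is intended. The function begins outside the hunk.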
@@ -0,0 +1,3 @@ +echo -e "POST /../../../../../etc/shadow HTTP/1.1\r\nContent-Type: text/plain\r\nContent-Length: 6\r\nHello\r\n\r\n" | openssl s_client -connect localhost:5986 -quiet + +# echo -e "POST /../../../../../etc/shadow HTTP/1.1\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\nHello\r\n\r\n" | openssl s_client -connect localhost:5986 -quiet \ No newline at end of file ++++++ openwsman.firewalld ++++++ <?xml version="1.0" encoding="utf-8"?> <service> <short>Openwsman</short> <description>Openwsman is a project intended to provide an open-source implementation of the Web Services Management specification (WS-Management) and to expose system management information on the Linux operating system using the WS-Management protocol.</description> <port protocol="tcp" port="5985"/> <port protocol="tcp" port="5986"/> </service>
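Review bot: The new tests/cve script sends its request but never inspects the reply, so it cannot fail and does not work as a regression test. Capture the response and assert on the status line, which after the shttpd.c change in this commit should carry 403 for an unregistered URI, for example by piping the output into `grep -q ' 403 '`. The file also has no `#!` line while relying on `echo -e`, which behaves differently across shells; `printf` is the portable form.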