Hello community, here is the log from the commit of package shadowsocks-libev for openSUSE:Factory checked in at 2020-01-16 18:22:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shadowsocks-libev (Old) and /work/SRC/openSUSE:Factory/.shadowsocks-libev.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shadowsocks-libev" Thu Jan 16 18:22:02 2020 rev:13 rq:764828 version:3.3.4 Changes: -------- --- /work/SRC/openSUSE:Factory/shadowsocks-libev/shadowsocks-libev.changes 2019-11-15 00:08:47.044192887 +0100 +++ /work/SRC/openSUSE:Factory/.shadowsocks-libev.new.26092/shadowsocks-libev.changes 2020-01-16 18:22:14.925009020 +0100 @@ -1,0 +2,6 @@ +Wed Jan 15 13:39:42 UTC 2020 - Michael Du <duyizhaozj...@yahoo.com> + +- Update version to 3.3.4 + * Minor bug fixes. (#2539, #2565, #2566, #2577) + +------------------------------------------------------------------- @@ -5,0 +12,4 @@ + * Fix exploitable denial-of-service vulnerability exists in the + UDPRelay functionality (boo#1158251, CVE-2019-5163) + * Fix code execution vulnerability in the ss-manager binary + (boo#1158365, CVE-2019-5164) Old: ---- shadowsocks-libev-3.3.3.tar.gz New: ---- shadowsocks-libev-3.3.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shadowsocks-libev.spec ++++++ --- /var/tmp/diff_new_pack.wbkPWP/_old 2020-01-16 18:22:16.289009792 +0100 +++ /var/tmp/diff_new_pack.wbkPWP/_new 2020-01-16 18:22:16.305009801 +0100 @@ -1,7 +1,7 @@ # # spec file for package shadowsocks-libev # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,12 +19,12 @@ %define libver 2 Name: shadowsocks-libev -Version: 3.3.3 +Version: 3.3.4 Release: 0 Summary: Libev port of Shadowsocks License: GPL-3.0-or-later Group: Productivity/Networking/Web/Proxy -Url: https://github.com/shadowsocks/shadowsocks-libev +URL: https://github.com/shadowsocks/shadowsocks-libev Source0: https://github.com/shadowsocks/shadowsocks-libev/releases/download/v%{version}/%{name}-%{version}.tar.gz Source1: %{name}-config.json Source2: %{name}-client.service ++++++ shadowsocks-libev-3.3.3.tar.gz -> shadowsocks-libev-3.3.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/Changes new/shadowsocks-libev-3.3.4/Changes --- old/shadowsocks-libev-3.3.3/Changes 2019-10-31 08:08:13.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/Changes 2020-01-10 02:31:51.000000000 +0100 @@ -1,3 +1,10 @@ +shadowsocks-libev (3.3.4-1) unstable; urgency=medium + + * Minor bug fixes. (#2539, #2565, #2566, #2577) + * Security bug fixes. (CVE-2019-5163, CVE-2019-5164) + + -- Max Lv <max.c...@gmail.com> Fri, 10 Jan 2020 09:28:25 +0800 + shadowsocks-libev (3.3.3-1) unstable; urgency=medium * Refine the handling of suspicious connections. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/README.md new/shadowsocks-libev-3.3.4/README.md --- old/shadowsocks-libev-3.3.3/README.md 2019-10-31 08:08:25.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/README.md 2020-01-10 02:32:19.000000000 +0100 @@ -11,7 +11,7 @@ created by [@clowwindy](https://github.com/clowwindy), and maintained by [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang). -Current version: 3.3.3 | [Changelog](debian/changelog) +Current version: 3.3.4 | [Changelog](debian/changelog) ## Features 
@@ -81,7 +81,7 @@ Shadowsocks-libev is available in the official repository for following distributions: -* Debian 8 or higher, including oldstable (jessie), stable (stretch), testing (buster) and unstable (sid) +* Debian 8 or higher, including oldoldstable (jessie), old stable (stretch), stable (buster), testing (bullseye) and unstable (sid) * Ubuntu 16.10 or higher ```bash @@ -89,17 +89,6 @@ sudo apt install shadowsocks-libev ``` -For **Debian 8 (Jessie)** users, please install it from `jessie-backports-sloppy`: -We strongly encourage you to install shadowsocks-libev from `jessie-backports-sloppy`. -For more info about backports, you can refer [Debian Backports](https://backports.debian.org). - -```bash -sudo sh -c 'printf "deb http://deb.debian.org/debian jessie-backports main\n" > /etc/apt/sources.list.d/jessie-backports.list' -sudo sh -c 'printf "deb http://deb.debian.org/debian jessie-backports-sloppy main" >> /etc/apt/sources.list.d/jessie-backports.list' -sudo apt update -sudo apt -t jessie-backports-sloppy install shadowsocks-libev -``` - For **Debian 9 (Stretch)** users, please install it from `stretch-backports`: We strongly encourage you to install shadowsocks-libev from `stretch-backports`. For more info about backports, you can refer [Debian Backports](https://backports.debian.org). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/configure new/shadowsocks-libev-3.3.4/configure --- old/shadowsocks-libev-3.3.3/configure 2019-10-31 08:10:38.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/configure 2020-01-10 02:32:05.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for shadowsocks-libev 3.3.3. +# Generated by GNU Autoconf 2.69 for shadowsocks-libev 3.3.4. # # Report bugs to <max.c...@gmail.com>. # 
@@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='shadowsocks-libev' PACKAGE_TARNAME='shadowsocks-libev' -PACKAGE_VERSION='3.3.3' -PACKAGE_STRING='shadowsocks-libev 3.3.3' +PACKAGE_VERSION='3.3.4' +PACKAGE_STRING='shadowsocks-libev 3.3.4' PACKAGE_BUGREPORT='max.c...@gmail.com' PACKAGE_URL='' @@ -1366,7 +1366,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures shadowsocks-libev 3.3.3 to adapt to many kinds of systems. +\`configure' configures shadowsocks-libev 3.3.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1438,7 +1438,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of shadowsocks-libev 3.3.3:";; + short | recursive ) echo "Configuration of shadowsocks-libev 3.3.4:";; esac cat <<\_ACEOF @@ -1574,7 +1574,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -shadowsocks-libev configure 3.3.3 +shadowsocks-libev configure 3.3.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2097,7 +2097,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by shadowsocks-libev $as_me 3.3.3, which was +It was created by shadowsocks-libev $as_me 3.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4336,7 +4336,7 @@ # Define the identity of the package. PACKAGE='shadowsocks-libev' - VERSION='3.3.3' + VERSION='3.3.4' cat >>confdefs.h <<_ACEOF 
@@ -16987,7 +16987,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by shadowsocks-libev $as_me 3.3.3, which was +This file was extended by shadowsocks-libev $as_me 3.3.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17053,7 +17053,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -shadowsocks-libev config.status 3.3.3 +shadowsocks-libev config.status 3.3.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/configure.ac new/shadowsocks-libev-3.3.4/configure.ac --- old/shadowsocks-libev-3.3.3/configure.ac 2019-10-31 08:10:07.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/configure.ac 2020-01-10 02:27:34.000000000 +0100 @@ -2,7 +2,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ([2.67]) -AC_INIT([shadowsocks-libev], [3.3.3], [max.c...@gmail.com]) +AC_INIT([shadowsocks-libev], [3.3.4], [max.c...@gmail.com]) AC_CONFIG_SRCDIR([src/crypto.c]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_AUX_DIR(auto) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/debian/changelog new/shadowsocks-libev-3.3.4/debian/changelog --- old/shadowsocks-libev-3.3.3/debian/changelog 2019-10-31 08:08:00.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/debian/changelog 2020-01-10 02:31:47.000000000 +0100 
@@ -1,3 +1,10 @@ +shadowsocks-libev (3.3.4-1) unstable; urgency=medium + + * Minor bug fixes. (#2539, #2565, #2566, #2577) + * Security bug fixes. (CVE-2019-5163, CVE-2019-5164) + + -- Max Lv <max.c...@gmail.com> Fri, 10 Jan 2020 09:28:25 +0800 + shadowsocks-libev (3.3.3-1) unstable; urgency=medium * Refine the handling of suspicious connections. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/docker/alpine/Dockerfile new/shadowsocks-libev-3.3.4/docker/alpine/Dockerfile --- old/shadowsocks-libev-3.3.3/docker/alpine/Dockerfile 2019-10-30 02:38:23.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/docker/alpine/Dockerfile 2020-01-10 02:26:42.000000000 +0100 @@ -21,6 +21,7 @@ automake \ build-base \ c-ares-dev \ + libcap \ libev-dev \ libtool \ libsodium-dev \ @@ -32,6 +33,7 @@ && ./autogen.sh \ && ./configure --prefix=/usr --disable-documentation \ && make install \ + && ls /usr/bin/ss-* | xargs -n1 setcap cap_net_bind_service+ep \ && apk del .build-deps \ # Runtime dependencies setup && apk add --no-cache \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/docker/mingw/Dockerfile new/shadowsocks-libev-3.3.4/docker/mingw/Dockerfile --- old/shadowsocks-libev-3.3.3/docker/mingw/Dockerfile 2019-06-21 07:31:02.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/docker/mingw/Dockerfile 2020-01-10 02:26:42.000000000 +0100 
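Review bot: The added `ls /usr/bin/ss-* | xargs -n1 setcap cap_net_bind_service+ep` step in the second docker/alpine/Dockerfile hunk grants the file capability to every installed `ss-*` binary, not only to the ones that must listen on a port below 1024. Naming the binaries explicitly, for example `setcap cap_net_bind_service+ep /usr/bin/ss-server`, keeps the grant minimal and avoids parsing `ls` output; which binaries the image actually runs is outside the hunk and needs confirming. A comment above the step such as `# allow binding ports <1024 without running as root` would record why `libcap` was added to the package list in the first hunk. The RUN instruction starts and ends outside both hunks.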
@@ -18,18 +18,20 @@ # <http://www.gnu.org/licenses/>. # -FROM debian:testing +FROM debian:stretch ARG REPO=shadowsocks ARG REV=master -ADD docker/mingw/prepare.sh / +ADD docker/mingw/apt.sh / RUN \ - /bin/bash -c "source /prepare.sh && dk_prepare" && \ + /bin/bash -c "source /apt.sh && dk_prepare" && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /build +ADD docker/mingw/prepare.sh / + RUN /bin/bash -c "source /prepare.sh && dk_download" ADD docker/mingw/deps.sh / diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/docker/mingw/apt.sh new/shadowsocks-libev-3.3.4/docker/mingw/apt.sh --- old/shadowsocks-libev-3.3.3/docker/mingw/apt.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/docker/mingw/apt.sh 2020-01-10 02:26:42.000000000 +0100 
@@ -0,0 +1,31 @@ +#!/bin/bash +# +# Functions for building MinGW port in Docker +# +# This file is part of the shadowsocks-libev. +# +# shadowsocks-libev is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# shadowsocks-libev is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with shadowsocks-libev; see the file COPYING. If not, see +# <http://www.gnu.org/licenses/>. +# + +# Exit on error +set -e + +# Build steps + +dk_prepare() { + apt-get update -y + apt-get install --no-install-recommends -y \ + mingw-w64 aria2 git make automake autoconf libtool ca-certificates +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/docker/mingw/build.sh new/shadowsocks-libev-3.3.4/docker/mingw/build.sh --- old/shadowsocks-libev-3.3.3/docker/mingw/build.sh 2019-06-21 07:31:02.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/docker/mingw/build.sh 2020-01-10 02:26:42.000000000 +0100 @@ -43,6 +43,7 @@ --with-pcre="$dep" \ --with-cares="$dep" \ CFLAGS="-DCARES_STATICLIB -DPCRE_STATIC" + make clean make -j$cpu LDFLAGS="-all-static -L${dep}/lib" make install diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/docker/mingw/deps.sh new/shadowsocks-libev-3.3.4/docker/mingw/deps.sh --- old/shadowsocks-libev-3.3.3/docker/mingw/deps.sh 2019-04-30 02:50:32.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/docker/mingw/deps.sh 2020-01-10 02:26:42.000000000 +0100 
@@ -53,6 +53,7 @@ # sodium cd "$SRC/$SODIUM_SRC" + ./autogen.sh ./configure $args make clean make -j$cpu install diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/docker/mingw/prepare.sh new/shadowsocks-libev-3.3.4/docker/mingw/prepare.sh --- old/shadowsocks-libev-3.3.3/docker/mingw/prepare.sh 2019-04-30 02:50:32.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/docker/mingw/prepare.sh 2020-01-10 02:26:42.000000000 +0100 @@ -48,9 +48,9 @@ MBEDTLS_URL=https://tls.mbed.org/download/mbedtls-${MBEDTLS_VER}-apache.tgz ## Sodium -SODIUM_VER=1.0.16 -SODIUM_SRC=libsodium-${SODIUM_VER} -SODIUM_URL=https://download.libsodium.org/libsodium/releases/${SODIUM_SRC}.tar.gz +SODIUM_VER=1.0.18 +SODIUM_SRC=libsodium-${SODIUM_VER}-RELEASE +SODIUM_URL=https://github.com/jedisct1/libsodium/archive/${SODIUM_VER}-RELEASE.tar.gz ## PCRE PCRE_VER=8.41 @@ -64,12 +64,6 @@ # Build steps -dk_prepare() { - apt-get update -y - apt-get install --no-install-recommends -y \ - mingw-w64 aria2 git make automake autoconf libtool ca-certificates -} - dk_download() { mkdir -p "${SRC}" cd "${SRC}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/libbloom/Makefile new/shadowsocks-libev-3.3.4/libbloom/Makefile --- old/shadowsocks-libev-3.3.3/libbloom/Makefile 2019-10-31 08:11:15.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/libbloom/Makefile 2020-01-10 02:32:59.000000000 +0100 @@ -239,10 +239,10 @@ PACKAGE = shadowsocks-libev PACKAGE_BUGREPORT = max.c...@gmail.com PACKAGE_NAME = shadowsocks-libev -PACKAGE_STRING = shadowsocks-libev 3.3.3 +PACKAGE_STRING = shadowsocks-libev 3.3.4 PACKAGE_TARNAME = shadowsocks-libev PACKAGE_URL = -PACKAGE_VERSION = 3.3.3 +PACKAGE_VERSION = 3.3.4 PATH_SEPARATOR = : PCRE_CONFIG = pcre-config PTHREAD_CC = gcc 
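Review bot: The new `SODIUM_URL` in the `@@ -48,9 +48,9 @@` hunk of docker/mingw/prepare.sh points at a GitHub archive of the `1.0.18-RELEASE` tag, and nothing visible pins the download to a known digest. Whether `dk_download` verifies the tarball is outside the hunk; if it does not, I would add a pinned value next to the version, e.g. `SODIUM_SHA256=<expected-sha256>` (placeholder), and compare it before unpacking. The deps.sh hunk above now runs `./autogen.sh` in the libsodium tree, presumably because this archive ships without a generated `configure`, so the build executes more code from the downloaded source than before, which makes the pin more worthwhile.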
@@ -253,7 +253,7 @@ SET_MAKE = SHELL = /bin/bash STRIP = strip -VERSION = 3.3.3 +VERSION = 3.3.4 XMLTO = /usr/bin/xmlto abs_builddir = /home/mlv/workspace/shadowsocks-libev/libbloom abs_srcdir = /home/mlv/workspace/shadowsocks-libev/libbloom diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/shadowsocks-libev.pc.in new/shadowsocks-libev-3.3.4/shadowsocks-libev.pc.in --- old/shadowsocks-libev-3.3.3/shadowsocks-libev.pc.in 2019-04-30 02:50:32.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/shadowsocks-libev.pc.in 2020-01-10 02:26:42.000000000 +0100 @@ -9,4 +9,4 @@ Version: @VERSION@ Requires: Cflags: -I${includedir} -Libs: -L${libdir} -lshadowsocks-libev -lcrypto +Libs: -L${libdir} -lshadowsocks-libev diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/src/aead.c new/shadowsocks-libev-3.3.4/src/aead.c --- old/shadowsocks-libev-3.3.3/src/aead.c 2019-10-30 02:38:23.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/src/aead.c 2020-01-10 02:26:42.000000000 +0100 @@ -617,9 +617,6 @@ sodium_increment(n, nlen); - if (*clen > chunk_len) - memmove(c, c + chunk_len, *clen - chunk_len); - *clen = *clen - chunk_len; return CRYPTO_OK; 
@@ -671,22 +668,27 @@ } size_t plen = 0; + size_t cidx = 0; while (cipher_ctx->chunk->len > 0) { size_t chunk_clen = cipher_ctx->chunk->len; size_t chunk_plen = 0; err = aead_chunk_decrypt(cipher_ctx, (uint8_t *)plaintext->data + plen, - (uint8_t *)cipher_ctx->chunk->data, + (uint8_t *)cipher_ctx->chunk->data + cidx, cipher_ctx->nonce, &chunk_plen, &chunk_clen); if (err == CRYPTO_ERROR) { return err; } else if (err == CRYPTO_NEED_MORE) { if (plen == 0) return err; - else + else{ + memmove((uint8_t *)cipher_ctx->chunk->data, + (uint8_t *)cipher_ctx->chunk->data + cidx, chunk_clen); break; + } } cipher_ctx->chunk->len = chunk_clen; + cidx += cipher_ctx->cipher->tag_len * 2 + CHUNK_SIZE_LEN + chunk_plen; plen += chunk_plen; } plaintext->len = plen; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/src/manager.c new/shadowsocks-libev-3.3.4/src/manager.c --- old/shadowsocks-libev-3.3.3/src/manager.c 2019-10-30 02:38:23.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/src/manager.c 2020-01-10 02:26:42.000000000 +0100 @@ -212,10 +212,6 @@ int len = strlen(cmd); snprintf(cmd + len, BUF_SIZE - len, " -d \"%s\"", manager->nameservers); } - if (manager->workdir) { - int len = strlen(cmd); - snprintf(cmd + len, BUF_SIZE - len, " -D \"%s\"", manager->workdir); - } for (i = 0; i < manager->host_num; i++) { int len = strlen(cmd); snprintf(cmd + len, BUF_SIZE - len, " -s %s", manager->hosts[i]); @@ -1080,12 +1076,7 @@ daemonize(pid_path); } - if (manager_address == NULL) { - manager_address = "127.0.0.1:8839"; - LOGI("using the default manager address: %s", manager_address); - } - - if (server_num == 0 || manager_address == NULL) { + if (server_num == 0) { usage(); exit(EXIT_FAILURE); } 
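Review bot: The new read offset `cidx` is advanced with `cipher_ctx->cipher->tag_len * 2 + CHUNK_SIZE_LEN + chunk_plen`, which re-derives the number of bytes `aead_chunk_decrypt` consumed instead of taking it from the callee; if the two formulas ever drift apart, the next call reads from the wrong place in `chunk->data`. The callee already reports the consumed length through `*clen` (`*clen = *clen - chunk_len;` in the previous hunk), so I would write `cidx += cipher_ctx->chunk->len - chunk_clen;` and place it before `cipher_ctx->chunk->len = chunk_clen;`. A comment on the `memmove` in the `CRYPTO_NEED_MORE` branch, e.g. `/* keep the undecrypted tail at the start of the buffer for the next call */`, would document why the move left `aead_chunk_decrypt`. The enclosing function starts and ends outside this hunk.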
@@ -1102,6 +1093,50 @@ LOGI("using tcp no-delay"); } +#ifndef __MINGW32__ + // setuid + if (user != NULL && !run_as(user)) { + FATAL("failed to switch user"); + } + + if (geteuid() == 0) { + LOGI("running from root user"); + } +#endif + + struct passwd *pw = getpwuid(getuid()); + + if (workdir == NULL || strlen(workdir) == 0) { + workdir = pw->pw_dir; + // If home dir is still not defined or set to nologin/nonexistent, fall back to /tmp + if (strstr(workdir, "nologin") || strstr(workdir, "nonexistent") || workdir == NULL || strlen(workdir) == 0) { + workdir = "/tmp"; + } + + working_dir_size = strlen(workdir) + 15; + working_dir = ss_malloc(working_dir_size); + snprintf(working_dir, working_dir_size, "%s/.shadowsocks", workdir); + } else { + working_dir_size = strlen(workdir) + 2; + working_dir = ss_malloc(working_dir_size); + snprintf(working_dir, working_dir_size, "%s", workdir); + } + LOGI("working directory points to %s", working_dir); + + int err = mkdir(working_dir, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH); + if (err != 0 && errno != EEXIST) { + ERROR("mkdir"); + ss_free(working_dir); + FATAL("unable to create working directory"); + } + + if (manager_address == NULL) { + size_t manager_address_size = strlen(workdir) + 20; + manager_address = ss_malloc(manager_address_size); + snprintf(manager_address, manager_address_size, "%s/.ss-manager.socks", workdir); + LOGI("using the default manager address: %s", manager_address); + } + // ignore SIGPIPE signal(SIGPIPE, SIG_IGN); signal(SIGCHLD, SIG_IGN); 
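Review bot: `getpwuid(getuid())` can return NULL, and the branch that follows reads `pw->pw_dir` unchecked; the `workdir == NULL` test also comes after the two `strstr(workdir, ...)` calls in the same condition, so it cannot protect them. I would take `const char *home = pw ? pw->pw_dir : NULL;` and test `home == NULL || strlen(home) == 0` before the `strstr` checks. Separately, when the `/tmp` fallback is taken, the default control socket `%s/.ss-manager.socks` and the `.shadowsocks` directory land in a world-writable location, `mkdir` asks for group-write and world-read (`S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH`), and `EEXIST` is accepted without checking who owns the existing directory. `S_IRWXU` plus an ownership check on an existing directory would be the safer default. The enclosing function starts and ends outside this hunk.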
@@ -1144,43 +1179,6 @@ // initialize ev loop struct ev_loop *loop = EV_DEFAULT; -#ifndef __MINGW32__ - // setuid - if (user != NULL && !run_as(user)) { - FATAL("failed to switch user"); - } - - if (geteuid() == 0) { - LOGI("running from root user"); - } -#endif - - struct passwd *pw = getpwuid(getuid()); - - if (workdir == NULL || strlen(workdir) == 0) { - workdir = pw->pw_dir; - // If home dir is still not defined or set to nologin/nonexistent, fall back to /tmp - if (strstr(workdir, "nologin") || strstr(workdir, "nonexistent") || workdir == NULL || strlen(workdir) == 0) { - workdir = "/tmp"; - } - - working_dir_size = strlen(workdir) + 15; - working_dir = ss_malloc(working_dir_size); - snprintf(working_dir, working_dir_size, "%s/.shadowsocks", workdir); - } else { - working_dir_size = strlen(workdir) + 2; - working_dir = ss_malloc(working_dir_size); - snprintf(working_dir, working_dir_size, "%s", workdir); - } - LOGI("working directory points to %s", working_dir); - - int err = mkdir(working_dir, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH); - if (err != 0 && errno != EEXIST) { - ERROR("mkdir"); - ss_free(working_dir); - FATAL("unable to create working directory"); - } - // Clean up all existed processes DIR *dp; struct dirent *ep; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/src/netutils.c new/shadowsocks-libev-3.3.4/src/netutils.c --- old/shadowsocks-libev-3.3.3/src/netutils.c 2019-08-09 08:51:26.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/src/netutils.c 2020-01-10 02:26:42.000000000 +0100 
@@ -99,18 +99,18 @@ inet_pton(AF_INET, host, &addr->sin_addr); addr->sin_family = AF_INET; LOGI("binding to outbound IPv4 addr: %s", host); - return 0; + return AF_INET; } else if (ip.version == 6) { memset(storage_v6, 0, sizeof(struct sockaddr_storage)); struct sockaddr_in6 *addr = (struct sockaddr_in6 *)storage_v6; inet_pton(AF_INET6, host, &addr->sin6_addr); addr->sin6_family = AF_INET6; LOGI("binding to outbound IPv6 addr: %s", host); - return 0; + return AF_INET6; } } } - return -1; + return 0; } int diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/src/redir.c new/shadowsocks-libev-3.3.4/src/redir.c --- old/shadowsocks-libev-3.3.3/src/redir.c 2019-08-09 08:51:26.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/src/redir.c 2020-01-10 02:26:42.000000000 +0100 @@ -1074,7 +1074,7 @@ } if (method == NULL) { - method = "rc4-md5"; + method = "chacha20-ietf-poly1305"; } if (timeout == NULL) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/src/server.c new/shadowsocks-libev-3.3.4/src/server.c --- old/shadowsocks-libev-3.3.3/src/server.c 2019-10-30 02:44:38.000000000 +0100 +++ new/shadowsocks-libev-3.3.4/src/server.c 2020-01-10 02:26:42.000000000 +0100 @@ -478,10 +478,12 @@ if (is_bind_local_addr) { struct sockaddr_storage *local_addr = res->ai_family == AF_INET ? &local_addr_v4 : &local_addr_v6; - if (bind_to_addr(local_addr, sockfd) == -1) { - ERROR("bind_to_addr"); - close(sockfd); - return NULL; + if (res->ai_family == local_addr->ss_family) { + if (bind_to_addr(local_addr, sockfd) == -1) { + ERROR("bind_to_addr"); + FATAL("cannot bind socket"); + return NULL; + } } } 
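Review bot: `parse_local_addr` now returns `AF_INET` or `AF_INET6` on success and 0 on failure, which inverts the old 0 / -1 convention, and nothing in the netutils.c hunk documents the new contract. A caller still testing `== 0` for success would treat a failed parse as a configured bind address; the server.c call sites in this diff are updated, other callers (if any) are not visible here. I would add a comment above the function, e.g. `/* Returns the family written to storage (AF_INET or AF_INET6), or 0 when nothing was parsed. */`. In the server.c hunks the result is accumulated with `is_bind_local_addr += parse_local_addr(...)`, so the flag ends up holding a sum of family constants; `if (parse_local_addr(...) != 0) is_bind_local_addr = 1;` states the intent more plainly. The function starts outside this hunk.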
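Review bot: In the `@@ -478,10 +478,12 @@` hunk of server.c a `bind_to_addr` failure now calls `FATAL("cannot bind socket")` and no longer closes `sockfd`. FATAL is defined outside this diff; if it terminates the process, one failed bind on a single socket stops the whole server, and if it returns, `sockfd` leaks on the `return NULL` path. Keeping the previous handling, `close(sockfd); return NULL;` after `ERROR("bind_to_addr")`, avoids both outcomes. The enclosing function starts and ends outside the hunk, so whether this path runs once per connection needs confirming.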
@@ -1568,6 +1570,8 @@ int server_num = 0; ss_addr_t server_addr[MAX_REMOTE_NUM]; memset(server_addr, 0, sizeof(ss_addr_t) * MAX_REMOTE_NUM); + memset(&local_addr_v4, 0, sizeof(struct sockaddr_storage)); + memset(&local_addr_v6, 0, sizeof(struct sockaddr_storage)); static struct option long_options[] = { { "fast-open", no_argument, NULL, GETOPT_VAL_FAST_OPEN }, @@ -1635,8 +1639,7 @@ } break; case 'b': - if (parse_local_addr(&local_addr_v4, &local_addr_v6, optarg) == 0) - is_bind_local_addr = 1; + is_bind_local_addr += parse_local_addr(&local_addr_v4, &local_addr_v6, optarg); break; case 'p': server_port = optarg; @@ -1760,12 +1763,11 @@ fast_open = conf->fast_open; } if (is_bind_local_addr == 0) { - if (parse_local_addr(&local_addr_v4, &local_addr_v6, conf->local_addr) == 0) - is_bind_local_addr = 1; - if (parse_local_addr(&local_addr_v4, &local_addr_v6, conf->local_addr_v4) == 0) - is_bind_local_addr = 1; - if (parse_local_addr(&local_addr_v4, &local_addr_v6, conf->local_addr_v6) == 0) - is_bind_local_addr = 1; + is_bind_local_addr += parse_local_addr(&local_addr_v4, &local_addr_v6, conf->local_addr); + } + if (is_bind_local_addr == 0) { + is_bind_local_addr += parse_local_addr(&local_addr_v4, &local_addr_v6, conf->local_addr_v4); + is_bind_local_addr += parse_local_addr(&local_addr_v4, &local_addr_v6, conf->local_addr_v6); } #ifdef HAVE_SETRLIMIT if (nofile == 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shadowsocks-libev-3.3.3/src/udprelay.c new/shadowsocks-libev-3.3.4/src/udprelay.c --- old/shadowsocks-libev-3.3.3/src/udprelay.c 2019-08-09 08:51:26.000000000 +0200 +++ new/shadowsocks-libev-3.3.4/src/udprelay.c 2020-01-10 02:26:42.000000000 +0100 
@@ -377,15 +377,17 @@ } #ifdef MODULE_REMOTE if (is_bind_local_addr) { - if (bind_to_addr(&local_addr_v6, remote_sock) == -1) { - ERROR("bind_to_addr"); - FATAL("[udp] cannot bind remote"); - return -1; + if (local_addr_v6.ss_family == AF_INET6) { + if (bind_to_addr(&local_addr_v6, remote_sock) == -1) { + ERROR("bind_to_addr"); + FATAL("[udp] cannot bind socket"); + return -1; + } } } else { #endif if (bind(remote_sock, (struct sockaddr *)&addr, sizeof(addr)) != 0) { - FATAL("[udp] cannot bind remote"); + FATAL("[udp] cannot bind socket"); return -1; } #ifdef MODULE_REMOTE @@ -405,10 +407,12 @@ } #ifdef MODULE_REMOTE if (is_bind_local_addr) { - if (bind_to_addr(&local_addr_v4, remote_sock) == -1) { - ERROR("bind_to_addr"); - FATAL("[udp] cannot bind remote"); - return -1; + if (local_addr_v4.ss_family == AF_INET) { + if (bind_to_addr(&local_addr_v4, remote_sock) == -1) { + ERROR("bind_to_addr"); + FATAL("[udp] cannot bind socket"); + return -1; + } } } else { #endif @@ -492,7 +496,7 @@ } #ifdef IP_TOS // Set QoS flag - int tos = 46; + int tos = 46 << 2; int proto = rp->ai_family == AF_INET6 ? IPPROTO_IP : IPPROTO_IPV6; setsockopt(server_sock, proto, IP_TOS, &tos, sizeof(tos)); #endif @@ -654,7 +658,7 @@ #endif #ifdef IP_TOS // Set QoS flag - int tos = 46; + int tos = 46 << 2; int proto = addr->sa_family == AF_INET6 ? IPPROTO_IP : IPPROTO_IPV6; setsockopt(remotefd, proto, IP_TOS, &tos, sizeof(tos)); #endif @@ -842,7 +846,7 @@ } #ifdef IP_TOS // Set QoS flag - int tos = 46; + int tos = 46 << 2; int proto = remote_ctx->src_addr.ss_family == AF_INET6 ? IPPROTO_IP : IPPROTO_IPV6; setsockopt(src_fd, proto, IP_TOS, &tos, sizeof(tos)); #endif @@ -1175,7 +1179,7 @@ #endif #ifdef IP_TOS // Set QoS flag - int tos = 46; + int tos = 46 << 2; setsockopt(remotefd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)); #endif #ifdef SET_INTERFACE 
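Review bot: When `is_bind_local_addr` is set but `local_addr_v6.ss_family != AF_INET6`, neither `bind_to_addr` nor the `else` branch's `bind()` runs, so `remote_sock` is left unbound and the configured local address is ignored for that family without any message; the `@@ -405,10 +407,12 @@` hunk has the same shape for `local_addr_v4`. An operator who set a local address to control the egress source gets no indication that it was not applied. I would log the skip, e.g. `LOGI("[udp] no local IPv6 address configured, leaving socket unbound");`, or add a comment stating that the skip is intended. Both enclosing functions start and end outside the hunks.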
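Review bot: The `proto` ternary on the line after each changed `tos` assignment looks inverted: `rp->ai_family == AF_INET6 ? IPPROTO_IP : IPPROTO_IPV6` picks the IPv4 level for IPv6 sockets and the IPv6 level for IPv4 ones, and the `setsockopt` result is ignored, so a rejected option goes unnoticed and the corrected value `46 << 2` may never be applied. This applies to the `@@ -492,7`, `@@ -654,7`, `@@ -842,7` and `@@ -1264,7` hunks; `@@ -1175,7` passes `IPPROTO_IP` directly. I would swap the branches and use the IPv6 option on IPv6 sockets, e.g. `setsockopt(server_sock, IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos))`, keeping `IPPROTO_IP` with `IP_TOS` for IPv4, and log a failed call. A comment such as `/* DSCP EF (46) shifted into the upper six bits of the TOS byte */` would explain the new constant.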
@@ -1264,7 +1268,7 @@ #endif #ifdef IP_TOS // Set QoS flag - int tos = 46; + int tos = 46 << 2; int proto = dst_addr.ss_family == AF_INET6 ? IPPROTO_IP : IPPROTO_IPV6; setsockopt(remotefd, proto, IP_TOS, &tos, sizeof(tos)); #endif