Below is a diff that updates websockify to the latest release, 0.8.0, and adds
a patch that fixes the SECURITY issue described at:
http://marc.info/?l=full-disclosure&m=146469562404285&w=2

patch comes from upstream
https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9.patch

only the port net/noVNC depends on websockify library, builds fine...
(not tested though).

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/websockify/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- Makefile    22 Dec 2015 14:41:52 -0000      1.2
+++ Makefile    3 Jun 2016 03:21:02 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       WebSocket to TCP proxy
 
-MODPY_EGG_VERSION= 0.7.0
-REVISION=      0
+MODPY_EGG_VERSION= 0.8.0
 DISTNAME=      websockify-${MODPY_EGG_VERSION}
 
 CATEGORIES=    net
@@ -28,7 +27,7 @@ post-build:
        cd ${WRKSRC}; env ${MAKE_ENV} ${MAKE_PROGRAM} ${MAKE_FLAGS}
 
 post-install:
-       ${INSTALL_DATA} ${WRKSRC}/docs/websockify.1 ${PREFIX}/man/man1/
+       ${INSTALL_MAN} ${WRKSRC}/docs/websockify.1 ${PREFIX}/man/man1/
        ${INSTALL_DATA_DIR} ${PREFIX}/lib/websockify
        ${INSTALL_DATA} ${WRKSRC}/rebind.so ${PREFIX}/lib/websockify/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/websockify/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- distinfo    18 Dec 2015 13:18:39 -0000      1.1.1.1
+++ distinfo    3 Jun 2016 03:21:02 -0000
@@ -1,2 +1,2 @@
-SHA256 (websockify-0.7.0.tar.gz) = imOOkKGm3+CGI0XQadkx3x1JatsV2ylL/HB3pd8t7Ms=
-SIZE (websockify-0.7.0.tar.gz) = 286470
+SHA256 (websockify-0.8.0.tar.gz) = 8IDkCz9CnzncVXxixtcVpoMQDnwQxVf6N2ttveIzWM4=
+SIZE (websockify-0.8.0.tar.gz) = 288359
cvs server: Diffing patches
Index: patches/patch-other_websocket_c
===================================================================
RCS file: patches/patch-other_websocket_c
diff -N patches/patch-other_websocket_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-other_websocket_c     3 Jun 2016 03:21:02 -0000
@@ -0,0 +1,48 @@
+$OpenBSD$
+
+fix SECURITY issue:
+http://marc.info/?l=full-disclosure&m=146469562404285&w=2
+upstream patch:
+https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9.patch
+
+--- other/websocket.c.orig     Thu Feb 18 16:11:15 2016
++++ other/websocket.c  Fri Jun  3 00:17:08 2016
+@@ -612,15 +612,28 @@ ws_ctx_t *do_handshake(int sock) {
+     }
+     offset = 0;
+     for (i = 0; i < 10; i++) {
+-        len = ws_recv(ws_ctx, handshake+offset, 4096);
+-        if (len == 0) {
++        /* (offset + 1): reserve one byte for the trailing '' */
++        if (0 > (len = ws_recv(ws_ctx, handshake + offset, sizeof(handshake) 
- (offset + 1)))) {
++            handler_emsg("Read error during handshake: %m
");
++            free_ws_ctx(ws_ctx);
++            return NULL;
++        } else if (0 == len) {
+             handler_emsg("Client closed during handshake
");
++            free_ws_ctx(ws_ctx);
+             return NULL;
+         }
+         offset += len;
+         handshake[offset] = 0;
+         if (strstr(handshake, "

")) {
+             break;
++        } else if (sizeof(handshake) <= (size_t)(offset + 1)) {
++            handler_emsg("Oversized handshake
");
++            free_ws_ctx(ws_ctx);
++            return NULL;
++        } else if (9 == i) {
++            handler_emsg("Incomplete handshake
");
++            free_ws_ctx(ws_ctx);
++            return NULL;
+         }
+         usleep(10);
+     }
+@@ -628,6 +641,7 @@ ws_ctx_t *do_handshake(int sock) {
+     //handler_msg("handshake: %s
", handshake);
+     if (!parse_handshake(ws_ctx, handshake)) {
+         handler_emsg("Invalid WS request
");
++        free_ws_ctx(ws_ctx);
+         return NULL;
+     }
+ 
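Review bot: The new read-error message in the first inner hunk of other/websocket.c uses `%m`, which is a non-standard printf extension (glibc) rather than ISO C. The definition of handler_emsg is not visible here, but if it forwards to the platform's printf family, the errno text may not be rendered on every libc. A portable form would be `handler_emsg("Read error during handshake: %s\n", strerror(errno));`, assuming `<string.h>` and `<errno.h>` are already included in that file. Separately, the bound passed to ws_recv and the "Oversized handshake" check are only correct if `sizeof(handshake)` is the size of a real array in this scope. do_handshake starts and ends outside the hunk, so that declaration should be confirmed (the removed literal 4096 suggests a 4096-byte buffer).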
Index: patches/patch-websockify_websocket_py
===================================================================
RCS file: /cvs/ports/net/websockify/patches/patch-websockify_websocket_py,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-websockify_websocket_py
--- patches/patch-websockify_websocket_py       18 Dec 2015 13:18:39 -0000      
1.1.1.1
+++ patches/patch-websockify_websocket_py       3 Jun 2016 03:21:02 -0000
@@ -1,7 +1,7 @@
 $OpenBSD: patch-websockify_websocket_py,v 1.1.1.1 2015/12/18 13:18:39 sthen 
Exp $
---- websockify/websocket.py.orig       Fri Dec 18 12:31:42 2015
-+++ websockify/websocket.py    Fri Dec 18 12:34:27 2015
-@@ -711,15 +711,6 @@ class WebSocketServer(object):
+--- websockify/websocket.py.orig       Thu Feb 18 16:11:15 2016
++++ websockify/websocket.py    Thu Jun  2 23:57:19 2016
+@@ -722,15 +722,6 @@ class WebSocketServer(object):
  
              if  tcp_keepalive:
                  sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
