-
Notifications
You must be signed in to change notification settings - Fork 158
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Pullup ticket #6073 - requested by ast
www/nostromo: security fix Revisions pulled up: - www/nostromo/Makefile 1.3 - www/nostromo/PLIST 1.2 - www/nostromo/distinfo 1.2 - www/nostromo/patches/patch-http_header_comp 1.1 - www/nostromo/patches/patch-strcutl 1.1 --- Module Name: pkgsrc Committed By: ast Date: Sun Oct 20 20:02:14 UTC 2019 Modified Files: pkgsrc/www/nostromo: Makefile PLIST distinfo Added Files: pkgsrc/www/nostromo/patches: patch-http_header_comp patch-strcutl Log Message: www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279
- Loading branch information
Showing
5 changed files
with
137 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,12 @@ | ||
@comment $NetBSD: PLIST,v 1.1 2018/02/11 13:56:21 ast Exp $ | ||
@comment $NetBSD: PLIST,v 1.1.14.1 2019/10/22 11:07:29 bsiegert Exp $ | ||
man/man8/nhttpd.8 | ||
sbin/crypt | ||
sbin/nhttpd | ||
man/man8/nhttpd.8 | ||
share/examples/rc.d/nostromo | ||
share/examples/nostromo/conf/mimes | ||
share/examples/nostromo/conf/nhttpd.conf-dist | ||
share/examples/nostromo/htdocs/cgi-bin/printenv | ||
share/examples/nostromo/htdocs/index.html | ||
share/examples/nostromo/htdocs/nostromo.gif | ||
share/examples/nostromo/icons/dir.gif | ||
share/examples/nostromo/icons/file.gif | ||
share/examples/rc.d/nostromo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,8 @@ | ||
$NetBSD: distinfo,v 1.1 2018/02/11 13:56:21 ast Exp $ | ||
$NetBSD: distinfo,v 1.1.14.1 2019/10/22 11:07:29 bsiegert Exp $ | ||
|
||
SHA1 (nostromo-1.9.6.tar.gz) = 6f3d8ebc15486398f819ac55a9d2a9ac14c3b35e | ||
RMD160 (nostromo-1.9.6.tar.gz) = 6817ac77c7645ab2bef3e73469d2f376448af868 | ||
SHA512 (nostromo-1.9.6.tar.gz) = baf68f492653937b80629f1281a1243026ee2def9f5b092934474148f97306ef0796c4fecffb3d6061907d8fdc1beb0a34333dfe8738dec70acdd3975347d6ea | ||
Size (nostromo-1.9.6.tar.gz) = 50937 bytes | ||
SHA1 (patch-http_header_comp) = 71b79682ae110f6a728a09f15d46d41878fb9a70 | ||
SHA1 (patch-strcutl) = e2bd849890eb0c290745d0d9703000b7909b9318 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
$NetBSD: patch-http_header_comp,v 1.1.2.2 2019/10/22 11:07:30 bsiegert Exp $ | ||
|
||
The function http_header_comp() should return the number of received | ||
headers, not only 0 on fail or 1 on success. | ||
|
||
Without this functionality, one could send more than the default | ||
of 16 headers and overflow the header array to craft a DoS as | ||
shown in nostromo CVE-2019-16279. | ||
|
||
This patch adds the missing header count functionality to the function | ||
http_header_comp(). | ||
|
||
--- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200 | ||
+++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200 | ||
@@ -1074,21 +1074,21 @@ | ||
* http_header_comp() | ||
* check if received headers arrived complete | ||
* Return: | ||
- * 0 = headers not complete, 1 = headers complete | ||
+ * 0 = headers not complete, <number of headers> = headers complete | ||
*/ | ||
int | ||
http_header_comp(char *header, const int len) | ||
{ | ||
- int r; | ||
- char *p, *end; | ||
+ int i, headers; | ||
+ char *p; | ||
|
||
- r = 0; | ||
+ headers = 0; | ||
|
||
/* check header for minimum size */ | ||
if (len < 4) | ||
return (0); | ||
|
||
- /* post */ | ||
+ /* post header */ | ||
if (!strncasecmp("POST", header, 4)) { | ||
p = header; | ||
if ((p = strstr(p, "\r\n\r\n")) == NULL) | ||
@@ -1097,12 +1097,19 @@ | ||
return (1); | ||
} | ||
|
||
- /* any header */ | ||
- end = header + (len - 4); | ||
- if (!strcmp(end, "\r\n\r\n")) | ||
- r = 1; | ||
+ /* any other header */ | ||
+ for (i = 0; i < len; i++) { | ||
+ if (header[i] == '\r') { | ||
+ if ((len - i) < 4) | ||
+ break; | ||
+ if (!strncmp(&header[i], "\r\n\r\n", 4)) { | ||
+ headers++; | ||
+ i += 3; | ||
+ } | ||
+ } | ||
+ } | ||
|
||
- return (r); | ||
+ return (headers); | ||
} | ||
|
||
/* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
$NetBSD: patch-strcutl,v 1.1.2.2 2019/10/22 11:07:30 bsiegert Exp $ | ||
|
||
Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing | ||
execution of /bin/sh with arbitrary arguments). | ||
|
||
Nostromo as such handles encoded URI correctly but the strcutl() | ||
function in the string manipulation library removes 0x0d in the | ||
URI string resulting in a valid path. What should happen instead | ||
is that the decoded 0x0d character remains in the URI, resulting | ||
in an invalid path, giving rise to a 404. | ||
|
||
--- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200 | ||
+++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200 | ||
@@ -26,8 +26,12 @@ | ||
{ | ||
int i = 0, j = 0, cl = 0; | ||
|
||
- /* first count all lines */ | ||
- while (1) { | ||
+ /* requested line must be a positive integer */ | ||
+ if (line <= 0) | ||
+ return -1; | ||
+ | ||
+ /* count lines up to requested line or end of string */ | ||
+ while (line >= cl) { | ||
if (src[i] == '\n' && src[i + 1] == '\0') { | ||
cl++; | ||
break; | ||
@@ -42,24 +46,24 @@ | ||
i++; | ||
} | ||
|
||
- /* do we have the requested line ? */ | ||
- if (line > cl || line == 0) | ||
+ /* did we actually get the requested line ? */ | ||
+ if (line > cl) | ||
return -1; | ||
|
||
- /* go to line start */ | ||
+ /* go to beginning of the requested line */ | ||
for (i = 0, j = 0; j != line - 1; i++) | ||
if (src[i] == '\n') | ||
j++; | ||
|
||
- /* read requested line */ | ||
+ /* copy the requested line to destination buffer */ | ||
for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) { | ||
- if (src[i] != '\r') { | ||
- dst[j] = src[i]; | ||
- j++; | ||
- } | ||
+ if (src[i] == '\r' && src[i + 1] == '\n') | ||
+ continue; | ||
+ dst[j] = src[i]; | ||
+ j++; | ||
} | ||
|
||
- /* terminate string */ | ||
+ /* null terminate destination buffer */ | ||
dst[j] = '\0'; | ||
|
||
return cl; |