Tuesday, April 12, 2022

UPDATE: sthttpd

Here is an update to sthttpd 2.27.1, which adds a fix for CVE-2017-10671, a heap-based buffer overflow in the de_dotdot function.


Index: Makefile
===================================================================
RCS file: /home/cvs/ports/www/sthttpd/Makefile,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 Makefile
--- Makefile 11 Mar 2022 20:11:02 -0000 1.10
+++ Makefile 8 Apr 2022 01:39:32 -0000
@@ -1,22 +1,29 @@
COMMENT= tiny/turbo/throttling HTTP server

-DISTNAME= sthttpd-2.26.4
-REVISION= 5
+GH_ACCOUNT= blueness
+GH_PROJECT= sthttpd
+GH_TAGNAME= v2.27.1
CATEGORIES= www
-MASTER_SITES= http://opensource.dyc.edu/pub/sthttpd/

-HOMEPAGE= http://opensource.dyc.edu/sthttpd/
+HOMEPAGE= https://github.com/blueness/sthttpd

# BSD
PERMIT_PACKAGE= Yes

WANTLIB= c

-CONFIGURE_STYLE= gnu
+AUTOCONF_VERSION= 2.69
+AUTOMAKE_VERSION= 1.16
+
+CONFIGURE_STYLE= autoreconf
CONFIGURE_ENV+= WEBDIR="/var/www/htdocs" WEBGROUP=www

FAKE_FLAGS= cgidir="${PREFIX}/libexec/sthttpd"

NO_TEST= Yes
+
+post-extract:
+ mv ${WRKSRC}/docs/htpasswd.1 ${WRKSRC}/docs/th_htpasswd.1
+ sed -i -e s#htpasswd#th_htpasswd#g ${WRKSRC}/docs/th_htpasswd.1

.include <bsd.port.mk>
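Review bot: Setting `GH_TAGNAME= v2.27.1` here goes together with deleting the port's local patches for CVE-2012-5640 (patch-extras_th_htpasswd_c, patch-src_libhttpd_c) and CVE-2013-0348 (patch-src_thttpd_c) further down, and nothing on this page shows that the new upstream tarball carries equivalent fixes. Before this goes in, check the extracted 2.27.1 source: the `crypt()` calls in `auth_check2` and `add_password` should test for a NULL return, and the log file should still be restricted to owner read/write both when first opened and in `re_open_logfile`. Once confirmed, a comment above `GH_TAGNAME` such as `# 2.27.1 carries the CVE-2012-5640 and CVE-2013-0348 fixes upstream; local patches dropped` would record why the patches could be removed. If either fix is missing upstream, the corresponding patch needs to be regenerated against the new source rather than deleted.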
Index: distinfo
===================================================================
RCS file: /home/cvs/ports/www/sthttpd/distinfo,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 distinfo
--- distinfo 6 May 2014 09:00:37 -0000 1.2
+++ distinfo 8 Apr 2022 01:24:37 -0000
@@ -1,2 +1,2 @@
-SHA256 (sthttpd-2.26.4.tar.gz) = eOh5eRQMvaEjyBtAUVUiQtu/+13sGhfl+V7Egmserds=
-SIZE (sthttpd-2.26.4.tar.gz) = 194544
+SHA256 (sthttpd-2.27.1.tar.gz) = oe4oBkMur1td0megUjcB+fH6AP79SZ1b7EIWWkHgWEY=
+SIZE (sthttpd-2.27.1.tar.gz) = 96430
Index: patches/patch-docs_Makefile_am
===================================================================
RCS file: patches/patch-docs_Makefile_am
diff -N patches/patch-docs_Makefile_am
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-docs_Makefile_am 8 Apr 2022 01:34:54 -0000
@@ -0,0 +1,6 @@
+Index: docs/Makefile.am
+--- docs/Makefile.am.orig
++++ docs/Makefile.am
+@@ -1 +1 @@
+-dist_man_MANS = htpasswd.1 makeweb.1 redirect.8 ssi.8 syslogtocern.8 thttpd.8
++dist_man_MANS = th_htpasswd.1 makeweb.1 redirect.8 ssi.8 syslogtocern.8 thttpd.8
Index: patches/patch-extras_Makefile_am
===================================================================
RCS file: patches/patch-extras_Makefile_am
diff -N patches/patch-extras_Makefile_am
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-extras_Makefile_am 8 Apr 2022 01:34:51 -0000
@@ -0,0 +1,14 @@
+Index: extras/Makefile.am
+--- extras/Makefile.am.orig
++++ extras/Makefile.am
+@@ -1,8 +1,8 @@
+ AM_CPPFLAGS = -DWEBDIR='"$(WEBDIR)"'
+
+-sbin_PROGRAMS = makeweb htpasswd
++sbin_PROGRAMS = makeweb th_htpasswd
+ makeweb_SOURCES = makeweb.c
+-htpasswd_SOURCES = htpasswd.c
++th_htpasswd_SOURCES = htpasswd.c
+
+ dist_sbin_SCRIPTS = syslogtocern
+
Index: patches/patch-extras_th_htpasswd_c
===================================================================
RCS file: patches/patch-extras_th_htpasswd_c
diff -N patches/patch-extras_th_htpasswd_c
--- patches/patch-extras_th_htpasswd_c 11 Mar 2022 20:11:02 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,18 +0,0 @@
-A local attacker with the ability to alter .htpasswd files could
-cause a Denial of Service in thttpd by specially-crafting them.
-CVE-2012-5640
-
---- extras/th_htpasswd.c.orig Thu May 1 10:49:44 2014
-+++ extras/th_htpasswd.c Thu May 1 10:50:16 2014
-@@ -140,7 +140,10 @@ add_password( char* user, FILE* f )
- (void) srandom( (int) time( (time_t*) 0 ) );
- to64( &salt[0], random(), 2 );
- cpw = crypt( pw, salt );
-- (void) fprintf( f, "%s:%s\n", user, cpw );
-+ if (cpw)
-+ (void) fprintf( f, "%s:%s\n", user, cpw );
-+ else
-+ (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
- }
-
- static void usage(void) {
Index: patches/patch-src_libhttpd_c
===================================================================
RCS file: patches/patch-src_libhttpd_c
diff -N patches/patch-src_libhttpd_c
--- patches/patch-src_libhttpd_c 11 Mar 2022 20:11:02 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,38 +0,0 @@
-A local attacker with the ability to alter .htpasswd files could
-cause a Denial of Service in thttpd by specially-crafting them.
-CVE-2012-5640
-
---- src/libhttpd.c.orig Thu Mar 14 04:11:40 2013
-+++ src/libhttpd.c Thu Mar 14 04:13:02 2013
-@@ -1017,6 +1017,7 @@ auth_check2( httpd_conn* hc, char* dirname )
- static size_t maxprevuser = 0;
- static char* prevcryp;
- static size_t maxprevcryp = 0;
-+ char *crypt_result;
-
- /* Construct auth filename. */
- httpd_realloc_str(
-@@ -1063,7 +1064,10 @@ auth_check2( httpd_conn* hc, char* dirname )
- strcmp( authinfo, prevuser ) == 0 )
- {
- /* Yes. Check against the cached encrypted password. */
-- if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
-+ crypt_result = crypt( authpass, prevcryp );
-+ if ( ! crypt_result )
-+ return -1;
-+ if ( strcmp( crypt_result, prevcryp ) == 0 )
- {
- /* Ok! */
- httpd_realloc_str(
-@@ -1112,7 +1116,10 @@ auth_check2( httpd_conn* hc, char* dirname )
- /* Yes. */
- (void) fclose( fp );
- /* So is the password right? */
-- if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
-+ crypt_result = crypt( authpass, cryp );
-+ if ( ! crypt_result )
-+ return -1;
-+ if ( strcmp( crypt_result, cryp ) == 0 )
- {
- /* Ok! */
- httpd_realloc_str(
Index: patches/patch-src_thttpd_c
===================================================================
RCS file: patches/patch-src_thttpd_c
diff -N patches/patch-src_thttpd_c
--- patches/patch-src_thttpd_c 11 Mar 2022 20:11:02 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,41 +0,0 @@
-Make sure that the logfile is created or reopened as read/write
-by thttpd user only. CVE-2013-0348
-
---- src/thttpd.c.orig Thu Mar 14 04:08:35 2013
-+++ src/thttpd.c Thu Mar 14 04:10:23 2013
-@@ -326,6 +326,7 @@ static void
- re_open_logfile( void )
- {
- FILE* logfp;
-+ int retchmod;
-
- if ( no_log || hs == (httpd_server*) 0 )
- return;
-@@ -335,7 +336,8 @@ re_open_logfile( void )
- {
- syslog( LOG_NOTICE, "re-opening logfile" );
- logfp = fopen( logfile, "a" );
-- if ( logfp == (FILE*) 0 )
-+ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
-+ if ( logfp == (FILE*) 0 || retchmod != 0 )
- {
- syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
- return;
-@@ -355,6 +357,7 @@ main( int argc, char** argv )
- gid_t gid = 32767;
- char cwd[MAXPATHLEN+1];
- FILE* logfp;
-+ int retchmod;
- int num_ready;
- int cnum;
- connecttab* c;
-@@ -424,7 +427,8 @@ main( int argc, char** argv )
- else
- {
- logfp = fopen( logfile, "a" );
-- if ( logfp == (FILE*) 0 )
-+ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
-+ if ( logfp == (FILE*) 0 || retchmod != 0 )
- {
- syslog( LOG_CRIT, "%.80s - %m", logfile );
- perror( logfile );
Index: patches/patch-src_thttpd_h
===================================================================
RCS file: /home/cvs/ports/www/sthttpd/patches/patch-src_thttpd_h,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 patch-src_thttpd_h
--- patches/patch-src_thttpd_h 11 Mar 2022 20:11:02 -0000 1.2
+++ patches/patch-src_thttpd_h 8 Apr 2022 01:27:03 -0000
@@ -1,5 +1,6 @@
---- src/thttpd.h.orig Sun Aug 5 04:59:29 2012
-+++ src/thttpd.h Sun Aug 5 04:59:46 2012
+Index: src/thttpd.h
+--- src/thttpd.h.orig
++++ src/thttpd.h
@@ -237,7 +237,7 @@
** initializing. If this user (or the one specified by the -u flag) does
** not exist, the program will refuse to run.
Index: pkg/PLIST
===================================================================
RCS file: /home/cvs/ports/www/sthttpd/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 PLIST
--- pkg/PLIST 11 Mar 2022 20:11:02 -0000 1.4
+++ pkg/PLIST 8 Apr 2022 01:35:26 -0000
@@ -1,14 +1,18 @@
@conflict thttpd-*
@pkgpath www/thttpd
+@rcscript ${RCDIR}/thttpd
libexec/sthttpd/
+@bin libexec/sthttpd/phf
+libexec/sthttpd/printenv
@bin libexec/sthttpd/redirect
@bin libexec/sthttpd/ssi
+@man man/man1/makeweb.1
@man man/man1/th_htpasswd.1
@man man/man8/redirect.8
@man man/man8/ssi.8
@man man/man8/syslogtocern.8
@man man/man8/thttpd.8
+@bin sbin/makeweb
sbin/syslogtocern
@bin sbin/th_htpasswd
@bin sbin/thttpd
-@rcscript ${RCDIR}/thttpd
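Review bot: The packing list now installs `libexec/sthttpd/phf` and `libexec/sthttpd/printenv`, and the Makefile's `FAKE_FLAGS` sets that same directory as `cgidir`, so every install gets two extra CGI programs. Whether they are reachable by clients depends on the server's CGI pattern and chroot setup, which this diff does not show. If `printenv` does what its name suggests, it would hand the server's environment to anyone able to request it. Consider leaving both out of the package, or stating in the package documentation that they are samples not intended for a production cgidir. `sbin/makeweb` is also newly packaged without any `@mode` or `@group` annotation, so it presumably installs without elevated privileges; that is worth confirming against upstream's install rules.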
