From ec3babe0f83d5957d7ee8c49a53880a3926a6e91 Mon Sep 17 00:00:00 2001 From: ast Date: Sun, 20 Oct 2019 20:02:13 +0000 Subject: www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279 --- doc/CHANGES-2019 | 3 +- www/nostromo/Makefile | 6 +-- www/nostromo/PLIST | 6 +-- www/nostromo/distinfo | 4 +- www/nostromo/patches/patch-http_header_comp | 66 +++++++++++++++++++++++++++++ www/nostromo/patches/patch-strcutl | 62 +++++++++++++++++++++++++++ 6 files changed, 139 insertions(+), 8 deletions(-) create mode 100644 www/nostromo/patches/patch-http_header_comp create mode 100644 www/nostromo/patches/patch-strcutl diff --git a/doc/CHANGES-2019 b/doc/CHANGES-2019 index a5c20d9d98c..b793c17b2c3 100644 --- a/doc/CHANGES-2019 +++ b/doc/CHANGES-2019 @@ -1,4 +1,4 @@ -$NetBSD: CHANGES-2019,v 1.4458 2019/10/20 18:04:41 leot Exp $ +$NetBSD: CHANGES-2019,v 1.4459 2019/10/20 20:08:05 ast Exp $ Changes to the packages collection and infrastructure in 2019: @@ -7167,3 +7167,4 @@ Changes to the packages collection and infrastructure in 2019: Added graphics/faba-icon-theme version 4.3 [nia 2019-10-20] Added graphics/moka-icon-theme version 5.4.0 [nia 2019-10-20] Added textproc/json2tsv version 0.2 [leot 2019-10-20] + Updated www/nostromo to 1.9.6nb2 [ast 2019-10-20] diff --git a/www/nostromo/Makefile b/www/nostromo/Makefile index 0ea92ad74d5..9a3bff611eb 100644 --- a/www/nostromo/Makefile +++ b/www/nostromo/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.2 2019/09/03 12:02:48 nia Exp $ +# $NetBSD: Makefile,v 1.3 2019/10/20 20:02:13 ast Exp $ DISTNAME= nostromo-1.9.6 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= www MASTER_SITES= http://www.nazgul.ch/dev/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} 
@@ -25,7 +25,7 @@ INSTALLATION_DIRS+= ${EGDIR}/htdocs ${EGDIR}/htdocs/cgi-bin SUBST_CLASSES+= nostromo SUBST_MESSAGE.nostromo= Fixing GNUmakefile src/nhttpd/GNUmakefile -SUBST_STAGE.nostromo= pre-patch +SUBST_STAGE.nostromo= post-extract SUBST_FILES.nostromo= GNUmakefile \ src/nhttpd/GNUmakefile \ src/tools/GNUmakefile \ diff --git a/www/nostromo/PLIST b/www/nostromo/PLIST index 59842b2e0de..8ceba1cafd8 100644 --- a/www/nostromo/PLIST +++ b/www/nostromo/PLIST @@ -1,8 +1,7 @@ -@comment $NetBSD: PLIST,v 1.1 2018/02/11 13:56:21 ast Exp $ +@comment $NetBSD: PLIST,v 1.2 2019/10/20 20:02:13 ast Exp $ +man/man8/nhttpd.8 sbin/crypt sbin/nhttpd -man/man8/nhttpd.8 -share/examples/rc.d/nostromo share/examples/nostromo/conf/mimes share/examples/nostromo/conf/nhttpd.conf-dist share/examples/nostromo/htdocs/cgi-bin/printenv @@ -10,3 +9,4 @@ share/examples/nostromo/htdocs/index.html share/examples/nostromo/htdocs/nostromo.gif share/examples/nostromo/icons/dir.gif share/examples/nostromo/icons/file.gif +share/examples/rc.d/nostromo diff --git a/www/nostromo/distinfo b/www/nostromo/distinfo index 39d12bd06d7..e569106fc4c 100644 --- a/www/nostromo/distinfo +++ b/www/nostromo/distinfo @@ -1,6 +1,8 @@ -$NetBSD: distinfo,v 1.1 2018/02/11 13:56:21 ast Exp $ +$NetBSD: distinfo,v 1.2 2019/10/20 20:02:13 ast Exp $ SHA1 (nostromo-1.9.6.tar.gz) = 6f3d8ebc15486398f819ac55a9d2a9ac14c3b35e RMD160 (nostromo-1.9.6.tar.gz) = 6817ac77c7645ab2bef3e73469d2f376448af868 SHA512 (nostromo-1.9.6.tar.gz) = baf68f492653937b80629f1281a1243026ee2def9f5b092934474148f97306ef0796c4fecffb3d6061907d8fdc1beb0a34333dfe8738dec70acdd3975347d6ea Size (nostromo-1.9.6.tar.gz) = 50937 bytes +SHA1 (patch-http_header_comp) = 71b79682ae110f6a728a09f15d46d41878fb9a70 +SHA1 (patch-strcutl) = e2bd849890eb0c290745d0d9703000b7909b9318 diff --git a/www/nostromo/patches/patch-http_header_comp b/www/nostromo/patches/patch-http_header_comp new file mode 100644 index 00000000000..ed1249a1ed2 --- /dev/null 
+++ b/www/nostromo/patches/patch-http_header_comp
@@ -0,0 +1,66 @@
+$NetBSD: patch-http_header_comp,v 1.1 2019/10/20 20:02:13 ast Exp $
+
+The function http_header_comp() should return the number of received
+headers, not only 0 on fail or 1 on success.
+
+Without this functionality, one could send more than the default
+of 16 headers and overflow the header array to craft a DoS as
+shown in nostromo CVE-2019-16279.
+
+This patch adds the missing header count functionality to the function
+http_header_comp().
+
+--- src/nhttpd/http.c.orig 2019-10-20 15:20:47.521119966 +0200
++++ src/nhttpd/http.c 2019-10-20 15:28:02.327722735 +0200
+@@ -1074,21 +1074,21 @@
+ * http_header_comp()
+ * check if received headers arrived complete
+ * Return:
+- * 0 = headers not complete, 1 = headers complete
++ * 0 = headers not complete, = headers complete
+ */
+ int
+ http_header_comp(char *header, const int len)
+ {
+- int r;
+- char *p, *end;
++ int i, headers;
++ char *p;
+
+- r = 0;
++ headers = 0;
+
+ /* check header for minimum size */
+ if (len < 4)
+ return (0);
+
+- /* post */
++ /* post header */
+ if (!strncasecmp("POST", header, 4)) {
+ p = header;
+ if ((p = strstr(p, "\r\n\r\n")) == NULL)
+@@ -1097,12 +1097,19 @@
+ return (1);
+ }
+
+- /* any header */
+- end = header + (len - 4);
+- if (!strcmp(end, "\r\n\r\n"))
+- r = 1;
++ /* any other header */
++ for (i = 0; i < len; i++) {
++ if (header[i] == '\r') {
++ if ((len - i) < 4)
++ break;
++ if (!strncmp(&header[i], "\r\n\r\n", 4)) {
++ headers++;
++ i += 3;
++ }
++ }
++ }
+
+- return (r);
++ return (headers);
+ }
+
+ /*
diff --git a/www/nostromo/patches/patch-strcutl b/www/nostromo/patches/patch-strcutl
new file mode 100644
index 00000000000..1b9220f014a
--- /dev/null
+++ b/www/nostromo/patches/patch-strcutl
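Review bot: The POST branch of `http_header_comp()` still ends in `return (1);`, so the new contract (the return value is the number of `\r\n\r\n` terminators found) holds only for buffers that do not start with POST; part of that branch lies between the two inner hunks and is not visible here. The code that compares this count with the 16-entry header array is in the caller and outside this patch, so it is worth confirming that the bound is enforced there for both paths. The Return comment on the new side reads `0 = headers not complete, = headers complete` with the value missing (possibly lost in rendering); I would write `0 = headers not complete, >0 = number of complete header blocks (POST: 1)`.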
@@ -0,0 +1,62 @@
+$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $
+
+Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing
+execution of /bin/sh with arbitrary arguments).
+
+Nostromo as such handles encoded URI correctly but the strcutl()
+function in the string manipulation library removes 0x0d in the
+URI string resulting in a valid path. What should happen instead
+is that the decoded 0x0d character remains in the URI, resulting
+in an invalid path, giving rise to a 404.
+
+--- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200
++++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200
+@@ -26,8 +26,12 @@
+ {
+ int i = 0, j = 0, cl = 0;
+
+- /* first count all lines */
+- while (1) {
++ /* requested line must be a positive integer */
++ if (line <= 0)
++ return -1;
++
++ /* count lines up to requested line or end of string */
++ while (line >= cl) {
+ if (src[i] == '\n' && src[i + 1] == '\0') {
+ cl++;
+ break;
+@@ -42,24 +46,24 @@
+ i++;
+ }
+
+- /* do we have the requested line ? */
+- if (line > cl || line == 0)
++ /* did we actually get the requested line ? */
++ if (line > cl)
+ return -1;
+
+- /* go to line start */
++ /* go to beginning of the requested line */
+ for (i = 0, j = 0; j != line - 1; i++)
+ if (src[i] == '\n')
+ j++;
+
+- /* read requested line */
++ /* copy the requested line to destination buffer */
+ for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
+- if (src[i] != '\r') {
+- dst[j] = src[i];
+- j++;
+- }
++ if (src[i] == '\r' && src[i + 1] == '\n')
++ continue;
++ dst[j] = src[i];
++ j++;
+ }
+
+- /* terminate string */
++ /* null terminate destination buffer */
+ dst[j] = '\0';
+
+ return cl;
-- cgit v1.2.3
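Review bot: Bounding the counting loop with `while (line >= cl)` changes what `strcutl()` returns: `cl` now stops at most one past the requested line instead of being the total number of lines in `src`, assuming the elided middle of the loop only increments `cl`. Callers are not visible in this patch, so any that use the return value as a total line count should be checked, and the function's header comment should say something like `/* returns -1 if the line does not exist, else the number of lines counted (at most line + 1) */`. In the copy loop a `\r` is now dropped only when followed by `\n`, which is the behaviour the mitigation depends on; a comment such as `/* strip CR only as part of CRLF; a bare CR must stay in the output */` would keep a later cleanup from reverting it. The `j != dsize - 1` bound does not stop the copy when `dsize` is 0; that is not introduced by this patch, but a guard next to the new `line <= 0` check would be cheap.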