Bug#777040: marked as done (unblock: libhtp/0.5.16-1)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Tue, 17 Feb 2015 19:38:39 +0100
with message-id <[🔎] 293e4f2c60242348285f676d83ea5fb0@dogguy.org>
and subject line Re: The libhtp SONAME mismatch *is* a policy violation.
has caused the Debian Bug report #777040,
regarding unblock: libhtp/0.5.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
777040: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777040
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: libhtp/0.5.16-1
• From: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
• Date: Wed, 04 Feb 2015 10:59:18 +0100
• Message-id: <[🔎] 20150204095918.5401.47336.reportbug@r2d2.cica.es>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libhtp

(explain the reason for the unblock here)
Dear release team,

We were contacted privately regarding this release of libhtp/suricata
which include important security updates (no CVE asigned thought).

We considered backporting just the important patches, but the changelog is
rather small and we decided to package the new version directly.

Before we upload 0.5.16-1 to unstable we would like to make sure that this is OK for you.

This is the debdiff, which was generated using this cmdline:
debdiff --diffstat libhtp_0.5.15-1.dsc libhtp_0.5.16-1.dsc | filterdiff -i '*.[ch]'

--- libhtp-0.5.15/htp/htp_config.c	2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_config.c	2015-01-27 07:08:27.000000000 +0100
@@ -559,6 +559,7 @@
             htp_config_set_convert_lowercase(cfg, HTP_DECODER_URL_PATH, 1);
             htp_config_set_utf8_convert_bestfit(cfg, HTP_DECODER_URL_PATH, 1);
             htp_config_set_u_encoding_decode(cfg, HTP_DECODER_URL_PATH, 1);
+            htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
             break;
 
         case HTP_SERVER_APACHE_2:
@@ -575,6 +576,7 @@
             htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
             htp_config_set_url_encoding_invalid_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
             htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_IGNORE);
+            htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_400);
             break;
 
         case HTP_SERVER_IIS_5_1:
@@ -590,6 +592,7 @@
 
             htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
             htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_IGNORE);
+            htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
             break;
 
         case HTP_SERVER_IIS_6_0:
@@ -606,6 +609,7 @@
             htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
             htp_config_set_u_encoding_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
             htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
+            htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
             break;
 
         case HTP_SERVER_IIS_7_0:
@@ -623,6 +627,7 @@
             htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
             htp_config_set_url_encoding_invalid_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
             htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
+            htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
             break;
 
         default:
@@ -883,3 +888,9 @@
         }
     }
 }
+
+void htp_config_set_requestline_leading_whitespace_unwanted(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, enum htp_unwanted_t unwanted) {
+    if (ctx >= HTP_DECODER_CONTEXTS_MAX) return;
+
+    cfg->requestline_leading_whitespace_unwanted = unwanted;
+}
--- libhtp-0.5.15/htp/htp_connection_parser.c	2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_connection_parser.c	2015-01-27 07:08:27.000000000 +0100
@@ -49,8 +49,10 @@
     htp_conn_close(connp->conn, timestamp);
 
     // Update internal flags
-    connp->in_status = HTP_STREAM_CLOSED;
-    connp->out_status = HTP_STREAM_CLOSED;
+    if (connp->in_status != HTP_STREAM_ERROR)
+        connp->in_status = HTP_STREAM_CLOSED;
+    if (connp->out_status != HTP_STREAM_ERROR)
+        connp->out_status = HTP_STREAM_CLOSED;
 
     // Call the parsers one last time, which will allow them
     // to process the events that depend on stream closure
--- libhtp-0.5.15/htp/htp_request_generic.c	2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_request_generic.c	2015-01-27 07:08:27.000000000 +0100
@@ -251,6 +251,7 @@
     unsigned char *data = bstr_ptr(tx->request_line);
     size_t len = bstr_len(tx->request_line);
     size_t pos = 0;
+    size_t mstart = 0;
 
     if (nul_terminates) {
         // The line ends with the first NUL byte.
@@ -266,13 +267,27 @@
         pos = 0;
     }
 
+    // skip past leading whitespace. IIS allows this
+    while ((pos < len) && htp_is_space(data[pos])) pos++;
+    if (pos) {
+        htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: leading whitespace");
+        mstart = pos;
+
+        if (connp->cfg->requestline_leading_whitespace_unwanted != HTP_UNWANTED_IGNORE) {
+            // reset mstart so that we copy the whitespace into the method
+            mstart = 0;
+            // set expected response code to this anomaly
+            tx->response_status_expected_number = connp->cfg->requestline_leading_whitespace_unwanted;
+        }
+    }
+
     // The request method starts at the beginning of the
     // line and ends with the first whitespace character.
     while ((pos < len) && (!htp_is_space(data[pos]))) pos++;
 
     // No, we don't care if the method is empty.
 
-    tx->request_method = bstr_dup_mem(data, pos);
+    tx->request_method = bstr_dup_mem(data + mstart, pos - mstart);
     if (tx->request_method == NULL) return HTP_ERROR;
 
     #ifdef HTP_DEBUG
--- libhtp-0.5.15/htp/htp_transaction.c	2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_transaction.c	2015-01-27 07:08:27.000000000 +0100
@@ -792,6 +792,10 @@
     switch (tx->response_content_encoding_processing) {
         case HTP_COMPRESSION_GZIP:
         case HTP_COMPRESSION_DEFLATE:
+            // In severe memory stress these could be NULL
+            if (tx->connp->out_decompressor == NULL || tx->connp->out_decompressor->decompress == NULL)
+                return HTP_ERROR;
+
             // Send data buffer to the decompressor.
             tx->connp->out_decompressor->decompress(tx->connp->out_decompressor, &d);
 


unblock libhtp/0.5.16-1

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

• To: Hilko Bengen <bengen@debian.org>
• Cc: Julien Cristau <jcristau@debian.org>, <777540@bugs.debian.org>, <debian-release@lists.debian.org>, Pierre Chifflier <pollux@debian.org>, Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>, <777040-done@bugs.debian.org>
• Subject: Re: The libhtp SONAME mismatch *is* a policy violation.
• From: Mehdi Dogguy <mehdi@dogguy.org>
• Date: Tue, 17 Feb 2015 19:38:39 +0100
• Message-id: <[🔎] 293e4f2c60242348285f676d83ea5fb0@dogguy.org>
• In-reply-to: <[🔎] 87egppqzij.fsf@msgid.hilluzination.de>
• References: <[🔎] 8761b5v7ke.fsf@msgid.hilluzination.de> <[🔎] 20150216194401.GS1940@betterave.cristau.org> <[🔎] 87egppqzij.fsf@msgid.hilluzination.de>

Le 2015-02-16 23:09, Hilko Bengen a écrit :

* Julien Cristau:

1. Override upstream's decision to change the SONAME with every release.

   I am not entirelysure how stable libhtp's API/ABI should be

considered -- looking at changes and deciding on compatibility issues making those decisions would certainly put a burden on the maintainer

   in the future (although the .symbols mechanism helps for obvious
   cases such as removed APIs.)

   I am attaching a patch to drop the -release parameter from the

libtool call, libhtp.so.1.0.0 (instead of libhtp-0.5.15.so.1.0.0) is generated. The .symbols file would need to be updated to reflect that

   change, too, of course.

2. Since suricata is the only reverse dependency of libhtp and contains

   a copy of libhtp within its source tarball, so we could drop the
   libhtp package altogether and use that embedded copy instead, at
   least for the jessie release.

3. Change the binary package name to reflect the SONAME -- for instance

   libhtp-0.5.15. I believe that we are too late in the freeze to be
   adding new binary package names.

For jessie, 2 sounds like the best way to go IMO.

Removal hint added for libhtp.

Thank you. Could somebody please decide about #777042 ("unblock:
suricata/2.0.6-1")?

It was unblocked.

Regards,

--
Mehdi

--- End Message ---