Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package libhtp. The debdiff is attached. The actual change is very small and does not affect the API/ABI. This update is meant to go hand-in-hand with the new version of Suricata (4.1.4) for which we have also asked for an unblock in #928294. Again, since libhtp is the HTTP parsing component of a security-relevant tool that is exposed to potentially malicious traffic, we should aim to ship the latest available version in buster. Here's the full changelog since the version in buster: 0.5.30 (07 March 2019) ---------------------- - array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz - improved Windows support - fuzz targets improvements by Philippe Antoine - packaging improvements by Fabrice Fontaine - install doc improved by Wenhui Zhang unblock libhtp/1:0.5.30-1 Best regards Sascha
diff -Nru libhtp-0.5.29/appveyor.yml libhtp-0.5.30/appveyor.yml
--- libhtp-0.5.29/appveyor.yml 1970-01-01 01:00:00.000000000 +0100
+++ libhtp-0.5.30/appveyor.yml 2019-03-07 08:35:13.000000000 +0100
@@ -0,0 +1,18 @@
+environment:
+ matrix:
+ - COMPILER: mingw-w64
+ MINGW_DIR: c:\msys64\mingw64
+ MINGW_ARCH: x86_64
+
+ - COMPILER: mingw
+ MINGW_DIR: c:\msys64\mingw32
+ MINGW_ARCH: i686
+
+build_script:
+ - set Path=%MINGW_DIR%\bin;c:\msys64\usr\bin;%Path%
+ - bash autogen.sh
+ - bash configure
+ - make distcheck
+
+#on_finish:
+# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
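Review bot: The commented-out `on_finish` step at the end of the new file downloads a script from the `master` branch of a third-party repository and executes it with `iex`; as dead config it does nothing today, but if it is ever re-enabled it runs unpinned remote code with whatever access the build job has. Either delete the two dead lines or, if the RDP hook is meant to be kept for debugging, pin the URL to a specific commit and say so in a comment, e.g. `# debugging only: keep disabled in CI; pin to a commit hash before enabling`. The `bash configure` line bypasses the usual `./configure` invocation, which is presumably deliberate on MSYS but worth a one-line comment as well.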
diff -Nru libhtp-0.5.29/ChangeLog libhtp-0.5.30/ChangeLog
--- libhtp-0.5.29/ChangeLog 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/ChangeLog 2019-03-07 08:35:13.000000000 +0100
@@ -1,3 +1,16 @@
+0.5.30 (07 March 2019)
+----------------------
+
+- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz
+
+- improved Windows support
+
+- fuzz targets improvements by Philippe Antoine
+
+- packaging improvements by Fabrice Fontaine
+
+- install doc improved by Wenhui Zhang
+
0.5.29 (21 December 2018)
-------------------------
diff -Nru libhtp-0.5.29/configure.ac libhtp-0.5.30/configure.ac
--- libhtp-0.5.29/configure.ac 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/configure.ac 2019-03-07 08:35:13.000000000 +0100
@@ -118,6 +118,11 @@
OS_WINDOWS="true"
NO_STACK_PROTECTOR="true"
;;
+ MSYS*)
+ AC_MSG_RESULT(MSYS)
+ OS_WINDOWS="true"
+ NO_STACK_PROTECTOR="true"
+ ;;
CYGWIN*)
AC_MSG_RESULT(Cygwin)
OS_CYGWIN="true"
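Review bot: The new `MSYS*)` case sets `NO_STACK_PROTECTOR="true"` without saying why, so a reader cannot tell whether `-fstack-protector` is dropped because the toolchain lacks support or as a workaround for a build failure. For an HTTP parser fed untrusted traffic this is a hardening regression on that platform and deserves a stated reason; a one-line comment above the case such as `# MSYS: stack protector disabled, same as the MinGW case above (toolchain limitation, if that is the reason)` would do. The MinGW case this block mirrors starts before the hunk, so its own justification, if any, is not visible here.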
diff -Nru libhtp-0.5.29/debian/changelog libhtp-0.5.30/debian/changelog
--- libhtp-0.5.29/debian/changelog 2018-12-27 12:23:45.000000000 +0100
+++ libhtp-0.5.30/debian/changelog 2019-05-02 16:38:21.000000000 +0200
@@ -1,3 +1,9 @@
+libhtp (1:0.5.30-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org> Thu, 02 May 2019 16:38:21 +0200
+
libhtp (1:0.5.29-1) unstable; urgency=medium
* New upstream release.
diff -Nru libhtp-0.5.29/htp/htp_list.c libhtp-0.5.30/htp/htp_list.c
--- libhtp-0.5.29/htp/htp_list.c 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp/htp_list.c 2019-03-07 08:35:13.000000000 +0100
@@ -172,15 +172,7 @@
if (idx + 1 > l->current_size) return HTP_DECLINED;
- size_t i = l->first;
-
- while (idx--) {
- if (++i == l->max_size) {
- i = 0;
- }
- }
-
- l->elements[i] = e;
+ l->elements[(l->first + idx) % l->max_size] = e;
return HTP_OK;
}
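Review bot: The new index expression `(l->first + idx) % l->max_size` is only correct while `l->first < l->max_size` and (presumably) `l->current_size <= l->max_size` hold, which is what makes `max_size` non-zero once the guard above passes and keeps the sum from wrapping; nothing in the hunk states that invariant, and the loop it replaces at least made the wrap-around explicit. A comment such as `/* ring buffer: first + idx < 2 * max_size, so one modulo wraps the index */` would keep the next reader from re-deriving it. Separately, the pre-existing guard `if (idx + 1 > l->current_size)` wraps to 0 when `idx == SIZE_MAX` and would then fall through to the store (in bounds thanks to the modulo, but at the wrong slot); `if (idx >= l->current_size)` is the wrap-free form. The enclosing function's signature is outside the hunk.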
diff -Nru libhtp-0.5.29/htp.pc.in libhtp-0.5.30/htp.pc.in
--- libhtp-0.5.29/htp.pc.in 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp.pc.in 2019-03-07 08:35:13.000000000 +0100
@@ -7,5 +7,6 @@
Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products.
Version: @PACKAGE_VERSION@
Libs: -L${libdir} -lhtp
+Libs.private: @LIBICONV@
Cflags: -I${includedir} -I${libdir}/htp/include
diff -Nru libhtp-0.5.29/README libhtp-0.5.30/README
--- libhtp-0.5.29/README 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/README 2019-03-07 08:35:13.000000000 +0100
@@ -43,6 +43,8 @@
Assuming you're using an already packaged version of LibHTP, the installation
process should be as simple as:
+ $ sudo chmod u+x autogen.sh
+ $ ./autogen.sh
$ ./configure
$ make
$ sudo make install
diff -Nru libhtp-0.5.29/test/fuzz/fuzz_htp.c libhtp-0.5.30/test/fuzz/fuzz_htp.c
--- libhtp-0.5.29/test/fuzz/fuzz_htp.c 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/test/fuzz/fuzz_htp.c 2019-03-07 08:35:13.000000000 +0100
@@ -10,7 +10,7 @@
#include <sys/types.h>
#include <string.h>
#include <stdio.h>
-
+#include <inttypes.h>
#include <sys/stat.h>
#include <fcntl.h>
@@ -26,22 +26,82 @@
*
* @param[in] connp
*/
-static int callback_response(htp_tx_t *out_tx) {
+static int HTPCallbackResponse(htp_tx_t *out_tx) {
if (out_tx != NULL) {
char *x = bstr_util_strdup_to_c(out_tx->request_line);
- fprintf(logfile, "%s\n", x);
+ fprintf(logfile, "HTPCallbackResponse %s\n", x);
free(x);
}
return 0;
}
+static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackRequestHasTrailer(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestHasTrailer\n");
+ return 0;
+}
+
+static int HTPCallbackResponseHasTrailer(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackResponseHasTrailer\n");
+ return 0;
+}
+
+static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackRequestStart(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestStart\n");
+ return 0;
+}
+
+static int HTPCallbackRequest(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequest\n");
+ return 0;
+}
+
+static int HTPCallbackResponseStart(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackResponseStart\n");
+ return 0;
+}
+
+static int HTPCallbackRequestLine(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestLine\n");
+ return 0;
+}
+
/**
* Invoked every time LibHTP wants to log.
*
* @param[in] log
*/
-static int callback_log(htp_log_t *log) {
- fprintf(logfile, "[%d][code %d][file %s][line %d] %s\n",
+static int HTPCallbackLog(htp_log_t *log) {
+ fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n",
log->level, log->code, log->file, log->line, log->msg);
return 0;
}
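Review bot: `HTPCallbackResponse` still passes `x` straight to `%s` on the changed `fprintf` line, so if `bstr_util_strdup_to_c` returns NULL (on allocation failure, or when `request_line` is unset — cannot confirm from here) the call is undefined behaviour, which is exactly the kind of self-inflicted noise a sanitizer-built fuzz harness should avoid; `fprintf(logfile, "HTPCallbackResponse %s\n", x ? x : "(null)");` sidesteps it. The new `HTPCallbackRequestStart`, `HTPCallbackResponseStart`, `HTPCallbackRequestHasTrailer`, `HTPCallbackResponseHasTrailer`, `HTPCallbackRequest` and `HTPCallbackRequestLine` callbacks never use their `tx` parameter, so a `(void)tx;` line in each keeps `-Wextra` builds quiet. The new callbacks also lack the Doxygen header that the surviving log callback keeps; a one-line `/** Logs the <event> hook to logfile. */` per function would match the file's style.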
@@ -73,8 +133,20 @@
htp_config_destroy(cfg);
return 0;
}
- htp_config_register_response_complete(cfg, callback_response);
- htp_config_register_log(cfg, callback_log);
+ htp_config_register_log(cfg, HTPCallbackLog);
+ htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData);
+ htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);
+ htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData);
+ htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData);
+ htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer);
+ htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer);
+ htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
+ htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData);
+ htp_config_register_request_start(cfg, HTPCallbackRequestStart);
+ htp_config_register_request_complete(cfg, HTPCallbackRequest);
+ htp_config_register_response_start(cfg, HTPCallbackResponseStart);
+ htp_config_register_response_complete(cfg, HTPCallbackResponse);
+ htp_config_register_request_line(cfg, HTPCallbackRequestLine);
connp = htp_connp_create(cfg);
htp_connp_set_user_data(connp, (void *) 0x02);
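Review bot: Request and response trailer data are registered with the header-data callbacks (`htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);` and the response counterpart), so trailer bytes are logged under the `HTPCallbackRequestHeaderData` / `HTPCallbackResponseHeaderData` labels and cannot be told apart from headers in the harness output. If that is intentional, a comment on those two lines saying so would help; otherwise two small `HTPCallbackRequestTrailerData` / `HTPCallbackResponseTrailerData` functions with their own labels keep the log unambiguous. The enclosing function starts and ends outside the hunk.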
diff -Nru libhtp-0.5.29/.travis.yml libhtp-0.5.30/.travis.yml
--- libhtp-0.5.29/.travis.yml 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/.travis.yml 2019-03-07 08:35:13.000000000 +0100
@@ -8,3 +8,17 @@
- sudo apt-get update -qq
- sudo apt-get install -y build-essential autoconf automake libtool zlib1g zlib1g-dev make
+matrix:
+ include:
+ - name: fuzza
+ env: CXX="clang++" ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" LDFLAGS="-fsanitize=address"
+ compiler: clang
+ os: linux
+ - name: fuzzm
+ env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" LDFLAGS="-fsanitize=memory"
+ compiler: clang
+ os: linux
+ - name: fuzzu
+ env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer" LDFLAGS="-fsanitize=undefined"
+ compiler: clang
+ os: linux
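Review bot: The `fuzza` job sets `ASAN_OPTIONS=detect_leaks=0`, which silences LeakSanitizer in the one build that could catch leaks in the parser, and nothing in the hunk says why (a known leak in the fuzz driver or an LSan limitation on the Travis image are both plausible but unverifiable here). Either drop the option or document it inline, e.g. `# detect_leaks=0: <reason> — re-enable once resolved`. The `fuzzu` job's `-fno-sanitize-recover=undefined,integer` appears only in `CFLAGS`, not in `CXXFLAGS` or `LDFLAGS`, which is probably harmless for a C library but worth making consistent across the three variables.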
diff -Nru libhtp-0.5.29/VERSION libhtp-0.5.30/VERSION
--- libhtp-0.5.29/VERSION 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/VERSION 2019-03-07 08:35:13.000000000 +0100
@@ -1,2 +1,2 @@
# This file is intended to be sourced by sh
-PKG_VERSION=0.5.28
+PKG_VERSION=0.5.30