[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#928389: marked as done (unblock: libhtp/1:0.5.30-1)

Your message dated Sun, 05 May 2019 14:19:00 +0000
with message-id <d17f95a3-f1cf-9210-98f5-ff374af644df@thykier.net>
and subject line Re: Bug#928389: unblock: libhtp/1:0.5.30-1
has caused the Debian Bug report #928389,
regarding unblock: libhtp/1:0.5.30-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928389
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libhtp. The debdiff is attached.

The actual change is very small and does not affect the API/ABI.
This update is meant to go hand-in-hand with the new version of Suricata
(4.1.4) for which we have also asked for an unblock in #928294.
Again, with libhtp as the HTTP parsing component of a security-relevant
software tool exposed to potentially malicious traffic we should aim for
the latest version available in buster.

Here's the full changelog since the version in buster:

0.5.30 (07 March 2019)
----------------------
- array/list handing optimization by Philippe Antoine for an issue found
  be oss-fuzz
- improved Windows support
- fuzz targets improvements by Philippe Antoine
- packaging improvements by Fabrice Fontaine
- install doc improved by Wenhui Zhang

unblock libhtp/1:0.5.30-1

Best regards
Sascha

diff -Nru libhtp-0.5.29/appveyor.yml libhtp-0.5.30/appveyor.yml
--- libhtp-0.5.29/appveyor.yml	1970-01-01 01:00:00.000000000 +0100
+++ libhtp-0.5.30/appveyor.yml	2019-03-07 08:35:13.000000000 +0100
@@ -0,0 +1,18 @@
+environment:
+  matrix:
+    - COMPILER: mingw-w64
+      MINGW_DIR: c:\msys64\mingw64
+      MINGW_ARCH: x86_64
+
+    - COMPILER: mingw
+      MINGW_DIR: c:\msys64\mingw32
+      MINGW_ARCH: i686
+
+build_script:
+  - set Path=%MINGW_DIR%\bin;c:\msys64\usr\bin;%Path%
+  - bash autogen.sh
+  - bash configure
+  - make distcheck
+
+#on_finish:
+#  - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
diff -Nru libhtp-0.5.29/ChangeLog libhtp-0.5.30/ChangeLog
--- libhtp-0.5.29/ChangeLog	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/ChangeLog	2019-03-07 08:35:13.000000000 +0100
@@ -1,3 +1,16 @@
+0.5.30 (07 March 2019)
+----------------------
+
+- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz
+
+- improved Windows support
+
+- fuzz targets improvements by Philippe Antoine
+
+- packaging improvements by Fabrice Fontaine
+
+- install doc improved by Wenhui Zhang
+
 0.5.29 (21 December 2018)
 -------------------------
 
diff -Nru libhtp-0.5.29/configure.ac libhtp-0.5.30/configure.ac
--- libhtp-0.5.29/configure.ac	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/configure.ac	2019-03-07 08:35:13.000000000 +0100
@@ -118,6 +118,11 @@
                 OS_WINDOWS="true"
                 NO_STACK_PROTECTOR="true"
         ;;
+        MSYS*)
+                AC_MSG_RESULT(MSYS)
+                OS_WINDOWS="true"
+                NO_STACK_PROTECTOR="true"
+        ;;
         CYGWIN*)
                 AC_MSG_RESULT(Cygwin)
                 OS_CYGWIN="true"
diff -Nru libhtp-0.5.29/debian/changelog libhtp-0.5.30/debian/changelog
--- libhtp-0.5.29/debian/changelog	2018-12-27 12:23:45.000000000 +0100
+++ libhtp-0.5.30/debian/changelog	2019-05-02 16:38:21.000000000 +0200
@@ -1,3 +1,9 @@
+libhtp (1:0.5.30-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 02 May 2019 16:38:21 +0200
+
 libhtp (1:0.5.29-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libhtp-0.5.29/htp/htp_list.c libhtp-0.5.30/htp/htp_list.c
--- libhtp-0.5.29/htp/htp_list.c	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp/htp_list.c	2019-03-07 08:35:13.000000000 +0100
@@ -172,15 +172,7 @@
 
     if (idx + 1 > l->current_size) return HTP_DECLINED;
 
-    size_t i = l->first;
-
-    while (idx--) {
-        if (++i == l->max_size) {
-            i = 0;
-        }
-    }
-
-    l->elements[i] = e;
+    l->elements[(l->first + idx) % l->max_size] = e;
 
     return HTP_OK;
 }
diff -Nru libhtp-0.5.29/htp.pc.in libhtp-0.5.30/htp.pc.in
--- libhtp-0.5.29/htp.pc.in	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp.pc.in	2019-03-07 08:35:13.000000000 +0100
@@ -7,5 +7,6 @@
 Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products.
 Version: @PACKAGE_VERSION@
 Libs: -L${libdir} -lhtp
+Libs.private: @LIBICONV@
 Cflags: -I${includedir} -I${libdir}/htp/include
 
diff -Nru libhtp-0.5.29/README libhtp-0.5.30/README
--- libhtp-0.5.29/README	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/README	2019-03-07 08:35:13.000000000 +0100
@@ -43,6 +43,8 @@
 Assuming you're using an already packaged version of LibHTP, the installation
 process should be as simple as:
 
+  $ sudo chmod u+x autogen.sh
+  $ ./autogen.sh
   $ ./configure
   $ make
   $ sudo make install
diff -Nru libhtp-0.5.29/test/fuzz/fuzz_htp.c libhtp-0.5.30/test/fuzz/fuzz_htp.c
--- libhtp-0.5.29/test/fuzz/fuzz_htp.c	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/test/fuzz/fuzz_htp.c	2019-03-07 08:35:13.000000000 +0100
@@ -10,7 +10,7 @@
 #include <sys/types.h>
 #include <string.h>
 #include <stdio.h>
-
+#include <inttypes.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 
@@ -26,22 +26,82 @@
  *
  * @param[in] connp
  */
-static int callback_response(htp_tx_t *out_tx) {
+static int HTPCallbackResponse(htp_tx_t *out_tx) {
     if (out_tx != NULL) {
         char *x = bstr_util_strdup_to_c(out_tx->request_line);
-        fprintf(logfile, "%s\n", x);
+        fprintf(logfile, "HTPCallbackResponse %s\n", x);
         free(x);
     }
     return 0;
 }
 
+static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
+{
+    fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+    return 0;
+}
+
+static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
+{
+    fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+    return 0;
+}
+
+static int HTPCallbackRequestHasTrailer(htp_tx_t *tx)
+{
+    fprintf(logfile, "HTPCallbackRequestHasTrailer\n");
+    return 0;
+}
+
+static int HTPCallbackResponseHasTrailer(htp_tx_t *tx)
+{
+    fprintf(logfile, "HTPCallbackResponseHasTrailer\n");
+    return 0;
+}
+
+static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data)
+{
+    fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+    return 0;
+}
+
+static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data)
+{
+    fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+    return 0;
+}
+
+static int HTPCallbackRequestStart(htp_tx_t *tx)
+{
+    fprintf(logfile, "HTPCallbackRequestStart\n");
+    return 0;
+}
+
+static int HTPCallbackRequest(htp_tx_t *tx)
+{
+    fprintf(logfile, "HTPCallbackRequest\n");
+    return 0;
+}
+
+static int HTPCallbackResponseStart(htp_tx_t *tx)
+{
+    fprintf(logfile, "HTPCallbackResponseStart\n");
+    return 0;
+}
+
+static int HTPCallbackRequestLine(htp_tx_t *tx)
+{
+    fprintf(logfile, "HTPCallbackRequestLine\n");
+    return 0;
+}
+
 /**
  * Invoked every time LibHTP wants to log. 
  *
  * @param[in] log
  */
-static int callback_log(htp_log_t *log) {
-    fprintf(logfile, "[%d][code %d][file %s][line %d] %s\n",
+static int HTPCallbackLog(htp_log_t *log) {
+    fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n",
         log->level, log->code, log->file, log->line, log->msg);
     return 0;
 }
@@ -73,8 +133,20 @@
         htp_config_destroy(cfg);
         return 0;
     }
-    htp_config_register_response_complete(cfg, callback_response);
-    htp_config_register_log(cfg, callback_log);
+    htp_config_register_log(cfg, HTPCallbackLog);
+    htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData);
+    htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);
+    htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData);
+    htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData);
+    htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer);
+    htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer);
+    htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
+    htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData);
+    htp_config_register_request_start(cfg, HTPCallbackRequestStart);
+    htp_config_register_request_complete(cfg, HTPCallbackRequest);
+    htp_config_register_response_start(cfg, HTPCallbackResponseStart);
+    htp_config_register_response_complete(cfg, HTPCallbackResponse);
+    htp_config_register_request_line(cfg, HTPCallbackRequestLine);
 
     connp = htp_connp_create(cfg);
     htp_connp_set_user_data(connp, (void *) 0x02);
diff -Nru libhtp-0.5.29/.travis.yml libhtp-0.5.30/.travis.yml
--- libhtp-0.5.29/.travis.yml	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/.travis.yml	2019-03-07 08:35:13.000000000 +0100
@@ -8,3 +8,17 @@
   - sudo apt-get update -qq
   - sudo apt-get install -y build-essential autoconf automake libtool zlib1g zlib1g-dev make 
 
+matrix:
+    include:
+        - name: fuzza
+          env: CXX="clang++" ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" LDFLAGS="-fsanitize=address"
+          compiler: clang
+          os: linux
+        - name: fuzzm
+          env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" LDFLAGS="-fsanitize=memory"
+          compiler: clang
+          os: linux
+        - name: fuzzu
+          env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer" LDFLAGS="-fsanitize=undefined"
+          compiler: clang
+          os: linux
diff -Nru libhtp-0.5.29/VERSION libhtp-0.5.30/VERSION
--- libhtp-0.5.29/VERSION	2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/VERSION	2019-03-07 08:35:13.000000000 +0100
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.28
+PKG_VERSION=0.5.30

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message --- 
Sascha Steinbiss:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libhtp. The debdiff is attached.
> 
> The actual change is very small and does not affect the API/ABI.
> This update is meant to go hand-in-hand with the new version of Suricata
> (4.1.4) for which we have also asked for an unblock in #928294.
> Again, with libhtp as the HTTP parsing component of a security-relevant
> software tool exposed to potentially malicious traffic we should aim for
> the latest version available in buster.
> 
> Here's the full changelog since the version in buster:
> 
> 0.5.30 (07 March 2019)
> ----------------------
> - array/list handing optimization by Philippe Antoine for an issue found
>   be oss-fuzz
> - improved Windows support
> - fuzz targets improvements by Philippe Antoine
> - packaging improvements by Fabrice Fontaine
> - install doc improved by Wenhui Zhang
> 
> unblock libhtp/1:0.5.30-1
> 
> Best regards
> Sascha
> 

Unblocked, thanks.
~Niels

--- End Message ---
Reply to: