Your message dated Sun, 05 May 2019 14:19:00 +0000
with message-id <d17f95a3-f1cf-9210-98f5-ff374af644df@thykier.net>
and subject line Re: Bug#928389: unblock: libhtp/1:0.5.30-1
has caused the Debian Bug report #928389,
regarding unblock: libhtp/1:0.5.30-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
928389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928389
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: libhtp/1:0.5.30-1
- From: Sascha Steinbiss <satta@debian.org>
- Date: Fri, 3 May 2019 15:48:14 +0200
- Message-id: <517adfb6-5b33-191b-c845-18233b231b0a@debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libhtp. The debdiff is attached.

The actual change is very small and does not affect the API/ABI.
This update is meant to go hand-in-hand with the new version of Suricata
(4.1.4) for which we have also asked for an unblock in #928294.
Again, with libhtp as the HTTP parsing component of a security-relevant
software tool exposed to potentially malicious traffic we should aim for
the latest version available in buster.

Here's the full changelog since the version in buster:

0.5.30 (07 March 2019)
----------------------
- array/list handing optimization by Philippe Antoine for an issue found
be oss-fuzz
- improved Windows support
- fuzz targets improvements by Philippe Antoine
- packaging improvements by Fabrice Fontaine
- install doc improved by Wenhui Zhang

unblock libhtp/1:0.5.30-1

Best regards
Sascha

diff -Nru libhtp-0.5.29/appveyor.yml libhtp-0.5.30/appveyor.yml --- libhtp-0.5.29/appveyor.yml 1970-01-01 01:00:00.000000000 +0100 +++ libhtp-0.5.30/appveyor.yml 2019-03-07 08:35:13.000000000 +0100 @@ -0,0 +1,18 @@ +environment: + matrix: + - COMPILER: mingw-w64 + MINGW_DIR: c:\msys64\mingw64 + MINGW_ARCH: x86_64 + + - COMPILER: mingw + MINGW_DIR: c:\msys64\mingw32 + MINGW_ARCH: i686 + +build_script: + - set Path=%MINGW_DIR%\bin;c:\msys64\usr\bin;%Path% + - bash autogen.sh + - bash configure + - make distcheck + +#on_finish: +# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) diff -Nru libhtp-0.5.29/ChangeLog libhtp-0.5.30/ChangeLog --- libhtp-0.5.29/ChangeLog 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/ChangeLog 2019-03-07 08:35:13.000000000 +0100 
@@ -1,3 +1,16 @@ +0.5.30 (07 March 2019) +---------------------- + +- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz + +- improved Windows support + +- fuzz targets improvements by Philippe Antoine + +- packaging improvements by Fabrice Fontaine + +- install doc improved by Wenhui Zhang + 0.5.29 (21 December 2018) ------------------------- diff -Nru libhtp-0.5.29/configure.ac libhtp-0.5.30/configure.ac --- libhtp-0.5.29/configure.ac 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/configure.ac 2019-03-07 08:35:13.000000000 +0100 @@ -118,6 +118,11 @@ OS_WINDOWS="true" NO_STACK_PROTECTOR="true" ;; + MSYS*) + AC_MSG_RESULT(MSYS) + OS_WINDOWS="true" + NO_STACK_PROTECTOR="true" + ;; CYGWIN*) AC_MSG_RESULT(Cygwin) OS_CYGWIN="true" diff -Nru libhtp-0.5.29/debian/changelog libhtp-0.5.30/debian/changelog --- libhtp-0.5.29/debian/changelog 2018-12-27 12:23:45.000000000 +0100 +++ libhtp-0.5.30/debian/changelog 2019-05-02 16:38:21.000000000 +0200 @@ -1,3 +1,9 @@ +libhtp (1:0.5.30-1) unstable; urgency=medium + + * New upstream release. + + -- Sascha Steinbiss <satta@debian.org> Thu, 02 May 2019 16:38:21 +0200 + libhtp (1:0.5.29-1) unstable; urgency=medium * New upstream release. diff -Nru libhtp-0.5.29/htp/htp_list.c libhtp-0.5.30/htp/htp_list.c --- libhtp-0.5.29/htp/htp_list.c 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/htp/htp_list.c 2019-03-07 08:35:13.000000000 +0100 @@ -172,15 +172,7 @@ if (idx + 1 > l->current_size) return HTP_DECLINED; - size_t i = l->first; - - while (idx--) { - if (++i == l->max_size) { - i = 0; - } - } - - l->elements[i] = e; + l->elements[(l->first + idx) % l->max_size] = e; return HTP_OK; } diff -Nru libhtp-0.5.29/htp.pc.in libhtp-0.5.30/htp.pc.in --- libhtp-0.5.29/htp.pc.in 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/htp.pc.in 2019-03-07 08:35:13.000000000 +0100 
@@ -7,5 +7,6 @@ Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products. Version: @PACKAGE_VERSION@ Libs: -L${libdir} -lhtp +Libs.private: @LIBICONV@ Cflags: -I${includedir} -I${libdir}/htp/include diff -Nru libhtp-0.5.29/README libhtp-0.5.30/README --- libhtp-0.5.29/README 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/README 2019-03-07 08:35:13.000000000 +0100 @@ -43,6 +43,8 @@ Assuming you're using an already packaged version of LibHTP, the installation process should be as simple as: + $ sudo chmod u+x autogen.sh + $ ./autogen.sh $ ./configure $ make $ sudo make install diff -Nru libhtp-0.5.29/test/fuzz/fuzz_htp.c libhtp-0.5.30/test/fuzz/fuzz_htp.c --- libhtp-0.5.29/test/fuzz/fuzz_htp.c 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/test/fuzz/fuzz_htp.c 2019-03-07 08:35:13.000000000 +0100 @@ -10,7 +10,7 @@ #include <sys/types.h> #include <string.h> #include <stdio.h> - +#include <inttypes.h> #include <sys/stat.h> #include <fcntl.h> 
@@ -26,22 +26,82 @@ * * @param[in] connp */ -static int callback_response(htp_tx_t *out_tx) { +static int HTPCallbackResponse(htp_tx_t *out_tx) { if (out_tx != NULL) { char *x = bstr_util_strdup_to_c(out_tx->request_line); - fprintf(logfile, "%s\n", x); + fprintf(logfile, "HTPCallbackResponse %s\n", x); free(x); } return 0; } +static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data) +{ + fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len); + return 0; +} + +static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data) +{ + fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len); + return 0; +} + +static int HTPCallbackRequestHasTrailer(htp_tx_t *tx) +{ + fprintf(logfile, "HTPCallbackRequestHasTrailer\n"); + return 0; +} + +static int HTPCallbackResponseHasTrailer(htp_tx_t *tx) +{ + fprintf(logfile, "HTPCallbackResponseHasTrailer\n"); + return 0; +} + +static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data) +{ + fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len); + return 0; +} + +static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data) +{ + fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len); + return 0; +} + +static int HTPCallbackRequestStart(htp_tx_t *tx) +{ + fprintf(logfile, "HTPCallbackRequestStart\n"); + return 0; +} + +static int HTPCallbackRequest(htp_tx_t *tx) +{ + fprintf(logfile, "HTPCallbackRequest\n"); + return 0; +} + +static int HTPCallbackResponseStart(htp_tx_t *tx) +{ + fprintf(logfile, "HTPCallbackResponseStart\n"); + return 0; +} + +static int HTPCallbackRequestLine(htp_tx_t *tx) +{ + fprintf(logfile, "HTPCallbackRequestLine\n"); + return 0; +} + /** * Invoked every time LibHTP wants to log. 
* * @param[in] log */ -static int callback_log(htp_log_t *log) { - fprintf(logfile, "[%d][code %d][file %s][line %d] %s\n", +static int HTPCallbackLog(htp_log_t *log) { + fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n", log->level, log->code, log->file, log->line, log->msg); return 0; } @@ -73,8 +133,20 @@ htp_config_destroy(cfg); return 0; } - htp_config_register_response_complete(cfg, callback_response); - htp_config_register_log(cfg, callback_log); + htp_config_register_log(cfg, HTPCallbackLog); + htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData); + htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData); + htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData); + htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData); + htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer); + htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer); + htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData); + htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData); + htp_config_register_request_start(cfg, HTPCallbackRequestStart); + htp_config_register_request_complete(cfg, HTPCallbackRequest); + htp_config_register_response_start(cfg, HTPCallbackResponseStart); + htp_config_register_response_complete(cfg, HTPCallbackResponse); + htp_config_register_request_line(cfg, HTPCallbackRequestLine); connp = htp_connp_create(cfg); htp_connp_set_user_data(connp, (void *) 0x02); diff -Nru libhtp-0.5.29/.travis.yml libhtp-0.5.30/.travis.yml --- libhtp-0.5.29/.travis.yml 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/.travis.yml 2019-03-07 08:35:13.000000000 +0100 
@@ -8,3 +8,17 @@ - sudo apt-get update -qq - sudo apt-get install -y build-essential autoconf automake libtool zlib1g zlib1g-dev make +matrix: + include: + - name: fuzza + env: CXX="clang++" ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" LDFLAGS="-fsanitize=address" + compiler: clang + os: linux + - name: fuzzm + env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" LDFLAGS="-fsanitize=memory" + compiler: clang + os: linux + - name: fuzzu + env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer" LDFLAGS="-fsanitize=undefined" + compiler: clang + os: linux diff -Nru libhtp-0.5.29/VERSION libhtp-0.5.30/VERSION --- libhtp-0.5.29/VERSION 2018-12-20 18:55:58.000000000 +0100 +++ libhtp-0.5.30/VERSION 2019-03-07 08:35:13.000000000 +0100 @@ -1,2 +1,2 @@ # This file is intended to be sourced by sh -PKG_VERSION=0.5.28 +PKG_VERSION=0.5.30Attachment: signature.asc
Description: OpenPGP digital signature
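Review bot: The commented-out on_finish entry at the end of the new appveyor.yml fetches enable-rdp.ps1 over the network and runs it through iex; even as a comment it is one keystroke away from opening RDP on the build worker. Drop the two lines from the committed file and keep that snippet in local debugging notes instead.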
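Review bot: The new MSYS* case in configure.ac sets NO_STACK_PROTECTOR="true" with no comment saying why, which silently removes a hardening measure from a parser whose own description says it is meant for IDS/IPS and WAF use. Please add a short comment with the toolchain limitation that requires it, or probe for stack-protector support instead of disabling it by platform name.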
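Review bot: In htp/htp_list.c the unchanged guard above the new store, if (idx + 1 > l->current_size), wraps to 0 when idx is the maximum value of its type (assuming idx is unsigned like the removed size_t i), so that index passes the check and (l->first + idx) % l->max_size then wraps as well and overwrites an unintended slot instead of returning HTP_DECLINED. The modulo keeps the write inside the ring, but the call should be rejected; writing the guard as if (idx >= l->current_size) avoids the addition. A unit test that replaces an element after the ring has wrapped (l->first non-zero) would also pin the equivalence with the removed loop, and the diff adds none.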
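Review bot: The README hunk adds "sudo chmod u+x autogen.sh", which runs chmod as root on a file in the user's own source tree for no visible reason. Plain "chmod u+x autogen.sh" or "sh autogen.sh" is enough, and the lead sentence above the steps still says "already packaged version", so it would help to state when the autogen step is actually needed.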
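Review bot: In test/fuzz/fuzz_htp.c, HTPCallbackResponse still passes the result of bstr_util_strdup_to_c(out_tx->request_line) straight to the %s in fprintf without checking it for NULL; only out_tx is checked. Since this hunk touches the function anyway, guard x before printing so a failed duplication or a missing request line does not become a crash in the harness rather than in the library under test. The new callbacks that take htp_tx_t *tx and never use it will also warn under -Wunused-parameter; a (void)tx; line in each would keep the fuzz build quiet.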
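Review bot: In the registration block of test/fuzz/fuzz_htp.c, htp_config_register_request_trailer_data and htp_config_register_response_trailer_data are given HTPCallbackRequestHeaderData and HTPCallbackResponseHeaderData, so trailer bytes are logged under the header-data label and the fuzz log cannot tell the two apart. If the reuse is deliberate, say so in a comment; otherwise add separate trailer-data callbacks with their own prefix.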
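Review bot: In the new .travis.yml matrix, the fuzzu job passes -fno-sanitize-recover=undefined,integer only in CFLAGS and not in CXXFLAGS, so anything compiled with clang++ would report undefined behaviour and carry on instead of failing the job. Mirror the flag in CXXFLAGS, and add a comment on the fuzza job explaining why ASAN_OPTIONS=detect_leaks=0 is needed, since it hides leak reports from the only ASan run.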
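Review bot: The VERSION hunk removes PKG_VERSION=0.5.28 from the libhtp-0.5.29 tree, which means the previous release shipped with a stale version string and this file is being bumped by hand. A release-time check that compares PKG_VERSION with the top ChangeLog entry would stop that recurring, which matters for anyone matching installed versions against advisories.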
--- End Message ---
--- Begin Message ---
- To: Sascha Steinbiss <satta@debian.org>, 928389-done@bugs.debian.org
- Subject: Re: Bug#928389: unblock: libhtp/1:0.5.30-1
- From: Niels Thykier <niels@thykier.net>
- Date: Sun, 05 May 2019 14:19:00 +0000
- Message-id: <d17f95a3-f1cf-9210-98f5-ff374af644df@thykier.net>
- In-reply-to: <517adfb6-5b33-191b-c845-18233b231b0a@debian.org>
- References: <517adfb6-5b33-191b-c845-18233b231b0a@debian.org>
Sascha Steinbiss:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package libhtp. The debdiff is attached.
>
> The actual change is very small and does not affect the API/ABI.
> This update is meant to go hand-in-hand with the new version of Suricata
> (4.1.4) for which we have also asked for an unblock in #928294.
> Again, with libhtp as the HTTP parsing component of a security-relevant
> software tool exposed to potentially malicious traffic we should aim for
> the latest version available in buster.
>
> Here's the full changelog since the version in buster:
>
> 0.5.30 (07 March 2019)
> ----------------------
> - array/list handing optimization by Philippe Antoine for an issue found
> be oss-fuzz
> - improved Windows support
> - fuzz targets improvements by Philippe Antoine
> - packaging improvements by Fabrice Fontaine
> - install doc improved by Wenhui Zhang
>
> unblock libhtp/1:0.5.30-1
>
> Best regards
> Sascha
>

Unblocked, thanks.
~Niels
--- End Message ---