[update] net/sniproxy -> 0.6.2


[update] net/sniproxy -> 0.6.2

Renaud Allard-2
Hello,

net/sniproxy has numerous fixes that have been committed to the original
project but never included in a release. Amongst them, an fd leak, a
use-after-free, etc. The original developer doesn't seem very interested
in making releases anymore. Therefore, I forked the project and made a
release which includes all the patches. This also allows removing all
the local OpenBSD patches within that port. I might also add some
features which are currently in the proposed pull requests.
Here is the diff, what do you think?

Thank you

[Attachment: sniproxy-0.6.2.diff]

Re: [update] net/sniproxy -> 0.6.2

Solene Rapenne
On Sat, 20 Feb 2021 10:40:30 +0100
Renaud Allard <[hidden email]>:

> Hello,
>
> net/sniproxy has numerous fixes that have been committed to the original
> project but never included in a release. Amongst them, an fd leak, a
> use-after-free, etc. The original developer doesn't seem very interested
> in making releases anymore. Therefore, I forked the project and made a
> release which includes all the patches. This also allows removing all
> the local OpenBSD patches within that port. I might also add some
> features which are currently in the proposed pull requests.
> Here is the diff, what do you think?
>
> Thank you

This is fine by me; it's not possible to use the
current project at its latest commit because of the many
pull requests that are left abandoned and unmerged...

If no one objects to this, I'll commit this soon.

Renaud, you'd better keep it updated as you
will be upstream now :)


Re: [update] net/sniproxy -> 0.6.2

Renaud Allard-2

On 2/23/21 1:20 PM, Solene Rapenne wrote:

> On Sat, 20 Feb 2021 10:40:30 +0100
> Renaud Allard <[hidden email]>:
>
>> Hello,
>>
>> net/sniproxy has numerous fixes that have been committed to the original
>> project but never included in a release. Amongst them, an fd leak, a
>> use-after-free, etc. The original developer doesn't seem very interested
>> in making releases anymore. Therefore, I forked the project and made a
>> release which includes all the patches. This also allows removing all
>> the local OpenBSD patches within that port. I might also add some
>> features which are currently in the proposed pull requests.
>> Here is the diff, what do you think?
>>
>> Thank you
> This is fine by me; it's not possible to use the
> current project at its latest commit because of the many
> pull requests that are left abandoned and unmerged...
>
> If no one objects to this, I'll commit this soon.
>
> Renaud, you'd better keep it updated as you
> will be upstream now :)
>
Thank you Solene.

Please find attached the 0.6.3 diff, which adds pledge and fixes a
buffer overflow.


[Attachment: sniproxy-0.6.3.diff]

Re: [update] net/sniproxy -> 0.6.2

Stuart Henderson
The pledge isn't ready yet, it has "stdio getpw inet dns rpath proc
id" but from a quick glance at docs, it writes files if configured
(access_log, error_log, pidfile), and there are some things using unix
sockets.

Typically with a configurable program, pledge would be done (or
ratcheted down) after parsing config and figuring out what is needed
(I guess it can get rid of rpath in some cases too if you do that;
one of the really big wins from pledge is denying file access to
processes that also have internet access).



On 2021/02/24 13:58, Renaud Allard wrote:

>
> On 2/23/21 1:20 PM, Solene Rapenne wrote:
> > On Sat, 20 Feb 2021 10:40:30 +0100
> > Renaud Allard <[hidden email]>:
> >
> > > Hello,
> > >
> > > net/sniproxy has numerous fixes that have been committed to the original
> > > project but never included in a release. Amongst them, an fd leak, a
> > > use-after-free, etc. The original developer doesn't seem very interested
> > > in making releases anymore. Therefore, I forked the project and made a
> > > release which includes all the patches. This also allows removing all
> > > the local OpenBSD patches within that port. I might also add some
> > > features which are currently in the proposed pull requests.
> > > Here is the diff, what do you think?
> > >
> > > Thank you
> > This is fine by me; it's not possible to use the
> > current project at its latest commit because of the many
> > pull requests that are left abandoned and unmerged...
> >
> > If no one objects to this, I'll commit this soon.
> >
> > Renaud, you'd better keep it updated as you
> > will be upstream now :)
> >
> Thank you Solene.
>
> Please find attached the 0.6.3 diff, which adds pledge and fixes a buffer
> overflow.
>

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/sniproxy/Makefile,v
> retrieving revision 1.2
> diff -u -p -r1.2 Makefile
> --- Makefile 9 Feb 2021 15:06:50 -0000 1.2
> +++ Makefile 24 Feb 2021 12:56:27 -0000
> @@ -2,15 +2,13 @@
>  
>  COMMENT = name-based proxying of HTTPS without decrypting traffic
>  
> -GH_ACCOUNT = dlundquist
> +GH_ACCOUNT = renaudallard
>  GH_PROJECT = sniproxy
> -GH_TAGNAME = 0.6.0
> -
> -REVISION = 0
> +GH_TAGNAME = 0.6.3
>  
>  CATEGORIES = net
>  
> -HOMEPAGE = https://github.com/dlundquist/sniproxy
> +HOMEPAGE = https://github.com/renaudallard/sniproxy
>  
>  MAINTAINER = Renaud Allard <[hidden email]>
>  
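Review bot: GH_ACCOUNT and HOMEPAGE now point at renaudallard/sniproxy, which this thread describes as a fork of dlundquist/sniproxy carrying the unreleased fixes, but nothing in the Makefile records that provenance change; state it in the commit message so anyone auditing where the port's source comes from can find it. Dropping REVISION together with the GH_TAGNAME bump to 0.6.3 is the right thing to do.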
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/sniproxy/distinfo,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 distinfo
> --- distinfo 8 Apr 2020 04:56:52 -0000 1.1.1.1
> +++ distinfo 24 Feb 2021 12:56:27 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (sniproxy-0.6.0.tar.gz) = 1zx3qfqBma56xVHAMy0+Cj/yNGI/U9ZTaaj6Vg2YgOI=
> -SIZE (sniproxy-0.6.0.tar.gz) = 78515
> +SHA256 (sniproxy-0.6.3.tar.gz) = 7q6Q1NdZNWQMDPJjZc/pyVzKydKOeVoc0yfDTaFaytE=
> +SIZE (sniproxy-0.6.3.tar.gz) = 79108
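Review bot: the new SHA256 and SIZE pin the 0.6.3 tag tarball while the thread subject still reads 0.6.2; make sure the commit log names 0.6.3 so the log and distinfo agree, and generate the line with `make makesum` against the tag rather than editing it by hand.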
> Index: patches/patch-sniproxy_conf
> ===================================================================
> RCS file: patches/patch-sniproxy_conf
> diff -N patches/patch-sniproxy_conf
> --- patches/patch-sniproxy_conf 8 Apr 2020 04:56:52 -0000 1.1.1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,16 +0,0 @@
> -$OpenBSD: patch-sniproxy_conf,v 1.1.1.1 2020/04/08 04:56:52 bket Exp $
> -
> -Index: sniproxy.conf
> ---- sniproxy.conf.orig
> -+++ sniproxy.conf
> -@@ -2,8 +2,8 @@
> - # lines that start with # are comments
> - # lines with only white space are ignored
> -
> --user nobody
> --group nogroup
> -+user _sniproxy
> -+group _sniproxy
> -
> - # PID file, needs to be placed in directory writable by user
> - pidfile /var/run/sniproxy.pid
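Review bot: deleting this patch drops the local change of user/group from nobody/nogroup to _sniproxy in the shipped sniproxy.conf. That is only safe if the 0.6.3 tarball's sniproxy.conf already defaults to _sniproxy; otherwise the example config installed by the port would run the daemon as nobody again, sharing a uid with every other nobody process on the host. Worth confirming against the tarball before commit.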
> Index: patches/patch-src_config_c
> ===================================================================
> RCS file: patches/patch-src_config_c
> diff -N patches/patch-src_config_c
> --- patches/patch-src_config_c 9 Feb 2021 15:06:50 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,16 +0,0 @@
> -$OpenBSD: patch-src_config_c,v 1.1 2021/02/09 15:06:50 tb Exp $
> -
> -Fix incorrect format string
> -
> -Index: src/config.c
> ---- src/config.c.orig
> -+++ src/config.c
> -@@ -234,7 +234,7 @@ init_config(const char *filename, struct ev_loop *loop
> -         err("error parsing %s at %jd near:", filename, whence);
> -         fseek(file, -20, SEEK_CUR);
> -         for (int i = 0; i < 5; i++)
> --            err(" %jd\t%s", ftell(file), fgets(line, sizeof(line), file));
> -+            err(" %ld\t%s", ftell(file), fgets(line, sizeof(line), file));
> -
> -         free_config(config, loop);
> -         config = NULL;
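Review bot: this removes the %jd/ftell() format-string fix in the init_config() error path; confirm the fork carries the same fix (the %ld form, or a cast to intmax_t) so the mismatch does not come back with the tarball. The same err() line also hands the fgets() return value straight to %s, which is NULL at EOF or on a read error; now that the port maintainer is also upstream, that is worth fixing there too.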
> Index: patches/patch-src_http_h
> ===================================================================
> RCS file: patches/patch-src_http_h
> diff -N patches/patch-src_http_h
> --- patches/patch-src_http_h 9 Feb 2021 15:06:50 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-src_http_h,v 1.1 2021/02/09 15:06:50 tb Exp $
> -
> -https://github.com/dlundquist/sniproxy/pull/349
> -
> -Index: src/http.h
> ---- src/http.h.orig
> -+++ src/http.h
> -@@ -29,6 +29,6 @@
> - #include <stdio.h>
> - #include "protocol.h"
> -
> --const struct Protocol *const http_protocol;
> -+extern const struct Protocol *const http_protocol;
> -
> - #endif
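Review bot: both this patch and patch-src_tls_h below come from dlundquist/sniproxy PR 349 (adding extern to the http_protocol/tls_protocol declarations). Deleting them assumes the fork merged that PR; a quick grep of src/http.h and src/tls.h in the 0.6.3 tarball for the extern would confirm it, since without it every translation unit including the header gets its own definition.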
> Index: patches/patch-src_tls_h
> ===================================================================
> RCS file: patches/patch-src_tls_h
> diff -N patches/patch-src_tls_h
> --- patches/patch-src_tls_h 9 Feb 2021 15:06:50 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-src_tls_h,v 1.1 2021/02/09 15:06:50 tb Exp $
> -
> -https://github.com/dlundquist/sniproxy/pull/349
> -
> -Index: src/tls.h
> ---- src/tls.h.orig
> -+++ src/tls.h
> -@@ -28,6 +28,6 @@
> -
> - #include "protocol.h"
> -
> --const struct Protocol *const tls_protocol;
> -+extern const struct Protocol *const tls_protocol;
> -
> - #endif




Re: [update] net/sniproxy -> 0.6.2

Renaud Allard-2


On 2/24/21 2:44 PM, Stuart Henderson wrote:

> The pledge isn't ready yet, it has "stdio getpw inet dns rpath proc
> id" but from a quick glance at docs, it writes files if configured
> (access_log, error_log, pidfile), and there are some things using unix
> sockets.
>
> Typically with a configurable program, pledge would be done (or
> ratcheted down) after parsing config and figuring out what is needed
> (I guess it can get rid of rpath in some cases too if you do that;
> one of the really big wins from pledge is denying file access to
> processes that also have internet access).
>
Would you suggest adding "wpath, unix", so we have a basic pledge rule
(better than nothing), then try to see how they can be removed with a
config parser? At the moment, I don't think the current config parser
can do that.
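The two-stage pledge Stuart describes (a broad set once the configuration is parsed, then a narrower set once logs and pidfile are open and privileges are dropped) as an added example in C; this is not sniproxy's code. The struct proxy_config fields, promises_for() and apply_promises() are hypothetical stand-ins for whatever the real config parser exposes, the sample configs are constructed, and the pledge(2) call is compiled only on OpenBSD so the example also builds elsewhere. It answers Renaud's question in a third way: instead of adding "wpath unix" unconditionally, the promise set is derived from what the config actually enables.

```c
/* Added example, not from sniproxy: derive pledge(2) promises from a parsed
 * configuration and ratchet them down in two stages. The config struct and
 * its fields are hypothetical; map them onto whatever the real parser fills. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* pledge(2) lives here on OpenBSD */

struct proxy_config {
    const char *access_log;     /* NULL when not configured */
    const char *error_log;
    const char *pidfile;
    bool has_unix_listener;     /* a listener or backend on an AF_UNIX socket */
    bool drop_privileges;       /* user/group set: getpwnam() + setuid() needed */
    bool resolves_names;        /* backends given by hostname: needs "dns" */
    bool daemonize;             /* fork() into the background: needs "proc" */
};

enum pledge_stage {
    STAGE_SETUP,    /* config parsed; logs, pidfile, sockets not yet opened */
    STAGE_RUNTIME   /* files open, privileges dropped, forked: steady state */
};

/* Build the smallest promise string a stage needs. The runtime set is always
 * a subset of the setup set, because pledge() can only remove promises.
 * Returns a pointer to a static buffer (fine for a single-threaded daemon). */
const char *promises_for(const struct proxy_config *cfg, enum pledge_stage stage)
{
    static char buf[128];
    const char *p[10];
    int n = 0;

    p[n++] = "stdio";
    p[n++] = "inet";
    if (cfg->resolves_names)
        p[n++] = "dns";
    if (cfg->has_unix_listener)
        p[n++] = "unix";          /* bind/accept on AF_UNIX sockets */

    if (stage == STAGE_SETUP) {
        /* Log files and the pidfile are opened O_WRONLY|O_CREAT once, so
         * wpath/cpath are needed now and can be dropped afterwards; writes to
         * an already-open fd only need "stdio". rpath is not needed at all
         * once the config has been read (the point Stuart makes above). */
        if (cfg->access_log || cfg->error_log || cfg->pidfile) {
            p[n++] = "wpath";
            p[n++] = "cpath";
        }
        if (cfg->drop_privileges) {
            p[n++] = "getpw";     /* getpwnam() on the configured user */
            p[n++] = "id";        /* setgroups/setgid/setuid */
        }
        if (cfg->daemonize)
            p[n++] = "proc";      /* fork() */
    }

    buf[0] = '\0';
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        int w = snprintf(buf + off, sizeof buf - off, "%s%s", i ? " " : "", p[i]);
        if (w < 0 || (size_t)w >= sizeof buf - off)
            return NULL;          /* cannot happen with at most 9 short promises */
        off += (size_t)w;
    }
    return buf;
}

/* Apply a promise string. pledge(2) only exists on OpenBSD; elsewhere this is
 * a no-op so the example still compiles and runs. Returns 0 on success. */
int apply_promises(const char *promises)
{
    if (promises == NULL)
        return -1;
#ifdef __OpenBSD__
    return pledge(promises, NULL);
#else
    return 0;
#endif
}

/* Constructed sample: roughly what a sniproxy.conf with a pidfile, an access
 * log and a user to drop to would parse into. */
const struct proxy_config SAMPLE_CFG = {
    .access_log = "/var/log/sniproxy/access.log",
    .error_log = NULL,
    .pidfile = "/var/run/sniproxy.pid",
    .has_unix_listener = false,
    .drop_privileges = true,
    .resolves_names = true,
    .daemonize = true,
};

/* Constructed sample: a foreground instance on a unix socket, no files. */
const struct proxy_config MINIMAL_CFG = { .has_unix_listener = true };

int main(void)
{
    /* Stage 1: after parsing the config, before opening anything. */
    if (apply_promises(promises_for(&SAMPLE_CFG, STAGE_SETUP)) != 0)
        return 1;
    printf("setup:   %s\n", promises_for(&SAMPLE_CFG, STAGE_SETUP));
    /* ... open logs and pidfile, getpwnam()/setuid(), fork() would go here ... */
    /* Stage 2: ratchet down to the steady-state set. */
    if (apply_promises(promises_for(&SAMPLE_CFG, STAGE_RUNTIME)) != 0)
        return 1;
    printf("runtime: %s\n", promises_for(&SAMPLE_CFG, STAGE_RUNTIME));
    return 0;
}
```

Two caveats follow from the design. If the daemon reopens its log files on SIGHUP, "wpath" (and "cpath" if they may not exist yet) has to stay in the runtime set, since the second pledge cannot be widened later. And a failing pledge() should be treated as fatal rather than ignored, otherwise the process silently runs with the broad set.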

