update www/sthttpd


update www/sthttpd

Michael McConville-3
Most or all of the changes were already included in patches. I'm not
sure whether the minor PLIST changes make sense - I couldn't find anything
in the CVS logs.


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/sthttpd/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile 22 Jan 2016 17:07:41 -0000 1.5
+++ Makefile 7 Apr 2016 17:35:03 -0000
@@ -2,8 +2,7 @@
 
 COMMENT= tiny/turbo/throttling HTTP server
 
-DISTNAME= sthttpd-2.26.4
-REVISION= 2
+DISTNAME= sthttpd-2.27.0
 CATEGORIES= www
 MASTER_SITES= http://opensource.dyc.edu/pub/sthttpd/
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/sthttpd/distinfo,v
retrieving revision 1.2
diff -u -p -r1.2 distinfo
--- distinfo 6 May 2014 09:00:37 -0000 1.2
+++ distinfo 7 Apr 2016 17:35:03 -0000
@@ -1,2 +1,2 @@
-SHA256 (sthttpd-2.26.4.tar.gz) = eOh5eRQMvaEjyBtAUVUiQtu/+13sGhfl+V7Egmserds=
-SIZE (sthttpd-2.26.4.tar.gz) = 194544
+SHA256 (sthttpd-2.27.0.tar.gz) = l9ZgqIEzHpOBjocs4RU29GEQXXChjfxd5YlYUcSyr9s=
+SIZE (sthttpd-2.27.0.tar.gz) = 206781
Index: patches/patch-extras_th_htpasswd_c
===================================================================
RCS file: patches/patch-extras_th_htpasswd_c
diff -N patches/patch-extras_th_htpasswd_c
--- patches/patch-extras_th_htpasswd_c 6 May 2014 09:00:37 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-$OpenBSD: patch-extras_th_htpasswd_c,v 1.1 2014/05/06 09:00:37 jasper Exp $
-
-A local attacker with the ability to alter .htpasswd files could
-cause a Denial of Service in thttpd by specially-crafting them.
-CVE-2012-5640
-
---- extras/th_htpasswd.c.orig Thu May  1 10:49:44 2014
-+++ extras/th_htpasswd.c Thu May  1 10:50:16 2014
-@@ -140,7 +140,10 @@ add_password( char* user, FILE* f )
-     (void) srandom( (int) time( (time_t*) 0 ) );
-     to64( &salt[0], random(), 2 );
-     cpw = crypt( pw, salt );
--    (void) fprintf( f, "%s:%s\n", user, cpw );
-+    if (cpw)
-+       (void) fprintf( f, "%s:%s\n", user, cpw );
-+     else
-+       (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
-     }
-
- static void usage(void) {
Index: patches/patch-src_libhttpd_c
===================================================================
RCS file: patches/patch-src_libhttpd_c
diff -N patches/patch-src_libhttpd_c
--- patches/patch-src_libhttpd_c 10 Aug 2013 02:48:26 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,40 +0,0 @@
-$OpenBSD: patch-src_libhttpd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
-
-A local attacker with the ability to alter .htpasswd files could
-cause a Denial of Service in thttpd by specially-crafting them.
-CVE-2012-5640
-
---- src/libhttpd.c.orig Thu Mar 14 04:11:40 2013
-+++ src/libhttpd.c Thu Mar 14 04:13:02 2013
-@@ -1017,6 +1017,7 @@ auth_check2( httpd_conn* hc, char* dirname  )
-     static size_t maxprevuser = 0;
-     static char* prevcryp;
-     static size_t maxprevcryp = 0;
-+    char *crypt_result;
-
-     /* Construct auth filename. */
-     httpd_realloc_str(
-@@ -1063,7 +1064,10 @@ auth_check2( httpd_conn* hc, char* dirname  )
- strcmp( authinfo, prevuser ) == 0 )
- {
- /* Yes.  Check against the cached encrypted password. */
-- if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
-+        crypt_result = crypt( authpass, prevcryp );
-+        if ( ! crypt_result )
-+            return -1;
-+ if ( strcmp( crypt_result, prevcryp ) == 0 )
-    {
-    /* Ok! */
-    httpd_realloc_str(
-@@ -1112,7 +1116,10 @@ auth_check2( httpd_conn* hc, char* dirname  )
-    /* Yes. */
-    (void) fclose( fp );
-    /* So is the password right? */
--    if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
-+            crypt_result = crypt( authpass, cryp );
-+            if ( ! crypt_result )
-+                return -1;
-+    if ( strcmp( crypt_result, cryp ) == 0 )
- {
- /* Ok! */
- httpd_realloc_str(
Index: patches/patch-src_thttpd_c
===================================================================
RCS file: patches/patch-src_thttpd_c
diff -N patches/patch-src_thttpd_c
--- patches/patch-src_thttpd_c 10 Aug 2013 02:48:26 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,43 +0,0 @@
-$OpenBSD: patch-src_thttpd_c,v 1.1.1.1 2013/08/10 02:48:26 brad Exp $
-
-Make sure that the logfile is created or reopened as read/write
-by thttpd user only. CVE-2013-0348
-
---- src/thttpd.c.orig Thu Mar 14 04:08:35 2013
-+++ src/thttpd.c Thu Mar 14 04:10:23 2013
-@@ -326,6 +326,7 @@ static void
- re_open_logfile( void )
-     {
-     FILE* logfp;
-+    int retchmod;
-
-     if ( no_log || hs == (httpd_server*) 0 )
- return;
-@@ -335,7 +336,8 @@ re_open_logfile( void )
- {
- syslog( LOG_NOTICE, "re-opening logfile" );
- logfp = fopen( logfile, "a" );
-- if ( logfp == (FILE*) 0 )
-+ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
-+ if ( logfp == (FILE*) 0 || retchmod != 0 )
-    {
-    syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
-    return;
-@@ -355,6 +357,7 @@ main( int argc, char** argv )
-     gid_t gid = 32767;
-     char cwd[MAXPATHLEN+1];
-     FILE* logfp;
-+    int retchmod;
-     int num_ready;
-     int cnum;
-     connecttab* c;
-@@ -424,7 +427,8 @@ main( int argc, char** argv )
- else
-    {
-    logfp = fopen( logfile, "a" );
--    if ( logfp == (FILE*) 0 )
-+    retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
-+    if ( logfp == (FILE*) 0 || retchmod != 0 )
- {
- syslog( LOG_CRIT, "%.80s - %m", logfile );
- perror( logfile );
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/www/sthttpd/pkg/PLIST,v
retrieving revision 1.3
diff -u -p -r1.3 PLIST
--- pkg/PLIST 22 Jan 2016 17:07:41 -0000 1.3
+++ pkg/PLIST 7 Apr 2016 17:35:03 -0000
@@ -2,14 +2,14 @@
 @conflict thttpd-*
 @pkgpath www/thttpd
 libexec/sthttpd/
+@bin libexec/sthttpd/phf
+libexec/sthttpd/printenv
 @bin libexec/sthttpd/redirect
 @bin libexec/sthttpd/ssi
-@man man/man1/th_htpasswd.1
 @man man/man8/redirect.8
 @man man/man8/ssi.8
 @man man/man8/syslogtocern.8
 @man man/man8/thttpd.8
 sbin/syslogtocern
-@bin sbin/th_htpasswd
 @bin sbin/thttpd
 @rcscript ${RCDIR}/thttpd
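Review bot: The added entries `@bin libexec/sthttpd/phf` and `libexec/sthttpd/printenv`, and the removal of `@bin sbin/th_htpasswd` with its man page, are not justified anywhere in the submission, and the author's own message says so. If printenv is the usual environment-dumping CGI sample, it discloses server-side variables to any client once an administrator's CGI pattern covers it, so it is worth confirming that both files are meant to ship rather than being by-products of regenerating the list. With th_htpasswd gone and no replacement listed, the package appears to ship no tool for maintaining .htpasswd files; if upstream renamed the tool rather than dropped it, the new name is missing here. If the additions stay, a line such as `@comment phf and printenv are upstream sample CGIs` above them would record the intent.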