pool/thttpd
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0e01d6d1eb
thttpd/thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
Adam Majer 0e01d6d1eb - added thttpd-c99.patch 
* keep using the deprecated function sigset
  * patch borrowed from fedora rpm
- Use %patch -P N instead of deprecated %patchN.
- Added hardening to systemd service(s) (bsc#1181400). Modified:
  * thttpd.service
- Allow regular users to execute makeweb (bsc#1171580)
  * Set permissions to 2751
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
  shortcut through the -mini flavors.
- Update to 2.29 (bsc#1112629)
  Allow CGI to handle HTTP methods besides GET/HEAD/POST.
  Improvements to the FreeBSD startup script. (Craig Leres)
  Minor portability tweak in mmc.c.
  Fix to buffer overrun bug in htpasswd. Reported by Alessio Santoru as CVE-2017-17663.
- update thttpd-2.25b-overflow.diff
- Trim filler wording from description.
- Require group www (bsc#1057985)
- update to 2.27
  Stats syslogs changed from LOG_INFO to LOG_NOTICE.
  Use memmove() for self-overlapping string copies instead of strcpy().
  Couple of subroutine name changes for consistency.
- drop thttpd-2.25b-strcpy.patch (upstream)
- enforce single process build, as parallel does fail sometimes
- added Conflicts: apache2-example-pages
  * both packages provide /srv/www/htdocs/index.html
- build with pie and full relro
- package cleanup (bnc#899218)
  * removed SUSE branding
  * added logrotate support
  * changed note about default codepage
- added Conflicts: apache2-utils
  * both packages provide /usr/bin/htpasswd
  * see comments in https://build.opensuse.org/request/show/310178
- use /usr/sbin path in service to fix start (bnc#906696)
- drop thttpd-2.25b.tar.bz2 (old tarball)
- update to 2.26 (bnc#894285)
  Ignore ECONNABORTED on accept().
  Correctly implemented the config-file option change from "nosymlink"
  to "nosymlinkcheck", which was supposedly done in version 2.24.
  Removed mailto: link from default index page.
  Allow CGIs to provide both Location and Status headers.
  Better logic for figuring out CGI SERVER_NAME environment variable.
  Updated for clang, and general cleanup.
- dropped thttpd-2.25b-getline.patch (upstream)
- added thttpd-crypt_is_in_crypt.h.patch
- Use systemd instead of sysvinit in openSUSE > 12.2
- fix CVE-2013-0348 (bnc#853381)
  * don't create a world readable logfile
- DO not add sample index.html that will conflict with apache 
- added checks for crypt() return value (CVE-2012-5640) (bnc#783165)
  * thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
- use different versions of automake (SLE)
- use %set_permissions instead of %run_permissions (bnc#764110)
- fix build with automake 1.12 
- drop thttpd-2.25b-x86_64_machine_not_recognized.patch but copy
  config.guess from automake to fix ppc64 as well 
- fixed build and added -fpie for makeweb
- add libtool as buildrequire to avoid implicit dependency
- rename getline to my_getline to avoid collision with function
  from glibc 
- add new branding (bnc#492693) 
- fixed another syntax error in config file
- fix syntax error in config file
- use %config(noreplace) for /etc/thttpd.conf
- added Short-Description tag into init script 
- added config file (/etc/thttpd.conf)
- Adding check for zero length
  - from Marcus Meissner
  - zerolen.patch
- Replacing strcpy with memmove when they overlap
  - strcpy.patch
- Both from #230776
- Fix building as non-root.
- fix buffer overflows in htpasswd (#156978) 
- converted neededforbuild to BuildRequires
- fix tmp race in syslogtocern (#131056) 
- use %config(noreplace) for index.html 
- compile dynamic binaries instead of static
- compile htpasswd with -pie
- do not conflict with other webservers (bug #71742)
- update to version 2.25b
- Fix use of aclocal.
- update to 2.24, includes a fix for a buffer overflow [bug #32734]
- fixed virtual hosting security hole [bug #32757]
- fixed permissions according to permissions.secure,
  added macros %run_permissions and %verify_permissions
- added macros %stop_on_removal and %restart_on_update [bug #29022]
- remove unpackaged files from buildroot 
- fixed permissions of the init scipt [bug #25084]
- substitute correct servroot during built
- use /srv/www rather then /usr/local/httpd [bug #20802]
- adapt server root 
- Change group from wwwadmin to www
- do not source rc.config anymore
- update to version 2.23beta1
- update to version 2.20c
- added thttpd-2.20c-sec.patch
- removed START_THTTPD from README.SuSE
- removed START_THTTPD 
- fix version on template webpage
- fix /etc/init.d in thttpd-SuSE.tar.bz2 files
- split patches on configure, dirs, time_h and newautoconf 
- fix for new autoconf 
- changed initscript according to skeleton
- compiled with RPM_OPT_FLAGS
- fixed to compile
- generatig of default page moved to %install (it was in %post and
- caused [#4566]
- default cgibin pattern changed [#4564]
- rcthttpd link added
- new version: 2.20b
- moved init-script 
- fix ugly bug in startup scripts
- new version: 2.20
- fix bug in startup script
- new version: 2.19
- buildroot fixed
- buildroot added
- update to 2.16 
- moved man pages to %{_mandir}
- new version: 2.15
- bug #1268 rc.config variable set to no 
- new version: 2.11
- new conflicts (roxen, apache, aolserv), provides (http_daemon)
- new homepage
- Fix stack overflow
- ran old prepare_spec on spec file to switch to new prepare_spec.
- fixed call of Check at the end of %install section
- new package: thttpd (a _small_ webserver)
  absolutely no configuration needed - and yet save (chroot)!

OBS-URL: https://build.opensuse.org/package/show/server:http/thttpd?expand=0&rev=51
2024-12-05 17:25:02 +00:00

53 lines
1.9 KiB
Diff
Raw Blame History

Index: thttpd-2.25b/libhttpd.c
===================================================================
--- thttpd-2.25b.orig/libhttpd.c 2013-03-04 18:01:55.209721739 +0100
+++ thttpd-2.25b/libhttpd.c 2013-03-04 18:01:55.244722735 +0100
@@ -1024,6 +1024,7 @@ auth_check2( httpd_conn* hc, char* dirna
static size_t maxprevuser = 0;
static char* prevcryp;
static size_t maxprevcryp = 0;
+ char *crypt_result;
/* Construct auth filename. */
httpd_realloc_str(
@@ -1072,7 +1073,10 @@ auth_check2( httpd_conn* hc, char* dirna
strcmp( authinfo, prevuser ) == 0 )
{
/* Yes. Check against the cached encrypted password. */
- if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
+ crypt_result = crypt( authpass, prevcryp );
+ if ( ! crypt_result )
+ return -1;
+ if ( strcmp( crypt_result, prevcryp ) == 0 )
{
/* Ok! */
httpd_realloc_str(
@@ -1121,7 +1125,10 @@ auth_check2( httpd_conn* hc, char* dirna
/* Yes. */
(void) fclose( fp );
/* So is the password right? */
- if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+ crypt_result = crypt( authpass, cryp );
+ if ( ! crypt_result )
+ return -1;
+ if ( strcmp( crypt_result, cryp ) == 0 )
{
/* Ok! */
httpd_realloc_str(
Index: thttpd-2.25b/extras/htpasswd.c
===================================================================
--- thttpd-2.25b.orig/extras/htpasswd.c 2013-03-04 18:01:55.226722223 +0100
+++ thttpd-2.25b/extras/htpasswd.c 2013-03-04 18:02:15.755306445 +0100
@@ -133,7 +133,10 @@ add_password( char* user, FILE* f )
(void) srandom( (int) time( (time_t*) 0 ) );
to64( &salt[0], random(), 2 );
cpw = crypt( pw, salt );
- (void) fprintf( f, "%s:%s\n", user, cpw );
+ if (cpw)
+ (void) fprintf( f, "%s:%s\n", user, cpw );
+ else
+ (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
}
static void usage(void) {
Reference in New Issue View Git Blame Copy Permalink