From 0e01d6d1eb98fe0dbeb60ab2956e6c92371deceb2502ad56f28ccdec0efcbcec Mon Sep 17 00:00:00 2001 
From: Adam Majer Date: Thu, 5 Dec 2024 17:25:02 +0000 Subject: [PATCH] - added thttpd-c99.patch * keep using the deprecated function sigset * patch borrowed from fedora rpm - Use %patch -P N instead of deprecated %patchN. - Added hardening to systemd service(s) (bsc#1181400). Modified: * thttpd.service - Allow regular users to execute makeweb (bsc#1171580) * Set permissions to 2751 - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors. - Update to 2.29 (bsc#1112629) Allow CGI to handle HTTP methods besides GET/HEAD/POST. Improvements to the FreeBSD startup script. (Craig Leres) Minor portability tweak in mmc.c. Fix to buffer overrun bug in htpasswd. Reported by Alessio Santoru as CVE-2017-17663. - update thttpd-2.25b-overflow.diff - Trim filler wording from description. - Require group www (bsc#1057985) - update to 2.27 Stats syslogs changed from LOG_INFO to LOG_NOTICE. Use memmove() for self-overlapping string copies instead of strcpy(). Couple of subroutine name changes for consistency. - drop thttpd-2.25b-strcpy.patch (upstream) - enforce single process build, as parallel does fail sometimes - added Conflicts: apache2-example-pages * both packages provide /srv/www/htdocs/index.html - build with pie and full relro - package cleanup (bnc#899218) * removed SUSE branding * added logrotate support * changed note about default codepage - added Conflicts: apache2-utils * both packages provide /usr/bin/htpasswd * see comments in https://build.opensuse.org/request/show/310178 - use /usr/sbin path in service to fix start (bnc#906696) - drop thttpd-2.25b.tar.bz2 (old tarball) - update to 2.26 (bnc#894285) Ignore ECONNABORTED on accept(). Correctly implemented the config-file option change from "nosymlink" to "nosymlinkcheck", which was supposedly done in version 2.24. Removed mailto: link from default index page. Allow CGIs to provide both Location and Status headers. 
Better logic for figuring out CGI SERVER_NAME environment variable. Updated for clang, and general cleanup. - dropped thttpd-2.25b-getline.patch (upstream) - added thttpd-crypt_is_in_crypt.h.patch - Use systemd instead of sysvinit in openSUSE > 12.2 - fix CVE-2013-0348 (bnc#853381) * don't create a world readable logfile - DO not add sample index.html that will conflict with apache - added checks for crypt() return value (CVE-2012-5640) (bnc#783165) * thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch - use different versions of automake (SLE) - use %set_permissions instead of %run_permissions (bnc#764110) - fix build with automake 1.12 - drop thttpd-2.25b-x86_64_machine_not_recognized.patch but copy config.guess from automake to fix ppc64 as well - fixed build and added -fpie for makeweb - add libtool as buildrequire to avoid implicit dependency - rename getline to my_getline to avoid collision with function from glibc - add new branding (bnc#492693) - fixed another syntax error in config file - fix syntax error in config file - use %config(noreplace) for /etc/thttpd.conf - added Short-Description tag into init script - added config file (/etc/thttpd.conf) - Adding check for zero length - from Marcus Meissner - zerolen.patch - Replacing strcpy with memmove when they overlap - strcpy.patch - Both from #230776 - Fix building as non-root. - fix buffer overflows in htpasswd (#156978) - converted neededforbuild to BuildRequires - fix tmp race in syslogtocern (#131056) - use %config(noreplace) for index.html - compile dynamic binaries instead of static - compile htpasswd with -pie - do not conflict with other webservers (bug #71742) - update to version 2.25b - Fix use of aclocal. 
- update to 2.24, includes a fix for a buffer overflow [bug #32734] - fixed virtual hosting security hole [bug #32757] - fixed permissions according to permissions.secure, added macros %run_permissions and %verify_permissions - added macros %stop_on_removal and %restart_on_update [bug #29022] - remove unpackaged files from buildroot - fixed permissions of the init scipt [bug #25084] - substitute correct servroot during built - use /srv/www rather then /usr/local/httpd [bug #20802] - adapt server root - Change group from wwwadmin to www - do not source rc.config anymore - update to version 2.23beta1 - update to version 2.20c - added thttpd-2.20c-sec.patch - removed START_THTTPD from README.SuSE - removed START_THTTPD - fix version on template webpage - fix /etc/init.d in thttpd-SuSE.tar.bz2 files - split patches on configure, dirs, time_h and newautoconf - fix for new autoconf - changed initscript according to skeleton - compiled with RPM_OPT_FLAGS - fixed to compile - generatig of default page moved to %install (it was in %post and - caused [#4566] - default cgibin pattern changed [#4564] - rcthttpd link added - new version: 2.20b - moved init-script - fix ugly bug in startup scripts - new version: 2.20 - fix bug in startup script - new version: 2.19 - buildroot fixed - buildroot added - update to 2.16 - moved man pages to %{_mandir} - new version: 2.15 - bug #1268 rc.config variable set to no - new version: 2.11 - new conflicts (roxen, apache, aolserv), provides (http_daemon) - new homepage - Fix stack overflow - ran old prepare_spec on spec file to switch to new prepare_spec. - fixed call of Check at the end of %install section - new package: thttpd (a _small_ webserver) absolutely no configuration needed - and yet save (chroot)! 
OBS-URL: https://build.opensuse.org/package/show/server:http/thttpd?expand=0&rev=51 --- .gitattributes | 23 + .gitignore | 1 + ...E-2012-5640-check_crypt_return_value.patch | 52 ++ thttpd-2.25b-chown.diff | 27 ++ thttpd-2.25b-configure.patch | 106 ++++ thttpd-2.25b-dirs.patch | 68 +++ thttpd-2.25b-newautoconf.patch | 11 + thttpd-2.25b-overflow.diff | 24 + thttpd-2.25b-pie.patch | 25 + thttpd-2.25b-sec.patch | 16 + thttpd-2.25b-static.patch | 39 ++ thttpd-2.25b-syslogtocern.diff | 18 + thttpd-2.25b-time_h.patch | 11 + thttpd-2.25b-zerolen.patch | 20 + thttpd-2.29.tar.gz | 3 + thttpd-CVE-2013-0348.patch | 56 +++ thttpd-c99.patch | 34 ++ thttpd-crypt_is_in_crypt.h.patch | 24 + thttpd-initd.script | 86 ++++ thttpd.changes | 451 ++++++++++++++++++ thttpd.conf | 70 +++ thttpd.logrotate | 10 + thttpd.service | 23 + thttpd.spec | 178 +++++++ 24 files changed, 1376 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch create mode 100644 thttpd-2.25b-chown.diff create mode 100644 thttpd-2.25b-configure.patch create mode 100644 thttpd-2.25b-dirs.patch create mode 100644 thttpd-2.25b-newautoconf.patch create mode 100644 thttpd-2.25b-overflow.diff create mode 100644 thttpd-2.25b-pie.patch create mode 100644 thttpd-2.25b-sec.patch create mode 100644 thttpd-2.25b-static.patch create mode 100644 thttpd-2.25b-syslogtocern.diff create mode 100644 thttpd-2.25b-time_h.patch create mode 100644 thttpd-2.25b-zerolen.patch create mode 100644 thttpd-2.29.tar.gz create mode 100644 thttpd-CVE-2013-0348.patch create mode 100644 thttpd-c99.patch create mode 100644 thttpd-crypt_is_in_crypt.h.patch create mode 100644 thttpd-initd.script create mode 100644 thttpd.changes create mode 100644 thttpd.conf create mode 100644 thttpd.logrotate create mode 100644 thttpd.service create mode 100644 thttpd.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 
--- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch b/thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch new file mode 100644 index 0000000..8fdee70 --- /dev/null +++ b/thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch 
@@ -0,0 +1,52 @@
+Index: thttpd-2.25b/libhttpd.c
+===================================================================
+--- thttpd-2.25b.orig/libhttpd.c 2013-03-04 18:01:55.209721739 +0100
++++ thttpd-2.25b/libhttpd.c 2013-03-04 18:01:55.244722735 +0100
+@@ -1024,6 +1024,7 @@ auth_check2( httpd_conn* hc, char* dirna
+ static size_t maxprevuser = 0;
+ static char* prevcryp;
+ static size_t maxprevcryp = 0;
++ char *crypt_result;
+
+ /* Construct auth filename. */
+ httpd_realloc_str(
+@@ -1072,7 +1073,10 @@ auth_check2( httpd_conn* hc, char* dirna
+ strcmp( authinfo, prevuser ) == 0 )
+ {
+ /* Yes. Check against the cached encrypted password. */
+- if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
++ crypt_result = crypt( authpass, prevcryp );
++ if ( ! crypt_result )
++ return -1;
++ if ( strcmp( crypt_result, prevcryp ) == 0 )
+ {
+ /* Ok! */
+ httpd_realloc_str(
+@@ -1121,7 +1125,10 @@ auth_check2( httpd_conn* hc, char* dirna
+ /* Yes. */
+ (void) fclose( fp );
+ /* So is the password right? */
+- if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
++ crypt_result = crypt( authpass, cryp );
++ if ( ! crypt_result )
++ return -1;
++ if ( strcmp( crypt_result, cryp ) == 0 )
+ {
+ /* Ok! */
+ httpd_realloc_str(
+Index: thttpd-2.25b/extras/htpasswd.c
+===================================================================
+--- thttpd-2.25b.orig/extras/htpasswd.c 2013-03-04 18:01:55.226722223 +0100
++++ thttpd-2.25b/extras/htpasswd.c 2013-03-04 18:02:15.755306445 +0100
+@@ -133,7 +133,10 @@ add_password( char* user, FILE* f )
+ (void) srandom( (int) time( (time_t*) 0 ) );
+ to64( &salt[0], random(), 2 );
+ cpw = crypt( pw, salt );
+- (void) fprintf( f, "%s:%s\n", user, cpw );
++ if (cpw)
++ (void) fprintf( f, "%s:%s\n", user, cpw );
++ else
++ (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
+ }
+
+ static void usage(void) {
diff --git a/thttpd-2.25b-chown.diff b/thttpd-2.25b-chown.diff
new file mode 100644
index 0000000..fca39ea
--- /dev/null
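Review bot: In thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch, the new else branch of add_password() in extras/htpasswd.c only prints "crypt() returned NULL, sorry" and then returns normally, so the caller has no way to learn that no entry was written. add_password() returns void and its caller is outside the hunk, so it is an inference that the program then goes on to install the rewritten password file and exit successfully with the user missing. Failing hard at that point, for example `exit(1);` directly after the fprintf to stderr, would make the error visible to scripts. In auth_check2() the two `return -1;` lines would benefit from a short comment such as `/* crypt() failed: treat as authentication failure */`, because the meaning of the return codes is not visible in these hunks.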
+++ b/thttpd-2.25b-chown.diff
@@ -0,0 +1,27 @@
+--- Makefile.in
++++ Makefile.in
+@@ -111,11 +111,11 @@
+
+ installthis:
+ -mkdir -p $(DESTDIR)$(BINDIR)
+- $(INSTALL) -m 555 -o bin -g bin thttpd $(DESTDIR)$(SBINDIR)
++ $(INSTALL) -m 555 thttpd $(DESTDIR)$(SBINDIR)
+
+ install-man:
+ -mkdir -p $(DESTDIR)$(MANDIR)/man8
+- $(INSTALL) -m 444 -o bin -g bin thttpd.8 $(DESTDIR)$(MANDIR)/man8
++ $(INSTALL) -m 444 thttpd.8 $(DESTDIR)$(MANDIR)/man8
+
+ installsubdirs:
+ for i in $(SUBDIRS) ; do ( \
+--- extras/Makefile.in
++++ extras/Makefile.in
+@@ -69,7 +69,7 @@
+ install: all
+ rm -f $(SBINDIR)/makeweb $(SBINDIR)/htpasswd $(SBINDIR)/syslogtocern
+ cp makeweb $(BINDIR)/makeweb
+- chgrp $(WEBGROUP) $(BINDIR)/makeweb
++ -chgrp $(WEBGROUP) $(BINDIR)/makeweb
+ chmod 2755 $(BINDIR)/makeweb
+ cp htpasswd $(BINDIR)/htpasswd
+ cp syslogtocern $(SBINDIR)/syslogtocern
diff --git a/thttpd-2.25b-configure.patch b/thttpd-2.25b-configure.patch
new file mode 100644
index 0000000..ebe7e16
--- /dev/null
+++ b/thttpd-2.25b-configure.patch
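Review bot: In thttpd-2.25b-chown.diff, the leading `-` on `-chgrp $(WEBGROUP) $(BINDIR)/makeweb` in extras/Makefile.in makes a failed group change non-fatal, yet the next line still runs `chmod 2755 $(BINDIR)/makeweb`, so a non-root build leaves makeweb set-group-id to whatever group the build user happens to have. That is safe only if the spec file resets group and mode at packaging time, and the spec is not visible in this part of the commit. Dropping the setgid bit in the Makefile (`chmod 755 $(BINDIR)/makeweb`) and applying it solely through the package's permissions handling would keep the two from drifting apart. Failing that, a comment in the patch header should state the dependency on the spec. The install rule continues outside the hunk.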
@@ -0,0 +1,106 @@ +Index: config.h +=================================================================== +--- config.h.orig 2014-09-03 09:38:25.650677391 +0200 ++++ config.h 2014-09-03 09:38:50.657956674 +0200 +@@ -57,17 +57,7 @@ + ** as a security measure that's how you do it, just don't define any + ** pattern here and don't run with the -c flag. + */ +-#ifdef notdef +-/* Some sample patterns. Allow programs only in one central directory: */ +-#define CGI_PATTERN "/cgi-bin/*" +-/* Allow programs in a central directory, or anywhere in a trusted +-** user's tree: */ +-#define CGI_PATTERN "/cgi-bin/*|/jef/**" +-/* Allow any program ending with a .cgi: */ +-#define CGI_PATTERN "**.cgi" +-/* When virtual hosting, enable the central directory on every host: */ +-#define CGI_PATTERN "/*/cgi-bin/*" +-#endif ++#define CGI_PATTERN "/cgi-bin/*|**.cgi" + + /* CONFIGURE: How many seconds to allow CGI programs to run before killing + ** them. This is in case someone writes a CGI program that goes into an +@@ -75,7 +65,7 @@ + ** or whatever. If you don't want any limit, comment this out, but that's + ** probably a really bad idea. + */ +-#define CGI_TIMELIMIT 30 ++#define CGI_TIMELIMIT 60 + + /* CONFIGURE: Maximum number of simultaneous CGI programs allowed. + ** If this many are already running, then attempts to run more will +@@ -123,8 +113,8 @@ + ** You can also leave both options undefined, and thttpd will not do + ** anything special about tildes. Enabling both options is an error. + */ +-#ifdef notdef + #define TILDE_MAP_1 "users" ++#ifdef notdef + #define TILDE_MAP_2 "public_html" + #endif + +@@ -185,9 +175,7 @@ + ** measure, to prevent inadvertant exposure by accidentally running without -r. + ** You can still disable it at runtime with the -nor flag. + */ +-#ifdef notdef + #define ALWAYS_CHROOT +-#endif + + /* CONFIGURE: Define this if you want to always do virtual hosting, without + ** having to give the -v command line flag. 
You can still disable it at +@@ -237,7 +225,7 @@ + ** initializing. If this user (or the one specified by the -u flag) does + ** not exist, the program will refuse to run. + */ +-#define DEFAULT_USER "nobody" ++#define DEFAULT_USER "wwwrun" + + /* CONFIGURE: When started as root, the program can automatically chdir() + ** to the home directory of the user specified by -u or DEFAULT_USER. +@@ -276,7 +264,7 @@ + + /* CONFIGURE: $PATH to use for CGI programs. + */ +-#define CGI_PATH "/usr/local/bin:/usr/ucb:/bin:/usr/bin" ++#define CGI_PATH "/bin:/usr/bin" + + /* CONFIGURE: If defined, $LD_LIBRARY_PATH to use for CGI programs. + */ +@@ -327,7 +315,7 @@ + /* CONFIGURE: A list of index filenames to check. The files are searched + ** for in this order. + */ +-#define INDEX_NAMES "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm", "index.cgi" ++#define INDEX_NAMES "index.html", "index.htm", "index.xhtml", "index.xht", "index.cgi" + + /* CONFIGURE: If this is defined then thttpd will automatically generate + ** index pages for directories that don't have an explicit index file. +Index: configure.in +=================================================================== +--- configure.in.orig 2014-09-03 09:38:25.651677402 +0200 ++++ configure.in 2014-09-03 09:38:50.657956674 +0200 +@@ -6,8 +6,10 @@ AC_CANONICAL_SYSTEM + + AC_PROG_CC + +-V_CCOPT="-O" +-if test "$GCC" = yes ; then ++if test "x$V_CCOPT" = "x"; then ++ V_CCOPT="-O" ++ ++ if test "$GCC" = yes ; then + AC_MSG_CHECKING(gcc version) + AC_CACHE_VAL(ac_cv_lbl_gcc_vers, + ac_cv_lbl_gcc_vers=`$CC -dumpversion 2>&1 | \ +@@ -16,7 +18,8 @@ if test "$GCC" = yes ; then + if test "$ac_cv_lbl_gcc_vers" -gt 1 ; then + V_CCOPT="-O2" + fi +-fi ++ fi ++fi + if test -f .devel ; then + V_CCOPT="-g $V_CCOPT -ansi -pedantic -U__STRICT_ANSI__ -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long" + fi 
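Review bot: In thttpd-2.25b-configure.patch, the new `#define CGI_PATTERN "/cgi-bin/*|**.cgi"` in config.h makes CGI execution a compiled-in default for every file ending in .cgi anywhere under the served tree, where upstream kept all sample patterns inside `#ifdef notdef` and the comment just above describes leaving the pattern undefined as the security measure. The same patch also enables `TILDE_MAP_1 "users"` and keeps "index.cgi" in `INDEX_NAMES`, so presumably user-maintained directories are covered by the wide pattern too. Consider narrowing the built-in default to `"/cgi-bin/*"` and leaving `**.cgi` as an opt-in `cgipat=` line in thttpd.conf. At minimum, add a comment above the define explaining why the package wants the broad pattern. `ALWAYS_CHROOT` and the shorter `CGI_PATH` in the same file look like sensible tightening.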
diff --git a/thttpd-2.25b-dirs.patch b/thttpd-2.25b-dirs.patch new file mode 100644 index 0000000..131be3b --- /dev/null +++ b/thttpd-2.25b-dirs.patch 
@@ -0,0 +1,68 @@ +--- Makefile.in ++++ Makefile.in +@@ -30,11 +30,12 @@ + prefix = @prefix@ + exec_prefix = @exec_prefix@ + # Pathname of directory to install the binary. +-BINDIR = @sbindir@ ++BINDIR = @bindir@ ++SBINDIR = @sbindir@ + # Pathname of directory to install the man page. + MANDIR = @mandir@ + # Pathname of directory to install the CGI programs. +-WEBDIR = $(prefix)/www ++WEBDIR = /srv/www/htdocs + + # CONFIGURE: The group that the web directory belongs to. This is so that + # the makeweb program can be installed set-group-id to that group, and make +@@ -110,7 +111,7 @@ + + installthis: + -mkdir -p $(DESTDIR)$(BINDIR) +- $(INSTALL) -m 555 -o bin -g bin thttpd $(DESTDIR)$(BINDIR) ++ $(INSTALL) -m 555 -o bin -g bin thttpd $(DESTDIR)$(SBINDIR) + + install-man: + -mkdir -p $(DESTDIR)$(MANDIR)/man8 +@@ -121,9 +122,11 @@ + cd $$i ; \ + pwd ; \ + $(MAKE) $(MFLAGS) \ +- WEBDIR=$(WEBDIR) \ +- CGIBINDIR=$(CGIBINDIR) \ +- MANDIR=$(MANDIR) \ ++ BINDIR=$(DESTDIR)$(BINDIR) \ ++ SBINDIR=$(DESTDIR)$(SBINDIR) \ ++ WEBDIR=$(DESTDIR)$(WEBDIR) \ ++ CGIBINDIR=$(DESTDIR)$(CGIBINDIR) \ ++ MANDIR=$(DESTDIR)$(MANDIR) \ + WEBGROUP=$(WEBGROUP) \ + install \ + ) ; done +--- extras/Makefile.in ++++ extras/Makefile.in +@@ -26,7 +26,8 @@ + + prefix = @prefix@ + exec_prefix = @exec_prefix@ +-BINDIR = @sbindir@ ++BINDIR = @bindir@ ++SBINDIR = @sbindir@ + WEBDIR = $(prefix)/www + CGIBINDIR = $(WEBDIR)/cgi-bin + MANDIR = @mandir@ +@@ -66,12 +67,12 @@ + + + install: all +- rm -f $(BINDIR)/makeweb $(BINDIR)/htpasswd $(BINDIR)/syslogtocern ++ rm -f $(SBINDIR)/makeweb $(SBINDIR)/htpasswd $(SBINDIR)/syslogtocern + cp makeweb $(BINDIR)/makeweb + chgrp $(WEBGROUP) $(BINDIR)/makeweb + chmod 2755 $(BINDIR)/makeweb + cp htpasswd $(BINDIR)/htpasswd +- cp syslogtocern $(BINDIR)/syslogtocern ++ cp syslogtocern $(SBINDIR)/syslogtocern + rm -f $(MANDIR)/man1/makeweb.1 + cp makeweb.1 $(MANDIR)/man1/makeweb.1 + rm -f $(MANDIR)/man1/htpasswd.1 
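Review bot: In thttpd-2.25b-dirs.patch, the installsubdirs rule in Makefile.in now passes `WEBDIR=$(DESTDIR)$(WEBDIR)` to the sub-make, while extras/Makefile.in compiles makeweb.c and htpasswd.c with `-DWEBDIR=\"$(WEBDIR)\"` (those rules appear only as context in thttpd-2.25b-pie.patch). Any object that happens to be rebuilt during `make install` would therefore get the build-root path compiled into the set-group-id makeweb binary; whether a rebuild can occur depends on parts of the build not shown here. Passing the plain directories plus `DESTDIR=$(DESTDIR)` and prefixing inside the extras install rule, e.g. `cp makeweb $(DESTDIR)$(BINDIR)/makeweb`, keeps compile-time and install-time paths apart. Separately, `rm -f $(SBINDIR)/makeweb $(SBINDIR)/htpasswd` no longer matches the `$(BINDIR)` targets those two files are copied to.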
diff --git a/thttpd-2.25b-newautoconf.patch b/thttpd-2.25b-newautoconf.patch
new file mode 100644
index 0000000..64754d7
--- /dev/null
+++ b/thttpd-2.25b-newautoconf.patch
@@ -0,0 +1,11 @@
+--- aclocal.m4
++++ aclocal.m4
+@@ -26,7 +26,7 @@
+ AC_TRY_LINK(dnl
+ ifelse([$2], [main], , dnl Avoid conflicting decl of main.
+ [/* Override any gcc2 internal prototype to avoid an error. */
+-]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus
++]ifelse([AC_LANG], CPLUSPLUS, [#ifdef __cplusplus
+ extern "C"
+ #endif
+ ])dnl
diff --git a/thttpd-2.25b-overflow.diff b/thttpd-2.25b-overflow.diff
new file mode 100644
index 0000000..31de52d
--- /dev/null
+++ b/thttpd-2.25b-overflow.diff
@@ -0,0 +1,24 @@
+Index: extras/htpasswd.c
+===================================================================
+--- extras/htpasswd.c.orig 2018-10-22 10:48:47.811465609 +0200
++++ extras/htpasswd.c 2018-10-22 10:52:45.008744706 +0200
+@@ -193,7 +193,8 @@ int main(int argc, char *argv[]) {
+ putline(tfp,line);
+ continue;
+ }
+- strcpy(l,line);
++ strncpy(l,line,MAX_STRING_LEN);
++ l[MAX_STRING_LEN-1]='\0';
+ getword(w,l,':');
+ if(strcmp(user,w)) {
+ putline(tfp,line);
+@@ -211,7 +212,8 @@ int main(int argc, char *argv[]) {
+ }
+ fclose(f);
+ fclose(tfp);
+- sprintf(command,"cp %s %s",temp_template,argv[1]);
++ snprintf(command,MAX_STRING_LEN,"cp %s %s",temp_template,argv[1]);
++ command[MAX_STRING_LEN-1]='\0';
+ system(command);
+ unlink(temp_template);
+ exit(0);
diff --git a/thttpd-2.25b-pie.patch b/thttpd-2.25b-pie.patch
new file mode 100644
index 0000000..61aedc7
--- /dev/null
+++ b/thttpd-2.25b-pie.patch
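Review bot: In the second hunk of thttpd-2.25b-overflow.diff, `snprintf(command,MAX_STRING_LEN,"cp %s %s",temp_template,argv[1])` bounds the write, but the string still goes to `system(command)`, so a password-file name containing spaces or shell metacharacters is interpreted by the shell instead of being treated as one path. A name long enough to be truncated silently makes cp write somewhere other than the file the user asked for, and the exit status of system() is ignored before `exit(0)`. snprintf() already terminates the buffer, so the added `command[MAX_STRING_LEN-1]='\0';` has no effect; testing the result instead, `if (snprintf(...) >= MAX_STRING_LEN) { /* report and exit non-zero */ }`, would catch truncation. Replacing the cp-through-shell step with a direct copy or rename() would remove the shell from the path altogether. The declarations of `l` and `command` are outside the hunk, so their sizes are assumed to be MAX_STRING_LEN.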
@@ -0,0 +1,25 @@
+Index: extras/Makefile.in
+===================================================================
+--- extras/Makefile.in.orig 2012-01-31 14:03:08.735817916 +0100
++++ extras/Makefile.in 2012-01-31 14:05:10.222510744 +0100
+@@ -54,16 +54,16 @@
+ all: makeweb htpasswd
+
+ makeweb: makeweb.o
+- $(CC) $(LDFLAGS) makeweb.o -o makeweb $(LIBS) $(NETLIBS)
++ $(CC) $(LDFLAGS) -pie makeweb.o -o makeweb $(LIBS) $(NETLIBS)
+
+ makeweb.o: makeweb.c ../config.h
+- $(CC) $(CFLAGS) -DWEBDIR=\"$(WEBDIR)\" -c makeweb.c
++ $(CC) $(CFLAGS) $(F_PIE) -DWEBDIR=\"$(WEBDIR)\" -c makeweb.c
+
+ htpasswd: htpasswd.o
+- $(CC) $(LDFLAGS) $(STATICFLAG) htpasswd.o -o htpasswd $(LIBS)
++ $(CC) $(LDFLAGS) $(STATICFLAG) -pie htpasswd.o -o htpasswd $(LIBS)
+
+ htpasswd.o: htpasswd.c ../config.h
+- $(CC) $(CFLAGS) -DWEBDIR=\"$(WEBDIR)\" -c htpasswd.c
++ $(CC) $(CFLAGS) $(F_PIE) -DWEBDIR=\"$(WEBDIR)\" -c htpasswd.c
+
+
+ install: all
diff --git a/thttpd-2.25b-sec.patch b/thttpd-2.25b-sec.patch
new file mode 100644
index 0000000..b34f1d3
--- /dev/null
+++ b/thttpd-2.25b-sec.patch
@@ -0,0 +1,16 @@
+--- libhttpd.c
++++ libhttpd.c
+@@ -1044,10 +1044,12 @@
+ }
+
+ /* Decode it. */
++ memset(authinfo, 0, sizeof(authinfo));
+ l = b64_decode(
+ &(hc->authorization[6]), (unsigned char*) authinfo,
+ sizeof(authinfo) - 1 );
+- authinfo[l] = '\0';
++ authinfo[sizeof(authinfo)-1] = '\0';
++
+ /* Split into user and password. */
+ authpass = strchr( authinfo, ':' );
+ if ( authpass == (char*) 0 )
diff --git a/thttpd-2.25b-static.patch b/thttpd-2.25b-static.patch
new file mode 100644
index 0000000..50a56f0
--- /dev/null
+++ b/thttpd-2.25b-static.patch
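Review bot: In thttpd-2.25b-pie.patch, `$(F_PIE)` in the makeweb.o and htpasswd.o rules of extras/Makefile.in is not assigned anywhere in the hunk, while `-pie` is hard-coded on both link lines. If the caller does not supply the variable, the objects are compiled without position-independent code, and the link then either fails or produces a binary that needs text relocations. Presumably the spec file passes the value on the make command line, which is not visible here. A default in the Makefile, `F_PIE = -fPIE`, or a comment next to the rules naming where the value comes from, would make the hardening self-contained. The rest of extras/Makefile.in is outside the hunk.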
@@ -0,0 +1,39 @@ +Index: configure.in +=================================================================== +--- configure.in.orig 2014-09-03 09:46:46.273266534 +0200 ++++ configure.in 2014-09-03 09:46:46.300266836 +0200 +@@ -24,34 +24,6 @@ if test -f .devel ; then + V_CCOPT="-g $V_CCOPT -ansi -pedantic -U__STRICT_ANSI__ -Wall -Wpointer-arith -Wshadow -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wno-long-long" + fi + +-dnl +-dnl maybe this should be a loop +-dnl +-AC_MSG_CHECKING(how to link static binaries) +-AC_CACHE_VAL(ac_cv_lbl_static_flag, +- ac_cv_lbl_static_flag=unknown +- echo 'main() {}' > conftest.c +- if test "$GCC" != yes ; then +- trial_flag="-Bstatic" +- test=`$CC $trial_flag -o conftest conftest.c 2>&1` +- if test -z "$test" ; then +- ac_cv_lbl_static_flag="$trial_flag" +- fi +- rm -f conftest +- fi +- if test "$ac_cv_lbl_static_flag" = unknown ; then +- trial_flag="-static" +- test=`$CC $trial_flag -o conftest conftest.c 2>&1` +- if test -z "$test" ; then +- ac_cv_lbl_static_flag="$trial_flag" +- fi +- rm -f conftest +- fi +- rm conftest.c) +-AC_MSG_RESULT($ac_cv_lbl_static_flag) +-if test "$ac_cv_lbl_static_flag" != unknown ; then +- V_STATICFLAG="$ac_cv_lbl_static_flag" +-fi + + AC_MSG_CHECKING(for __progname) + AC_CACHE_VAL(ac_cv_extern__progname, diff --git a/thttpd-2.25b-syslogtocern.diff b/thttpd-2.25b-syslogtocern.diff new file mode 100644 index 0000000..d3717f1 --- /dev/null +++ b/thttpd-2.25b-syslogtocern.diff 
@@ -0,0 +1,18 @@
+--- extras/syslogtocern
++++ extras/syslogtocern
+@@ -31,8 +31,8 @@
+ exit 1
+ fi
+
+-tmp1=/tmp/stc1.$$
+-rm -f $tmp1
++tmp1=`mktemp -t stc1.XXXXXX` || { echo "$0: Cannot create temporary file" >&2; exit 1; }
++trap " [ -f \"$tmp1\" ] && /bin/rm -f -- \"$tmp1\"" 0 1 2 3 13 15
+
+ # Gather up all the thttpd entries.
+ egrep -h ' thttpd\[' "$@" > $tmp1
+@@ -65,4 +65,3 @@
+ sed -e "s,\([A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\) [^ ]* thttpd\[[0-9]*\]: \(.*\),[\1 ${year}] \2," > error_log
+
+ # Done.
+-rm -f $tmp1
diff --git a/thttpd-2.25b-time_h.patch b/thttpd-2.25b-time_h.patch
new file mode 100644
index 0000000..fbfcd21
--- /dev/null
+++ b/thttpd-2.25b-time_h.patch
@@ -0,0 +1,11 @@
+--- libhttpd.h
++++ libhttpd.h
+@@ -28,6 +28,8 @@
+ #ifndef _LIBHTTPD_H_
+ #define _LIBHTTPD_H_
+
++#include
++
+ #include
+ #include
+ #include
diff --git a/thttpd-2.25b-zerolen.patch b/thttpd-2.25b-zerolen.patch
new file mode 100644
index 0000000..652b433
--- /dev/null
+++ b/thttpd-2.25b-zerolen.patch
@@ -0,0 +1,20 @@
+--- libhttpd.c
++++ libhttpd.c
+@@ -1471,7 +1471,7 @@
+ httpd_realloc_str( &checked, &maxchecked, checkedlen );
+ (void) strcpy( checked, path );
+ /* Trim trailing slashes. */
+- while ( checked[checkedlen - 1] == '/' )
++ while ( checkedlen && checked[checkedlen - 1] == '/' )
+ {
+ checked[checkedlen - 1] = '\0';
+ --checkedlen;
+@@ -1490,7 +1490,7 @@
+ restlen = strlen( path );
+ httpd_realloc_str( &rest, &maxrest, restlen );
+ (void) strcpy( rest, path );
+- if ( rest[restlen - 1] == '/' )
++ if ( restlen && rest[restlen - 1] == '/' )
+ rest[--restlen] = '\0'; /* trim trailing slash */
+ if ( ! tildemapped )
+ /* Remove any leading slashes. */
diff --git a/thttpd-2.29.tar.gz b/thttpd-2.29.tar.gz
new file mode 100644
index 0000000..3c63c7e
--- /dev/null
+++ b/thttpd-2.29.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397
+size 133967
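Review bot: In thttpd-2.25b-syslogtocern.diff, the new `trap " [ -f \"$tmp1\" ] && /bin/rm -f -- \"$tmp1\"" 0 1 2 3 13 15` answers a signal by deleting the temporary file but does not exit, so after SIGHUP, SIGINT or SIGTERM the script carries on against a file that is gone. Any later redirection to `$tmp1` would then recreate it by name, which is the situation mktemp was introduced to avoid. Splitting the handler keeps the cleanup and stops the script: `trap 'rm -f -- "$tmp1"' 0` followed by `trap 'exit 1' 1 2 3 13 15`. The unquoted `$tmp1` in the context line `egrep -h ' thttpd\[' "$@" > $tmp1` should be quoted as well. The remainder of the script is outside the hunks.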
diff --git a/thttpd-CVE-2013-0348.patch b/thttpd-CVE-2013-0348.patch
new file mode 100644
index 0000000..bf996f1
--- /dev/null
+++ b/thttpd-CVE-2013-0348.patch
@@ -0,0 +1,56 @@
+From d2e186dbd58d274a0dea9b59357edc8498b5388d Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile"
+Date: Tue, 26 Feb 2013 14:28:26 -0500
+Subject: [PATCH] src/thttpd.c: Fix world readable log, CVE-2013-0348.
+
+Make sure that the logfile is created or reopened as read/write
+by thttpd user only.
+
+X-gentoo-Bug: 458896
+X-gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=458896
+Reported-by: Agostino Sarubbo
+Signed-off-by: Anthony G. Basile
+---
+ src/thttpd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+Index: thttpd-2.25b/thttpd.c
+===================================================================
+--- thttpd-2.25b.orig/thttpd.c 2013-12-03 15:38:31.719334530 +0100
++++ thttpd-2.25b/thttpd.c 2013-12-03 15:38:31.754334893 +0100
+@@ -331,6 +331,7 @@ static void
+ re_open_logfile( void )
+ {
+ FILE* logfp;
++ int retchmod;
+
+ if ( no_log || hs == (httpd_server*) 0 )
+ return;
+@@ -340,7 +341,8 @@ re_open_logfile( void )
+ {
+ syslog( LOG_NOTICE, "re-opening logfile" );
+ logfp = fopen( logfile, "a" );
+- if ( logfp == (FILE*) 0 )
++ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
++ if ( logfp == (FILE*) 0 || retchmod != 0 )
+ {
+ syslog( LOG_CRIT, "re-opening %.80s - %m", logfile );
+ return;
+@@ -360,6 +362,7 @@ main( int argc, char** argv )
+ gid_t gid = 32767;
+ char cwd[MAXPATHLEN+1];
+ FILE* logfp;
++ int retchmod;
+ int num_ready;
+ int cnum;
+ connecttab* c;
+@@ -429,7 +432,8 @@ main( int argc, char** argv )
+ else
+ {
+ logfp = fopen( logfile, "a" );
+- if ( logfp == (FILE*) 0 )
++ retchmod = chmod( logfile, S_IRUSR|S_IWUSR );
++ if ( logfp == (FILE*) 0 || retchmod != 0 )
+ {
+ syslog( LOG_CRIT, "%.80s - %m", logfile );
+ perror( logfile );
diff --git a/thttpd-c99.patch b/thttpd-c99.patch
new file mode 100644
index 0000000..1368e6b
--- /dev/null
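Review bot: Both logfile hunks of thttpd-CVE-2013-0348.patch call `chmod( logfile, S_IRUSR|S_IWUSR )` on the path after `fopen( logfile, "a" )`, which leaves a window in which a newly created log has whatever mode the umask allows and which acts on whatever the name resolves to at that moment rather than on the file just opened. The call also runs when fopen() has failed, and when fopen() succeeds but chmod() fails the function returns without closing `logfp`. Applying the mode to the open descriptor with fchmod() closes the name-based gap and lets the error path clean up; the same change applies to the copy in main(). Creating the file with open() and mode 0600 followed by fdopen() would remove the window entirely but is a larger change. re_open_logfile() and main() both continue outside the hunks.

```c
	logfp = fopen( logfile, "a" );
	/* Set the mode on the descriptor we hold, not on the path name. */
	if ( logfp != (FILE*) 0 &&
	     fchmod( fileno( logfp ), S_IRUSR|S_IWUSR ) != 0 )
	    {
	    int saved_errno = errno;	/* fclose() may overwrite it before %m is used */
	    (void) fclose( logfp );
	    logfp = (FILE*) 0;
	    errno = saved_errno;
	    }
	if ( logfp == (FILE*) 0 )
	/* … unchanged: syslog( LOG_CRIT, "re-opening %.80s - %m", logfile ) and return … */
```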
+++ b/thttpd-c99.patch @@ -0,0 +1,34 @@ +diff --git a/libhttpd.c b/libhttpd.c +index 6a985f8601d0ccfc..7c3ae74d0cda56d1 100644 +--- a/libhttpd.c ++++ b/libhttpd.c +@@ -47,7 +47,12 @@ + #include + #endif /* HAVE_MEMORY_H */ + #include ++ + #include ++/* Not available with glibc default feature test macros. Kludge to ++ avoid extensive changes. */ ++extern __typeof (signal) sigset; ++ + #include + #include + #include +diff --git a/thttpd.c b/thttpd.c +index bfb57bacd955cd1b..25ad5d4cd47dc094 100644 +--- a/thttpd.c ++++ b/thttpd.c +@@ -44,7 +44,12 @@ + #ifdef HAVE_GRP_H + #include + #endif ++ + #include ++/* Not available with glibc default feature test macros. Kludge to ++ avoid extensive changes. */ ++extern __typeof (signal) sigset; ++ + #include + #include + #include diff --git a/thttpd-crypt_is_in_crypt.h.patch b/thttpd-crypt_is_in_crypt.h.patch new file mode 100644 index 0000000..fe20175 --- /dev/null +++ b/thttpd-crypt_is_in_crypt.h.patch @@ -0,0 +1,24 @@ +Index: thttpd-2.26/extras/htpasswd.c +=================================================================== +--- thttpd-2.26.orig/extras/htpasswd.c 2014-09-03 09:54:25.155386527 +0200 ++++ thttpd-2.26/extras/htpasswd.c 2014-09-03 10:32:19.736082368 +0200 +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #define LF 10 + #define CR 13 +Index: thttpd-2.26/libhttpd.c +=================================================================== +--- thttpd-2.26.orig/libhttpd.c 2014-09-03 09:54:25.155386527 +0200 ++++ thttpd-2.26/libhttpd.c 2014-09-03 10:33:13.913694495 +0200 +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + + #ifdef HAVE_OSRELDATE_H diff --git a/thttpd-initd.script b/thttpd-initd.script new file mode 100644 index 0000000..e050c4b --- /dev/null +++ b/thttpd-initd.script 
@@ -0,0 +1,86 @@ +#! /bin/sh +# Copyright (c) 1996-1999 SuSE Gmbh Nuernberg, Germany. All rights reserved. +# +# /etc/init.d/thttpd +# +### BEGIN INIT INFO +# Provides: thttpd +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $network $remote_fs $syslog +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: thttpd +# Description: Starts the http daemon thttpd +### END INIT INFO + +THTTPD_BIN=/usr/sbin/thttpd +test -x $THTTPD_BIN || exit 5 + +. /etc/rc.status + +rc_reset + +# Return values acc. to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. "reload") +# 4 - insufficient privilege +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# +# Note that starting an already running service, stopping +# or restarting a not-running service as well as the restart +# with force-reload (in case signalling is not supported) are +# considered a success. + +case "$1" in + start) + echo -n "Starting service thttpd" + startproc $THTTPD_BIN -C /etc/thttpd.conf + rc_status -v + ;; + stop) + echo -n "Shutting down service thttpd" + killproc -TERM $THTTPD_BIN + rc_status -v + ;; + try-restart) + ## Stop the service and if this succeeds (i.e. the + ## service was running before), start it again. + $0 status >/dev/null && $0 restart + # Remember status and be quiet + rc_status + ;; + force-reload) + ## Stop the service and if this succeeds (i.e. the + ## service was running before), start it again. + $0 stop && sleep 1 && $0 start + # Remember status and be quiet + rc_status + ;; + restart) + $0 stop + sleep 1 + $0 start + rc_status + ;; + reload) + rc_failed 3 + rc_status -v + ;; + status) + echo -n "Checking for service thttpd: " + checkproc $THTTPD_BIN + rc_status -v + ;; + probe) + # + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 +esac +rc_exit + 
diff --git a/thttpd.changes b/thttpd.changes new file mode 100644 index 0000000..143e60e --- /dev/null +++ b/thttpd.changes 
@@ -0,0 +1,451 @@
+-------------------------------------------------------------------
+Tue Dec 3 20:19:55 UTC 2024 - Giacomo Comes
+
+- added thttpd-c99.patch
+ * keep using the deprecated function sigset
+ * patch borrowed from fedora rpm
+
+-------------------------------------------------------------------
+Mon Feb 26 14:42:02 UTC 2024 - pgajdos@suse.com
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Wed Nov 24 15:13:25 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * thttpd.service
+
+-------------------------------------------------------------------
+Thu May 14 08:42:14 UTC 2020 - Vítězslav Čížek
+
+- Allow regular users to execute makeweb (bsc#1171580)
+ * Set permissions to 2751
+
+-------------------------------------------------------------------
+Mon Feb 3 16:40:08 UTC 2020 - Dominique Leuenberger
+
+- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
+ shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Mon Oct 22 08:44:39 UTC 2018 - Vítězslav Čížek
+
+- Update to 2.29 (bsc#1112629)
+ Allow CGI to handle HTTP methods besides GET/HEAD/POST.
+ Improvements to the FreeBSD startup script. (Craig Leres)
+ Minor portability tweak in mmc.c.
+ Fix to buffer overrun bug in htpasswd. Reported by Alessio Santoru as CVE-2017-17663.
+- update thttpd-2.25b-overflow.diff
+
+-------------------------------------------------------------------
+Wed Oct 18 08:30:54 UTC 2017 - jengelh@inai.de
+
+- Trim filler wording from description.
+
+-------------------------------------------------------------------
+Mon Sep 11 09:36:59 UTC 2017 - vcizek@suse.com
+
+- Require group www (bsc#1057985)
+
+-------------------------------------------------------------------
+Mon Jun 26 11:58:22 UTC 2017 - vcizek@suse.com
+
+- update to 2.27
+ Stats syslogs changed from LOG_INFO to LOG_NOTICE.
+ Use memmove() for self-overlapping string copies instead of strcpy().
+ Couple of subroutine name changes for consistency.
+- drop thttpd-2.25b-strcpy.patch (upstream)
+- enforce single process build, as parallel does fail sometimes
+
+-------------------------------------------------------------------
+Thu Sep 17 14:10:46 UTC 2015 - vcizek@suse.com
+
+- added Conflicts: apache2-example-pages
+ * both packages provide /srv/www/htdocs/index.html
+
+-------------------------------------------------------------------
+Sun Jul 5 09:43:36 UTC 2015 - vcizek@suse.com
+
+- build with pie and full relro
+
+-------------------------------------------------------------------
+Thu Jun 18 15:07:51 UTC 2015 - thehejik@suse.com
+
+- package cleanup (bnc#899218)
+ * removed SUSE branding
+ * added logrotate support
+ * changed note about default codepage
+
+-------------------------------------------------------------------
+Thu Jun 4 15:09:12 UTC 2015 - vcizek@suse.com
+
+- added Conflicts: apache2-utils
+ * both packages provide /usr/bin/htpasswd
+ * see comments in https://build.opensuse.org/request/show/310178
+
+-------------------------------------------------------------------
+Sun Nov 23 04:50:32 UTC 2014 - bwiedemann@suse.com
+
+- use /usr/sbin path in service to fix start (bnc#906696)
+
+-------------------------------------------------------------------
+Mon Sep 22 13:34:52 UTC 2014 - vcizek@suse.com
+
+- drop thttpd-2.25b.tar.bz2 (old tarball)
+
+-------------------------------------------------------------------
+Wed Sep 3 07:42:53 UTC 2014 - vcizek@suse.com
+
+- update to 2.26 (bnc#894285)
+ Ignore ECONNABORTED on accept().
+ Correctly implemented the config-file option change from "nosymlink"
+ to "nosymlinkcheck", which was supposedly done in version 2.24.
+ Removed mailto: link from default index page.
+ Allow CGIs to provide both Location and Status headers.
+ Better logic for figuring out CGI SERVER_NAME environment variable.
+ Updated for clang, and general cleanup.
+- dropped thttpd-2.25b-getline.patch (upstream)
+- added thttpd-crypt_is_in_crypt.h.patch
+
+-------------------------------------------------------------------
+Fri Jul 18 16:40:22 UTC 2014 - p.drouand@gmail.com
+
+- Use systemd instead of sysvinit in openSUSE > 12.2
+
+-------------------------------------------------------------------
+Tue Dec 3 14:31:18 UTC 2013 - vcizek@suse.com
+
+- fix CVE-2013-0348 (bnc#853381)
+ * don't create a world readable logfile
+
+-------------------------------------------------------------------
+Thu Jun 27 21:03:49 UTC 2013 - crrodriguez@opensuse.org
+
+- DO not add sample index.html that will conflict with apache
+
+-------------------------------------------------------------------
+Mon Mar 4 16:04:08 UTC 2013 - vcizek@suse.com
+
+- added checks for crypt() return value (CVE-2012-5640) (bnc#783165)
+ * thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
+
+-------------------------------------------------------------------
+Wed Oct 24 21:20:29 UTC 2012 - suse@ammler.ch
+
+- use different versions of automake (SLE)
+
+-------------------------------------------------------------------
+Fri Jun 8 14:29:40 UTC 2012 - vcizek@suse.com
+
+- use %set_permissions instead of %run_permissions (bnc#764110)
+
+-------------------------------------------------------------------
+Tue May 29 14:06:26 UTC 2012 - puzel@suse.com
+
+- fix build with automake 1.12
+
+-------------------------------------------------------------------
+Thu Mar 22 09:33:49 UTC 2012 - dvaleev@suse.com
+
+- drop thttpd-2.25b-x86_64_machine_not_recognized.patch but copy
+ config.guess from automake to fix ppc64 as well
+
+-------------------------------------------------------------------
+Tue Jan 31 13:07:43 UTC 2012 - vcizek@suse.com
+
+- fixed build and added -fpie for makeweb
+
+-------------------------------------------------------------------
+Wed Nov 23 09:32:34 UTC 2011 - coolo@suse.com
+
+- add libtool as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Mon Jun 8 00:41:37 CEST 2009 - ro@suse.de
+
+- rename getline to my_getline to avoid collision with function
+ from glibc
+
+-------------------------------------------------------------------
+Tue May 26 15:18:48 CEST 2009 - anicka@suse.cz
+
+- add new branding (bnc#492693)
+
+-------------------------------------------------------------------
+Mon Jun 11 11:10:28 CEST 2007 - pcerny@suse.cz
+
+- fixed another syntax error in config file
+
+-------------------------------------------------------------------
+Fri Jun 8 19:21:06 CEST 2007 - dmueller@suse.de
+
+- fix syntax error in config file
+
+-------------------------------------------------------------------
+Wed Jun 6 13:16:46 CEST 2007 - pcerny@suse.cz
+
+- use %config(noreplace) for /etc/thttpd.conf
+
+-------------------------------------------------------------------
+Tue Jun 5 21:53:06 CEST 2007 - pcerny@suse.cz
+
+- added Short-Description tag into init script
+
+-------------------------------------------------------------------
+Fri Jun 1 19:34:10 CEST 2007 - pcerny@suse.cz
+
+- added config file (/etc/thttpd.conf)
+
+-------------------------------------------------------------------
+Fri Feb 16 17:36:35 CET 2007 - mvaner@suse.cz
+
+- Adding check for zero length
+ - from Marcus Meissner
+ - zerolen.patch
+- Replacing strcpy with memmove when they overlap
+ - strcpy.patch
+- Both from #230776
+
+-------------------------------------------------------------------
+Wed Feb 14 15:04:06 CET 2007 - schwab@suse.de
+
+- Fix building as non-root.
+
+-------------------------------------------------------------------
+Fri Mar 10 17:14:09 CET 2006 - anicka@suse.cz
+
+- fix buffer overflows in htpasswd (#156978)
+
+-------------------------------------------------------------------
+Wed Jan 25 21:42:09 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Nov 21 15:57:27 CET 2005 - anicka@suse.cz
+
+- fix tmp race in syslogtocern (#131056)
+
+-------------------------------------------------------------------
+Wed Oct 12 19:11:17 CEST 2005 - anicka@suse.cz
+
+- use %config(noreplace) for index.html
+
+-------------------------------------------------------------------
+Wed Jun 22 15:54:10 CEST 2005 - anicka@suse.cz
+
+- compile dynamic binaries instead of static
+- compile htpasswd with -pie
+
+-------------------------------------------------------------------
+Wed Mar 9 18:26:33 CET 2005 - mcihar@suse.cz
+
+- do not conflict with other webservers (bug #71742)
+
+-------------------------------------------------------------------
+Tue Feb 17 17:46:41 CET 2004 - tcrhak@suse.cz
+
+- update to version 2.25b
+
+-------------------------------------------------------------------
+Tue Jan 13 18:07:52 CET 2004 - schwab@suse.de
+
+- Fix use of aclocal.
+
+-------------------------------------------------------------------
+Wed Oct 29 16:59:58 CET 2003 - tcrhak@suse.cz
+
+- update to 2.24, includes a fix for a buffer overflow [bug #32734]
+- fixed virtual hosting security hole [bug #32757]
+- fixed permissions according to permissions.secure,
+ added macros %run_permissions and %verify_permissions
+
+-------------------------------------------------------------------
+Mon Sep 01 20:40:30 CEST 2003 - tcrhak@suse.cz
+
+- added macros %stop_on_removal and %restart_on_update [bug #29022]
+
+-------------------------------------------------------------------
+Thu Jun 5 15:57:54 CEST 2003 - ro@suse.de
+
+- remove unpackaged files from buildroot
+
+-------------------------------------------------------------------
+Tue Mar 11 16:55:30 CET 2003 - tcrhak@suse.cz
+
+- fixed permissions of the init scipt [bug #25084]
+
+-------------------------------------------------------------------
+Tue Oct 15 15:08:21 CEST 2002 - tcrhak@suse.cz
+
+- substitute correct servroot during built
+
+-------------------------------------------------------------------
+Mon Oct 14 19:52:11 CEST 2002 - tcrhak@suse.cz
+
+- use /srv/www rather then /usr/local/httpd [bug #20802]
+
+-------------------------------------------------------------------
+Fri Aug 2 01:23:09 CEST 2002 - ro@suse.de
+
+- adapt server root
+
+-------------------------------------------------------------------
+Sat Jul 27 19:01:40 CEST 2002 - kukuk@suse.de
+
+- Change group from wwwadmin to www
+
+-------------------------------------------------------------------
+Sat Jul 27 18:54:13 CEST 2002 - adrian@suse.de
+
+- do not source rc.config anymore
+
+-------------------------------------------------------------------
+Tue Jul 02 15:15:28 CEST 2002 - tcrhak@suse.cz
+
+- update to version 2.23beta1
+
+-------------------------------------------------------------------
+Tue Jan 15 13:14:02 CET 2002 - tcrhak@suse.cz
+
+- update to version 2.20c
+- added thttpd-2.20c-sec.patch
+- removed START_THTTPD from README.SuSE
+
+-------------------------------------------------------------------
+Tue Jan 15 00:28:27 CET 2002 - ro@suse.de
+
+- removed START_THTTPD
+
+-------------------------------------------------------------------
+Fri Sep 21 13:32:45 CEST 2001 - bjacke@suse.de
+
+- fix version on template webpage
+
+-------------------------------------------------------------------
+Mon Sep 3 12:10:09 CEST 2001 - adostal@suse.cz
+
+- fix /etc/init.d in thttpd-SuSE.tar.bz2 files
+- split patches on configure, dirs, time_h and newautoconf
+
+-------------------------------------------------------------------
+Thu Jun 14 14:16:41 CEST 2001 - adostal@suse.cz
+
+- fix for new autoconf
+
+-------------------------------------------------------------------
+Fri Apr 13 14:44:59 CEST 2001 - nadvornik@suse.cz
+
+- changed initscript according to skeleton
+
+-------------------------------------------------------------------
+Thu Mar 8 14:13:39 CET 2001 - nadvornik@suse.cz
+
+- compiled with RPM_OPT_FLAGS
+
+-------------------------------------------------------------------
+Thu Feb 15 09:12:17 CET 2001 - nadvornik@suse.cz
+
+- fixed to compile
+
+-------------------------------------------------------------------
+Wed Dec 13 11:22:35 CET 2000 - smid@suse.cz
+
+- generatig of default page moved to %install (it was in %post and
+- caused [#4566]
+
+-------------------------------------------------------------------
+Tue Dec 12 12:00:29 CET 2000 - smid@suse.cz
+
+- default cgibin pattern changed [#4564]
+- rcthttpd link added
+
+-------------------------------------------------------------------
+Sun Dec 3 13:49:37 CET 2000 - smid@suse.cz
+
+- new version: 2.20b
+
+-------------------------------------------------------------------
+Fri Dec 1 12:52:43 CET 2000 - ro@suse.de
+
+- moved init-script
+
+-------------------------------------------------------------------
+Thu Nov 2 11:09:38 CET 2000 - smid@suse.cz
+
+- fix ugly bug in startup scripts
+
+-------------------------------------------------------------------
+Thu Sep 28 15:08:03 CEST 2000 - smid@suse.cz
+
+- new version: 2.20
+
+-------------------------------------------------------------------
+Wed Aug 30 10:37:06 CEST 2000 - smid@suse.cz
+
+- fix bug in startup script
+
+-------------------------------------------------------------------
+Wed Jul 5 14:20:46 MEST 2000 - mha@suse.de
+
+- new version: 2.19
+
+-------------------------------------------------------------------
+Tue May 23 09:03:05 CEST 2000 - smid@suse.cz
+
+- buildroot fixed
+
+-------------------------------------------------------------------
+Wed May 3 12:35:48 CEST 2000 - smid@suse.cz
+
+- buildroot added
+
+-------------------------------------------------------------------
+Tue Mar 21 11:34:04 CET 2000 - mha@suse.de
+
+- update to 2.16
+
+-------------------------------------------------------------------
+Fri Mar 3 17:32:43 MET 2000 - uli@suse.de
+
+- moved man pages to %{_mandir}
+
+-------------------------------------------------------------------
+Mon Feb 28 16:34:00 MET 2000 - mha@suse.de
+
+- new version: 2.15
+
+-------------------------------------------------------------------
+Thu Feb 17 18:23:19 CET 2000 - dipa@suse.de
+
+- bug #1268 rc.config variable set to no
+
+-------------------------------------------------------------------
+Wed Jan 12 13:40:40 MET 2000 - mha@suse.de
+
+- new version: 2.11
+- new conflicts (roxen, apache, aolserv), provides (http_daemon)
+- new homepage
+
+-------------------------------------------------------------------
+Tue Nov 16 18:14:45 MET 1999 - kukuk@suse.de
+
+- Fix stack overflow
+
+-------------------------------------------------------------------
+Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de
+
+- ran old prepare_spec on spec file to switch to new prepare_spec.
+
+-------------------------------------------------------------------
+Thu Sep 9 12:15:28 CEST 1999 - bs@suse.de
+
+- fixed call of Check at the end of %install section
+
+-------------------------------------------------------------------
+Sun Jul 11 16:21:57 MEST 1999 - mha@suse.de
+
+- new package: thttpd (a _small_ webserver)
+ absolutely no configuration needed - and yet save (chroot)!
+
diff --git a/thttpd.conf b/thttpd.conf
new file mode 100644
index 0000000..31fe409
--- /dev/null
+++ b/thttpd.conf
@@ -0,0 +1,70 @@
+# thttpd.conf -- configuration file for thttpd
+#
+# The strategy used is similar to e.g. OpenSSH:
+# specify options with their default value where possible,
+# but leave them commented. Uncommented options change
+# a default value. Parenthesis state the command line option
+
+# Port to listen on (-p)
+#port=80
+
+# www root directory (-d)
+dir=/srv/www/htdocs
+
+# The eternal question whether to chroot() or not to chroot()
+# into "dir" above. If you don't want thttpd to chroot() change
+# the next line to "nochroot" (-r|-nor)
+#chroot
+
+# data directory in the chroot dir
+# as the default configuration just chroots into "dir"
+# we leave this unset. Use it for running more complex webs with
+# thttpd (note, that at some point something more robust
+# (e.g. apache)might be a better choice). (-dd)
+#data_dir=
+
+# Instructs thttpd to check whether symlinked documents really
+# belong to the document tree. Disable with "nosymlinkcheck",
+# although this is not recommended (-s|-nos)
+#symlinkcheck
+
+# "El-cheapo" webhosting, enable with "vhost" (-v|-nov)
+#novhost
+
+# Use server-global .htpasswd file (see man page). Enable with
+# "globalpasswd" (-g|-nog)
+#noglobalpasswd
+
+# User to switch to after initialization when started as root
+# (-u)
+#user=wwwrun
+
+# CGI scripts pattern (-c)
+#cgipat=/cgi-bin/*|**.cgi
+
+# File of throttle settings (-t) - see manpage
+#throttles=
+
+# Hostname to bind to for multihoming (-h)
+#host=your.hostname.here
+
+# Log-file; empty = use syslog(), /dev/null = without log. (-l)
+logfile=/var/log/thttpd.log
+
+# File to write the process-id to (-i), can be used for signalling
+# thttpd
+pidfile=/var/run/thttpd.pid
+
+# Character set to use with text MIME types.
+# Defaults to UTF-8 (-t)
+#charset=
+
+# P3P server privacy header is returned with all responses
+# (see manpage). Use p3p to enable it (-P|-noP)
+##
+
+# seconds to be used in a "Cache-Control: max-age" header and
+# generates equivalent Expires meta tag
+#max_age=
+
+# -- end of thttpd.conf
diff --git a/thttpd.logrotate b/thttpd.logrotate
new file mode 100644
index 0000000..0f1515f
--- /dev/null
+++ b/thttpd.logrotate
@@ -0,0 +1,10 @@
+/var/log/thttpd.log {
+ compress
+ dateext
+ maxage 365
+ rotate 99
+ size=+4096k
+ notifempty
+ missingok
+ copytruncate
+}
diff --git a/thttpd.service b/thttpd.service
new file mode 100644
index 0000000..4529bab
--- /dev/null
+++ b/thttpd.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Tiny HTTP Daemon
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+PIDFile=/run/thttpd.pid
+ExecStart=/usr/sbin/thttpd -D -C /etc/thttpd.conf
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/thttpd.spec b/thttpd.spec
new file mode 100644
index 0000000..dea1314
--- /dev/null
+++ b/thttpd.spec
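Review bot: In thttpd.conf the charset entry is annotated `(-t)`, the same flag the throttles entry gives a few lines earlier; thttpd's charset switch is `-T`, so the comment should read `# Defaults to UTF-8 (-T)`. The P3P entry ends in a bare `##` where every other option shows its commented-out key, so `#p3p=` would follow the convention the file header describes, and the max_age entry is the only one that does not name its flag (`-M`). `logfile=` and `pidfile=` are active and point outside `dir` while chroot is the commented default; a one-line comment saying how those paths relate to the chroot would save an administrator from guessing.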
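Review bot: In thttpd.logrotate, `copytruncate` copies the live log and then truncates it, so entries written between the two steps are lost, and logrotate's `create` directive has no effect in this mode. For an access log that may be needed during an investigation, that trade-off deserves a comment above the directive, for example `# copytruncate: thttpd keeps the log open, so rotate by copying and truncating in place`; the reason stated there is my assumption and should be confirmed. It is also worth checking that rotated copies keep the restrictive mode that thttpd-CVE-2013-0348.patch gives the live log.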
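Review bot: In thttpd.service the hardening block has no `NoNewPrivileges=true`, although the unit starts the daemon as root (no `User=`) and thttpd.conf describes a CGI pattern and a user switch. Adding `NoNewPrivileges=true` would stop a CGI child from regaining privileges through a setuid binary; it should be tested together with the chroot and the switch to the unprivileged user before it ships. `PIDFile=/run/thttpd.pid` is also spelled differently from `pidfile=/var/run/thttpd.pid` in thttpd.conf, and since `-D` appears to keep the daemon in the foreground the unit probably does not need `PIDFile=` at all.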
@@ -0,0 +1,178 @@
+#
+# spec file for package thttpd
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define serverroot /srv/www
+%if 0%{?suse_version} > 1220
+%define with_systemd 1
+%else
+%define with_systemd 0
+%endif
+Name: thttpd
+Version: 2.29
+Release: 0
+Summary: Small and simple webserver
+License: BSD-3-Clause
+Group: Productivity/Networking/Web/Servers
+URL: http://www.acme.com/software/thttpd/
+Source: http://www.acme.com/software/thttpd/%{name}-%{version}.tar.gz
+Source1: %{name}-initd.script
+Source2: %{name}.service
+Source3: %{name}.logrotate
+Source4: %{name}.conf
+Patch0: %{name}-2.25b-configure.patch
+Patch1: %{name}-2.25b-dirs.patch
+Patch2: %{name}-2.25b-time_h.patch
+Patch3: %{name}-2.25b-newautoconf.patch
+Patch4: %{name}-2.25b-sec.patch
+Patch5: %{name}-2.25b-static.patch
+Patch6: %{name}-2.25b-pie.patch
+Patch7: %{name}-2.25b-syslogtocern.diff
+Patch8: %{name}-2.25b-overflow.diff
+Patch9: %{name}-2.25b-chown.diff
+Patch10: %{name}-2.25b-zerolen.patch
+# PATCH-FIX-SUSE CVE-2012-5640
+Patch13: thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
+Patch14: thttpd-CVE-2013-0348.patch
+Patch15: thttpd-crypt_is_in_crypt.h.patch
+# PATCH-FIX-SUSE keep using deprecated function sigset
+Patch16: thttpd-c99.patch
+BuildRequires: automake
+BuildRequires: libtool
+Requires(post): permissions
+Requires: group(www)
+Recommends: logrotate
+# both packages provide /srw/www/htdocs/index.html
+Conflicts: apache2-example-pages
+# both packages provide /usr/bin/htpasswd
+Conflicts: apache2-utils
+Provides: http_daemon
+%if %{with_systemd}
+BuildRequires: pkgconfig(systemd)
+%{?systemd_ordering}
+%else
+Requires(post): %fillup_prereq
+Requires(post): %insserv_prereq
+%endif
+
+%description
+Thttpd is a compact httpd serving daemon that can handle
+high loads. While lacking many of the advanced features of Roxen
+or Apache, thttpd operates without forking and is efficient
+in memory use. Basic support for CGI scripts, authentication, and SSI
+is provided. Advanced features include the ability to throttle
+traffic.
+
+%prep
+%setup -q
+%patch -P 0
+%patch -P 1
+%patch -P 2
+%patch -P 3
+%patch -P 4
+%patch -P 5
+%patch -P 6
+%patch -P 7
+%patch -P 8
+%patch -P 9
+%patch -P 10
+%patch -P 13 -p1
+%patch -P 14 -p1
+%patch -P 15 -p1
+%patch -P 16 -p1
+
+%build
+cp %{_datadir}/automake-1.*/config.* .
+mv aclocal.m4 acinclude.m4
+libtoolize --force
+aclocal --force
+autoconf -f
+export V_CCOPT="%{optflags} -fPIC -DPIC -fPIE"
+export CFLAGS="%{optflags} -fPIC -DPIC -fPIE"
+export LDFLAGS="-pie -Wl,-z,relro,-z,now"
+%configure
+# parallel build causes problems, single thread build takes only 10s anyway
+make -j1
+
+%install
+install -d %{buildroot}%{_bindir} \
+ %{buildroot}%{_sbindir} \
+ %{buildroot}%{_mandir}/man1 \
+ %{buildroot}%{_mandir}/man8 \
+ %{buildroot}%{serverroot}/htdocs/users
+%make_install
+install -D -m0644 index.html %{buildroot}/%{serverroot}/htdocs/index.html
+install -D -m0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}.conf
+install -D -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+%if %{with_systemd}
+install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+%else
+install -D -m0644 %{SOURCE1} %{buildroot}%{_initddir}/%{name}
+ln -s %{buildroot}%{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
+%endif
+
+%if %{with_systemd}
+%pre
+%service_add_pre %{name}.service
+%endif
+
+%post
+%if %{with_systemd}
+%service_add_post %{name}.service
+%else
+%{fillup_and_insserv thttpd}
+%endif
+%set_permissions %{_bindir}/makeweb
+
+%verifyscript
+%verify_permissions -e %{_bindir}/makeweb
+
+%preun
+%if %{with_systemd}
+%service_del_preun %{name}.service
+%else
+%stop_on_removal thttpd
+%endif
+
+%postun
+%if %{with_systemd}
+%service_del_postun %{name}.service
+%else
+%restart_on_update thttpd
+%insserv_cleanup
+%endif
+
+%files
+%doc README config.h
+%dir %{serverroot}
+%dir %{serverroot}/htdocs
+%{serverroot}/htdocs/*
+%attr(775, root, www) %{serverroot}/htdocs/users
+%verify(not mode) %attr(2751, root, www) %{_bindir}/makeweb
+%{_bindir}/htpasswd
+%{_sbindir}/*
+%{_mandir}/*/*
+%config %{_sysconfdir}/logrotate.d/%{name}
+%if %{with_systemd}
+%{_unitdir}/%{name}.service
+%else
+%config %{_initddir}/thttpd
+%endif
+%config(noreplace) %{_sysconfdir}/thttpd.conf
+
+%changelog
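Review bot: In the non-systemd branch of %install the init script is installed with `-m0644`, so the file under %{_initddir} is not executable, and the `ln -s` target contains `%{buildroot}`, which leaves rc%{name} pointing into the build tree once the package is installed. These two lines should be `install -D -m0755 %{SOURCE1} %{buildroot}%{_initddir}/%{name}` and `ln -s %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}`. The comment above `Conflicts: apache2-example-pages` spells the path `/srw/www`, while `%define serverroot` and the changelog use `/srv/www`. The `%attr(2751, root, www)` on makeweb next to the group-writable `htdocs/users` directory is a deliberate setgid arrangement per bsc#1171580; a short comment in %files saying so would help the next packager leave it intact.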