diff --git a/CVE-2023-27371.patch b/CVE-2023-27371.patch
deleted file mode 100644
index b4c409d..0000000
--- a/CVE-2023-27371.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 6d6846e20bfdf4b3eb1b592c97520a532f724238 Mon Sep 17 00:00:00 2001
-From: Christian Grothoff
-Date: Sun, 26 Feb 2023 17:51:24 +0100
-Subject: [PATCH] fix parser bug that could be used to crash servers using the
- MHD_PostProcessor
----
- ChangeLog | 14 +++++++++-----
- src/microhttpd/postprocessor.c | 2 +-
- 2 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 2292219c1..5d50c60c7 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,7 @@
-+Sun Feb 26 05:49:30 PM CET 2023
-+ Fix potential DoS vector in MHD_PostProcessor discovered
-+ by Gynvael Coldwind and Dejan Alvadzijevic. -CG
-+
- Sun 26 Dec 2021 20:30:00 MSK
- Releasing GNU libmicrohttpd 0.9.75 -EG
-
-@@ -23,7 +27,7 @@ December 2021
- Some code improvements for new test test_client_put_stop.
- Added special log message if thread creation failed due to system limits.
- Fully restructured new_connection_process_() to correctly handle errors,
-- fixed missing decrement of number of daemon connections if any error
-+ fixed missing decrement of number of daemon connections if any error
- encountered, fixed app notification of connection termination when app has
- not been notified about connection start, fixed (highly unlikely) reset of
- the list of connections if reached daemon's connections limit.
-@@ -67,7 +71,7 @@ November 2021
- for testing of MHD.
- Renamed 'early_response' connection flag to 'discard_request' and reworked
- handling of connection's flags.
-- Clarified request termination reasons doxy, fixed reporting of
-+ Clarified request termination reasons doxy, fixed reporting of
- MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used
- in reporting).
- Enforce all libcurl tests exit code to be zero or one.
-@@ -76,7 +80,7 @@ November 2021
- of the last LF in termination chunk, handle correctly chunk sizes with more
- than 16 digits (leading zeros are valid according to HTTP RFC), fixed
- handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report
-- error when invalid chunk format is received without waiting to receive
-+ error when invalid chunk format is received without waiting to receive
- (possibly missing) end of the line, reply to the client with special error
- if chunk size is too large to be handled by MHD (>16 EiB).
- Added error reply if client used too large request payload (>16 EiB).
-@@ -92,7 +96,7 @@ October 2021
- Added test family test_toolarge to check correct handling of the buffers
- when the size of data is larger than free space.
- Fixed missing updated of read and write buffers sizes.
-- Added detection and use of supported "noreturn" keyword for function
-+ Added detection and use of supported "noreturn" keyword for function
- declaration. It should help compiler and static analyser.
- Added support for leak sanitizer.
- Fixed analyser errors on W32.
-@@ -290,7 +294,7 @@ June 2021
- used for the next request data.
- Fixed completely broken calculation of request header size.
- Chunked response: do not ask app callback for more data then
-- it is possible to process (more than 16 MBytes).
-+ it is possible to process (more than 16 MBytes).
- Check and report if app used wrong response code (>999 or <100)
- Refuse to add second "Transfer-Encoding" header.
- HTTPS tests: check whether all libcurl function succeeded.
-diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
-index 990742150..c00605c77 100644
---- a/src/microhttpd/postprocessor.c
-+++ b/src/microhttpd/postprocessor.c
-@@ -83,7 +83,7 @@ MHD_create_post_processor (struct MHD_Connection *connection,
- return NULL; /* failed to determine boundary */
- boundary += MHD_STATICSTR_LEN_ ("boundary=");
- blen = strlen (boundary);
-- if ( (blen == 0) ||
-+ if ( (blen < 2) ||
- (blen * 2 + 2 > buffer_size) )
- return NULL; /* (will be) out of memory or invalid boundary */
- if ( (boundary[0] == '"') &&
diff --git a/libmicrohttpd-0.9.75.tar.gz b/libmicrohttpd-0.9.75.tar.gz
deleted file mode 100644
index 0e827c2..0000000
Binary files a/libmicrohttpd-0.9.75.tar.gz and /dev/null differ
diff --git a/libmicrohttpd-0.9.77.tar.gz b/libmicrohttpd-0.9.77.tar.gz
new file mode 100644
index 0000000..f9643b1
Binary files /dev/null and b/libmicrohttpd-0.9.77.tar.gz differ
diff --git a/libmicrohttpd.spec b/libmicrohttpd.spec
index c830c47..3c06b6c 100644
--- a/libmicrohttpd.spec
+++ b/libmicrohttpd.spec
@@ -1,6 +1,6 @@
 Name: libmicrohttpd
-Version: 0.9.75
-Release: 4
+Version: 0.9.77
+Release: 1
 Epoch: 1
 Summary: Lightweight library for embedding a webserver in applications
 License: LGPLv2+
@@ -9,7 +9,6 @@ Source0: https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
 Patch0001: 0001-gnutls-utilize-system-crypto-policy.patch
 Patch0002: fix-libmicrohttpd-tutorial-info.patch
 Patch0003: fixed-missing-websocket.inc-in-dist-files.patch
-Patch0004: CVE-2023-27371.patch
 BuildRequires: autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz
 Requires(post): info
@@ -55,6 +54,7 @@ cp src/examples/*.c examples
 cp doc/examples/*.c examples
 chmod 644 examples/*.c
 cp -R doc/doxygen/html html
+
 %post help
 install-info %{_infodir}/libmicrohttpd.info.gz %{_infodir}/dir || :
 install-info %{_infodir}/libmicrohttpd-tutorial.info.gz %{_infodir}/dir || :
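Review bot: Dropping `Patch0004: CVE-2023-27371.patch` is only safe if the 0.9.77 tarball already carries the equivalent guard, and nothing in this diff shows that: the deleted backport is a one-line change in MHD_create_post_processor (`blen == 0` → `blen < 2`, visible in the removed hunk above), and the replacement tarball is binary here. Before merging, confirm that src/microhttpd/postprocessor.c in libmicrohttpd-0.9.77 contains the `blen < 2` check (upstream's own ChangeLog dates the fix to Feb 2023, so it should be in 0.9.76 and later, but that is an inference, not something this commit demonstrates). The `%changelog` entry should also record why the backport went away so a later CVE audit does not flag the missing patch, e.g. `- Upgrade to 0.9.77 (carries upstream fix for CVE-2023-27371, drop backport)`.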
@@ -80,7 +80,6 @@ fi
 %{_libdir}/pkgconfig/libmicrohttpd.pc
 %exclude %{_libdir}/libmicrohttpd.la
 %exclude %{_infodir}/dir
-%exclude %{_bindir}/demo
 %files help
 %doc AUTHORS ChangeLog examples html README
@@ -90,6 +89,9 @@ fi
 %{_infodir}/libmicrohttpd_performance_data.png.gz
 %changelog
+* Fri Jan 12 2024 yaoxin - 1:0.9.77-1
+- Upgrade to 0.9.77
+
 * Sun Oct 08 2023 wulei - 1:0.9.75-4
 - Fixed missing websocket.inc in dist files