Upgrade to 0.9.77

2024-01-12 09:39:47 +08:00 · 2024-01-12 09:39:47 +08:00 · 03daa847a0
commit 03daa847a0
parent 002d153761
4 changed files with 6 additions and 85 deletions
--- a/CVE-2023-27371.patch
+++ b/CVE-2023-27371.patch
@ -1,81 +0,0 @@
 From 6d6846e20bfdf4b3eb1b592c97520a532f724238 Mon Sep 17 00:00:00 2001
 From: Christian Grothoff <christian@grothoff.org>
 Date: Sun, 26 Feb 2023 17:51:24 +0100
 Subject: [PATCH] fix parser bug that could be used to crash servers using the
 MHD_PostProcessor
 ---
 ChangeLog                      | 14 +++++++++-----
 src/microhttpd/postprocessor.c |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)
 diff --git a/ChangeLog b/ChangeLog
 index 2292219c1..5d50c60c7 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,7 @@
 +Sun Feb 26 05:49:30 PM CET 2023
 +    Fix potential DoS vector in MHD_PostProcessor discovered
 +    by Gynvael Coldwind and Dejan Alvadzijevic. -CG
 +
 Sun 26 Dec 2021 20:30:00 MSK
     Releasing GNU libmicrohttpd 0.9.75 -EG
@@ -23,7 +27,7 @@ December 2021
     Some code improvements for new test test_client_put_stop.
     Added special log message if thread creation failed due to system limits.
     Fully restructured new_connection_process_() to correctly handle errors,
 -    fixed missing decrement of number of daemon connections if any error 
 +    fixed missing decrement of number of daemon connections if any error
     encountered, fixed app notification of connection termination when app has
     not been notified about connection start, fixed (highly unlikely) reset of
     the list of connections if reached daemon's connections limit.
@@ -67,7 +71,7 @@ November 2021
     for testing of MHD.
     Renamed 'early_response' connection flag to 'discard_request' and reworked
     handling of connection's flags.
 -    Clarified request termination reasons doxy, fixed reporting of 
 +    Clarified request termination reasons doxy, fixed reporting of
     MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used
     in reporting).
     Enforce all libcurl tests exit code to be zero or one.
@@ -76,7 +80,7 @@ November 2021
     of the last LF in termination chunk, handle correctly chunk sizes with more
     than 16 digits (leading zeros are valid according to HTTP RFC), fixed
     handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report
 -    error when invalid chunk format is received without waiting to receive 
 +    error when invalid chunk format is received without waiting to receive
     (possibly missing) end of the line, reply to the client with special error
     if chunk size is too large to be handled by MHD (>16 EiB).
     Added error reply if client used too large request payload (>16 EiB).
@@ -92,7 +96,7 @@ October 2021
     Added test family test_toolarge to check correct handling of the buffers
     when the size of data is larger than free space.
     Fixed missing updated of read and write buffers sizes.
 -    Added detection and use of supported "noreturn" keyword for function 
 +    Added detection and use of supported "noreturn" keyword for function
     declaration. It should help compiler and static analyser.
     Added support for leak sanitizer.
     Fixed analyser errors on W32.
@@ -290,7 +294,7 @@ June 2021
     used for the next request data.
     Fixed completely broken calculation of request header size.
     Chunked response: do not ask app callback for more data then
 -    it is possible to process (more than 16 MBytes). 
 +    it is possible to process (more than 16 MBytes).
     Check and report if app used wrong response code (>999 or <100)
     Refuse to add second "Transfer-Encoding" header.
     HTTPS tests: check whether all libcurl function succeeded.
 diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
 index 990742150..c00605c77 100644
 --- a/src/microhttpd/postprocessor.c
 +++ b/src/microhttpd/postprocessor.c
@@ -83,7 +83,7 @@ MHD_create_post_processor (struct MHD_Connection *connection,
       return NULL; /* failed to determine boundary */
     boundary += MHD_STATICSTR_LEN_ ("boundary=");
     blen = strlen (boundary);
 -    if ( (blen == 0) ||
 +    if ( (blen < 2) ||
          (blen * 2 + 2 > buffer_size) )
       return NULL;              /* (will be) out of memory or invalid boundary */
     if ( (boundary[0] == '"') &&
--- a/libmicrohttpd-0.9.75.tar.gz
+++ b/libmicrohttpd-0.9.75.tar.gz
--- a/libmicrohttpd-0.9.77.tar.gz
+++ b/libmicrohttpd-0.9.77.tar.gz
--- a/libmicrohttpd.spec
+++ b/libmicrohttpd.spec
@ -1,6 +1,6 @@
 Name:           libmicrohttpd
-Version:        0.9.75
+Version:        0.9.77
-Release:        4
+Release:        1
 Epoch:          1
 Summary:        Lightweight library for embedding a webserver in applications
 License:        LGPLv2+
@ -9,7 +9,6 @@ Source0:        https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
 Patch0001:      0001-gnutls-utilize-system-crypto-policy.patch
 Patch0002:      fix-libmicrohttpd-tutorial-info.patch
 Patch0003:      fixed-missing-websocket.inc-in-dist-files.patch
 Patch0004:      CVE-2023-27371.patch
 BuildRequires:  autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz
 Requires(post): info
@ -55,6 +54,7 @@ cp  src/examples/*.c examples
 cp doc/examples/*.c examples
 chmod 644 examples/*.c
 cp -R doc/doxygen/html html
 %post help
 install-info %{_infodir}/libmicrohttpd.info.gz %{_infodir}/dir || :
 install-info %{_infodir}/libmicrohttpd-tutorial.info.gz %{_infodir}/dir || :
@ -80,7 +80,6 @@ fi
 %{_libdir}/pkgconfig/libmicrohttpd.pc
 %exclude %{_libdir}/libmicrohttpd.la
 %exclude %{_infodir}/dir
 %exclude %{_bindir}/demo
 %files help
 %doc AUTHORS ChangeLog examples html README
@ -90,6 +89,9 @@ fi
 %{_infodir}/libmicrohttpd_performance_data.png.gz
 %changelog
 * Fri Jan 12 2024 yaoxin <yao_xin001@hoperun.com> - 1:0.9.77-1
 - Upgrade to 0.9.77
 * Sun Oct 08 2023 wulei <wulei80@h-partners.com> - 1:0.9.75-4
 - Fixed missing websocket.inc in dist files