openEuler:Mainline
libmicrohttpd
Changes of Revision 2
_service:tar_scm:libmicrohttpd.spec
Changed
@@ -1,6 +1,6 @@ Name: libmicrohttpd Version: 0.9.75 -Release: 1 +Release: 3 Epoch: 1 Summary: Lightweight library for embedding a webserver in applications License: LGPLv2+ @@ -8,6 +8,8 @@ Source0: https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz Patch0001: 0001-gnutls-utilize-system-crypto-policy.patch Patch0002: fix-libmicrohttpd-tutorial-info.patch +Patch0003: fixed-missing-websocket.inc-in-dist-files.patch +Patch0004: CVE-2023-27371.patch BuildRequires: autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz Requires(post): info @@ -88,6 +90,12 @@ %{_infodir}/libmicrohttpd_performance_data.png.gz %changelog +* Mon Mar 13 2023 yaoxin <yaoxin30@h-partners.com> - 1:0.9.75-3 +- Fix CVE-2023-27371 + +* Fri Aug 5 2022 liyanan <liyanan32@h-partners.com> - 1:0.9.75-2 +- Fixed missing websocket.inc in dist files + * Fri Jan 14 2022 xigaoxinyan<xigaoxinyan@huawei.com> - 0.9.75-1 - update to 0.9.75 * Thu Aug 05 2021 caodongxia<caodongxia@huawei.com> - 0.9.59-5
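Review bot: Patch0003 and Patch0004 are declared in the second hunk, but none of the three hunks touches %prep, so nothing visible here shows the new patches actually being applied. Please confirm the spec applies every declared patch automatically rather than through per-patch macros; otherwise CVE-2023-27371.patch ships in the source package while the built library stays unpatched. Separately, the two new changelog entries use the epoch form (1:0.9.75-3, 1:0.9.75-2) while the existing entry below them reads 0.9.75-1, so the version history is inconsistent about the epoch.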
_service:tar_scm:CVE-2023-27371.patch
Added
@@ -0,0 +1,81 @@ +From 6d6846e20bfdf4b3eb1b592c97520a532f724238 Mon Sep 17 00:00:00 2001 +From: Christian Grothoff <christian@grothoff.org> +Date: Sun, 26 Feb 2023 17:51:24 +0100 +Subject: PATCH fix parser bug that could be used to crash servers using the + MHD_PostProcessor + +--- + ChangeLog | 14 +++++++++----- + src/microhttpd/postprocessor.c | 2 +- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 2292219c1..5d50c60c7 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,7 @@ ++Sun Feb 26 05:49:30 PM CET 2023 ++ Fix potential DoS vector in MHD_PostProcessor discovered ++ by Gynvael Coldwind and Dejan Alvadzijevic. -CG ++ + Sun 26 Dec 2021 20:30:00 MSK + Releasing GNU libmicrohttpd 0.9.75 -EG + +@@ -23,7 +27,7 @@ December 2021 + Some code improvements for new test test_client_put_stop. + Added special log message if thread creation failed due to system limits. + Fully restructured new_connection_process_() to correctly handle errors, +- fixed missing decrement of number of daemon connections if any error ++ fixed missing decrement of number of daemon connections if any error + encountered, fixed app notification of connection termination when app has + not been notified about connection start, fixed (highly unlikely) reset of + the list of connections if reached daemon's connections limit. +@@ -67,7 +71,7 @@ November 2021 + for testing of MHD. + Renamed 'early_response' connection flag to 'discard_request' and reworked + handling of connection's flags. +- Clarified request termination reasons doxy, fixed reporting of ++ Clarified request termination reasons doxy, fixed reporting of + MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used + in reporting). + Enforce all libcurl tests exit code to be zero or one. 
+@@ -76,7 +80,7 @@ November 2021 + of the last LF in termination chunk, handle correctly chunk sizes with more + than 16 digits (leading zeros are valid according to HTTP RFC), fixed + handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report +- error when invalid chunk format is received without waiting to receive ++ error when invalid chunk format is received without waiting to receive + (possibly missing) end of the line, reply to the client with special error + if chunk size is too large to be handled by MHD (>16 EiB). + Added error reply if client used too large request payload (>16 EiB). +@@ -92,7 +96,7 @@ October 2021 + Added test family test_toolarge to check correct handling of the buffers + when the size of data is larger than free space. + Fixed missing updated of read and write buffers sizes. +- Added detection and use of supported "noreturn" keyword for function ++ Added detection and use of supported "noreturn" keyword for function + declaration. It should help compiler and static analyser. + Added support for leak sanitizer. + Fixed analyser errors on W32. +@@ -290,7 +294,7 @@ June 2021 + used for the next request data. + Fixed completely broken calculation of request header size. + Chunked response: do not ask app callback for more data then +- it is possible to process (more than 16 MBytes). ++ it is possible to process (more than 16 MBytes). + Check and report if app used wrong response code (>999 or <100) + Refuse to add second "Transfer-Encoding" header. + HTTPS tests: check whether all libcurl function succeeded. 
+diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c +index 990742150..c00605c77 100644 +--- a/src/microhttpd/postprocessor.c ++++ b/src/microhttpd/postprocessor.c +@@ -83,7 +83,7 @@ MHD_create_post_processor (struct MHD_Connection *connection, + return NULL; /* failed to determine boundary */ + boundary += MHD_STATICSTR_LEN_ ("boundary="); + blen = strlen (boundary); +- if ( (blen == 0) || ++ if ( (blen < 2) || + (blen * 2 + 2 > buffer_size) ) + return NULL; /* (will be) out of memory or invalid boundary */ + if ( (boundary0 == '"') &&
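Review bot: in the ChangeLog part of CVE-2023-27371.patch, the five hunks under December 2021, November 2021 (twice), October 2021 and June 2021 each replace a line with text that reads identically, which looks like whitespace-only churn unrelated to the fix. For a downstream security backport, consider dropping the ChangeLog changes and carrying only the postprocessor.c hunk, so the patch is the one-line fix and cannot fail to apply because of ChangeLog context.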
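Review bot: in the postprocessor.c hunk, the new bound in "if ( (blen < 2) ||" is a bare constant, and the comment on the return still says only "(will be) out of memory or invalid boundary". Please add a comment saying why a one-character boundary has to be rejected; the context ends at the quoted-boundary check that begins "if ( (boundary0 == '"') &&", which is presumably the code that needs at least two characters. The diffstat lists only ChangeLog and src/microhttpd/postprocessor.c, so no regression test accompanies the fix; a test that calls MHD_create_post_processor with a one-character boundary and expects NULL would keep the check from being loosened later.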
_service:tar_scm:fixed-missing-websocket.inc-in-dist-files.patch
Added
@@ -0,0 +1,20 @@ +From bf89bd95f8d4401ddaabdb59023175e66bdbd80f Mon Sep 17 00:00:00 2001 +From: "Evgeny Grin (Karlson2k)" <k2k@narod.ru> +Date: Sun, 9 Jan 2022 19:50:37 +0300 +Subject: PATCH doc: fixed missing 'websocket.inc' in dist files + +--- + doc/Makefile.am | 1 ++- + 1 file changed, 1 insertions(+) + +diff -Nur a/doc/Makefile.am b/doc/Makefile.am +--- a/doc/Makefile.am 2021-12-27 01:30:00.000000000 +0800 ++++ b/doc/Makefile.am 2022-08-05 16:13:42.056733987 +0800 +@@ -27,6 +27,7 @@ + chapters/responseheaders.inc \ + chapters/tlsauthentication.inc \ + chapters/sessions.inc \ ++ chapters/websocket.inc \ + fdl-1.3.texi \ + gpl-2.0.texi \ + lgpl.texi \
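Review bot: the header of this patch attributes it to upstream commit bf89bd95f8d4401ddaabdb59023175e66bdbd80f dated 9 Jan 2022, but the body was regenerated with "diff -Nur" (file timestamps 2021-12-27 and 2022-08-05), and the diffstat line "doc/Makefile.am | 1 ++-" does not match the single added line. Carrying the upstream commit's patch unmodified, or stating in the header that it was re-diffed locally, would let a reviewer verify the backport against upstream byte for byte.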
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/libmicrohttpd.git</param> - <param name="revision">89bf8c4ebb3a6e76b698ae98cb563965080c6985</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
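Review bot: the revision parameter changes from the pinned commit 89bf8c4ebb3a6e76b698ae98cb563965080c6985 to the branch name master, so the source this package builds from can change without any new revision appearing here. That makes builds non-reproducible and removes the review point for what goes into the package, including security patches such as the one added in this revision. Keep the parameter pinned to a commit hash and update it to the commit that contains these changes.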