Hello community,

here is the log from the commit of package haserl for openSUSE:Factory checked 
in at 2021-04-17 23:25:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haserl (Old)
 and      /work/SRC/openSUSE:Factory/.haserl.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "haserl"

Sat Apr 17 23:25:10 2021 rev:19 rq:886294 version:0.9.36

Changes:
--------
--- /work/SRC/openSUSE:Factory/haserl/haserl.changes    2015-08-02 
22:46:26.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.haserl.new.12324/haserl.changes 2021-04-17 
23:25:18.429629027 +0200
@@ -1,0 +2,11 @@
+Wed Apr 14 00:52:23 UTC 2021 - Ferdinand Thiessen <r...@fthiessen.de>
+
+- Update to version 0.9.36:
+  * Fixed: It's possible to issue a PUT request without a CONTENT-TYPE.
+    Assume an octet-stream in that case. ( CVE-2021-29133 )
+  * Change the Prefix for variables to be the REQUEST_METHOD
+    (PUT/DELETE/GET/POST) THIS IS A BREAKING CHANGE
+  * Mitigations vs running haserl to get access to files not
+    available to the user.
+
+-------------------------------------------------------------------

Old:
----
  haserl-0.9.35.tar.gz

New:
----
  haserl-0.9.36.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ haserl.spec ++++++
--- /var/tmp/diff_new_pack.AGc7gk/_old  2021-04-17 23:25:18.801629660 +0200
+++ /var/tmp/diff_new_pack.AGc7gk/_new  2021-04-17 23:25:18.801629660 +0200
@@ -20,7 +20,7 @@
 BuildRequires:  automake
 BuildRequires:  lua-devel
 BuildRequires:  pkg-config
-Version:        0.9.35
+Version:        0.9.36
 Release:        0
 Url:            http://haserl.sourceforge.net/
 Source:         
http://downloads.sourceforge.net/project/%{name}/haserl-devel/%{name}-%{version}.tar.gz
@@ -65,7 +65,7 @@
 
 %files
 %defattr(-,root,root)
-/usr/bin/haserl
+%{_bindir}/haserl
 %{_mandir}/man1/haserl.1.gz
 
 %changelog

++++++ haserl-0.9.35.tar.gz -> haserl-0.9.36.tar.gz ++++++
++++ 2295 lines of diff (skipped)
++++    retrying with extended exclude list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/ChangeLog new/haserl-0.9.36/ChangeLog
--- old/haserl-0.9.35/ChangeLog 2015-03-11 20:03:32.000000000 +0100
+++ new/haserl-0.9.36/ChangeLog 2021-03-08 03:04:04.000000000 +0100
@@ -1,3 +1,14 @@
+2021-03-07
+       0.9.36
+       *       Fix sf.net issue #5 - its possible to issue a PUT request
+               without a CONTENT-TYPE.   Assume an octet-stream in that case.
+       *       Change the Prefix for variables to be the REQUEST_METHOD
+               (PUT/DELETE/GET/POST) 
+               **** THIS IS A BREAKING CHANGE vs 0.9.33 ****
+       *       Mitigations vs running haserl to get access to files not
+               available to the user.
+
+
 2015-03-11
        0.9.35
        *       Geert Jan de Groot reported a possible segfault if CONTENT_TYPE 
is not 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/compile new/haserl-0.9.36/compile
--- old/haserl-0.9.35/compile   2015-01-06 08:50:54.000000000 +0100
+++ new/haserl-0.9.36/compile   2020-11-20 08:43:23.000000000 +0100
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Wrapper for compilers which do not understand '-c -o'.
 
-scriptversion=2012-10-14.11; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1999-2014 Free Software Foundation, Inc.
+# Copyright (C) 1999-2020 Free Software Foundation, Inc.
 # Written by Tom Tromey <tro...@cygnus.com>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -53,7 +53,7 @@
          MINGW*)
            file_conv=mingw
            ;;
-         CYGWIN*)
+         CYGWIN* | MSYS*)
            file_conv=cygwin
            ;;
          *)
@@ -67,7 +67,7 @@
        mingw/*)
          file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'`
          ;;
-       cygwin/*)
+       cygwin/* | msys/*)
          file=`cygpath -m "$file" || echo "$file"`
          ;;
        wine/*)
@@ -255,7 +255,8 @@
     echo "compile $scriptversion"
     exit $?
     ;;
-  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe )
+  cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
+  icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
     func_cl_wrapper "$@"      # Doesn't return...
     ;;
 esac
@@ -339,9 +340,9 @@
 # Local Variables:
 # mode: shell-script
 # sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/configure.ac new/haserl-0.9.36/configure.ac
--- old/haserl-0.9.35/configure.ac      2015-03-11 19:57:51.000000000 +0100
+++ new/haserl-0.9.36/configure.ac      2021-03-08 03:01:03.000000000 +0100
@@ -1,5 +1,5 @@
 # Process this file with autoconf to produce a configure script.
-AC_INIT([haserl],[0.9.35],[Nathan Angelacos - 
nan...@users.sourceforge.net],[haserl])
+AC_INIT([haserl],[0.9.36],[Nathan Angelacos - 
nan...@users.sourceforge.net],[haserl])
 AM_INIT_AUTOMAKE
 
 # Checks for programs.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/missing new/haserl-0.9.36/missing
--- old/haserl-0.9.35/missing   2015-01-06 08:50:54.000000000 +0100
+++ new/haserl-0.9.36/missing   2020-11-20 08:43:23.000000000 +0100
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Common wrapper for a few potentially missing GNU programs.
 
-scriptversion=2013-10-28.13; # UTC
+scriptversion=2018-03-07.03; # UTC
 
-# Copyright (C) 1996-2014 Free Software Foundation, Inc.
+# Copyright (C) 1996-2020 Free Software Foundation, Inc.
 # Originally written by Fran,cois Pinard <pin...@iro.umontreal.ca>, 1996.
 
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
 # GNU General Public License for more details.
 
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -101,9 +101,9 @@
   exit $st
 fi
 
-perl_URL=http://www.perl.org/
-flex_URL=http://flex.sourceforge.net/
-gnu_software_URL=http://www.gnu.org/software
+perl_URL=https://www.perl.org/
+flex_URL=https://github.com/westes/flex
+gnu_software_URL=https://www.gnu.org/software
 
 program_details ()
 {
@@ -207,9 +207,9 @@
 exit $st
 
 # Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
+# eval: (add-hook 'before-save-hook 'time-stamp)
 # time-stamp-start: "scriptversion="
 # time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-time-zone: "UTC"
+# time-stamp-time-zone: "UTC0"
 # time-stamp-end: "; # UTC"
 # End:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/src/h_script.c new/haserl-0.9.36/src/h_script.c
--- old/haserl-0.9.35/src/h_script.c    2015-02-15 23:16:48.000000000 +0100
+++ new/haserl-0.9.36/src/h_script.c    2021-03-08 01:56:14.000000000 +0100
@@ -104,6 +104,7 @@
   memset (scriptbuf->buf, 0, filestat.st_size + 1);
   read (scriptfp, scriptbuf->buf, filestat.st_size);
 
+  scriptbuf->bang_script = 0;
   scriptbuf->size = filestat.st_size;
   scriptbuf->uid = filestat.st_uid;
   scriptbuf->gid = filestat.st_gid;
@@ -130,6 +131,10 @@
          (scriptbuf->curpos)++;
        }
       (scriptbuf->curpos)++;
+       /* check to make sure the string following the #! matches argc[0] */
+       if (memcmp (scriptbuf->buf+2, global.exec_name, 
strlen(global.exec_name)) == 0) {
+               scriptbuf->bang_script=1;
+       }
     }
 
   /* If this is the first script, switch to <? ?> mode only
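Review bot: The new `#!` check `memcmp (scriptbuf->buf+2, global.exec_name, strlen(global.exec_name)) == 0` accepts trivially when exec_name is empty (a zero-length memcmp returns 0), and it can read past the buffer when the file is shorter than 2 + strlen(exec_name), since buf is only st_size + 1 bytes. It is also a prefix match, so any interpreter path that merely starts with argv[0] passes. Suggest `size_t n = strlen (global.exec_name);` followed by `if (n > 0 && scriptbuf->size >= (int) (2 + n) && memcmp (scriptbuf->buf + 2, global.exec_name, n) == 0)`, plus a comment that this is a plausibility check on the file rather than an authorization decision, because argv[0] is chosen by whoever invoked haserl. The comment should also say argv[0], not argc[0]. load_script begins before this hunk.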
@@ -264,6 +269,7 @@
 
   char *start, *end, *curpos, *endpos;
   token_t *curtoken, *firsttoken;
+  int tokens = 0;
 
   curtoken = tokenlist;
   firsttoken = tokenlist;
@@ -315,6 +321,7 @@
          /* push start of token to end of token  */
          curtoken =
            push_token_on_list (curtoken, scriptbuf, start, end - start);
+           tokens = tokens + 1;
          if (firsttoken == NULL)
            firsttoken = curtoken;
          curpos = end + 2;
@@ -324,12 +331,14 @@
          /* push curpos to end of script */
          curtoken =
            push_token_on_list (curtoken, scriptbuf, curpos, endpos - curpos);
+         tokens = tokens + 1;
          if (firsttoken == NULL)
            firsttoken = curtoken;
          curpos = endpos;
        }
     }
 
+  scriptbuf->tokens = tokens;
   return (firsttoken);
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/src/h_script.h new/haserl-0.9.36/src/h_script.h
--- old/haserl-0.9.35/src/h_script.h    2015-02-15 22:29:12.000000000 +0100
+++ new/haserl-0.9.36/src/h_script.h    2021-03-08 00:46:33.000000000 +0100
@@ -1,5 +1,5 @@
 /* --------------------------------------------------------------------------
- * Copyright 2003-2011 (inclusive) Nathan Angelacos 
+ * Copyright 2003-2021 (inclusive) Nathan Angelacos 
  *                   (nan...@users.sourceforge.net)
  * 
  *   This file is part of haserl.
@@ -28,8 +28,10 @@
        int     size;           /* size of script in bytes      */      
        uid_t   uid;            /* user owner                   */
        gid_t   gid;            /* group owner                  */
-       char    *buf;    /* pointer to malloc'ed buffer */
-       size_t  curpos;         /* current position in buffer   */      
+       char    *buf;           /* pointer to malloc'ed buffer  */
+       size_t  curpos;         /* current position in buffer   */
+       int     bang_script;    /* true if script starts with #!*/
+       int     tokens;         /* number of tokens in script   */
        void    *next;          /* next script in our chain     */
        } script_t;
 
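Review bot: The comment on `bang_script` ("true if script starts with #!") overstates what the flag records: load_script sets it only when the text after `#!` matches argv[0], so a file whose #! line names a different interpreter leaves it 0. Suggest `int bang_script; /* non-zero if the #! line names this interpreter (argv[0]) */` and, for the second field, `int tokens; /* token count set by build_token_list; main refuses < 2 when real uid is 0 */`, since that check is the only consumer visible in this release.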
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/src/haserl.c new/haserl-0.9.36/src/haserl.c
--- old/haserl-0.9.35/src/haserl.c      2015-03-11 19:56:52.000000000 +0100
+++ new/haserl-0.9.36/src/haserl.c      2021-03-08 02:49:08.000000000 +0100
@@ -1,5 +1,5 @@
 /* --------------------------------------------------------------------------
- * Copyright 2003-2015 (inclusive) Nathan Angelacos 
+ * Copyright 2003-2021 (inclusive) Nathan Angelacos 
  *                   (nan...@users.sourceforge.net)
  * 
  *   This file is part of haserl.
@@ -42,7 +42,7 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
-#include <sys/fcntl.h>
+#include <fcntl.h>
 #include <stdlib.h>
 #include <string.h>
 #include <grp.h>
@@ -463,6 +463,8 @@
 int
 ReadCGIPOSTValues (list_t * env )
 {
+  char prefix[64];
+
   size_t content_length = 0;
   size_t max_len;
   int  urldecoding = 0;
@@ -481,26 +483,31 @@
 
   content_type = getenv(CONTENT_TYPE);
 
-  if ( ( content_type != NULL ) &&
-     ( strncasecmp ( content_type , "multipart/form-data", 19)) == 0 )
-       {
-         /* This is a mime request, we need to go to the mime handler */
-         i = rfc2388_handler (env);
-         return (i);
-       }
-
-  /* at this point its either urlencoded or some other blob */
-  if ( (content_type == NULL ) ||
-     ( strncasecmp (getenv (CONTENT_TYPE), 
"application/x-www-form-urlencoded", 33) == 0 ) )
+  if ( content_type != NULL )
        {
-       urldecoding = 1;
-       matchstr = "&";
+        if ( strncasecmp ( content_type , "multipart/form-data", 19) == 0 )
+               {
+                       /* This is a mime request, we need to go to the mime 
handler */
+                       i = rfc2388_handler (env);
+                       return (i);
+               }
+        if ( strncasecmp (getenv (CONTENT_TYPE), 
"application/x-www-form-urlencoded", 33) == 0 ) 
+               {
+                       /* url encoded data in the payload */
+                       urldecoding = 1;
+                       matchstr = "&";
+               }
        }
 
+  /* otherwise, assume just a binary octet stream */
+       // These were set in the variable definition - just leave them alone
+       // matchstr = "";
+       // urldecoding = 0;
 
   /* Allow 2MB content, unless they have a global upload set */
   max_len = ((global.uploadkb == 0) ? 2048 : global.uploadkb) *1024;
 
+
         s_buffer_init (&sbuf, 32768);
         sbuf.fh = STDIN;
 
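Review bot: `strncasecmp (getenv (CONTENT_TYPE), "application/x-www-form-urlencoded", 33)` re-reads the environment although `content_type` already holds that value a few lines up; use `content_type` there so both branches test the same string. The three commented-out lines under "assume just a binary octet stream" are dead code standing in for an explanation; replace them with `/* no Content-Type, or an unrecognised one: keep matchstr = "" and urldecoding = 0 from the declarations and read the body as one opaque octet stream */`. With those defaults the body appears to be consumed as a single value, so the 2 MB default in `max_len` is then the only bound on what a client can make haserl buffer; worth stating next to it. ReadCGIPOSTValues begins and ends outside this hunk.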
@@ -514,8 +521,15 @@
                buffer_add( &token, "body=", 5 );
                }
 
+       /* Set the prefix to the request method */  
+       if (getenv ("REQUEST_METHOD") != NULL)
+               {
+                       snprintf (prefix, 64, "%s_", getenv("REQUEST_METHOD"));
+               } else {
+                       snprintf (prefix, 64, "REQUEST_");
+               }
 
-         do
+       do
            {
              /* x is true if this token ends with a matchstr or is at the end 
of stream */
              x = s_buffer_read (&sbuf, matchstr);
@@ -555,7 +569,7 @@
                  unescape_url ((char *) data);
                }
                myputenv (env, (char *) data, global.var_prefix);
-               myputenv (env, (char *) data, global.post_prefix);
+               myputenv (env, (char *) data, prefix);
                if (token.data)
                    {
                      buffer_reset (&token);
@@ -629,19 +643,29 @@
 }
 
 int
-BecomeUser (uid_t uid, gid_t gid)
+BecomeUser (script_t *scriptbuf)
 {
   /* This silently fails if it doesn't work */
-  /* Following is from Timo Teras */
-  if (getuid () == 0)
-    setgroups (1, &gid);
 
-  setgid (gid);
-  setgid (getgid ());
-
-  setuid (uid);
-  setuid (getuid ());
+  /* if we are not root, trying to run a root script,
+   * verify it looks like a script (pass 1)
+   */
+  if ( scriptbuf->uid == 0 ) { 
+       if ( scriptbuf->bang_script > 0 ) {
+               /* Then we change permissions */
+               setgid (scriptbuf->gid);
+               setgid (getgid ());
+
+               setuid (scriptbuf->uid);
+               setuid (getuid ());
+
+               /* Following is from Timo Teras */
+               setgroups (1, &(scriptbuf->gid));
+       } else {
+               die_with_message ( NULL, NULL, "Exception.");
+       }
 
+  }
   return (0);
 }
 
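Review bot: The privilege drop now runs only for root-owned scripts: the setgid/setuid calls sit inside `if ( scriptbuf->uid == 0 )`, so a script owned by any other user is executed without changing uid or gid at all, where 0.9.35 always switched to the script owner; if haserl is installed setuid root that leaves such scripts running with an effective uid of 0. Inside that branch `setgroups` is called after `setuid`, by which point supplementary groups can no longer be changed (it needs root), and every call's result is still discarded, as the "silently fails" comment admits. The gate for root-owned files rests on `bang_script`, which load_script derives from argv[0], a value the invoker controls, so it should be documented as a plausibility check rather than authorization. Suggested shape below: refuse root-owned non-scripts first, then drop for every script in an order that works, and fail closed when the drop cannot be confirmed.
```c
int
BecomeUser (script_t *scriptbuf)
{
  /* A root-owned file is only accepted if its #! line names this
   * interpreter (set in load_script).  argv[0] is chosen by whoever
   * invoked us, so this is a plausibility check, not authorization. */
  if (scriptbuf->uid == 0 && scriptbuf->bang_script <= 0)
    die_with_message (NULL, NULL, "Exception.");

  /* Drop to the script owner for every script, as 0.9.35 did.
   * Supplementary groups must go while we still have root. */
  if (geteuid () == 0 && setgroups (1, &(scriptbuf->gid)) != 0)
    die_with_message (NULL, NULL, "Exception.");

  setgid (scriptbuf->gid);
  setgid (getgid ());
  setuid (scriptbuf->uid);
  setuid (getuid ());

  /* For a non-root script the drop must have stuck: neither an
   * effective uid of 0 nor the ability to regain it is acceptable. */
  if (scriptbuf->uid != 0 && (geteuid () == 0 || setuid (0) == 0))
    die_with_message (NULL, NULL, "Exception.");

  return (0);
}
```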
@@ -666,7 +690,7 @@
   global.cookie_prefix = "COOKIE_";
   global.haserl_prefix = "HASERL_";
   global.nul_prefix = "";
-
+  global.exec_name = "";
 }
 
 
@@ -732,6 +756,9 @@
   haserl_buffer_init (&script_text);
 #endif
 
+  // assign exec_name to be the name of the interpreter 
+  global.exec_name = argv[0];
+
   /* if more than argv[1] and argv[1] is not a file */
   switch (argc)
     {
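Review bot: `global.exec_name = argv[0];` can store NULL: execve permits an empty argv, and then `strlen (global.exec_name)` in load_script dereferences it. Since exec_name is now a trust input for root-owned scripts (the #! comparison), guard it at the assignment, `global.exec_name = (argc > 0 && argv[0] != NULL) ? argv[0] : "";`, and have the #! check treat an empty name as a mismatch. The comment should say that argv[0] is whatever the invoker passed, not the interpreter's real path. main continues outside this hunk.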
@@ -793,7 +820,7 @@
 
   scriptchain = load_script (filename, NULL);
 /* drop permissions */
-  BecomeUser (scriptchain->uid, scriptchain->gid);
+  BecomeUser (scriptchain);
 
   /* populate the function pointers based on the shell selected */
   if (strcmp (global.shell, "lua") && strcmp (global.shell, "luac"))
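Review bot: load_script reads the whole file before `BecomeUser (scriptchain)` runs, so the read happens with haserl's own effective uid; the checks added in this release only refuse to continue for root-owned files, and a file owned by a different unprivileged user with mode 0600 is still opened and its text parsed as a script. The cleaner fix is to stat the target first, switch to its owner, and only then open it, so the owner's own file permissions govern the read; that change lives in load_script, outside this hunk. At minimum the `/* drop permissions */` comment should say that the file has already been read at this point and which cases BecomeUser refuses.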
@@ -875,6 +902,15 @@
   if (strcmp (global.shell, "luac"))
     {
       tokenchain = build_token_list (scriptchain, NULL);
+      /* This is a second pass to make sure haserl running as root 
+       * is actually running a haserl script.  If the first script
+       * doesn't have any haserl tokens, assume it is not valid
+       */
+      if (getuid () == 0) {
+             if ( scriptchain->tokens < 2 ) {
+                     die_with_message ( NULL, NULL, "Exception.");
+               }
+       }
       preprocess_token_list (tokenchain);
     }
 #endif
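Review bot: The second-pass check tests `getuid () == 0`, the real uid, so it fires only when haserl was started by root or after BecomeUser switched to root for a root-owned script; it also sits inside the `strcmp (global.shell, "luac")` branch and, judging by the `#endif` two lines below, inside a conditional-compilation region, so a `luac` shell or a build without that region skips it. The comment should state those conditions, e.g. `/* Only reached with real uid 0 (started by root, or a root-owned script after BecomeUser). A file with fewer than two tokens is refused as not being a haserl script. */`. The `tokens < 2` threshold is a heuristic: a root-owned file whose #! line names haserl and that contains a single `<?` already satisfies it. main continues outside this hunk.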
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/src/haserl.h new/haserl-0.9.36/src/haserl.h
--- old/haserl-0.9.35/src/haserl.h      2015-02-15 22:29:12.000000000 +0100
+++ new/haserl-0.9.36/src/haserl.h      2021-03-08 01:41:19.000000000 +0100
@@ -1,5 +1,5 @@
 /* --------------------------------------------------------------------------
- * Copyright 2003-2011 (inclusive) Nathan Angelacos 
+ * Copyright 2003-2021 (inclusive) Nathan Angelacos 
  *                   (nan...@users.sourceforge.net)
  * 
  *   This file is part of haserl.
@@ -21,6 +21,9 @@
 #ifndef _HASERL_H
 #define _HASERL_H      1
 
+// should already be included - but BecomeUser needs this
+#include "h_script.h"
+
 
 /* Just a silly construct to contain global variables    */
 typedef struct
@@ -40,6 +43,7 @@
   int acceptall;                /* true if we'll accept POST data on 
                                        GETs and vice versa                  */
   int silent;                   /* true if we never print errors             */
+  char *exec_name;             /* pointer to argv[0]                        */
 } haserl_t;
 
 extern haserl_t global;
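Review bot: `char *exec_name; /* pointer to argv[0] */` should warn readers that this is now a trust input: load_script compares it against the #! line of root-owned scripts. Suggest `char *exec_name; /* argv[0] as passed by the invoker (not owned by us, "" until main sets it); compared against root-owned scripts' #! line */`.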
@@ -61,7 +65,7 @@
 int ReadMimeEncodedInput(list_t *env);
 void PrintParseError(char *error, int linenum);
 int parseCommandLine(int argc, char *argv[]);
-int BecomeUser(uid_t uid, gid_t gid);
+int BecomeUser(script_t *scriptbuf);
 void assignGlobalStartupValues(void);
 void unlink_uploadlist (void);
 int main(int argc, char *argv[]);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude 
config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 
--exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh 
old/haserl-0.9.35/src/rfc2388.c new/haserl-0.9.36/src/rfc2388.c
--- old/haserl-0.9.35/src/rfc2388.c     2015-02-16 00:01:21.000000000 +0100
+++ new/haserl-0.9.36/src/rfc2388.c     2021-03-07 14:30:41.000000000 +0100
@@ -30,7 +30,7 @@
 #include <sys/types.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
-#include <sys/fcntl.h>
+#include <fcntl.h>
 #include <stdlib.h>
 #include <string.h>
 
