Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package libhtp. The debdiff is attached. The actual change is very small and does not affect the API/ABI. This update is meant to go hand-in-hand with the new version of Suricata (4.1.4) for which we have also asked for an unblock in #928294. Again, since libhtp is the HTTP parsing component of a security-relevant software tool exposed to potentially malicious traffic, we should aim for the latest version available in buster. Here's the full changelog since the version in buster: 0.5.30 (07 March 2019) ---------------------- - array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz - improved Windows support - fuzz targets improvements by Philippe Antoine - packaging improvements by Fabrice Fontaine - install doc improved by Wenhui Zhang unblock libhtp/1:0.5.30-1 Best regards Sascha
diff -Nru libhtp-0.5.29/appveyor.yml libhtp-0.5.30/appveyor.yml
--- libhtp-0.5.29/appveyor.yml 1970-01-01 01:00:00.000000000 +0100
+++ libhtp-0.5.30/appveyor.yml 2019-03-07 08:35:13.000000000 +0100
@@ -0,0 +1,18 @@
+environment:
+ matrix:
+ - COMPILER: mingw-w64
+ MINGW_DIR: c:\msys64\mingw64
+ MINGW_ARCH: x86_64
+
+ - COMPILER: mingw
+ MINGW_DIR: c:\msys64\mingw32
+ MINGW_ARCH: i686
+
+build_script:
+ - set Path=%MINGW_DIR%\bin;c:\msys64\usr\bin;%Path%
+ - bash autogen.sh
+ - bash configure
+ - make distcheck
+
+#on_finish:
+# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
diff -Nru libhtp-0.5.29/ChangeLog libhtp-0.5.30/ChangeLog
--- libhtp-0.5.29/ChangeLog 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/ChangeLog 2019-03-07 08:35:13.000000000 +0100
@@ -1,3 +1,16 @@
+0.5.30 (07 March 2019)
+----------------------
+
+- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz
+
+- improved Windows support
+
+- fuzz targets improvements by Philippe Antoine
+
+- packaging improvements by Fabrice Fontaine
+
+- install doc improved by Wenhui Zhang
+
 0.5.29 (21 December 2018)
 -------------------------
diff -Nru libhtp-0.5.29/configure.ac libhtp-0.5.30/configure.ac
--- libhtp-0.5.29/configure.ac 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/configure.ac 2019-03-07 08:35:13.000000000 +0100
@@ -118,6 +118,11 @@
 OS_WINDOWS="true"
 NO_STACK_PROTECTOR="true"
 ;;
+ MSYS*)
+ AC_MSG_RESULT(MSYS)
+ OS_WINDOWS="true"
+ NO_STACK_PROTECTOR="true"
+ ;;
 CYGWIN*)
 AC_MSG_RESULT(Cygwin)
 OS_CYGWIN="true"
diff -Nru libhtp-0.5.29/debian/changelog libhtp-0.5.30/debian/changelog
--- libhtp-0.5.29/debian/changelog 2018-12-27 12:23:45.000000000 +0100
+++ libhtp-0.5.30/debian/changelog 2019-05-02 16:38:21.000000000 +0200
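Review bot: The commented-out on_finish step at the end of the new appveyor.yml fetches a PowerShell script from raw.githubusercontent.com at the master branch and runs it with iex, so if it is ever re-enabled the build executes whatever that URL serves on that day. Disabled debugging hooks like this tend to be uncommented under time pressure, which is exactly when nobody re-reads them. If the RDP hook is not needed for the package build, delete those two lines; if it is kept for debugging, pin the URL to a specific commit hash instead of master so the executed content is fixed. The file is new, so nothing else in it depends on that step.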
@@ -1,3 +1,9 @@
+libhtp (1:0.5.30-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Sascha Steinbiss <sa...@debian.org> Thu, 02 May 2019 16:38:21 +0200
+
 libhtp (1:0.5.29-1) unstable; urgency=medium
 * New upstream release.
diff -Nru libhtp-0.5.29/htp/htp_list.c libhtp-0.5.30/htp/htp_list.c
--- libhtp-0.5.29/htp/htp_list.c 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp/htp_list.c 2019-03-07 08:35:13.000000000 +0100
@@ -172,15 +172,7 @@
 if (idx + 1 > l->current_size) return HTP_DECLINED;
- size_t i = l->first;
-
- while (idx--) {
- if (++i == l->max_size) {
- i = 0;
- }
- }
-
- l->elements[i] = e;
+ l->elements[(l->first + idx) % l->max_size] = e;
 return HTP_OK;
 }
diff -Nru libhtp-0.5.29/htp.pc.in libhtp-0.5.30/htp.pc.in
--- libhtp-0.5.29/htp.pc.in 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/htp.pc.in 2019-03-07 08:35:13.000000000 +0100
@@ -7,5 +7,6 @@
 Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products.
 Version: @PACKAGE_VERSION@
 Libs: -L${libdir} -lhtp
+Libs.private: @LIBICONV@
 Cflags: -I${includedir} -I${libdir}/htp/include
diff -Nru libhtp-0.5.29/README libhtp-0.5.30/README
--- libhtp-0.5.29/README 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/README 2019-03-07 08:35:13.000000000 +0100
@@ -43,6 +43,8 @@
 Assuming you're using an already packaged version of LibHTP, the installation process should be as simple as:
+ $ sudo chmod u+x autogen.sh
+ $ ./autogen.sh
 $ ./configure
 $ make
 $ sudo make install
diff -Nru libhtp-0.5.29/test/fuzz/fuzz_htp.c libhtp-0.5.30/test/fuzz/fuzz_htp.c
--- libhtp-0.5.29/test/fuzz/fuzz_htp.c 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/test/fuzz/fuzz_htp.c 2019-03-07 08:35:13.000000000 +0100
@@ -10,7 +10,7 @@
 #include <sys/types.h>
 #include <string.h>
 #include <stdio.h>
-
+#include <inttypes.h>
 #include <sys/stat.h>
 #include <fcntl.h>
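Review bot: The new index `(l->first + idx) % l->max_size` in htp_list.c stays in range only because the guard just above it keeps idx below current_size, and that guard is spelled `if (idx + 1 > l->current_size)`, which wraps to 0 for idx == SIZE_MAX if idx is a size_t (the removed `while (idx--)` loop suggests it is) and then falls through into the modulo. `if (idx >= l->current_size) return HTP_DECLINED;` is the equivalent check without the wrap, and, assuming current_size never exceeds max_size, it also rules out reaching `%` with a zero divisor on an empty list. A one-line comment such as `/* ring buffer: slot idx lives at first + idx, wrapped at max_size */` would preserve the intent that the removed loop made explicit. The enclosing function starts before the hunk.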
@@ -26,22 +26,82 @@
 *
 * @param[in] connp
 */
-static int callback_response(htp_tx_t *out_tx) {
+static int HTPCallbackResponse(htp_tx_t *out_tx) {
 if (out_tx != NULL) {
 char *x = bstr_util_strdup_to_c(out_tx->request_line);
- fprintf(logfile, "%s\n", x);
+ fprintf(logfile, "HTPCallbackResponse %s\n", x);
 free(x);
 }
 return 0;
 }
+static int HTPCallbackRequestHeaderData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackRequestHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackResponseHeaderData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackResponseHeaderData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackRequestHasTrailer(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestHasTrailer\n");
+ return 0;
+}
+
+static int HTPCallbackResponseHasTrailer(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackResponseHasTrailer\n");
+ return 0;
+}
+
+static int HTPCallbackRequestBodyData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackRequestBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackResponseBodyData(htp_tx_data_t *tx_data)
+{
+ fprintf(logfile, "HTPCallbackResponseBodyData %"PRIuMAX"\n", (uintmax_t)tx_data->len);
+ return 0;
+}
+
+static int HTPCallbackRequestStart(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestStart\n");
+ return 0;
+}
+
+static int HTPCallbackRequest(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequest\n");
+ return 0;
+}
+
+static int HTPCallbackResponseStart(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackResponseStart\n");
+ return 0;
+}
+
+static int HTPCallbackRequestLine(htp_tx_t *tx)
+{
+ fprintf(logfile, "HTPCallbackRequestLine\n");
+ return 0;
+}
+
 /**
 * Invoked every time LibHTP wants to log.
 *
 * @param[in] log
 */
-static int callback_log(htp_log_t *log) {
- fprintf(logfile, "[%d][code %d][file %s][line %d] %s\n",
+static int HTPCallbackLog(htp_log_t *log) {
+ fprintf(logfile, "HTPCallbackLog [%d][code %d][file %s][line %d] %s\n",
 log->level, log->code, log->file, log->line, log->msg);
 return 0;
 }
@@ -73,8 +133,20 @@
 htp_config_destroy(cfg);
 return 0;
 }
- htp_config_register_response_complete(cfg, callback_response);
- htp_config_register_log(cfg, callback_log);
+ htp_config_register_log(cfg, HTPCallbackLog);
+ htp_config_register_request_header_data(cfg, HTPCallbackRequestHeaderData);
+ htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);
+ htp_config_register_response_header_data(cfg, HTPCallbackResponseHeaderData);
+ htp_config_register_response_trailer_data(cfg, HTPCallbackResponseHeaderData);
+ htp_config_register_request_trailer(cfg, HTPCallbackRequestHasTrailer);
+ htp_config_register_response_trailer(cfg, HTPCallbackResponseHasTrailer);
+ htp_config_register_request_body_data(cfg, HTPCallbackRequestBodyData);
+ htp_config_register_response_body_data(cfg, HTPCallbackResponseBodyData);
+ htp_config_register_request_start(cfg, HTPCallbackRequestStart);
+ htp_config_register_request_complete(cfg, HTPCallbackRequest);
+ htp_config_register_response_start(cfg, HTPCallbackResponseStart);
+ htp_config_register_response_complete(cfg, HTPCallbackResponse);
+ htp_config_register_request_line(cfg, HTPCallbackRequestLine);
 connp = htp_connp_create(cfg);
 htp_connp_set_user_data(connp, (void *) 0x02);
diff -Nru libhtp-0.5.29/.travis.yml libhtp-0.5.30/.travis.yml
--- libhtp-0.5.29/.travis.yml 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/.travis.yml 2019-03-07 08:35:13.000000000 +0100
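Review bot: `fprintf(logfile, "HTPCallbackResponse %s\n", x);` in HTPCallbackResponse hands x straight to %s, and bstr_util_strdup_to_c presumably returns NULL on allocation failure or when request_line was never set for the transaction; a NULL argument for %s is undefined behaviour in C, with "(null)" only a glibc courtesy. `fprintf(logfile, "HTPCallbackResponse %s\n", x ? x : "(null)");` keeps the fuzz log deterministic across libcs. The doxygen block above that function still says `@param[in] connp` while the parameter is `out_tx`; the rename was a good moment to change it to `@param[in] out_tx`. The six new callbacks taking `htp_tx_t *tx` never read it, so a `(void)tx;` line in each (or an unnamed parameter) would keep -Wunused-parameter builds quiet.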
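Review bot: `htp_config_register_request_trailer_data(cfg, HTPCallbackRequestHeaderData);` and the matching response line reuse the header-data callbacks for trailer data, so the log prints "HTPCallbackRequestHeaderData" for both events and a crash reproducer's trace can no longer tell a trailer from a header. If the sharing is intended, a short comment on those two lines, `/* trailer data is logged under the header-data label on purpose */`, says so; otherwise two small HTPCallback*TrailerData functions with their own label keep the trace unambiguous. The enclosing function starts and ends outside the hunk.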
@@ -8,3 +8,17 @@
 - sudo apt-get update -qq
 - sudo apt-get install -y build-essential autoconf automake libtool zlib1g zlib1g-dev make
+matrix:
+ include:
+ - name: fuzza
+ env: CXX="clang++" ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address" LDFLAGS="-fsanitize=address"
+ compiler: clang
+ os: linux
+ - name: fuzzm
+ env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=memory" LDFLAGS="-fsanitize=memory"
+ compiler: clang
+ os: linux
+ - name: fuzzu
+ env: CXX="clang++" CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer" LDFLAGS="-fsanitize=undefined"
+ compiler: clang
+ os: linux
diff -Nru libhtp-0.5.29/VERSION libhtp-0.5.30/VERSION
--- libhtp-0.5.29/VERSION 2018-12-20 18:55:58.000000000 +0100
+++ libhtp-0.5.30/VERSION 2019-03-07 08:35:13.000000000 +0100
@@ -1,2 +1,2 @@
 # This file is intended to be sourced by sh
-PKG_VERSION=0.5.28
+PKG_VERSION=0.5.30
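Review bot: In the fuzzu job, `-fno-sanitize-recover=undefined,integer` is set in CFLAGS but not in CXXFLAGS, so undefined behaviour reported from any C++ translation unit built in that configuration prints a diagnostic and the run keeps going instead of failing the job; the flag belongs in both, e.g. `CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fno-sanitize-recover=undefined,integer"`. In the fuzza job, `ASAN_OPTIONS=detect_leaks=0` switches LeakSanitizer off, so allocation leaks on malformed input, a resource-exhaustion concern for a parser fed attacker-controlled traffic, go unreported in CI. If that suppression exists for a known harness leak, a comment naming it on the env line would stop the next reader from removing it blindly, and otherwise it should be dropped.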