Hello community,

here is the log from the commit of package libevent.3426 for openSUSE:13.1:Update checked in at 2015-01-23 20:01:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/libevent.3426 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.libevent.3426.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libevent.3426" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.libevent.3426.new/libevent.changes 2015-01-23 20:01:06.000000000 +0100 
@@ -0,0 +1,332 @@ +------------------------------------------------------------------- +Thu Jan 15 15:01:56 UTC 2015 - meiss...@suse.com + +- libevent20-CVE-2014-6272.patch: Fixed heap overflows in buffer API + (bsc#897243 CVE-2014-6272) + +------------------------------------------------------------------- +Sat Jun 29 12:36:28 UTC 2013 - i...@marguerite.su + +- update to 2.0.21 + * see ChangeLog for details. + +------------------------------------------------------------------- +Fri Nov 16 21:24:42 UTC 2012 - andreas.stie...@gmx.de + +- update to 2.0.20 + * core: Make event_pending() threadsafe + * evhttp: Fix a memory leak on error in evhttp_uriencode + * evbuffer: Avoid possible needless call to writev + * evdns: memset sockaddr_in before using it + * evhttp: Check more setsockopt return values when binding sockets + * evdns: Avoid segfault on weird timeout during name lookup + * bufferevent_ssl: Correctly invoke callbacks when a SSL + bufferevent reads some and then blocks + +------------------------------------------------------------------- +Mon Jul 30 22:21:50 UTC 2012 - crrodrig...@opensuse.org + +- Libevent 2.0.19 +* Fix periodic timeout behavior when time jumps forwar +* Avoid certain priority inversions +* More evdns improvements +* lots of other bugfixes, see NEWS for details. +- Provide openssl support. + +------------------------------------------------------------------- +Wed Feb 1 01:13:02 UTC 2012 - jeng...@medozas.de + +- Remove redundant tags/sections per specfile guideline suggestions +- Use "pkgconfig" BR so that the package also works on Redhats. + +------------------------------------------------------------------- +Wed Aug 3 13:59:36 UTC 2011 - fris...@gmx.de + +- spec mods + o libsoname macro + o name macro +- added baselibs.conf +- rpmlint + o fix self obsoletes + +------------------------------------------------------------------- +Mon Mar 22 11:51:31 UTC 2011 - dims...@opensuse.org + +- Drop autoreconf call from build section. 
We do not carry any + patches at this time. + +------------------------------------------------------------------- +Mon Mar 21 23:02:31 UTC 2011 - dims...@opensuse.org + +- Update to version 2.0.10: + + Bugfixes: + - Minor fix for IOCP shutdown handling fix + - Correctly notify the main thread when activating an event + from a subthread + - Reject overlong http requests early when Expect:100-continue + is set + - EVUTIL_ASSERT: Use sizeof() to avoid "unused variable" + warnings with -DNDEBUG. + + Code cleanups: + - bufferevent-internal.h: Use the new event2/util.h header, + not evutil.h + - Use relative includes instead of system includes consistently + - Make whitespace more consistent +- For all changes between 1.4.14 and 2.0.10, see ChangeLog. +- BuildRequire pkg-config, for proper pkgconfig() provides. +- Change library soname to libevent-2_0-5 + +------------------------------------------------------------------- +Mon Jun 21 14:41:53 UTC 2010 - alexan...@exatati.com.br + +- Spec file cleaned with spec-cleaner; +- Changes in 1.4.14b-stable + o Set the VERSION_INFO correctly for 1.4.14 + +- Changes in 1.4.14-stable + o Add a .gitignore file for the 1.4 branch. (d014edb) + o Backport evbuffer_readln(). (b04cc60 Nicholas Marriott) + o Make the evbuffer_readln backport follow the current API (c545485) + o Valgrind fix: Clear struct kevent before checking for OSX bug. (5713d5d William Ahern) + o Fix a crash when reading badly formatted resolve.conf (5b10d00 Yasuoka Masahiko) + o Fix memory-leak of signal handler array with kqueue. [backport] (01f3775) + o Update sample/signal-test.c to use newer APIs and not leak. (891765c Evan Jones) + o Correct all versions in 1.4 branch (ac0d213) + o Make evutil_make_socket_nonblocking() leave any other flags alone. (81c26ba Jardel Weyrich) + o Adjusted fcntl() retval comparison on evutil_make_socket_nonblocking(). 
(5f2e250 Jardel Weyrich) + o Correct a debug message in evhttp_parse_request_line (35df59e) + o Merge branch 'readln-backport' into patches-1.4 (8771d5b) + o Do not send an HTTP error when we've already closed or responded. (4fd2dd9 Pavel Plesov) + o Re-add event_siglcb; some old code _was_ still using it. :( (bd03d06) + o Make Libevent 1.4 build on win32 with Unicode enabled. (bce58d6 Brodie Thiesfield) + o Distribute nmake makefile for 1.4 (20d706d) + o do not fail while sending on http connections the client closed. (5c8b446) + o make evhttp_send() safe against terminated connections, too (01ea0c5) + o Fix a free(NULL) in min_heap.h (2458934) + o Fix memory leak when setting up priorities; reported by Alexander Drozdov (cb1a722) + o Clean up properly when adding a signal handler fails. (ae6ece0 Gilad Benjamini) + o Do not abort HTTP requests missing a reason string. (29d7b32 Pierre Phaneuf) + o Fix compile warning in http.c (906d573) + o Define _REENTRANT as needed on Solaris, elsewhere (6cbea13) + +- Changes in 1.4.13-stable: + o If the kernel tells us that there are a negative number of bytes to read from a socket, do not believe it. Fixes bug 2841177; found by Alexander Pronchenkov. + o Do not allocate the maximum event queue and fd array for the epoll backend at startup. Instead, start out accepting 32 events at a time, and double the queue's size when it seems that the OS is generating events faster than we're requesting them. Saves up to 512K per epoll-based event_base. Resolves bug 2839240. + o Fix compilation on Android, which forgot to define fd_mask in its sys/select.h + o Do not drop data from evbuffer when out of memory; reported by Jacek Masiulaniec + o Rename our replacement compat/sys/_time.h header to avoid build a conflict on HPUX; reported by Kathryn Hogg. + o Build kqueue.c correctly on GNU/kFreeBSD platforms. Patch pulled upstream from Debian. + o Fix a problem with excessive memory allocation when using multiple event priorities. 
+ o When running set[ug]id, don't check the environment. Based on a patch from OpenBSD. + + +------------------------------------------------------------------- +Wed Oct 28 17:39:29 UTC 2009 - crrodrig...@opensuse.org + +- libevent-devel Requires glibc-devel + +------------------------------------------------------------------- +Thu Aug 27 15:21:57 CEST 2009 - meiss...@suse.de + +- Changes in 1.4.12-stable: + o Try to contain degree of failure when running on a win32 version so + heavily firewalled that we can't fake a socketpair. + o Fix an obscure timing-dependent, allocator-dependent crash in the evdns code. + o Use __VA_ARGS__ syntax for varargs macros in event_rpcgen when compiler + is not GCC. + o Activate fd events in a pseudorandom order with O(N) backends, so + that we don't systematically favor low fds (select) or earlier-added fds + (poll, win32). + o Fix another pair of fencepost bugs in epoll.c. [Patch from Adam Langley.] + o Do not break evdns connections to nameservers when our IP changes. + o Set truncated flag correctly in evdns server replies. + o Disable strict aliasing with GCC: our code is not compliant with it. + +- Changes in 1.4.11-stable: + o Fix a bug when removing a timeout from the heap. [Patch from Marko Kreen] + o Remove the limit on size of HTTP headers by removing static buffers. + o Fix a nasty dangling pointer bug in epoll.c that could occur after + epoll_recalc(). [Patch from Kevin Springborn] + o Distribute Win32-Code/event-config.h, not ./event-config.h + +- Changes in 1.4.10-stable: + o clean up buffered http connection data on reset; reported by Brian O'Kelley + o bug fix and potential race condition in signal handling; from Alexander Drozdov + o rename the Solaris event ports backend to evport + o support compilation on Haiku + o fix signal processing when a signal callback delivers a signal; from Alexander Drozdov + o const-ify some arguments to evdns functions. 
+ o off-by-one error in epoll_recalc; reported by Victor Goya + o include Doxyfile in tar ball; from Jeff Garzik + o correctly parse queries with encoded \r, \n or + characters + +------------------------------------------------------------------- +Mon Mar 16 16:48:18 CET 2009 - meiss...@suse.de + +- updated to 1.4.9-stable: + o event_add would not return error for some backends; from Dean McNamee + o Clear the timer cache on entering the event loop; reported by Victor Chang + o Only bind the socket on connect when a local address has been provided; + reported by Alejo Sanchez + o Allow setting of local port for evhttp connections to support millions + of connections from a single system; from Richard J ones. + o Clear the timer cache when leaving the event loop; reported by Robin Haberkorn + o Fix a typo in setting the global event base; reported by lance. + o Fix a memory leak when reading multi-line headers + o Fix a memory leak by not running explicit close detection for server connections + +- updated to 1.4.8-stable: + o Match the query in DNS replies to the query in the request; from Vsevolod Stakhov. + o Fix a merge problem in which name_from_addr returned pointers to the stack; found by Jiang Hong. + o Do not remove Accept-Encoding header + +- updated to 1.4.7-stable: + o Fix a bug where headers arriving in multiple packets were not parsed; fix from Jiang Hong; test by me. + +- updated to 1.4.6-stable: + o evutil.h now includes <stdarg.h> directly + o switch all uses of [v]snprintf over to evutil + o Correct handling of trailing headers in chunked replies; from Scott Lamb. 
+ o Support multi-line HTTP headers; based on a patch from Moshe Litvin + o Reject negative Content-Length headers; anonymous bug report + o Detect CLOCK_MONOTONIC at runtime for evdns; anonymous bug report + o Fix a bug where deleting signals with the kqueue backend would cause subsequent adds to fail + o Support multiple events listening on the same signal; make signals + regular events that go on the same event queue; problem + report by Alexander Drozdov. + o Deal with evbuffer_read() returning -1 on EINTR|EAGAIN; from Adam Langley. ++++ 135 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.libevent.3426.new/libevent.changes New: ---- baselibs.conf libevent-2.0.21-stable.tar.gz libevent.changes libevent.spec libevent20-CVE-2014-6272.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libevent.spec ++++++ # # spec file for package libevent # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libevent %define libsoname %{name}-2_0-5 Version: 2.0.21 Release: 0 Summary: An event notification library License: BSD-3-Clause Group: System/Libraries Url: http://libevent.org/ Source0: https://github.com/downloads/libevent/libevent/%{name}-%{version}-stable.tar.gz Source1: baselibs.conf Patch0: libevent20-CVE-2014-6272.patch BuildRequires: openssl-devel BuildRequires: pkg-config BuildRequires: zlib-devel Requires(pre): %fillup_prereq Requires(pre): %insserv_prereq BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. Furthermore, libevent also support callbacks due to signals or regular timeouts. Currently, libevent supports /dev/poll, kqueue(2), event ports, POSIX select(2), Windows select(), poll(2), and epoll(4). Libevent additionally provides a sophisticated framework for buffered network IO, with support for sockets, filters, rate-limiting, SSL, zero-copy file transmission, and IOCP. Libevent includes support for several useful protocols, including DNS, HTTP, and a minimal RPC framework. %package -n %{libsoname} Summary: An event notification library Group: System/Libraries Provides: %{name} = %{version} Obsoletes: %{name} < %{version} %description -n %{libsoname} The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. Furthermore, libevent also support callbacks due to signals or regular timeouts. Currently, libevent supports /dev/poll, kqueue(2), event ports, POSIX select(2), Windows select(), poll(2), and epoll(4). Libevent additionally provides a sophisticated framework for buffered network IO, with support for sockets, filters, rate-limiting, SSL, zero-copy file transmission, and IOCP. 
Libevent includes support for several useful protocols, including DNS, HTTP, and a minimal RPC framework. This package holds the shared libraries for libevent. %package devel Summary: Development files for libevent2 Group: Development/Libraries/C and C++ Requires: %{libsoname} = %{version} Requires: glibc-devel Provides: %{name}:/usr/include/event.h # Both have /usr/include/event.h Conflicts: libev-devel %description devel The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. Furthermore, libevent also support callbacks due to signals or regular timeouts. Currently, libevent supports /dev/poll, kqueue(2), event ports, POSIX select(2), Windows select(), poll(2), and epoll(4). Libevent additionally provides a sophisticated framework for buffered network IO, with support for sockets, filters, rate-limiting, SSL, zero-copy file transmission, and IOCP. Libevent includes support for several useful protocols, including DNS, HTTP, and a minimal RPC framework. This package holds the development files for libevent2. 
%prep %setup -q -n %{name}-%{version}-stable %patch0 -p1 %build %configure --disable-static make %{?_smp_mflags} %install %makeinstall find %{buildroot}%{_libdir} -name "*.la" -delete -print %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig %files -n %{libsoname} %defattr(-,root,root,-) %doc ChangeLog README LICENSE whatsnew-2.0.txt %{_libdir}/%{name}-2.0.so.5* %{_libdir}/%{name}_core-2.0.so.5* %{_libdir}/%{name}_extra-2.0.so.5* %{_libdir}/%{name}_pthreads-2.0.so.5* %{_libdir}/%{name}_openssl-2.0.so.5* %files devel %defattr(-,root,root) %{_bindir}/event_rpcgen.py %{_includedir}/evdns.h %{_includedir}/event.h %{_includedir}/evhttp.h %{_includedir}/evrpc.h %{_includedir}/evutil.h %{_includedir}/event2 %{_libdir}/%{name}.so %{_libdir}/%{name}_core.so %{_libdir}/%{name}_extra.so %{_libdir}/%{name}_pthreads.so %{_libdir}/%{name}_openssl.so %{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}_pthreads.pc %{_libdir}/pkgconfig/%{name}_openssl.pc %changelog ++++++ baselibs.conf ++++++ libevent-2_0-5 ++++++ libevent20-CVE-2014-6272.patch ++++++ diff --git a/buffer.c b/buffer.c index fab7d80..eb41fe4 100644 --- a/buffer.c +++ b/buffer.c @@ -157,12 +157,20 @@ evbuffer_chain_new(size_t size) struct evbuffer_chain *chain; size_t to_alloc; + if (size > SIZE_MAX - EVBUFFER_CHAIN_SIZE) + return (NULL); + size += EVBUFFER_CHAIN_SIZE; /* get the next largest memory that can hold the buffer */ - to_alloc = MIN_BUFFER_SIZE; - while (to_alloc < size) - to_alloc <<= 1; + if (size < SIZE_MAX / 2) { + to_alloc = MIN_BUFFER_SIZE; + while (to_alloc < size) { + to_alloc <<= 1; + } + } else { + to_alloc = size; + } /* we get everything in one chunk */ if ((chain = mm_malloc(to_alloc)) == NULL) @@ -1002,6 +1010,7 @@ evbuffer_drain(struct evbuffer *buf, size_t len) buf->first = chain; if (chain) { + EVUTIL_ASSERT(remaining <= chain->off); chain->misalign += remaining; chain->off -= remaining; } 
@@ -1068,6 +1077,7 @@ evbuffer_copyout(struct evbuffer *buf, void *data_out, size_t datlen) if (datlen) { EVUTIL_ASSERT(chain); + EVUTIL_ASSERT(datlen <= chain->off); memcpy(data, chain->buffer + chain->misalign, datlen); } @@ -1543,6 +1553,9 @@ evbuffer_add(struct evbuffer *buf, const void *data_in, size_t datlen) if (buf->freeze_end) { goto done; } + if (datlen > EV_SIZE_MAX - buf->total_len) { + goto done; + } chain = buf->last; @@ -1556,7 +1569,10 @@ evbuffer_add(struct evbuffer *buf, const void *data_in, size_t datlen) } if ((chain->flags & EVBUFFER_IMMUTABLE) == 0) { - remain = (size_t)(chain->buffer_len - chain->misalign - chain->off); + /* Always true for mutable buffers */ + EVUTIL_ASSERT(chain->misalign >= 0 && + (ev_uint64_t)chain->misalign <= EV_SIZE_MAX); + remain = chain->buffer_len - (size_t)chain->misalign - chain->off; if (remain >= datlen) { /* there's enough space to hold all the data in the * current last chain */ @@ -1627,6 +1643,9 @@ evbuffer_prepend(struct evbuffer *buf, const void *data, size_t datlen) if (buf->freeze_start) { goto done; } + if (datlen > EV_SIZE_MAX - buf->total_len) { + goto done; + } chain = buf->first; @@ -1639,6 +1658,10 @@ evbuffer_prepend(struct evbuffer *buf, const void *data, size_t datlen) /* we cannot touch immutable buffers */ if ((chain->flags & EVBUFFER_IMMUTABLE) == 0) { + /* Always true for mutable buffers */ + EVUTIL_ASSERT(chain->misalign >= 0 && + (ev_uint64_t)chain->misalign <= EV_SIZE_MAX); + /* If this chain is empty, we can treat it as * 'empty at the beginning' rather than 'empty at the end' */ if (chain->off == 0) @@ -1676,6 +1699,7 @@ evbuffer_prepend(struct evbuffer *buf, const void *data, size_t datlen) tmp->next = chain; tmp->off = datlen; + EVUTIL_ASSERT(datlen <= tmp->buffer_len); tmp->misalign = tmp->buffer_len - datlen; memcpy(tmp->buffer + tmp->misalign, data, datlen); 
@@ -1774,7 +1798,8 @@ evbuffer_expand_singlechain(struct evbuffer *buf, size_t datlen) /* Would expanding this chunk be affordable and worthwhile? */ if (CHAIN_SPACE_LEN(chain) < chain->buffer_len / 8 || - chain->off > MAX_TO_COPY_IN_EXPAND) { + chain->off > MAX_TO_COPY_IN_EXPAND || + EV_SIZE_MAX - datlen >= chain->off) { /* It's not worth resizing this chain. Can the next one be * used? */ if (chain->next && CHAIN_SPACE_LEN(chain->next) >= datlen) { @@ -1902,6 +1927,8 @@ _evbuffer_expand_fast(struct evbuffer *buf, size_t datlen, int n) rmv_all = 1; avail = 0; } else { + /* can't overflow, since only mutable chains have + * huge misaligns. */ avail = (size_t) CHAIN_SPACE_LEN(chain); chain = chain->next; } @@ -1912,6 +1939,7 @@ _evbuffer_expand_fast(struct evbuffer *buf, size_t datlen, int n) EVUTIL_ASSERT(chain->off == 0); evbuffer_chain_free(chain); } + EVUTIL_ASSERT(datlen >= avail); tmp = evbuffer_chain_new(datlen - avail); if (tmp == NULL) { if (rmv_all) { @@ -2041,6 +2069,7 @@ get_n_bytes_readable_on_socket(evutil_socket_t fd) unsigned long lng = EVBUFFER_MAX_READ; if (ioctlsocket(fd, FIONREAD, &lng) < 0) return -1; + /* Can overflow, but mostly harmlessly. XXXX */ return (int)lng; #elif defined(FIONREAD) int n = EVBUFFER_MAX_READ; @@ -2153,8 +2182,14 @@ evbuffer_read(struct evbuffer *buf, evutil_socket_t fd, int howmuch) #ifdef USE_IOVEC_IMPL remaining = n; for (i=0; i < nvecs; ++i) { - ev_ssize_t space = (ev_ssize_t) CHAIN_SPACE_LEN(*chainp); - if (space < remaining) { + /* can't overflow, since only mutable chains have + * huge misaligns. */ + size_t space = (size_t) CHAIN_SPACE_LEN(*chainp); + /* XXXX This is a kludge that can waste space in perverse + * situations. */ + if (space > EV_SSIZE_MAX) + space = EV_SSIZE_MAX; + if ((ev_ssize_t)space < remaining) { (*chainp)->off += space; remaining -= (int)space; } else { 
@@ -2427,12 +2462,17 @@ evbuffer_ptr_set(struct evbuffer *buf, struct evbuffer_ptr *pos, case EVBUFFER_PTR_ADD: /* this avoids iterating over all previous chains if we just want to advance the position */ + if (pos->pos < 0 || EV_SIZE_MAX - position < (size_t)pos->pos) { + EVBUFFER_UNLOCK(buf); + return -1; + } chain = pos->_internal.chain; pos->pos += position; position = pos->_internal.pos_in_chain; break; } + EVUTIL_ASSERT(EV_SIZE_MAX - left >= position); while (chain && position + left >= chain->off) { left -= chain->off - position; chain = chain->next; @@ -2465,7 +2505,9 @@ evbuffer_ptr_memcmp(const struct evbuffer *buf, const struct evbuffer_ptr *pos, ASSERT_EVBUFFER_LOCKED(buf); - if (pos->pos + len > buf->total_len) + if (pos->pos < 0 || + EV_SIZE_MAX - len < (size_t)pos->pos || + pos->pos + len > buf->total_len) return -1; chain = pos->_internal.chain; @@ -2651,7 +2693,8 @@ evbuffer_add_vprintf(struct evbuffer *buf, const char *fmt, va_list ap) va_end(aq); - if (sz < 0) + if (sz < 0 || + (size_t)sz == EV_SIZE_MAX) goto done; if ((size_t)sz < space) { chain->off += sz; @@ -2746,6 +2789,10 @@ evbuffer_add_file(struct evbuffer *outbuf, int fd, #endif int ok = 1; + if (offset < 0 || + (ev_uint64_t)offset > EV_SIZE_MAX - length) + return (-1); + #if defined(USE_SENDFILE) if (use_sendfile) { EVBUFFER_LOCK(outbuf); @@ -2851,7 +2898,8 @@ evbuffer_add_file(struct evbuffer *outbuf, int fd, * can abort without side effects if the read fails. */ while (length) { - read = evbuffer_readfile(tmp, fd, (ev_ssize_t)length); + ev_ssize_t to_read = length > EV_SSIZE_MAX ? EV_SSIZE_MAX : (ev_ssize_t)length; + read = evbuffer_readfile(tmp, fd, to_read); if (read == -1) { evbuffer_free(tmp); return (-1); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
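Review bot: both added bounds in evbuffer_chain_new() (hunk @@ -157,12 +157,20 @@) are written against SIZE_MAX, while every other hunk in this patch uses EV_SIZE_MAX. Use EV_SIZE_MAX in `size > SIZE_MAX - EVBUFFER_CHAIN_SIZE` and `size < SIZE_MAX / 2` so the limit comes from the library's own macro instead of depending on the platform headers defining SIZE_MAX. The else branch also deserves a one-line comment saying why rounding is skipped there: for sizes at or above half the maximum, `to_alloc <<= 1` would wrap to zero and the loop would not terminate.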
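Review bot: in evbuffer_copyout() (hunk @@ -1068,6 +1077,7 @@) the only guard added in front of the memcpy is `EVUTIL_ASSERT(datlen <= chain->off)`, and evbuffer_drain() (hunk @@ -1002,6 +1010,7 @@) relies on the same mechanism before `chain->off -= remaining`. The 2.0.10 changelog entry quoted earlier in this mail says EVUTIL_ASSERT is reduced to a sizeof() expression under -DNDEBUG, so in such a build neither bound is enforced, and in other builds a violation aborts the process. If these conditions can be reached from caller input they need an explicit check that fails the call. If they are invariants, add a comment naming the earlier check that guarantees them so the reasoning can be reviewed.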
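Review bot: the condition added to evbuffer_expand_singlechain() (hunk @@ -1774,7 +1798,8 @@), `EV_SIZE_MAX - datlen >= chain->off`, looks inverted. It is true exactly when chain->off + datlen fits in a size_t, which is the normal case, so the "not worth resizing" branch is now taken on practically every call and the in-place expansion below it is reached only when the sum would overflow. The overflow guard should be the opposite comparison, for example `datlen > EV_SIZE_MAX - chain->off`.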
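Review bot: the hunk at @@ -2041,6 +2069,7 @@ in get_n_bytes_readable_on_socket() documents the narrowing problem instead of fixing it. `return (int)lng;` still converts an unsigned long to int, and the new comment only records that it "Can overflow, but mostly harmlessly. XXXX". Since the patch exists to harden size arithmetic, clamp lng to EVBUFFER_MAX_READ (the value it is initialised with) before the cast, so a large FIONREAD result cannot come back as a negative or truncated count.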
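Review bot: the added test `(size_t)sz == EV_SIZE_MAX` in evbuffer_add_vprintf() (hunk @@ -2651,7 +2693,8 @@) cannot fire as written. It is evaluated only when `sz < 0` is false, and a non-negative value of a signed type no wider than size_t is always below EV_SIZE_MAX after the cast. If the goal is to protect later arithmetic on sz, compare against the maximum of sz's own type and add a comment naming the expression being protected.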
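Review bot: the range check added at the top of evbuffer_add_file() (hunk @@ -2746,6 +2789,10 @@) validates offset but uses length unvalidated in `EV_SIZE_MAX - length`. The declaration of length is outside the hunk, but the later hunk at @@ -2851,7 +2898,8 @@ has to cap it at EV_SSIZE_MAX before casting, so large values are expected. If length is signed or wider than size_t, a negative or oversized value makes the subtraction produce the wrong bound. Validate length first (reject negative values if the type is signed, and values above EV_SIZE_MAX), then compare offset against the remainder.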