!26 [sync] PR-22: Fix CVE-2023-27371

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
Fix CVE-2023-27371
2023-03-13 07:18:38 +00:00 · 2023-03-13 14:33:57 +08:00 · 2023-01-30 02:47:01 +00:00 · 2023-01-30 10:23:04 +08:00 · 2021-08-06 01:49:05 +00:00 · 2021-08-06 08:50:58 +08:00
4 changed files with 93 additions and 90 deletions
--- a/0001-skip-tls-upgrade-test-case.patch
+++ b/0001-skip-tls-upgrade-test-case.patch
@ -0,0 +1,26 @@
+From dc3efc32ca70ba6924f43014cfa3669b3a54d8fa Mon Sep 17 00:00:00 2001
+From: wang--ge <wang__ge@126.com>
+Date: Sun, 29 Jan 2023 15:50:35 +0800
+Subject: [PATCH] skip tls upgrade test case
+
+---
+ src/microhttpd/Makefile.am | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/microhttpd/Makefile.am b/src/microhttpd/Makefile.am
+index d89f3c1..e50ff5f 100644
+--- a/src/microhttpd/Makefile.am
+++ b/src/microhttpd/Makefile.am
+@@ -151,9 +151,6 @@ check_PROGRAMS = \
+ if HAVE_POSIX_THREADS
+ if ENABLE_UPGRADE
+   check_PROGRAMS += test_upgrade
+-if ENABLE_HTTPS
+-  check_PROGRAMS += test_upgrade_tls
+-endif
+ endif
+ endif
+ 
+-- 
+2.27.0
+
--- a/CVE-2023-27371.patch
+++ b/CVE-2023-27371.patch
@ -0,0 +1,12 @@
+diff -Naur a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
+--- a/src/microhttpd/postprocessor.c	2023-03-13 11:20:38.069141187 +0800
+++ b/src/microhttpd/postprocessor.c	2023-03-13 11:21:37.158002318 +0800
+@@ -310,7 +310,7 @@
+ 	return NULL; /* failed to determine boundary */
+       boundary += MHD_STATICSTR_LEN_ ("boundary=");
+       blen = strlen (boundary);
+-      if ( (blen == 0) ||
+      if ( (blen < 2) ||
+            (blen * 2 + 2 > buffer_size) )
+         return NULL;            /* (will be) out of memory or invalid boundary */
+       if ( (boundary[0] == '"') &&
--- a/fix-libmicrohttpd-tutorial-info.patch
+++ b/fix-libmicrohttpd-tutorial-info.patch
@ -0,0 +1,39 @@
+From 398397ad7122fd46b34ab0d6bea79433feb7c84a Mon Sep 17 00:00:00 2001
+From: caodongxia <315816521@qq.com>
+Date: Thu, 5 Aug 2021 19:37:27 +0800
+Subject: [PATCH] init
+
+---
+ doc/libmicrohttpd-tutorial.info | 2 +-
+ doc/libmicrohttpd-tutorial.texi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/libmicrohttpd-tutorial.info b/doc/libmicrohttpd-tutorial.info
+index 9454640..28ba70e 100644
+--- a/doc/libmicrohttpd-tutorial.info
+++ b/doc/libmicrohttpd-tutorial.info
+@@ -15,7 +15,7 @@ April 2016.
+      section entitled "GNU Free Documentation License".
+ INFO-DIR-SECTION Software libraries
+ START-INFO-DIR-ENTRY
+-* libmicrohttpdtutorial: (libmicrohttpd).       A tutorial for GNU libmicrohttpd.
+* libmicrohttpdtutorial: (libmicrohttpd-tutorial).       A tutorial for GNU libmicrohttpd.
+ END-INFO-DIR-ENTRY
+ 
+ 
+diff --git a/doc/libmicrohttpd-tutorial.texi b/doc/libmicrohttpd-tutorial.texi
+index 8fd7b56..dc0eb91 100644
+--- a/doc/libmicrohttpd-tutorial.texi
+++ b/doc/libmicrohttpd-tutorial.texi
+@@ -15,7 +15,7 @@
+ 
+ @dircategory Software libraries
+ @direntry
+-* libmicrohttpdtutorial: (libmicrohttpd).       A tutorial for GNU libmicrohttpd.
+* libmicrohttpdtutorial: (libmicrohttpd-tutorial).       A tutorial for GNU libmicrohttpd.
+ @end direntry
+ 
+ @copying
+-- 
+2.27.0
+
--- a/libmicrohttpd.spec
+++ b/libmicrohttpd.spec
@ -1,183 +1,109 @@
 Name:           libmicrohttpd
-
 Version:        0.9.59
-
-Release:        4
-
+Release:        8
 Epoch:          1
-
 Summary:        Lightweight library for embedding a webserver in applications
-
 License:        LGPLv2+
-
 URL:            http://www.gnu.org/software/libmicrohttpd/
-
 Source0:        https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
-
 Patch0001:      gnutls-utilize-system-crypto-policy.patch
-
-
+Patch0002:      fix-libmicrohttpd-tutorial-info.patch
+Patch0003:      0001-skip-tls-upgrade-test-case.patch
+Patch0004:      CVE-2023-27371.patch

 BuildRequires:  autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz
+Requires:       %{name}-help = %{epoch}:%{version}-%{release}

 Requires(post): info
-
 Requires(preun):info

-
-
 %description
-
 GNU libmicrohttpd is a small C library that is supposed to make it
-
 easy to run an HTTP server as part of another application.

-
-
 %package devel
-
 Summary:        Development files for libmicrohttpd
-
 Requires:       %{name} = %{epoch}:%{version}-%{release}

-
-
 %description devel
-
 Development files for libmicrohttpd

-
-
 %package help
-
 Summary:        This help package for libmicrohttpd
-
 Requires:       %{name} = %{epoch}:%{version}-%{release}
-
 BuildArch:      noarch
-
 Provides:       %{name}-doc = %{epoch}:%{version}-%{release}
-
 Obsoletes:      %{name}-doc < %{epoch}:%{version}-%{release}

-
-
 %description help
-
 The help package contains manual pages and doc files for libmicrohttpd

-
-
 %prep
-
 %autosetup -p1

-
-
 %build
-
 autoreconf --install --force
-
 %configure --disable-static --with-gnutls --enable-https=yes
-
 %make_build
-
 make -C doc/doxygen full

-
-
 %check
-
 make check

-
-
 %install
-
 %make_install

-
-
 mkdir examples
-
 cp  src/examples/*.c examples
-
 cp doc/examples/*.c examples
-
 chmod 644 examples/*.c
-
 cp -R doc/doxygen/html html
-
 %post help
-
 install-info %{_infodir}/libmicrohttpd.info.gz %{_infodir}/dir || :
-
 install-info %{_infodir}/libmicrohttpd-tutorial.info.gz %{_infodir}/dir || :

-
-
 %preun help
-
 if [ $1 = 0 ] ; then
-
 install-info --delete %{_infodir}/libmicrohttpd.info.gz %{_infodir}/dir || :
-
 install-info --delete %{_infodir}/libmicrohttpd-tutorial.info.gz %{_infodir}/dir || :
-
 fi

-
-
 %post
-
 /sbin/ldconfig
-
 %postun
-
 /sbin/ldconfig

-
-
 %files
-
 %license COPYING
-
 %{_libdir}/libmicrohttpd.so.*

-
-
 %files devel
-
 %{_includedir}/microhttpd.h
-
 %{_libdir}/libmicrohttpd.so
-
 %{_libdir}/pkgconfig/libmicrohttpd.pc
-
 %exclude %{_libdir}/libmicrohttpd.la
-
 %exclude %{_infodir}/dir
-
 %exclude %{_bindir}/demo

-
-
 %files help
-
 %doc AUTHORS ChangeLog examples html README
-
 %{_mandir}/man3/libmicrohttpd.3.gz
-
 %{_infodir}/libmicrohttpd.info.gz
-
 %{_infodir}/libmicrohttpd-tutorial.info.gz
-
 %{_infodir}/libmicrohttpd_performance_data.png.gz

-
-
 %changelog
+* Mon Mar 13 2023 yaoxin <yaoxin30@h-partners.com> - 1:0.9.59-8
+- Fix CVE-2023-27371
+
+* Mon Jan 29 2023 Ge Wang<wangge20@h-partners.com> - 0.9.59-7
+- Skip upgrade_tls test case due to socket recv failure
+
+* Thu Aug 05 2021 caodongxia<caodongxia@huawei.com> - 0.9.59-6
+- Fix libmicrohttpd-tutorial info
+
+* Fri Nov 06 2020 leiju<leiju4@huawei.com> - 0.9.59-5
+- Add Requires libmicrohttpd-help into libmicrohttpd

 * Thu Nov 21 2019 wangye<wangye54@huawei.com> - 0.9.59-4
-
 - Package init
Author	SHA1	Message	Date
openeuler-ci-bot	ac803a1ae7	!26 [sync] PR-22: Fix CVE-2023-27371 From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-03-13 07:18:38 +00:00
starlet-dx	117842d735	Fix CVE-2023-27371 (cherry picked from commit 7ff34701427430d009f7e91e6c397bf7076fd033)	2023-03-13 14:33:57 +08:00
openeuler-ci-bot	58712cab46	!20 [sync] PR-19: Skip tls upgrade test case From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-01-30 02:47:01 +00:00
wang--ge	ca05bcbdac	skip tls upgrade test case (cherry picked from commit c864306da00273972b264708663251d83c6a6ad3)	2023-01-30 10:23:04 +08:00
openeuler-ci-bot	7a3879b208	!5 [sync] PR-4: 修复卸载告警信息 From: @openeuler-sync-bot Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-08-06 01:49:05 +00:00
caodongxia	fb246d21f3	Fix libmicrohttpd-tutorial info (cherry picked from commit 4c02ed9a3c8c4556b7429705dddb2300b478d3c7)	2021-08-06 08:50:58 +08:00
openeuler-ci-bot	824d07e97e	!3 Add Requires libmicrohttpd-help into libmicrohttpd From: @lei_ju Reviewed-by: @hht8,@small_leek Signed-off-by: @small_leek	2020-11-06 17:31:47 +08:00
lei_ju	40b7c91044	Add Requires libmicrohttpd-help into libmicrohttpd	2020-11-06 16:39:40 +08:00
openeuler-ci-bot	3538e679c7	!1 add libmicrohttpd Merge pull request !1 from yeah_wang/apple	2019-12-09 15:24:28 +08:00
yeah_wang	97e7a5a5aa	update libmicrohttpd.spec.	2019-12-09 15:00:58 +08:00