head	1.5;
access;
symbols
	pkgsrc-2024Q3:1.4.0.30
	pkgsrc-2024Q3-base:1.4
	pkgsrc-2024Q2:1.4.0.28
	pkgsrc-2024Q2-base:1.4
	pkgsrc-2024Q1:1.4.0.26
	pkgsrc-2024Q1-base:1.4
	pkgsrc-2023Q4:1.4.0.24
	pkgsrc-2023Q4-base:1.4
	pkgsrc-2023Q3:1.4.0.22
	pkgsrc-2023Q3-base:1.4
	pkgsrc-2023Q2:1.4.0.20
	pkgsrc-2023Q2-base:1.4
	pkgsrc-2023Q1:1.4.0.18
	pkgsrc-2023Q1-base:1.4
	pkgsrc-2022Q4:1.4.0.16
	pkgsrc-2022Q4-base:1.4
	pkgsrc-2022Q3:1.4.0.14
	pkgsrc-2022Q3-base:1.4
	pkgsrc-2022Q2:1.4.0.12
	pkgsrc-2022Q2-base:1.4
	pkgsrc-2022Q1:1.4.0.10
	pkgsrc-2022Q1-base:1.4
	pkgsrc-2021Q4:1.4.0.8
	pkgsrc-2021Q4-base:1.4
	pkgsrc-2021Q3:1.4.0.6
	pkgsrc-2021Q3-base:1.4
	pkgsrc-2021Q2:1.4.0.4
	pkgsrc-2021Q2-base:1.4
	pkgsrc-2021Q1:1.4.0.2
	pkgsrc-2021Q1-base:1.4
	pkgsrc-2015Q2:1.2.0.8
	pkgsrc-2015Q2-base:1.2
	pkgsrc-2015Q1:1.2.0.6
	pkgsrc-2015Q1-base:1.2
	pkgsrc-2014Q4:1.2.0.4
	pkgsrc-2014Q4-base:1.2
	pkgsrc-2014Q3:1.2.0.2
	pkgsrc-2014Q3-base:1.2
	pkgsrc-2014Q2:1.1.0.8
	pkgsrc-2014Q2-base:1.1
	pkgsrc-2014Q1:1.1.0.6
	pkgsrc-2014Q1-base:1.1
	pkgsrc-2013Q4:1.1.0.4
	pkgsrc-2013Q4-base:1.1
	pkgsrc-2013Q3:1.1.0.2
	pkgsrc-2013Q3-base:1.1;
locks; strict;
comment	@# @;


1.5
date	2024.10.27.15.35.09;	author leot;	state dead;
branches;
next	1.4;
commitid	XXjcdJm0aiwNyjvF;

1.4
date	2021.01.08.08.47.29;	author otis;	state Exp;
branches;
next	1.3;
commitid	UcKyXMFOypSVUTCC;

1.3
date	2015.07.25.14.43.23;	author bsiegert;	state dead;
branches;
next	1.2;
commitid	64cIBG6KOCoGYFuy;

1.2
date	2014.09.07.23.24.56;	author rodent;	state Exp;
branches
	1.2.8.1;
next	1.1;
commitid	C2aKvGwyFCzHatPx;

1.1
date	2013.09.13.09.41.32;	author jperkin;	state Exp;
branches
	1.1.8.1;
next	;
commitid	GoSiLLqFcZdNag5x;

1.2.8.1
date	2015.07.26.19.57.43;	author tron;	state dead;
branches;
next	;
commitid	cKzhQA2j6Kn3HPuy;

1.1.8.1
date	2014.09.19.11.30.10;	author tron;	state Exp;
branches;
next	;
commitid	GE5wRbZX9zyJQWQx;


desc
@@


1.5
log
@socat: Update to 1.8.0.1

pkgsrc changes:
- Remove all patches: they were all present upstream

Changes:
1.8.0.1:

Corrections:
When no IP version
was preferred by environment, option -4/-6, or address option pf, Socat version 1.8.0.0 address TCP-LISTEN did not accept TCP4 connections under BSD family operating systems, but only TCP6. To regain previous behaviour, preferring IP version 4 is now the default. This also fixes some other issues with bind and range options. Thanks to Mike Andrews for reporting this issue. Tests: LISTEN_4 LISTEN_6 V1800_*_RANGE V1800_*_BIND Added Socat option -0 to allow version 1.8.0.0 behaviour (no preferred IP version). UDP-SENDTO, UDPLITE-SENDTO, and IP-SENDTO addresses now select an IPv4 address in case the server name resolves to both IPv4 and IPv6 addresses. Tests: V1800_*_SENDTO_RESOLV_6_4 Guard applyopts_termios_value() with WITH_TERMIOS. Thanks to Kush Upadhyay from Amazon Bottlerocket team for providing the patch. In some situations xioclose() was called nested what could cause hanging of OpenSSL in pthread_rwlock_wrlock() socat 1.8.0.0 with addresses of type RECVFROM and option fork, where the second address failed to connect/open in the child process, entered a fork loop that was only stopped by FD exhaustion caused by FD leak. Test: RECVFROM_FORK_LOOP socat 1.8.0.0 had an FD leak with addresses of type RECVFROM with fork. Test: RECVFROM_FORK_LEAK With version 1.8.0.0, options ipv6-join-group and ipv6-join-source-group did not work. Thanks to Linus Luessing for reporting this bug. IP-SENDTO and option pf (protocol-family) with protocol name (vs.numeric argument) failed with message: E retropts_int(): trailing garbage in numerical arg of option "protocol-family" Test: IP_SENDTO_PF Fixed a possible buffer overrun with long log lines. In fact it does not write beyond end of buffer but lets pass excessive data to the write() function. Thanks to Heinrich Schuchardt from Canonical for reporting and sending a patch. Reworked domain name resolution, centralized IPv4/IPv6 sorting. Print warning about not checking CRLs in OpenSSL only in the first child process. 
Features: Total inactivity timeout option -T 0 now means 0.0 seconds; up to version 1.8.0.0 it meant no total inactivity timeout. Changed socat-chain.sh, socat-mux.sh, and socat-broker.sh to work with older Socat versions. socat-mux.sh and socat-broker.sh, when run as root, now internally use low (512..1023) UDP ports to increase security. Added option ai-all (sets AI_ALL flag of getaddrinfo() resolver) Socks5 now also allows syntax without socks port, and supports option socksport. Porting: Changes for building and testing on NetBSD New Linux distributions dislike egrep, fgrep When NETDB_INTERNAL is not available it should be set to -1. Thanks to Baruch Siach for sending a patch. On OpenSolaris/Illumos, isastream() is declared only in stropts.h, not in sys/stropts.h Thanks to Andy Fiddaman for sending a patch. On latest Illumos, compilation failed due to new unexpected SO_PROTOCOL implementation. Thanks to Andy Fiddaman for sending a patch. Building: Makefile.in: procan.o build requires srcdir prefix for explicit source file. Thanks to Hongxu Jia and Andrew Schoolman for providing patches. Makefile.in: the CC define for procan.o build failed when CC had more than one word. Thanks to Hongxu Jia for providing an initial patch. Testing: Added the optional DEVTESTS feature for developer tests with controlled name resolution to both IPv4 and IPV6 addresses: configure Socat with --enable-devtests, this provides internal resolution of domain dest-unreach.net with host names: localhost-4, localhost-6, localhost-4-6, and localhost-6-4 test.sh: lots of corrections and improvements test.sh: many hardcoded sleep values were replaced by much shorter values tuned to performance of the platform. test.sh -D for output of platform/system specific defines (variables) test.sh: fixed ss determination; more DEFS Documentation: Fixed a lot of typos. Thanks to Solomon Victorino for sending the patch. 
@ text @$NetBSD: patch-configure,v 1.4 2021/01/08 08:47:29 otis Exp $ Check for stropts.h for usage on SunOS --- configure.orig 2021-01-03 18:23:22.000000000 +0000 +++ configure @@@@ -4034,7 +4034,7 @@@@ fi done -for ac_header in util.h bsd/libutil.h libutil.h sys/stropts.h regex.h +for ac_header in util.h bsd/libutil.h libutil.h stropts.h sys/stropts.h regex.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" @ 1.4 log @socat: Fix build on SmartOS @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Update socat to 1.7.3.0. From Ben Gergely in PR pkg/49996. ####################### V 1.7.3.0: security: (CVE Id pending) Fixed problems with signal handling caused by use of not async signal safe functions in signal handlers that could freeze socat, allowing denial of service attacks. Many changes in signal handling and the diagnostic messages system were applied to make the code async signal safe but still provide detailed logging from signal handlers: Coded function vsnprintf_r() as async signal safe incomplete substitute of libc vsnprintf() Coded function snprinterr() to replace %m in strings with a system error message Instead of gettimeofday() use clock_gettime() when available Pass Diagnostic messages from signal handler per unix socket to the main program flow Use sigaction() instead of signal() for better control Turn off nested signal handler invocations Thanks to Peter Lobsinger for reporting and explaining this issue. Red Hat issue 1019975: add TLS host name checks OpenSSL client checks if the server certificates names in extensions/subjectAltName/DNS or in subject/commonName match the name used to connect or the value of the openssl-commonname option. Test: OPENSSL_CN_CLIENT_SECURITY OpenSSL server checks if the client certificates names in extensions/subjectAltNames/DNS or subject/commonName match the value of the openssl-commonname option when it is used. 
Test: OPENSSL_CN_SERVER_SECURITY Red Hat issue 1019964: socat now uses the system certificate store with OPENSSL when neither options cafile nor capath are used Red Hat issue 1019972: needs to specify OpenSSL cipher suites Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to prevent downgrade attacks new features: OpenSSL addresses set couple of environment variables from values in peer certificate, e.g.: SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER, SOCAT_OPENSSL_X509_COMMONNAME, SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_* Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1 Tests: OPENSSL_METHOD_* Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested by Andrey Arapov. Added a new option termios-rawer for ptys. Thanks to Christian Vogelgsang for pointing me to this requirement corrections: Bind with ABSTRACT commands used non-abstract namespace (Linux). Test: ABSTRACT_BIND Thanks to Denis Shatov for reporting this bug. Fixed return value of nestlex() Option ignoreeof on the right address hung. Test: IGNOREEOF_REV Thanks to Franz Fasching for reporting this bug. Address SYSTEM, when terminating, shut down its parent addresses, e.g. an SSL connection which the parent assumed to still be active. Test: SYSTEM_SHUTDOWN Passive (listening or receiving) addresses with empty port field bound to a random port instead of terminating with error. Test: TCP4_NOPORT configure with some combination of disable options produced config files that failed to compile due to missing IPPROTO_TCP. Thanks to Thierry Fournier for report and patch. fixed a few minor bugs with OpenSSL in configure and with messages Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime is required. Thanks to Zhigang Wang for reporting and sending a patch. 
Christophe Leroy provided a patch that fixes memory leaks reported by valgrind Help for filan -L was bad, is now corrected to: "follow symbolic links instead of showing their properties" Address options fdin and fdout were silently ignored when not applicable due to -u or -U option. Now these combinations are caught as errors. Test: FDOUT_ERROR Issue reported by Hendrik. Added option termios-cfmakeraw that calls cfmakeraw() and is preferred over option raw which is now obsolete. On SysV systems this call is simulated by appropriate setting. Thanks to Youfu Zhang for reporting issue with option raw. porting: Socat included instead of POSIX Thanks to John Spencer for reporting this issue. Version 1.7.2.4 changed the check for gcc in configure.ac; this broke cross compiling. The particular check gets reverted. Thanks to Ross Burton and Danomi Manchego for reporting this issue. Debian Bug#764251: Set the build timestamp to a deterministic time: support external BUILD_DATE env var to allow to build reproducible binaries Joachim Fenkes provided a new adapted spec file. Type bool and macros Min and Max are defined by socat which led to compile errors when they were already provided by build framework. Thanks to Liyu Liu for providing a patch. David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h support and appropriate files in Config/ Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h on Illumos Changes for Openindiana: define _XPG4_2, __EXTENSIONS__, _POSIX_PTHREAD_SEMANTICS; and minor changes Red Hat issue 1182005: socat 1.7.2.4 build failure missing linux/errqueue.h Socat failed to compile on PPC due to new requirements for including and a weakness in the conditional code. Thanks to Michel Normand for reporting this issue. doc: In the man page the PTY example was badly formatted. Thanks to J.F.Sebastian for sending a patch. 
Added missing CVE ids to security issues in CHANGES testing: Do not distribute testcert.conf with socat source but generate it (and new testcert6.conf) during test.sh run. ####################### V 1.7.2.4: corrections: LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file descriptor Thanks to Ulises Alonso for reporting this bug make failed after configure with non gcc compiler due to missing include. Thanks to Horacio Mijail for reporting this problem configure checked for --disable-rawsocket but printed --disable-genericsocket in the help text. Thanks to Ben Gardiner for reporting and patching this bug In xioshutdown() a wrong branch was chosen after RECVFROM type addresses. Probably no impact. Thanks to David Binderman for reporting this issue. procan could not cleanly format ulimit values longer than 16 decimal digits. Thanks to Frank Dana for providing a patch that increases field width to 24 digits. OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with "Invalid argument" Thanks to Emile den Tex for reporting this bug. Changed some variable definitions to make gcc -O2 aliasing checker happy Thanks to Ilya Gordeev for reporting these warnings On big endian platforms with type long >32bit the range option applied a bad base address. Thanks to hejia hejia for reporting and fixing this bug. 
Red Hat issue 1022070: missing length check in xiolog_ancillary_socket() Red Hat issue 1022063: out-of-range shifts on net mask bits Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4() Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy() uses Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump() Red Hat issue 1021972: fixed a missing NUL termination in return string of sysutils.c:sockaddr_info() for the AF_UNIX case fixed some typos and minor issues, including: Red Hat issue 1021967: formatting error in manual page UNIX-LISTEN with fork option did not remove the socket file system entry when exiting. Other file system based passive address types had similar issues or failed to apply options umask, user e.a. Thanks to Lorenzo Monti for pointing me to this issue porting: Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang Performed changes for Fedora release 19 Adapted, improved test.sh script Red Hat issue 1021429: getgroupent fails with large number of groups; use getgrouplist() when available instead of sequence of calls to getgrent() Red Hat issue 1021948: snprintf API change; Implemented xio_snprintf() function as wrapper that tries to emulate C99 behaviour on old glibc systems, and adapted all affected calls appropriately Mike Frysinger provided a patch that supports long long for time_t, socklen_t and a few other libc types. Artem Mygaiev extended Cedril Priscals Android build script with pty code The check for fips.h required stddef.h Thanks to Matt Hilt for reporting this issue and sending a patch Check for linux/errqueue.h failed on some systems due to lack of linux/types.h inclusion. Thanks to Michael Vastola for sending a patch. autoconf now prefers configure.ac over configure.in Thanks to Michael Vastola for sending a patch. 
type of struct cmsghdr.cmsg is system dependent, determine it with configure; some more print format corrections docu: libwrap always logs to syslog added actual text version of GPLv2 @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.2 2014/09/07 23:24:56 rodent Exp $ d3 1 a3 1 Include net/if.h for netinet/if_ether.h d5 1 a5 1 --- configure.orig 2014-03-09 19:57:51.000000000 +0000 d7 1 a7 1 @@@@ -4671,7 +4671,11 @@@@ fi d9 1 a9 10 fi if test "$WITH_INTERFACE"; then - ac_fn_c_check_header_mongrel "$LINENO" "netinet/if_ether.h" "ac_cv_header_netinet_if_ether_h" "$ac_includes_default" + ac_fn_c_check_header_mongrel "$LINENO" "netinet/if_ether.h" "ac_cv_header_netinet_if_ether_h" "$ac_includes_default + #if HAVE_NET_IF_H + #include + #endif +" if test "x$ac_cv_header_netinet_if_ether_h" = xyes; then : $as_echo "#define HAVE_NETINET_IF_ETHER_H 1" >>confdefs.h d11 5 @ 1.2 log @Update to latest stable, 1.7.2.4, which is supposed to resolve CVE-2014-0019. patches/patch-aa seems to have been committed upstream. Passing readline location to configure and fixing CCOPTS in Makefile.in seems to not be necessary anymore. From CHANGES: ####################### V 1.7.2.4: corrections: LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file descriptor make failed after configure with non gcc compiler due to missing include. configure checked for --disable-rawsocket but printed --disable-genericsocket in the help text. In xioshutdown() a wrong branch was chosen after RECVFROM type addresses. Probably no impact. procan could not cleanly format ulimit values longer than 16 decimal digits. Thanks to Frank Dana for providing a patch that increases field width to 24 digits. 
OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with "Invalid argument" Changed some variable definitions to make gcc -O2 aliasing checker happy On big endian platforms with type long >32bit the range option applied a bad base address. Red Hat issue 1022070: missing length check in xiolog_ancillary_socket() Red Hat issue 1022063: out-of-range shifts on net mask bits Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4() Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy() uses Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump() Red Hat issue 1021972: fixed a missing NUL termination in return string of sysutils.c:sockaddr_info() for the AF_UNIX case fixed some typos and minor issues, including: Red Hat issue 1021967: formatting error in manual page UNIX-LISTEN with fork option did not remove the socket file system entry when exiting. Other file system based passive address types had similar issues or failed to apply options umask, user e.a. porting: Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang Performed changes for Fedora release 19 Adapted, improved test.sh script Red Hat issue 1021429: getgroupent fails with large number of groups; use getgrouplist() when available instead of sequence of calls to getgrent() Red Hat issue 1021948: snprintf API change; Implemented xio_snprintf() function as wrapper that tries to emulate C99 behaviour on old glibc systems, and adapted all affected calls appropriately Mike Frysinger provided a patch that supports long long for time_t, socklen_t and a few other libc types. Artem Mygaiev extended Cedril Priscals Android build script with pty code The check for fips.h required stddef.h Check for linux/errqueue.h failed on some systems due to lack of linux/types.h inclusion. 
autoconf now prefers configure.ac over configure.in type of struct cmsghdr.cmsg is system dependent, determine it with configure; some more print format corrections docu: libwrap always logs to syslog added actual text version of GPLv2 ####################### V 1.7.2.3: security: CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer overflow with data from command line (see socat-secadv5.txt) @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.1 2013/09/13 09:41:32 jperkin Exp $ @ 1.2.8.1 log @Pullup ticket #4782 - requested by bsiegert net/socat: security update Revisions pulled up: - net/socat/Makefile 1.35 - net/socat/distinfo 1.21 - net/socat/patches/patch-configure deleted - net/socat/patches/patch-mytypes.h 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Sat Jul 25 14:43:23 UTC 2015 Modified Files: pkgsrc/net/socat: Makefile distinfo pkgsrc/net/socat/patches: patch-mytypes.h Removed Files: pkgsrc/net/socat/patches: patch-configure Log Message: Update socat to 1.7.3.0. From Ben Gergely in PR pkg/49996. ####################### V 1.7.3.0: security: (CVE Id pending) Fixed problems with signal handling caused by use of not async signal safe functions in signal handlers that could freeze socat, allowing denial of service attacks. Many changes in signal handling and the diagnostic messages system were applied to make the code async signal safe but still provide detailed logging from signal handlers: Coded function vsnprintf_r() as async signal safe incomplete substitute of libc vsnprintf() Coded function snprinterr() to replace %m in strings with a system error message Instead of gettimeofday() use clock_gettime() when available Pass Diagnostic messages from signal handler per unix socket to the main program flow Use sigaction() instead of signal() for better control Turn off nested signal handler invocations Thanks to Peter Lobsinger for reporting and explaining this issue. 
Red Hat issue 1019975: add TLS host name checks OpenSSL client checks if the server certificates names in extensions/subjectAltName/DNS or in subject/commonName match the name used to connect or the value of the openssl-commonname option. Test: OPENSSL_CN_CLIENT_SECURITY OpenSSL server checks if the client certificates names in extensions/subjectAltNames/DNS or subject/commonName match the value of the openssl-commonname option when it is used. Test: OPENSSL_CN_SERVER_SECURITY Red Hat issue 1019964: socat now uses the system certificate store with OPENSSL when neither options cafile nor capath are used Red Hat issue 1019972: needs to specify OpenSSL cipher suites Default cipherlist is now "HIGH:-NULL:-PSK:-aNULL" instead of empty to prevent downgrade attacks new features: OpenSSL addresses set couple of environment variables from values in peer certificate, e.g.: SOCAT_OPENSSL_X509_SUBJECT, SOCAT_OPENSSL_X509_ISSUER, SOCAT_OPENSSL_X509_COMMONNAME, SOCAT_OPENSSL_X509V3_SUBJECTALTNAME_DNS Tests: ENV_OPENSSL_{CLIENT,SERVER}_X509_* Added support for methods TLSv1, TLSv1.1, TLSv1.2, and DTLS1 Tests: OPENSSL_METHOD_* Enabled OpenSSL server side use of ECDHE ciphers. Feature suggested by Andrey Arapov. Added a new option termios-rawer for ptys. Thanks to Christian Vogelgsang for pointing me to this requirement corrections: Bind with ABSTRACT commands used non-abstract namespace (Linux). Test: ABSTRACT_BIND Thanks to Denis Shatov for reporting this bug. Fixed return value of nestlex() Option ignoreeof on the right address hung. Test: IGNOREEOF_REV Thanks to Franz Fasching for reporting this bug. Address SYSTEM, when terminating, shut down its parent addresses, e.g. an SSL connection which the parent assumed to still be active. Test: SYSTEM_SHUTDOWN Passive (listening or receiving) addresses with empty port field bound to a random port instead of terminating with error. 
Test: TCP4_NOPORT configure with some combination of disable options produced config files that failed to compile due to missing IPPROTO_TCP. Thanks to Thierry Fournier for report and patch. fixed a few minor bugs with OpenSSL in configure and with messages Socat did not work in FIPS mode because 1024 instead of 512 bit DH prime is required. Thanks to Zhigang Wang for reporting and sending a patch. Christophe Leroy provided a patch that fixes memory leaks reported by valgrind Help for filan -L was bad, is now corrected to: "follow symbolic links instead of showing their properties" Address options fdin and fdout were silently ignored when not applicable due to -u or -U option. Now these combinations are caught as errors. Test: FDOUT_ERROR Issue reported by Hendrik. Added option termios-cfmakeraw that calls cfmakeraw() and is preferred over option raw which is now obsolete. On SysV systems this call is simulated by appropriate setting. Thanks to Youfu Zhang for reporting issue with option raw. porting: Socat included instead of POSIX Thanks to John Spencer for reporting this issue. Version 1.7.2.4 changed the check for gcc in configure.ac; this broke cross compiling. The particular check gets reverted. Thanks to Ross Burton and Danomi Manchego for reporting this issue. Debian Bug#764251: Set the build timestamp to a deterministic time: support external BUILD_DATE env var to allow to build reproducible binaries Joachim Fenkes provided a new adapted spec file. Type bool and macros Min and Max are defined by socat which led to compile errors when they were already provided by build framework. Thanks to Liyu Liu for providing a patch. 
David Arnstein contributed a patch for NetBSD 5.1 including stdbool.h support and appropriate files in Config/ Lauri Tirkkonen contributed a patch regarding netinet/if_ether.h on Illumos Changes for Openindiana: define _XPG4_2, __EXTENSIONS__, _POSIX_PTHREAD_SEMANTICS; and minor changes Red Hat issue 1182005: socat 1.7.2.4 build failure missing linux/errqueue.h Socat failed to compile on PPC due to new requirements for including and a weakness in the conditional code. Thanks to Michel Normand for reporting this issue. doc: In the man page the PTY example was badly formatted. Thanks to J.F.Sebastian for sending a patch. Added missing CVE ids to security issues in CHANGES testing: Do not distribute testcert.conf with socat source but generate it (and new testcert6.conf) during test.sh run. ####################### V 1.7.2.4: corrections: LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file descriptor Thanks to Ulises Alonso for reporting this bug make failed after configure with non gcc compiler due to missing include. Thanks to Horacio Mijail for reporting this problem configure checked for --disable-rawsocket but printed --disable-genericsocket in the help text. Thanks to Ben Gardiner for reporting and patching this bug In xioshutdown() a wrong branch was chosen after RECVFROM type addresses. Probably no impact. Thanks to David Binderman for reporting this issue. procan could not cleanly format ulimit values longer than 16 decimal digits. Thanks to Frank Dana for providing a patch that increases field width to 24 digits. OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with "Invalid argument" Thanks to Emile den Tex for reporting this bug. Changed some variable definitions to make gcc -O2 aliasing checker happy Thanks to Ilya Gordeev for reporting these warnings On big endian platforms with type long >32bit the range option applied a bad base address. 
Thanks to hejia hejia for reporting and fixing this bug. Red Hat issue 1022070: missing length check in xiolog_ancillary_socket() Red Hat issue 1022063: out-of-range shifts on net mask bits Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4() Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy() uses Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump() Red Hat issue 1021972: fixed a missing NUL termination in return string of sysutils.c:sockaddr_info() for the AF_UNIX case fixed some typos and minor issues, including: Red Hat issue 1021967: formatting error in manual page UNIX-LISTEN with fork option did not remove the socket file system entry when exiting. Other file system based passive address types had similar issues or failed to apply options umask, user e.a. Thanks to Lorenzo Monti for pointing me to this issue porting: Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang Performed changes for Fedora release 19 Adapted, improved test.sh script Red Hat issue 1021429: getgroupent fails with large number of groups; use getgrouplist() when available instead of sequence of calls to getgrent() Red Hat issue 1021948: snprintf API change; Implemented xio_snprintf() function as wrapper that tries to emulate C99 behaviour on old glibc systems, and adapted all affected calls appropriately Mike Frysinger provided a patch that supports long long for time_t, socklen_t and a few other libc types. Artem Mygaiev extended Cedril Priscals Android build script with pty code The check for fips.h required stddef.h Thanks to Matt Hilt for reporting this issue and sending a patch Check for linux/errqueue.h failed on some systems due to lack of linux/types.h inclusion. Thanks to Michael Vastola for sending a patch. autoconf now prefers configure.ac over configure.in Thanks to Michael Vastola for sending a patch. 
type of struct cmsghdr.cmsg is system dependent, determine it with configure; some more print format corrections docu: libwrap always logs to syslog added actual text version of GPLv2 @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.2 2014/09/07 23:24:56 rodent Exp $ @ 1.1 log @Need net/if.h for netinet/if_ether.h on SunOS. @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- configure.orig 2013-09-13 09:27:50.539358670 +0000 d7 1 a7 1 @@@@ -4625,7 +4625,11 @@@@ fi d17 1 a17 1 if test "x$ac_cv_header_netinet_if_ether_h" = x""yes; then : @ 1.1.8.1 log @Pullup ticket #4494 - requested by rodent net/socat: security update Revisions pulled up: - net/socat/Makefile 1.32 - net/socat/distinfo 1.20 - net/socat/patches/patch-aa deleted - net/socat/patches/patch-configure 1.2 - net/socat/patches/patch-mytypes.h 1.2 --- Module Name: pkgsrc Committed By: rodent Date: Sun Sep 7 23:24:56 UTC 2014 Modified Files: pkgsrc/net/socat: Makefile distinfo pkgsrc/net/socat/patches: patch-configure patch-mytypes.h Removed Files: pkgsrc/net/socat/patches: patch-aa Log Message: Update to latest stable, 1.7.2.4, which is supposed to resolve CVE-2014-0019. patches/patch-aa seems to have been committed upstream. Passing readline location to configure and fixing CCOPTS in Makefile.in seems to not be necessary anymore. From CHANGES: ####################### V 1.7.2.4: corrections: LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file descriptor make failed after configure with non gcc compiler due to missing include. configure checked for --disable-rawsocket but printed --disable-genericsocket in the help text. In xioshutdown() a wrong branch was chosen after RECVFROM type addresses. Probably no impact. procan could not cleanly format ulimit values longer than 16 decimal digits. Thanks to Frank Dana for providing a patch that increases field width to 24 digits. 
OPENSSL-CONNECT with bind option failed on some systems, eg.FreeBSD, with "Invalid argument" Changed some variable definitions to make gcc -O2 aliasing checker happy On big endian platforms with type long >32bit the range option applied a bad base address. Red Hat issue 1022070: missing length check in xiolog_ancillary_socket() Red Hat issue 1022063: out-of-range shifts on net mask bits Red Hat issue 1022062: strcpy misuse in xiosetsockaddrenv_ip4() Red Hat issue 1022048: strncpy hardening: corrected suspicious strncpy() uses Red Hat issue 1021958: fixed a bug with faulty buffer/data length calculation in xio-ascii.c:_xiodump() Red Hat issue 1021972: fixed a missing NUL termination in return string of sysutils.c:sockaddr_info() for the AF_UNIX case fixed some typos and minor issues, including: Red Hat issue 1021967: formatting error in manual page UNIX-LISTEN with fork option did not remove the socket file system entry when exiting. Other file system based passive address types had similar issues or failed to apply options umask, user e.a. porting: Red Hat issue 1020203: configure checks fail with some compilers. Use case: clang Performed changes for Fedora release 19 Adapted, improved test.sh script Red Hat issue 1021429: getgroupent fails with large number of groups; use getgrouplist() when available instead of sequence of calls to getgrent() Red Hat issue 1021948: snprintf API change; Implemented xio_snprintf() function as wrapper that tries to emulate C99 behaviour on old glibc systems, and adapted all affected calls appropriately Mike Frysinger provided a patch that supports long long for time_t, socklen_t and a few other libc types. Artem Mygaiev extended Cedril Priscals Android build script with pty code The check for fips.h required stddef.h Check for linux/errqueue.h failed on some systems due to lack of linux/types.h inclusion. 
autoconf now prefers configure.ac over configure.in type of struct cmsghdr.cmsg is system dependent, determine it with configure; some more print format corrections docu: libwrap always logs to syslog added actual text version of GPLv2 ####################### V 1.7.2.3: security: CVE-2014-0019: socat's PROXY-CONNECT address was vulnerable to a buffer overflow with data from command line (see socat-secadv5.txt) @ text @d5 1 a5 1 --- configure.orig 2014-03-09 19:57:51.000000000 +0000 d7 1 a7 1 @@@@ -4671,7 +4671,11 @@@@ fi d17 1 a17 1 if test "x$ac_cv_header_netinet_if_ether_h" = xyes; then : @
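Review bot: The `configure` hunk at `-4034,7` in the head revision's patch text edits the generated autoconf script (the `for ac_header in ...` loop that feeds `ac_fn_c_check_header_mongrel`) rather than `configure.ac`, so the added `stropts.h` entry is lost whenever the script is regenerated, and the hunk offset ties the patch to one upstream release. Consider carrying the same header-list change against `configure.ac` and sending it upstream. The one-line description "Check for stropts.h for usage on SunOS" would also be more useful if it said what breaks without the check; the 1.8.0.1 log in this file records that `isastream()` is declared only in `stropts.h` on OpenSolaris/Illumos.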