head 1.2; access; symbols pkgsrc-2020Q3:1.1.0.10 pkgsrc-2020Q3-base:1.1 pkgsrc-2020Q2:1.1.0.8 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.4 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.6 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2020.12.02.16.30.50; author ast; state dead; branches; next 1.1; commitid h7VONPUpNMiXFbyC; 1.1 date 2019.10.20.20.02.13; author ast; state Exp; branches 1.1.2.1; next ; commitid ihPU96VKiS2AZDHB; 1.1.2.1 date 2019.10.20.20.02.13; author bsiegert; state dead; branches; next 1.1.2.2; commitid PzALRi32egn9YQHB; 1.1.2.2 date 2019.10.22.11.07.30; author bsiegert; state Exp; branches; next ; commitid PzALRi32egn9YQHB; desc @@ 1.2 log @www/nostromo: update to nostromo 1.9.9; patches not needed anymore @ text @$NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $ Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing execution of /bin/sh with arbitrary arguments). Nostromo as such handles encoded URI correctly but the strcutl() function in the string manipulation library removes 0x0d in the URI string resulting in a valid path. What should happen instead is that the decoded 0x0d character remains in the URI, resulting in an invalid path, giving rise to a 404.
--- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200
+++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200
@@@@ -26,8 +26,12 @@@@
 {
 int i = 0, j = 0, cl = 0;
 
- /* first count all lines */
- while (1) {
+ /* requested line must be a positive integer */
+ if (line <= 0)
+ return -1;
+
+ /* count lines up to requested line or end of string */
+ while (line >= cl) {
 if (src[i] == '\n' && src[i + 1] == '\0') {
 cl++;
 break;
@@@@ -42,24 +46,24 @@@@
 i++;
 }
 
- /* do we have the requested line ? */
- if (line > cl || line == 0)
+ /* did we actually get the requested line ? */
+ if (line > cl)
 return -1;
 
- /* go to line start */
+ /* go to beginning of the requested line */
 for (i = 0, j = 0; j != line - 1; i++)
 if (src[i] == '\n')
 j++;
 
- /* read requested line */
+ /* copy the requested line to destination buffer */
 for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
- if (src[i] != '\r') {
- dst[j] = src[i];
- j++;
- }
+ if (src[i] == '\r' && src[i + 1] == '\n')
+ continue;
+ dst[j] = src[i];
+ j++;
 }
 
- /* terminate string */
+ /* null terminate destination buffer */
 dst[j] = '\0';
 
 return cl;
@ 1.1 log @www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-strcutl was added on branch pkgsrc-2019Q3 on 2019-10-22 11:07:30 +0000 @ text @d1 62 @ 1.1.2.2 log @Pullup ticket #6073 - requested by ast www/nostromo: security fix Revisions pulled up: - www/nostromo/Makefile 1.3 - www/nostromo/PLIST 1.2 - www/nostromo/distinfo 1.2 - www/nostromo/patches/patch-http_header_comp 1.1 - www/nostromo/patches/patch-strcutl 1.1 --- Module Name: pkgsrc Committed By: ast Date: Sun Oct 20 20:02:14 UTC 2019 Modified Files: pkgsrc/www/nostromo: Makefile PLIST distinfo Added Files: pkgsrc/www/nostromo/patches: patch-http_header_comp patch-strcutl Log Message: www/nostromo: fixes for CVE-2019-16278 and CVE-2019-16279 @ text @a0 62 $NetBSD: patch-strcutl,v 1.1 2019/10/20 20:02:13 ast Exp $ Mitigate nostromo CVE-2019-16278 (bypassing a check for /../ allowing execution of /bin/sh with arbitrary arguments). Nostromo as such handles encoded URI correctly but the strcutl() function in the string manipulation library removes 0x0d in the URI string resulting in a valid path. What should happen instead is that the decoded 0x0d character remains in the URI, resulting in an invalid path, giving rise to a 404.
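Review bot: The new `if (line <= 0) return -1;` guard has no counterpart for `dsize`: with `dsize` of 0 the copy loop's bound `j != dsize - 1` can never stop it (and if `dsize` is unsigned the subtraction wraps), so `dst[j] = src[i]` and the trailing `dst[j] = '\0'` write past a zero-length buffer; extending the guard to `if (line <= 0 || dsize <= 0) return -1;` closes that. The return value also changes meaning: `while (line >= cl)` stops counting as soon as `cl` exceeds `line`, so `return cl;` no longer reports the total line count the old `while (1)` loop produced, and any caller outside this hunk that uses it as a total is silently affected, which deserves a header comment such as `/* returns the number of lines counted, at most line + 1 */`. strcutl()'s signature and the lines between the two hunks are outside the patch, so the type of `dsize` is only inferred from the `dsize - 1` comparison. The same patch text is repeated verbatim in the 1.1.2.2 revision below and both points apply there as well.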
--- src/libmy/strcutl.c.orig 2005-06-04 10:30:04.000000000 +0200
+++ src/libmy/strcutl.c 2019-10-20 11:30:29.704645745 +0200
@@@@ -26,8 +26,12 @@@@
 {
 int i = 0, j = 0, cl = 0;
 
- /* first count all lines */
- while (1) {
+ /* requested line must be a positive integer */
+ if (line <= 0)
+ return -1;
+
+ /* count lines up to requested line or end of string */
+ while (line >= cl) {
 if (src[i] == '\n' && src[i + 1] == '\0') {
 cl++;
 break;
@@@@ -42,24 +46,24 @@@@
 i++;
 }
 
- /* do we have the requested line ? */
- if (line > cl || line == 0)
+ /* did we actually get the requested line ? */
+ if (line > cl)
 return -1;
 
- /* go to line start */
+ /* go to beginning of the requested line */
 for (i = 0, j = 0; j != line - 1; i++)
 if (src[i] == '\n')
 j++;
 
- /* read requested line */
+ /* copy the requested line to destination buffer */
 for (j = 0; src[i] != '\n' && src[i] != '\0' && j != dsize - 1; i++) {
- if (src[i] != '\r') {
- dst[j] = src[i];
- j++;
- }
+ if (src[i] == '\r' && src[i + 1] == '\n')
+ continue;
+ dst[j] = src[i];
+ j++;
 }
 
- /* terminate string */
+ /* null terminate destination buffer */
 dst[j] = '\0';
 
 return cl;
@