--- bozohttpd-20111118.orig/Makefile.boot
+++ bozohttpd-20111118/Makefile.boot
@@ -7,8 +7,8 @@
 CFLAGS= -O -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
 GROFF= groff -Tascii
-CRYPTOLIBDIR= # -L/usr/local/lib
-CRYPTOLIBS= $(CRYPTOLIBDIR) -lcrypto -lssl
+CRYPTOLIBDIR= # -L/usr/lib
+CRYPTOLIBS= $(CRYPTOLIBDIR) -lcrypt -lssl -lcrypto
 FILES= bozohttpd.c auth-bozo.c cgi-bozo.c content-bozo.c daemon-bozo.c \
 dir-index-bozo.c ssl-bozo.c tilde-luzah-bozo.c main.c
--- bozohttpd-20111118.orig/bozohttpd.c
+++ bozohttpd-20111118/bozohttpd.c
@@ -866,7 +866,11 @@
 bozo_check_special_files(request, basename);
 }
- snprintf(dirfile, sizeof(dirfile), "%s/%s", dir, DIRECT_ACCESS_FILE);
+ if ((size_t)snprintf(dirfile, sizeof(dirfile), "%s/%s", dir, DIRECT_ACCESS_FILE) >= sizeof(dirfile)) {
+ bozo_http_error(request->hr_httpd, 404, request,"directfile path too long");
+ return 0;
+ }
+
 if (stat(dirfile, &sb) < 0 || (fp = fopen(dirfile, "r")) == NULL)
 return 0;
@@ -1040,9 +1044,9 @@
 /*
 * checks to see if this request has a valid .bzredirect file. returns
- * 0 on failure and 1 on success.
+ * 0 on failure and 1 on success, -1 on error.
 */
-static void
+static int
 check_bzredirect(bozo_httpreq_t *request)
 {
 struct stat sb;
@@ -1054,7 +1058,10 @@
 * if this pathname is really a directory, but doesn't end in /,
 * use it as the directory to look for the redir file.
 */
- snprintf(dir, sizeof(dir), "%s", request->hr_file + 1);
+ if((size_t)snprintf(dir, sizeof(dir), "%s", request->hr_file + 1) >= sizeof(dir)) {
+ bozo_http_error(request->hr_httpd, 404, request, "file path too long");
+ return -1;
+ }
 debug((request->hr_httpd, DEBUG_FAT, "check_bzredirect: dir %s", dir));
 basename = strrchr(dir, '/');
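Review bot: The truncation guard added in the -866 hunk is laid out differently from the file's existing style and from its sibling guards: `bozo_http_error(request->hr_httpd, 404, request,"directfile path too long");` has no space after the comma, the condition line runs far past the column at which the original wraps its calls, and the same guard is spelled `if((size_t)snprintf(...)` with no space after `if` in the -1054 hunk and in the second guard of the -1068 hunk, as is `switch(check_bzredirect(...))` in the -1213 hunk. The check itself is sound, since a negative snprintf return becomes a huge size_t and is rejected rather than used as a length. With the identical pattern now repeated six times in bozohttpd.c, a small `static int` helper that formats into a fixed buffer and reports truncation would remove the copy-and-paste divergence. The enclosing function of the -866 hunk starts outside the hunk.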
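Review bot: No hunk in this diff adds a `return 1;` to the success path of check_bzredirect, although the -1040 hunk changes it to `static int` with the documented contract `0 on failure and 1 on success, -1 on error`: the -1093 hunk ends just before the redirect is issued and the following hunk (-1103) opens on the function's closing `}`, so unless the line between them was changed outside what is shown, control falls off the end of a non-void function and the `case 1: return 0;` added in the -1213 hunk reads an indeterminate value. Add `return 1;` after the redirect call, immediately before the closing brace. The same switch has no `default:`; a `default: break;` with a comment that 0 means "no redirect file, keep processing the request" would make the intended fall-through explicit.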
@@ -1068,15 +1075,21 @@
 bozo_check_special_files(request, basename);
 }
- snprintf(redir, sizeof(redir), "%s/%s", dir, REDIRECT_FILE);
+ if ((size_t)snprintf(redir, sizeof(redir), "%s/%s", dir, REDIRECT_FILE) >= sizeof(redir)) {
+ bozo_http_error(request->hr_httpd, 404, request, "redirectfile path too long");
+ return -1;
+ }
 if (lstat(redir, &sb) == 0) {
 if (!S_ISLNK(sb.st_mode))
- return;
+ return 0;
 absolute = 0;
 } else {
- snprintf(redir, sizeof(redir), "%s/%s", dir, ABSREDIRECT_FILE);
+ if((size_t)snprintf(redir, sizeof(redir), "%s/%s", dir, ABSREDIRECT_FILE) >= sizeof(redir)) {
+ bozo_http_error(request->hr_httpd, 404, request, "redirectfile path too long");
+ return -1;
+ }
 if (lstat(redir, &sb) < 0 || !S_ISLNK(sb.st_mode))
- return;
+ return 0;
 absolute = 1;
 }
 debug((request->hr_httpd, DEBUG_FAT,
@@ -1084,7 +1097,7 @@
 rv = readlink(redir, redirpath, sizeof redirpath - 1);
 if (rv == -1 || rv == 0) {
 debug((request->hr_httpd, DEBUG_FAT, "readlink failed"));
- return;
+ return 0;
 }
 redirpath[rv] = '\0';
 debug((request->hr_httpd, DEBUG_FAT,
@@ -1093,9 +1106,12 @@
 /* now we have the link pointer, redirect to the real place */
 if (absolute)
 finalredir = redirpath;
- else
- snprintf(finalredir = redir, sizeof(redir), "/%s/%s", dir,
- redirpath);
+ else {
+ if ((size_t)snprintf(finalredir = redir, sizeof(redir), "/%s/%s", dir, redirpath) >= sizeof(redir)) {
+ bozo_http_error(request->hr_httpd, 404, request, "redirect path too long");
+ return -1;
+ }
+ }
 debug((request->hr_httpd, DEBUG_FAT, "check_bzredirect: new redir %s", finalredir));
@@ -1103,19 +1119,17 @@
 }
 /* this fixes the %HH hack that RFC2396 requires. */
-static void
-fix_url_percent(bozo_httpreq_t *request)
+int
+bozo_decode_url_percent(bozo_httpreq_t *request, char *str)
 {
 bozohttpd_t *httpd = request->hr_httpd;
- char *s, *t, buf[3], *url;
+ char *s, *t, buf[3];
 char *end; /* if end is not-zero, we don't translate beyond that */
- url = request->hr_file;
-
- end = url + strlen(url);
+ end = str + strlen(str);
 /* fast forward to the first % */
- if ((s = strchr(url, '%')) == NULL)
+ if ((s = strchr(str, '%')) == NULL)
 return;
 t = s;
@@ -1172,8 +1186,7 @@
 *t++ = *s++;
 }
 *t = '\0';
- debug((httpd, DEBUG_FAT, "fix_url_percent returns %s in url",
- request->hr_file));
+ debug((httpd, DEBUG_FAT, "bozo_decode_url_percent returns `%s'", request->hr_file));
 }
 /*
@@ -1202,7 +1215,9 @@
 file = NULL;
 *isindex = 0;
 debug((httpd, DEBUG_FAT, "tf_req: file %s", request->hr_file));
- fix_url_percent(request);
+ if (bozo_decode_url_percent(request, request->hr_file)) {
+ goto bad_done;
+ }
 if (check_virtual(request)) {
 goto bad_done;
 }
@@ -1213,7 +1228,12 @@
 goto bad_done;
 }
- check_bzredirect(request);
+ switch(check_bzredirect(request)) {
+ case -1:
+ goto bad_done;
+ case 1:
+ return 0;
+ }
 if (httpd->untrustedref) {
 int to_indexhtml = 0;
--- bozohttpd-20111118.orig/debian/bozohttpd.dirs
+++ bozohttpd-20111118/debian/bozohttpd.dirs
@@ -0,0 +1 @@
+usr/sbin
--- bozohttpd-20111118.orig/debian/bozohttpd.postinst
+++ bozohttpd-20111118/debian/bozohttpd.postinst
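Review bot: The early exit kept in this hunk is still a bare `return;` although bozo_decode_url_percent now returns int (a constraint violation in a non-void function), and the -1172 hunk closes the function without any return statement, so the caller added in the -1202 hunk, `if (bozo_decode_url_percent(request, request->hr_file)) goto bad_done;`, tests an indeterminate value and a request whose path contains no `%` may be rejected or accepted at random. Change the early exit to `return 0;` and end the function with `return 0;`, and check the part of the body between the two hunks (not shown) for any other bare `return;`; if it has an error path for a malformed escape, that path should return non-zero so the caller's goto is taken. The debug line in the -1172 hunk still prints `request->hr_file` although the function now decodes `str`; printing `str` would report what was actually decoded.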
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+ update-inetd --enable www
+ ;;
+configure)
+ if [ -n "$2" ]; then
+ update-inetd --enable www
+ else
+ update-inetd --group STANDARD --add "www stream tcp nowait root /usr/sbin/tcpd /usr/sbin/bozohttpd /var/www -X -c /usr/lib/cgi-bin -U www-data -u"
+ fi
+ ;;
+*)
+ printf "$0: incorrect arguments: $*\n" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
--- bozohttpd-20111118.orig/debian/bozohttpd.postrm
+++ bozohttpd-20111118/debian/bozohttpd.postrm
@@ -0,0 +1,18 @@
+#!/bin/sh -e
+
+case "$1" in
+abort-install | remove | abort-upgrade | upgrade | failed-upgrade | disappear)
+ ;;
+purge)
+ # If netbase is not installed, then we don't need to do the remove.
+ if command -v update-inetd >/dev/null 2>&1; then
+ update-inetd --remove "www.*/usr/sbin/bozohttpd"
+ fi
+ ;;
+*)
+ echo "$0: incorrect arguments: $*" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
--- bozohttpd-20111118.orig/debian/bozohttpd.prerm
+++ bozohttpd-20111118/debian/bozohttpd.prerm
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+# If netbase is not installed, then we don't need to do the remove.
+if command -v update-inetd >/dev/null 2>&1; then
+ update-inetd --disable www
+fi
+
+#DEBHELPER#
--- bozohttpd-20111118.orig/debian/changelog
+++ bozohttpd-20111118/debian/changelog
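Review bot: In the `*)` branch of postinst, `printf "$0: incorrect arguments: $*\n" >&2` passes the script name and its arguments as the format string, so a `%` in either is interpreted as a conversion instead of being printed; use `printf '%s: incorrect arguments: %s\n' "$0" "$*" >&2`, or `echo` as the postrm in the next hunk does. postinst also calls update-inetd unconditionally while prerm and postrm guard it with `command -v update-inetd`, and the debian/control hunk later in this diff depends on `openbsd-inetd | inet-superserver` rather than on the package providing update-inetd, so under `sh -e` a configure run on a system without it aborts the install; either declare the dependency or apply the same guard here. I cannot tell from the diff whether the inetd alternatives pull update-inetd in transitively.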
@@ -0,0 +1,200 @@
+bozohttpd (20111118-1+deb7u1build0.14.04.1) trusty-security; urgency=medium
+
+ * fake sync from Debian
+
+ -- Steve Beattie Fri, 24 Jun 2016 14:35:34 -0700
+
+bozohttpd (20111118-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2014-5015:
+ bozotic HTTP server (aka bozohttpd) before 201407081 truncates paths when
+ checking .htpasswd restrictions, which allows remote attackers to bypass
+ the HTTP authentication scheme and access restrictions via a long path.
+ (Closes: #755197)
+ * CVE-2015-8212:
+ Fix a security issue in CGI suffix handler support which would allow remote
+ code execution.
+
+ -- Markus Koschany Thu, 26 May 2016 05:46:07 +0200
+
+bozohttpd (20111118-1) unstable; urgency=low
+
+ * New upstream release (closes: #664042)
+ * Updated to Debian Policy v3.9.3.1. No changes needed.
+
+ -- Mattias Nordstrom Tue, 27 Mar 2012 13:26:57 +0300
+
+bozohttpd (20100920-1) unstable; urgency=low
+
+ * New upstream release.
+ * Applied Ubuntu patch to fix FTBFS (closes: #615698)
+
+ -- Mattias Nordstrom Tue, 05 Apr 2011 16:17:18 +0300
+
+bozohttpd (20100621-1) unstable; urgency=low
+
+ * New upstream release, fixes CVE-2010-2320 , CVE-2010-2195 (closes: #590298)
+ * Updated to Debian Policy v3.9.1.0. No changes needed.
+
+ -- Mattias Nordstrom Mon, 26 Jul 2010 18:17:35 +0300
+
+bozohttpd (20090522-2) unstable; urgency=low
+
+ * Applied patch from Matthew Green to fix input parse bug (closes: #566325)
+
+ -- Mattias Nordstrom Fri, 29 Jan 2010 18:19:36 +0200
+
+bozohttpd (20090522-1) unstable; urgency=low
+
+ * New upstream release (closes: #564727)
+ * Updated to Debian Policy v3.8.3.0. No changes needed.
+
+ -- Mattias Nordstrom Tue, 12 Jan 2010 16:17:30 +0200
+
+bozohttpd (20090418-2) unstable; urgency=low
+
+ * Compiled with support for basic authentication (htpasswd) (closes: #528158)
+
+ -- Mattias Nordstrom Mon, 08 Jun 2009 16:59:34 +0300
+
+bozohttpd (20090418-1) unstable; urgency=low
+
+ * New upstream release (closes: #525592)
+
+ -- Mattias Nordstrom Wed, 29 Apr 2009 18:16:47 +0300
+
+bozohttpd (20080303-1) unstable; urgency=low
+
+ * New upstream release (closes: #493864)
+ * Included patch for CGI scripts in subdirectories bug (closes: #472383)
+
+ -- Mattias Nordstrom Sat, 11 Apr 2009 14:54:31 +0300
+
+bozohttpd (20060517-6) unstable; urgency=low
+
+ * Changed maintainer email address.
+ * Added .xhtml support (closes: #434695)
+
+ -- Mattias Nordstrom Sat, 17 Nov 2007 15:04:57 +0200
+
+bozohttpd (20060517-5) unstable; urgency=low
+
+ * Fixed FTBFS on GNU/kFreeBSD (closes: #414289)
+
+ -- Mattias Nordstrom Wed, 14 Mar 2007 15:15:45 +0200
+
+bozohttpd (20060517-4) unstable; urgency=low
+
+ * Corrected the fix for improper header handling, as described in #376731.
+
+ -- Mattias Nordstrom Sun, 8 Oct 2006 14:04:45 +0300
+
+bozohttpd (20060517-3) unstable; urgency=low
+
+ * Fixed improper header handling in CGI scripts (closes: #376731)
+
+ -- Mattias Nordstrom Sun, 23 Jul 2006 21:31:58 +0300
+
+bozohttpd (20060517-2) unstable; urgency=low
+
+ * Parent directory link first in listing (closes: #375467)
+ * Fixed %HH hack regression; URLs not ending in %HH failed (closes: #377967)
+ * Use ISO times in directory index (closes: #375465)
+ * Corrected layout issues in directory index (closes: #375466)
+
+ -- Mattias Nordstrom Sun, 16 Jul 2006 22:12:21 +0300
+
+bozohttpd (20060517-1) unstable; urgency=low
+
+ * New upstream release (closes: #370753, #370777)
+
+ -- Mattias Nordstrom Sun, 18 Jun 2006 16:34:00 +0300
+
+bozohttpd (20050410-4) unstable; urgency=low
+
+ * Updated to Debian Policy v3.7.2. No changes needed.
+ * Updated to debhelper 5.
+ * Fixed manpage typo (closes: #355219)
+
+ -- Mattias Nordstrom Sat, 13 May 2006 22:15:01 +0300
+
+bozohttpd (20050410-3) unstable; urgency=low
+
+ * openssl transition (depends on libssl-dev >= 0.9.8-1)
+
+ -- Mattias Nordstrom Mon, 10 Oct 2005 20:10:22 +0300
+
+bozohttpd (20050410-2) unstable; urgency=low
+
+ * Added dependancy on netbase, needed by maintainer scripts for update-inetd.
+
+ -- Mattias Nordstrom Fri, 26 Aug 2005 18:07:16 +0300
+
+bozohttpd (20050410-1) unstable; urgency=low
+
+ * New upstream release (closes: #311079, #290430)
+ * Updated to Debian Policy v3.6.2.1.
+ * New maintainer (closes: #295231)
+ * Provide httpd-cgi virtual package (closes: #304307)
+ * Disabled default chroot environment, added CGI interface (closes: #280725)
+ * Proper accept() parameter initialization (closes: #246776)
+ * Enabled ~user dir translation (closes: #309095)
+ * Create /var/www if it doesn't exist (closes: #311076)
+ * Added note to manpage about -u option conflicting with -t (closes: #311088)
+ * Compile with debugging, enables -d (closes: #311089)
+ * Manpage wording (closes: #311075)
+ * Added libssl-dev build dependancy.
+
+ -- Mattias Nordstrom Thu, 23 Jun 2005 19:18:15 +0300
+
+bozohttpd (20030313-1) unstable; urgency=low
+
+ * New upstream release (closes: #194872)
+ * Bumped Standards-Version to 3.5.10
+
+ -- Thomas Seyrat Wed, 4 Jun 2003 14:54:51 +0200
+
+bozohttpd (20021106-2) unstable; urgency=low
+
+ * Added text/css MIME type support.
(closes: #172228)
+
+ -- Thomas Seyrat Sun, 8 Dec 2002 19:39:56 +0100
+
+bozohttpd (20021106-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Thomas Seyrat Wed, 13 Nov 2002 09:32:35 +0100
+
+bozohttpd (5.15-1) unstable; urgency=low
+
+ * New upstream release
+ * Bumped Standards-Version to 3.5.7
+
+ -- Thomas Seyrat Fri, 18 Oct 2002 15:38:56 +0200
+
+bozohttpd (5.14-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Thomas Seyrat Tue, 27 Aug 2002 22:00:08 +0200
+
+bozohttpd (5.13-3) unstable; urgency=low
+
+ * Minor description fix. (closes: #157998)
+
+ -- Thomas Seyrat Sat, 24 Aug 2002 15:11:16 +0200
+
+bozohttpd (5.13-2) unstable; urgency=low
+
+ * Applied patch from upstream to fix compilation problem on m68k.
+
+ -- Thomas Seyrat Mon, 12 Aug 2002 10:31:05 +0200
+
+bozohttpd (5.13-1) unstable; urgency=low
+
+ * Initial Release. (closes: #156080)
+
+ -- Thomas Seyrat Sat, 10 Aug 2002 01:29:37 +0200
+
--- bozohttpd-20111118.orig/debian/compat
+++ bozohttpd-20111118/debian/compat
@@ -0,0 +1 @@
+5
--- bozohttpd-20111118.orig/debian/control
+++ bozohttpd-20111118/debian/control
@@ -0,0 +1,20 @@
+Source: bozohttpd
+Section: httpd
+Priority: extra
+Maintainer: Mattias Nordstrom
+Build-Depends: debhelper (>> 5.0.0), libssl-dev (>= 0.9.8)
+Standards-Version: 3.9.3.1
+
+Package: bozohttpd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, openbsd-inetd | inet-superserver
+Provides: httpd, httpd-cgi
+Homepage: http://www.eterna.com.au/bozohttpd/
+Description: Bozotic HTTP server
+ A small and secure HTTP server. Its main feature is the
+ lack of features, reducing code size and improving verifiability. It
+ has no configuration file by design.
+ .
+ It supports CGI/1.1, HTTP/1.1, HTTP/1.0, HTTP/0.9, ~user translations,
+ virtual hosting support, as well as multiple IP-based servers on a
+ single machine, and is able to serve pages via the IPv6 protocol.
--- bozohttpd-20111118.orig/debian/copyright
+++ bozohttpd-20111118/debian/copyright
@@ -0,0 +1,42 @@
+This package was debianized by Thomas Seyrat on
+Fri, 9 Aug 2002 17:32:26 +0200.
+It was adopted for maintainership by Mattias Nordstrom
+on Thu, 23 Jun 2005 16:52:46 +0300.
+
+It was downloaded from http://www.eterna.com.au/bozohttpd/
+
+Upstream Author: Matthew R. Green
+
+Copyright:
+
+/*
+ * Copyright (c) 1997-2005 Matthew R. Green
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer and
+ * dedication in the documentation and/or other materials provided
+ * with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+/* this program is dedicated to the Great God of Processed Cheese */
--- bozohttpd-20111118.orig/debian/rules
+++ bozohttpd-20111118/debian/rules
@@ -0,0 +1,56 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+
+configure:
+
+build: build-arch build-indep
+
+build-arch: build-stamp
+
+build-indep: build-stamp
+
+build-stamp:
+ dh_testdir
+ #cc -O2 -o bozohttpd bozohttpd.c
+
+ # DEBUG adds -d option to bozohttpd
+
+ $(MAKE) -f Makefile.boot "CFLAGS=-DDEBUG -DDO_HTPASSWD"
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ rm -f bozohttpd
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ install bozohttpd $(CURDIR)/debian/bozohttpd/usr/sbin
+ install -d $(CURDIR)/debian/bozohttpd/var/www
+
+binary-indep: build install
+
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installdocs
+ dh_installman bozohttpd.8
+ dh_installchangelogs CHANGES
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
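Review bot: `$(MAKE) -f Makefile.boot "CFLAGS=-DDEBUG -DDO_HTPASSWD"` in the build-stamp recipe sets CFLAGS on the make command line, which replaces rather than extends the `CFLAGS= -O -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64` shown in the Makefile.boot hunk at the top of this diff, so the packaged binary is built without optimisation and without large-file support, and none of the distribution's default flags from dpkg-buildflags are applied. Pass the full set, `$(MAKE) -f Makefile.boot "CFLAGS=-O -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DDEBUG -DDO_HTPASSWD"`, or better append the two defines to `$(shell dpkg-buildflags --get CFLAGS)` so the hardening and large-file flags the distribution expects are kept.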