Fix CVE-2019-3816, CVE-2019-3833 and remove Dist Tag from changelog

This commit is contained in:
Vitezslav Crhonek 2019-03-13 14:34:58 +01:00
parent 6dcd9ddbfc
commit b28c67e01e
3 changed files with 186 additions and 2 deletions

View File

@ -0,0 +1,79 @@
diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig 2019-03-13 08:52:06.112090942 +0100
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c 2019-03-13 09:01:15.496156789 +0100
@@ -336,10 +336,12 @@ date_to_epoch(const char *s)
}
static void
-remove_double_dots(char *s)
+remove_all_leading_dots(char *s)
{
char *p = s;
+ while (*s != '\0' && *s == '.') s++;
+
while (*s != '\0') {
*p++ = *s++;
if (s[-1] == '/' || s[-1] == '\\')
@@ -546,7 +548,7 @@ decide_what_to_do(struct conn *c)
*c->query++ = '\0';
_shttpd_url_decode(c->uri, strlen(c->uri), c->uri, strlen(c->uri) + 1);
- remove_double_dots(c->uri);
+ remove_all_leading_dots(c->uri);
root = c->ctx->options[OPT_ROOT];
if (strlen(c->uri) + strlen(root) >= sizeof(path)) {
@@ -556,6 +558,7 @@ decide_what_to_do(struct conn *c)
(void) _shttpd_snprintf(path, sizeof(path), "%s%s", root, c->uri);
+ DBG(("decide_what_to_do -> processed path: [%s]", path));
/* User may use the aliases - check URI for mount point */
if (is_alias(c->ctx, c->uri, &alias_uri, &alias_path) != NULL) {
(void) _shttpd_snprintf(path, sizeof(path), "%.*s%s",
@@ -572,7 +575,10 @@ decide_what_to_do(struct conn *c)
if ((ruri = _shttpd_is_registered_uri(c->ctx, c->uri)) != NULL) {
_shttpd_setup_embedded_stream(c,
ruri->callback, ruri->callback_data);
- } else
+ } else {
+ _shttpd_send_server_error(c, 403, "Forbidden");
+ }
+#if 0
if (strstr(path, HTPASSWD)) {
/* Do not allow to view passwords files */
_shttpd_send_server_error(c, 403, "Forbidden");
@@ -656,6 +662,7 @@ decide_what_to_do(struct conn *c)
} else {
_shttpd_send_server_error(c, 500, "Internal Error");
}
+#endif
}
static int
diff -up openwsman-2.6.8/src/server/wsmand.c.orig openwsman-2.6.8/src/server/wsmand.c
--- openwsman-2.6.8/src/server/wsmand.c.orig 2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/wsmand.c 2019-03-13 09:03:25.919181279 +0100
@@ -198,6 +198,10 @@ static void daemonize(void)
int fd;
char *pid;
+ /* Change our CWD to / */
+ i = chdir("/");
+ assert(i == 0);
+
if (wsmand_options_get_foreground_debug() > 0) {
return;
}
@@ -214,10 +218,6 @@ static void daemonize(void)
log_pid = 0;
setsid();
- /* Change our CWD to / */
- i=chdir("/");
- assert(i == 0);
-
/* Close all file descriptors. */
for (i = getdtablesize(); i >= 0; --i)
close(i);

View File

@ -0,0 +1,94 @@
diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig 2019-03-13 09:32:32.417633057 +0100
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c 2019-03-13 09:58:04.482486589 +0100
@@ -705,11 +705,11 @@ parse_http_request(struct conn *c)
_shttpd_send_server_error(c, 500, "Cannot allocate request");
}
+ io_inc_tail(&c->rem.io, req_len);
+
if (c->loc.flags & FLAG_CLOSED)
return;
- io_inc_tail(&c->rem.io, req_len);
-
DBG(("Conn %d: parsing request: [%.*s]", c->rem.chan.sock, req_len, s));
c->rem.flags |= FLAG_HEADERS_PARSED;
@@ -975,7 +975,7 @@ write_stream(struct stream *from, struct
}
-static void
+static int
connection_desctructor(struct llhead *lp)
{
struct conn *c = LL_ENTRY(lp, struct conn, link);
@@ -999,7 +999,8 @@ connection_desctructor(struct llhead *lp
* Check the "Connection: " header before we free c->request
* If it its 'keep-alive', then do not close the connection
*/
- do_close = (c->ch.connection.v_vec.len >= vec.len &&
+ do_close = c->rem.flags & FLAG_CLOSED ||
+ (c->ch.connection.v_vec.len >= vec.len &&
!_shttpd_strncasecmp(vec.ptr,c->ch.connection.v_vec.ptr,vec.len)) ||
(c->major_version < 1 ||
(c->major_version >= 1 && c->minor_version < 1));
@@ -1021,7 +1022,7 @@ connection_desctructor(struct llhead *lp
io_clear(&c->loc.io);
c->birth_time = _shttpd_current_time;
if (io_data_len(&c->rem.io) > 0)
- process_connection(c, 0, 0);
+ return 1;
} else {
if (c->rem.io_class != NULL)
c->rem.io_class->close(&c->rem);
@@ -1032,6 +1033,8 @@ connection_desctructor(struct llhead *lp
free(c);
}
+
+ return 0;
}
static void
@@ -1039,7 +1042,7 @@ worker_destructor(struct llhead *lp)
{
struct worker *worker = LL_ENTRY(lp, struct worker, link);
- free_list(&worker->connections, connection_desctructor);
+ free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
free(worker);
}
@@ -1072,6 +1075,8 @@ add_to_set(int fd, fd_set *set, int *max
static void
process_connection(struct conn *c, int remote_ready, int local_ready)
{
+again:
+
/* Read from remote end if it is ready */
if (remote_ready && io_space_len(&c->rem.io))
read_stream(&c->rem);
@@ -1100,7 +1105,11 @@ process_connection(struct conn *c, int r
if ((_shttpd_current_time > c->expire_time) ||
(c->rem.flags & FLAG_CLOSED) ||
((c->loc.flags & FLAG_CLOSED) && !io_data_len(&c->loc.io)))
- connection_desctructor(&c->link);
+ if (connection_desctructor(&c->link)) {
+ remote_ready = 0;
+ local_ready = 0;
+ goto again;
+ }
}
static int
@@ -1642,7 +1651,7 @@ worker_function(void *param)
while (worker->exit_flag == 0)
poll_worker(worker, 1000 * 10);
- free_list(&worker->connections, connection_desctructor);
+ free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
free(worker);
}

View File

@ -3,7 +3,7 @@
Name: openwsman
Version: 2.6.8
Release: 4%{?dist}
Release: 5%{?dist}
Summary: Open source Implementation of WS-Management
License: BSD
@ -20,6 +20,8 @@ Patch2: openwsman-2.4.12-ruby-binding-build.patch
Patch3: openwsman-2.6.2-openssl-1.1-fix.patch
Patch4: openwsman-2.6.5-http-status-line.patch
Patch5: openwsman-2.6.5-libcurl-error-codes-update.patch
Patch6: openwsman-2.6.8-CVE-2019-3816.patch
Patch7: openwsman-2.6.8-CVE-2019-3833.patch
BuildRequires: swig
BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel
BuildRequires: python3 python3-devel ruby ruby-devel rubygems-devel perl-interpreter
@ -127,6 +129,8 @@ You can use it to send shell commands to a remote Windows hosts.
%patch3 -p1 -b .openssl-1.1-fix
%patch4 -p1 -b .http-status-line
%patch5 -p1 -b .libcurl-error-codes-update
%patch6 -p1 -b .CVE-2019-3816
%patch7 -p1 -b .CVE-2019-3833
%build
# Removing executable permissions on .c and .h files to fix rpmlint warnings.
@ -280,6 +284,13 @@ rm -f /var/log/wsmand.log
%{_bindir}/winrs
%changelog
* Wed Mar 13 2019 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.8-5
- Fix CVE-2019-3816
Resolves: #1687760
- Fix CVE-2019-3833
Resolves: #1687762
- Remove Dist Tag from the oldest changelog entry
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org>
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
@ -610,5 +621,5 @@ rm -f /var/log/wsmand.log
* Mon Sep 22 2008 Matt Domsch <Matt_Domsch@dell.com> - 2.1.0-1
- update to 2.1.0, resolves security issues
* Tue Aug 19 2008 <srinivas_ramanatha@dell.com> - 2.0.0-1%{?dist}
* Tue Aug 19 2008 <srinivas_ramanatha@dell.com> - 2.0.0-1
- Modified the spec file to adhere to fedora packaging guidelines.