2021-01-06 16:12:31 by Leonardo Taccari | Files touched by this commit (2) |
Log message:
socat: Update to 1.7.4.0
Changes:
1.7.4.0
-------
Security:
Buffer size option (-b) is internally doubled for CR-CRLF conversion,
but not checked for integer overflow. This could lead to heap based
buffer overflow, assuming the attacker could provide this parameter.
Test: BLKSIZE_INT_OVERFL
Thanks to Lê Hiếu Bùi for reporting this issue and sending an
example exploit.
Corrections:
Socats address parser read over end of string when there were unbalanced
quotes
Test: UNBALANCED_QUOTE
Removed unused usleep() call from sycls.c
Unsetenv() was conditional in sysutils.c but not in xio-openssl.c thus
building failed on Solaris 9.
Thanks to Greg Earle for reporting this issue and providing a patch.
Mitigated race condition of quickly terminating SYSTEM or EXEC child
processes.
Option o-direct might require alignment of read/write buffer to, e.g.,
512 bytes, Socat now takes care of this when allocating the buffer.
With this fix read() succeeds, however, write() still might fail when
not writing complete pages.
Test: O_DIRECT
There was a race condition in the way Socat UDP-RECVFROM and similar
addresses with option fork prevents one packet from triggering
multiple processes. The symptom was that Socat master process seemed to
hang and did not process further packets. The fix makes use of
pselect() system call.
Thanks to Fulvio Scapin for reporting this issue.
UNIX domain client addresses applied file system entry options (group
NAMED) to the server socket instead of the client (bind) socket entry.
Tests: UNIX_SENDTO_UNLINK UNIX_CONNECT_UNLINK
Thanks to Nico Williams for reporting this major issue.
Length of single address options was limited to 511 bytes. This value
is now increased to 2047 bytes.
Change suggested by Mario Camou.
Addresses of type RECVFROM with option fork looped with an error
message in case that the second address failed before consuming the
packet. The fix makes RECVFROM drop the packet when the second address
failed before reading it. Use retry or forever option with the second
address if you want to avoid data loss.
Thanks to Chunmei Xu for reporting this issue and proving the patch.
Socats DTLS implementation has been reworked and appears to work now
reasonably over UDP.
New addresses: OPENSSL-DTLS-SERVER (DTLS-L),
OPENSSL-DTLS-CLIENT (DTLS)
Tests: OPENSSL_DTLS_CLIENT OPENSSL_DTLS_SERVER
OPENSSL_METHOD_DTLS1 OPENSSL_METHOD_DTLS1.2
Thanks to Brandon Carpenter, Qing Wan, and Pavel Nakonechnyi for
sending patches.
filan did not output the socket protocol.
filan -s assumed each stream socket to be TCP and each datagram socket
to be UDP. Now it uses SO_PROTOCOL and getprotoent() for correct output.
Help text showed two parameters for UDP4-RECVFROM address, but only
<port> is allowed.
Thanks to John the Scott for reporting this issue.
Error messages from SSL_read() and SSL_write() sometimes stated
SSL_connect instead of originating function name.
Fixed some more non functional minor issues.
Porting:
In gcc version 10 the default changed from -fcommon to -fno-common.
Consequently, linking filan and procan failed with error
"multiple definition of `deny_severity'" and `allow_severity'
Fixed by removing definitions in filan.c and procan.c
Debian issue 957823
Thanks to László Böszörményi and others for reporting this issue.
Solaris 9 does not provide strndup(); added substitute code.
Thanks to Greg Earle for providing a patch.
Added configure option --enable-openssl-base to specify the location of
a non-OS OpenSSL installation
There are systems whose kernel understands SCTP but getaddrinfo does
not. As workaround after EIA_SOCKTYPE on name and service resolution
fall back to ai_socktype=0; if it fails with EAI_SERVICE, set
ai_protocol=0 and try again
Test: SCTP_SERVICENAME
Per file filesystem options were still name ext2-* and depended on
<linux/ext2_fs.h>. Now they are called fs-* and depend on <linux/fs.h>.
These fs-* options are also available on old systems with ext2_fs.h
New options openssl-min-proto-version (min-version) and
openssl-max-proto-version (max-version) give access to the related
OpenSSL set-macros and substitute deprecated version-specific methods.
Test: OPENSSL_MIN_VERSION
With OpenSSL use OPENSSL_init_SSL when available, instead of deprecated
SSL_library_init.
With OPENSSL_API_COMPAT=0x10000000L the files openssl/dh.h, openssl/bn.h
must explicitely be included.
Thanks to Rosen Penev for reporting and sending a patch.
Testing:
test.sh now produces a list of tests that could not be performed for
any reason. This helps to analyse these cases.
OpenSSL s_server appearently started to neglect TCPs half close feature.
Test OPENSSL_TCP4 has been changed to tolerate this.
OpenSSL changed its behaviour when connection is rejected. Tests
OPENSSLCERTSERVER, OPENSSL_CN_CLIENT_SECURITY, and
OPENSSL_CN_SERVER_SECURITY now tolerate this.
OpenSSL no longer allows explicit renegotiation with TLSv1.3, thus the
appropriate tests failed.
Fix: use TLSv1.2 for renegotiation tests
Tests: OPENSSLRENEG1 OPENSSLRENEG2
Ubuntu 20.04 requires 2048 bit certificates with OpenSSL
Archlinux 2020 has not which command; its ip,ss commands have modified
version strings
More testing issues solved:
* ss to pipe might omit column separator
* UDP6MULTICAST_UNIDIR fails on newer Linux kernels
* do not use sort -V
* renamed testaddrs() to testfeats(), and introduced new testaddrs()
New features:
GOPEN and UNIX-CLIENT addresses now support sockets of type SEQPACKET.
Test: GOPENUNIXSEQPACKET
Feature suggested by vi0oss.
The generic setsockopt-int and related options are, in case of
listening/accepting addresses, applied to the connected socket(s). To enable
setting options on the listening socket, a new option setsockopt-listen
has been implemented. See the documentation for info on data types.
Tests: SETSOCKOPT SETSOCKOPT_LISTEN
Thanks to Steven Danna and Korian Edeline for reporting this issue.
Filan option -S gives short description like -s but with improved
format
Socat OpenSSL client, when server was specified using IP address, did
not verify connection on certificates SubjectAltName IP entries.
Tests: OPENSSL_SERVERALTAUTH OPENSSL_SERVERALTIP4AUTH OPENSSL_SERVERALTIP6AUTH
Fixes Red Hat bug 1805132
Added options -r and -R for raw dump of transferred data to files.
Test: OPTION_RAW_DUMP
Added option ip-transparent (socket option IP_TRANSPARENT)
Thanks to Wang Shanker for sending a patch.
OPENSSL-CONNECT now automatically uses the SNI feature, option
openssl-no-sni turns it off. Option openssl-snihost overrides the value
of option openssl-commonname or the server name.
Tests: OPENSSL_SNI OPENSSL_NO_SNI
Thanks to Travis Burtrum for providing the initial patch
New option accept-timeout (listen-timeout)
Test: ACCEPTTIMEOUT
Proposed by Roland
New option ip-add-source-membership
Feature inspired by Brian (b f31415)
INCOMPATIBLE CHANGE: Address UDP-DATAGRAM now does not check peerport
of replies, as it did up to version 1.7.3.4. Use option sourceport when
you need the old behaviour.
Test: UDP_DATAGRAM_SOURCEPORT
Feature inspired by Hans Bueckler for SSDP inquiry (for UPnP)
New option proxy-authorization-file reads PROXY-CONNECT credentials
from file and makes it possible to hide this data from the process
table.
Test: PROXYAUTHFILE
Thanks to Charles Stephens for sending an initial patch.
Added AF_VSOCK support with VSOCK-CONNECT and VSOCK-LISTEN addresses.
Developed by Stefano Garzarella.
Coding:
Added printf formats for uint16_t etc.
Documentation:
Address UDP-RECV does not support option fork.
Thanks to Fulvio Scapin for reporting that mistake in docu.
TUN address documentation showed TCP for backend which may merge
consecutive packets which causes data loss.
Thanks to Tomasz Lakota for reporting this issue.
|
2020-05-18 13:19:13 by Nia Alarie | Files touched by this commit (3) |
Log message:
socat: Update to 1.7.3.4
####################### V 1.7.3.4:
Corrections:
Header of xiotermios_speed() declared parameter unsigned int instead of
speed_t, thus compiling failed on MacOS
Thanks to Joe Strout and others for reporting this bug.
Thanks to Andrew Childs and others for sending a patch.
Under certain circumstances, termios options of the first address were
applied to the second address, resulting in error
"Inappropriate ioctl for device"
This affected version 1.7.3.3 only.
Test: TERMIOS_PH_ALL
Thanks to Ivan J. for reporting this issue.
Socat failed to compile when no poll() system call was found by
configure.
Thanks to Jason White for sending a patch.
Due to use of SSL_CTX_clear_mode() Socat failed to compile on old
systems with, e.g., OpenSSL-0.9.8. Thanks to Simon Matter and Moritz B.
for reporting this problem and sending initial patches.
getaddrinfo() in IP4-SENDTO and IP6-SENDTO addresses failed with
"ai_socktype not supported" when protocol 6 was addressed.
The fix removes the possibility to use service names with SCTP.
Test: IP_SENDTO_6
Thanks to Sören for sending an initial patch.
Under certain circumstances, Socat printed the "socket ... is at EOF"
multiple times.
Test: MULTIPLE_EOF
Newer parts of test.sh used substitutions ${x,,*} or ${x^^*} that are
not implemented in older bash versions.
|
2020-02-09 14:19:55 by Jaromir Dolecek | Files touched by this commit (1) |
Log message:
actually remove the hacks.mk file
|
2020-02-09 14:19:10 by Jaromir Dolecek | Files touched by this commit (1) |
Log message:
remove the Darwin BIND 8 hack, it's using bind9 for at least a decade already
|
2020-01-18 22:51:16 by Jonathan Perkin | Files touched by this commit (1836) |
Log message:
*: Recursive revision bump for openssl 1.1.1.
|
2019-06-25 18:43:48 by Amitai Schleier | Files touched by this commit (2) |
Log message:
Use speed_t to match definition, fixing at least OS X build.
|
2018-07-04 15:40:45 by Jonathan Perkin | Files touched by this commit (423) |
Log message:
*: Move SUBST_STAGE from post-patch to pre-configure
Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
|
2017-11-11 20:43:06 by Maya Rashish | Files touched by this commit (3) |
Log message:
socat: improve our ability to run the tests, less use of /bin/bash
bump PKGREVISION in case any of those scripts are used at runtime
|
2017-02-05 21:40:32 by Leonardo Taccari | Files touched by this commit (2) |
Log message:
Update net/socat to socat-1.7.3.2
pkgsrc changes:
- Take MAINTAINERship
Changes:
1.7.3.2
-------
corrections:
- SIGSEGV and other signals could lead to a 100% CPU loop
- Failing name resolution could lead to SIGSEGV
Thanks to Max for reporting this issue.
- Include <stddef.h> for ptrdiff_t
Thanks to Jeroen Roovers for reporting this issue.
- Building with --disable-sycls failed due to missing sslcls.h defines
Socat hung when configured with --disable-sycls.
- Some minor corrections with includes etc.
- Option so-reuseport did not work. Thanks to Some Raghavendra Prabhu
for sending a patch.
- Programs invoked with EXEC, nofork, and -u or -U had stdin and stdout
incorrectly assigned
Test: EXEC_NOFORK_UNIDIR
Thanks to David Reiss for reporting this problem.
- Socat exited with status 0 even when a program invoked with SYSTEM or
EXEC failed.
Tests: SYSTEM_RC EXEC_RC
Issue reported by Felix Winkelmann.
- AddressSanitizer reported a few buffer overflows (false positives).
Nevertheless fixed Socat source.
Issue reported by Hanno Böck.
- Socat did not use option ipv6-join-group.
Test: USE_IPV6_JOIN_GROUP
Thanks to Linux Lüssing for sending a patch.
- UDP-LISTEN did not honor the max-children option.
Test: UDP4MAXCHILDREN UDP6MAXCHILDREN
Thanks to Leander Berwers for reporting this issue.
- Options so-rcvtimeo and so-sndtimeo do not work with poll()/select()
and therefore were useless.
Thanks to Steve Borenstein for reporting this issue.
- Option dhparam was documented as dhparams. Added the alias name
dhparams to fix this.
Thanks to Alexander Neumann for sending a patch.
- Options shut-down and shut-close did not work.
Thanks to Stefan Schimanski for providing a patch.
- There was a bug in printing readline log message caused by a misleading
indentation.
Thanks to Paul Wouters for reporting.
- The internal vsnprintf_r function looped or crashed on size parameter
with hexadecimal output.
- Ignore exit code of child process when it was killed by master due to
EOF
- Corrected byte order on read of IPV6_TCLASS value from ancillary
message
- Fixed type of the bool element in options. This had bug caused failures
e.g. of ignoreeof on big-endian systems when bool was not based on int.
- On systems with predefined bool type whose size differs from int some
IPv6 and TCP options (per setsockopt()) failed.
- Length of integral data in ancillary messages varies (TOS: 1 byte,
TTL: 4 bytes), the old implementation failed for TTL on big-endian
hosts.
- Fixed an issue in options processing: TUN and DNS flags had failed on
big-endian systems and the NO- forms had probable never worked.
porting:
- Type conflict between int and sig_atomic_t between declaration and
definition of diag_immediate_type and diag_immediate_exit broke
compilation on FreeBSD 10.1 with clang. Thanks to Emanuel Haupt for
reporting this bug.
- Socat failed to compile on platforms with OpenSSL without
DTLSv1_client_method or DTLSv1_server_method.
Thanks to Simon Matter for sending a patch.
- NuttX OS headers do not provide struct ip, thus socat did not compile.
Made struct ip subject to configure.
Thanks to SP for reporting this issue.
- Socat failed to compile with OpenSSL version 1.0.2d where
SSLv3_server_method and SSLv3_client_method are no longer defined.
Thanks to Mischa ter Smitten for reporting this issue and providing
a patch.
- configure checked for OpenSSL EC_KEY assuming it is a define but it
is a type, thus OpenSSL ECDHE ciphers failed even on Linux.
Thanks to Andrey Arapov for reporting this bug.
- Changes to make socat compile with OpenSSL 1.1.
Thanks to Sebastian Andrzej Siewior e.a. from the Debian team for
providing the base patch.
Debian Bug#828550
- Make Socat compatible with BoringSSL.
Thanks to Matt Braithwaite for providing a patch.
- OpenSSL: Use RAND_status to determine PRNG state
Thanks to Adam Langley for providing a patch
- AIX-7 uses an extended O_ACCMODE that does not fit socat's internal
requirements. Thanks to Garrick Trowsdale for providing a patch
- LibreSSL support: check for OPENSSL_NO_COMP
Thanks to Bernard Spil for providing a patch
testing:
- socks4echo.sh and socks4a-echo.sh hung with new bash with read -n
- test.sh: stderr; option -v (verbose); FDOUT_ERROR description
- improved proxy.sh - it now also takes hostnames
- A few corrections in test.sh
- DTLS1 test hangs on some distributions. Test is now only performed
with OpenSSL 1.0.2 or higher.
- More corrections to test.sh that reveal a mistake with IPV6_TCLASS
docu:
- Corrected source of socat man page to correctly show man references
like socket(2); removed obseolete entries from See Also
- Docu and some comments mentioned addresses SSL-LISTEN and SSL-CONNECT
that do not exist (OPENSSL-LISTEN, SSL-L; and OPENNSSL-CONNECT, SSL
are correct).
Thanks to Zhigang Wang for reporting this issue.
- Fixed a couple of English spelling and grammar mistakes.
Thanks to Jakub Wild for sending the patches.
- NOEXPAND() was not resolved 2 times.
- More minor docu corrections
legal:
- Added contributors to copyright notices. Suggested by Matt Braithwaite.
|
2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) |
Log message:
Bump PKGREVISION for security/openssl ABI bump.
|