From 49fba54f41660b43b9a70bd7796027cd5b177c88 Mon Sep 17 00:00:00 2001
From: Davide Madrisan
Date: Fri, 5 Jan 2024 23:43:40 +0100
Subject: [PATCH] update to 3.2.0b6 security fixes [release 3.2.0b6-1mamba;Tue Dec 01 2009]
---
 README.md | 6 ++
 htdig-3.2.0b6-CAN_2005_0085.patch | 26 +++++++
 htdig-3.2.0b6-CVE_2007_6110.patch | 24 ++++++
 htdig-3.2.0b6-compile-fix.patch | 15 ++++
 htdig-3.2.0b6-overflow.patch | 12 +++
 htdig-3.2.0b6-segv.patch | 13 ++++
 htdig.spec | 122 ++++++++++++++++++++++++++++++
 7 files changed, 218 insertions(+)
 create mode 100644 htdig-3.2.0b6-CAN_2005_0085.patch
 create mode 100644 htdig-3.2.0b6-CVE_2007_6110.patch
 create mode 100644 htdig-3.2.0b6-compile-fix.patch
 create mode 100644 htdig-3.2.0b6-overflow.patch
 create mode 100644 htdig-3.2.0b6-segv.patch
 create mode 100644 htdig.spec
diff --git a/README.md b/README.md
index 6b54e95..ef0d6c9 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,8 @@
 # htdig
+The ht://Dig system is a complete world wide web indexing and searching system for a domain or intranet.
+This system is not meant to replace the need for powerful internet-wide search systems like Lycos, Infoseek, Google and AltaVista.
+Instead it is meant to cover the search needs for a single company, campus, or even a particular sub section of a web site.
+As opposed to some WAIS-based or web-server based search engines, ht://Dig can easily span several web servers.
+The type of these different web servers doesn't matter as long as they understand common protocols like HTTP.
+
 
diff --git a/htdig-3.2.0b6-CAN_2005_0085.patch b/htdig-3.2.0b6-CAN_2005_0085.patch
new file mode 100644
index 0000000..9ade3c1
--- /dev/null
+++ b/htdig-3.2.0b6-CAN_2005_0085.patch
@@ -0,0 +1,26 @@
+diff -ru htdig-3.2.0b6/htsearch/htsearch.cc htdig-3.2.0b6-fix/htsearch/htsearch.cc
+--- htdig-3.2.0b6/htsearch/htsearch.cc 2004-05-28 15:15:24.000000000 +0200
++++ htdig-3.2.0b6-fix/htsearch/htsearch.cc 2009-12-01 21:24:38.000000000 +0100
+@@ -211,8 +211,7 @@
+ }
+ if (access((char*)configFile, R_OK) < 0)
+ {
+- reportError(form("Unable to read configuration file '%s'",
+- configFile.get()));
++ reportError("Unable to read configuration file");
+ }
+ config->Read(configFile);
+
+diff -ru htdig-3.2.0b6/htsearch/qtest.cc htdig-3.2.0b6-fix/htsearch/qtest.cc
+--- htdig-3.2.0b6/htsearch/qtest.cc 2004-05-28 15:15:25.000000000 +0200
++++ htdig-3.2.0b6-fix/htsearch/qtest.cc 2009-12-01 21:25:17.000000000 +0100
+@@ -132,8 +132,7 @@
+
+ if (access((char*)configFile, R_OK) < 0)
+ {
+- reportError(form("Unable to find configuration file '%s'",
+- configFile.get()));
++ reportError("Unable to find configuration file");
+ }
+
+ config->Read(configFile);
diff --git a/htdig-3.2.0b6-CVE_2007_6110.patch b/htdig-3.2.0b6-CVE_2007_6110.patch
new file mode 100644
index 0000000..1ee5f28
--- /dev/null
+++ b/htdig-3.2.0b6-CVE_2007_6110.patch
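Review bot: The new `reportError("Unable to read configuration file")` in htsearch.cc stops the user-supplied config-file name from being reflected into the error page, which is the CAN-2005-0085 fix, but it also removes the only diagnostic an operator gets for a mis-set `config` parameter; writing the name to the server log instead of the response keeps that without reintroducing the reflection, e.g. `fprintf(stderr, "htsearch: cannot read config '%s'\n", configFile.get());` before the call. The `access()` check and the following `config->Read(configFile)` are unchanged context, and the enclosing function starts and ends outside the hunk, so whatever validation `configFile` received earlier (such as confinement to the configuration directory) cannot be confirmed from here — the change neutralises the echo of the value, not the value itself. The same two remarks apply to the qtest.cc hunk.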
@@ -0,0 +1,24 @@
+diff -ru htdig-3.2.0b6/htsearch/Display.cc htdig-3.2.0b6-fix/htsearch/Display.cc
+--- htdig-3.2.0b6/htsearch/Display.cc 2004-05-28 15:15:24.000000000 +0200
++++ htdig-3.2.0b6-fix/htsearch/Display.cc 2009-12-01 21:29:25.000000000 +0100
+@@ -137,7 +137,7 @@
+ // Must temporarily stash the message in a String, since
+ // displaySyntaxError will overwrite the static temp used in form.
+
+- String s(form("No such sort method: `%s'", (const char*)config->Find("sort")));
++ String s("invalid sort method");
+
+ displaySyntaxError(s);
+ return;
+diff -ru htdig-3.2.0b6/libhtdig/ResultFetch.cc htdig-3.2.0b6-fix/libhtdig/ResultFetch.cc
+--- htdig-3.2.0b6/libhtdig/ResultFetch.cc 2004-05-28 15:15:28.000000000 +0200
++++ htdig-3.2.0b6-fix/libhtdig/ResultFetch.cc 2009-12-01 21:30:26.000000000 +0100
+@@ -142,7 +142,7 @@
+ // Must temporarily stash the message in a String, since
+ // displaySyntaxError will overwrite the static temp used in form.
+
+- String s(form("No such sort method: `%s'", (const char *) config->Find("sort")));
++ String s("invalid sort method");
+
+ displaySyntaxError(s);
+ //return;
diff --git a/htdig-3.2.0b6-compile-fix.patch b/htdig-3.2.0b6-compile-fix.patch
new file mode 100644
index 0000000..e464cb8
--- /dev/null
+++ b/htdig-3.2.0b6-compile-fix.patch
@@ -0,0 +1,15 @@
+diff -ru htdig-3.2.0b6/htsearch/Collection.h htdig-3.2.0b6-fix/htsearch/Collection.h
+--- htdig-3.2.0b6/htsearch/Collection.h 2004-05-28 15:15:24.000000000 +0200
++++ htdig-3.2.0b6-fix/htsearch/Collection.h 2009-12-01 21:16:14.000000000 +0100
+@@ -36,9 +36,9 @@
+ const char *docExcerpt);
+ ~Collection();
+
+- void Collection::Open();
++ void Open();
+
+- void Collection::Close();
++ void Close();
+
+ char *getWordFile() { return wordFile.get(); }
+ DocumentRef *getDocumentRef(int id);
diff --git a/htdig-3.2.0b6-overflow.patch b/htdig-3.2.0b6-overflow.patch
new file mode 100644
index 0000000..d0a8809
--- /dev/null
+++ b/htdig-3.2.0b6-overflow.patch
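Review bot: The two comment lines kept directly above the new `String s("invalid sort method");` in Display.cc ("Must temporarily stash the message in a String, since displaySyntaxError will overwrite the static temp used in form") are now stale, because the replacement no longer calls `form()`; the identical stale comment survives in the ResultFetch.cc hunk. Replace them with a note that records why the value is deliberately not echoed, e.g. `// Do not interpolate the user-supplied "sort" value here: it was reflected unescaped (CVE-2007-6110).`, so the next maintainer does not reintroduce the interpolation for a friendlier message. Whether `displaySyntaxError` HTML-encodes its argument cannot be seen in this hunk; if it does, keeping the value but encoding it would preserve the diagnostic. Both enclosing functions start and end outside the hunks.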
@@ -0,0 +1,12 @@
+diff -ru htdig-3.2.0b6/htword/WordDBPage.cc htdig-3.2.0b6-fix/htword/WordDBPage.cc
+--- htdig-3.2.0b6/htword/WordDBPage.cc 2004-05-28 15:15:26.000000000 +0200
++++ htdig-3.2.0b6-fix/htword/WordDBPage.cc 2009-12-01 21:13:37.000000000 +0100
+@@ -82,7 +82,7 @@
+ if(debuglevel>2)printf("TOTAL SIZE: %6d %8f\n",size,size/8.0);
+ // argh! compare failed somthing went wrong
+ // display the compress/decompress sequence and fail
+- if(cmp || size>8*1024*1000000000)
++ if(cmp || size>8*1024)
+ {
+ if(size>8*1024)
+ {
diff --git a/htdig-3.2.0b6-segv.patch b/htdig-3.2.0b6-segv.patch
new file mode 100644
index 0000000..6c420c6
--- /dev/null
+++ b/htdig-3.2.0b6-segv.patch
@@ -0,0 +1,13 @@
+diff -ru htdig-3.2.0b6/httools/htstat.cc htdig-3.2.0b6-fix/httools/htstat.cc
+--- htdig-3.2.0b6/httools/htstat.cc 2004-05-28 15:15:25.000000000 +0200
++++ htdig-3.2.0b6-fix/httools/htstat.cc 2009-12-01 21:21:06.000000000 +0100
+@@ -158,7 +158,8 @@
+ if(words.Open(config->Find("word_db"), O_RDONLY) == OK)
+ {
+ cout << "htstat: Total words: " << words.WordRefs()->Count() << endl;
+- cout << "htstat: Total unique words: " << words.Words()->Count() << endl;
++ if (words.WordRefs()->Count() != 0)
++ cout << "htstat: Total unique words: " << words.Words()->Count() << endl;
+ words.Close();
+ }
+
diff --git a/htdig.spec b/htdig.spec
new file mode 100644
index 0000000..b47026c
--- /dev/null
+++ b/htdig.spec
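Review bot: The new condition `if(cmp || size>8*1024)` makes the nested `if(size>8*1024)` two lines below redundant on the size path, and the intent would be clearer if the limit lived in one named constant used by both checks, e.g. `const int kMaxPageBits = 8*1024;`. The removed literal `8*1024*1000000000` is about 8.2e12 and overflows a 32-bit `int`, so the old test was effectively meaningless; since the hunk shows neither the type of `size` nor why 8 KiB is the bound, confirming that the nested check's error path really is the intended limit is worth a comment on the new line, e.g. `// size is in bits; a page larger than 8*1024 bits is treated as a compression failure (was an overflowed constant)`. The enclosing function continues outside the hunk.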
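Review bot: The added guard `if (words.WordRefs()->Count() != 0)` uses the count of one list to decide whether to dereference a different one, `words.Words()`; if the crash this patch addresses is `Words()` returning null for an empty database, testing that pointer directly, `if (words.Words()) cout << "htstat: Total unique words: " << words.Words()->Count() << endl;`, states the actual invariant and also covers a non-empty database whose word list is absent. The hunk does not show the return types of `Words()` or `WordRefs()`, so this is inferred from the segv the patch name describes; note that `WordRefs()` itself is still dereferenced unguarded on the unchanged line above. The enclosing block of htstat continues outside the hunk.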
@@ -0,0 +1,122 @@
+%define groupid 65038
+%define userid 65038
+
+Name: htdig
+Version: 3.2.0b6
+Release: 1mamba
+Summary: A complete world wide web indexing and searching system for a domain or intranet
+Group: Applications/Web
+Vendor: openmamba
+Distribution: openmamba
+Packager: Silvan Calarco
+URL: http://www.htdig.org/
+Source: http://downloads.sourceforge.net/project/htdig/htdig/%{version}/htdig-%{version}.tar.bz2
+Patch1: %{name}-3.2.0b6-CAN_2005_0085.patch
+Patch2: %{name}-3.2.0b6-overflow.patch
+Patch3: %{name}-3.2.0b6-compile-fix.patch
+Patch4: %{name}-3.2.0b6-segv.patch
+Patch5: %{name}-3.2.0b6-CVE_2007_6110.patch
+License: GPL
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+
+%description
+The ht://Dig system is a complete world wide web indexing and searching system for a domain or intranet.
+This system is not meant to replace the need for powerful internet-wide search systems like Lycos, Infoseek, Google and AltaVista.
+Instead it is meant to cover the search needs for a single company, campus, or even a particular sub section of a web site.
+As opposed to some WAIS-based or web-server based search engines, ht://Dig can easily span several web servers.
+The type of these different web servers doesn't matter as long as they understand common protocols like HTTP.
+
+%prep
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
+%build
+%configure \
+ --enable-shared \
+ --enable-tests \
+ --enable-bigfile \
+ --with-config-dir=%{_sysconfdir}/htdig \
+ --with-default-config-file=%{_sysconfdir}/htdig/htdig.conf \
+ --with-cgi-bin-dir=/var/www/cgi-bin \
+ --with-image-dir=/var/www/html/htdig \
+ --with-search-dir=/var/www/html/htdig \
+ --with-common-dir=%{_datadir}/htdig \
+ --with-database-dir=/var/lib/htdig \
+ --with-apache=/usr/sbin/httpd \
+ --with-zlib=/usr \
+ --with-ssl
+
+%make
+
+%install
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+install -d %{buildroot}%{_sysconfdir}/htdig
+%makeinstall
+
+cp %{buildroot}/var/www/cgi-bin/htsearch %{buildroot}%{_bindir}
+chmod 644 %{buildroot}/var/www/html/htdig/*
+ln -sf ./search.html %{buildroot}/var/www/html/htdig/index.html
+
+# remove unpackaged files
+rm -fr %{buildroot}%{_includedir}
+rm -rf %{buildroot}%{_libdir}/htdig/*.a
+rm -rf %{buildroot}%{_libdir}/htdig/*.la
+rm -rf %{buildroot}%{_libdir}/htdig_db/*.a
+rm -rf %{buildroot}%{_libdir}/htdig_db/*.la
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+
+%pre
+groupadd htdig -g %{groupid} 2>/dev/null
+useradd -u %{userid} -c 'Htdig user' -d /var/lib/htdig -g htdig \
+ -s /bin/false htdig 2>/dev/null
+exit 0
+
+%preun
+# erase
+if [ $1 -eq 0 ]; then
+ userdel htdig 2>/dev/null
+ groupdel htdig 2>/dev/null
+fi
+exit 0
+
+%files
+%defattr(-,root,root)
+%{_bindir}/*
+%dir %attr(-,htdig,root) %{_datadir}/htdig
+%{_datadir}/htdig/*
+%dir %attr(-,htdig,htdig) /var/lib/htdig
+%{_libdir}/htdig
+%{_libdir}/htdig_db
+%dir %{_sysconfdir}/htdig
+%config(noreplace) %{_sysconfdir}/htdig/htdig.conf
+%config(noreplace) %{_sysconfdir}/htdig/cookies.txt
+%{_sysconfdir}/htdig/HtFileType-magic.mime
+%{_sysconfdir}/htdig/mime.types
+/var/www/cgi-bin/*
+%dir /var/www/html/htdig
+/var/www/html/htdig/*
+%{_mandir}/man1/*
+%{_mandir}/man8/*
+%doc COPYING ChangeLog README
+
+%changelog
+* Tue Dec 01 2009 Davide
Madrisan 3.2.0b6-1mamba
+- update to 3.2.0b6
+- security fixes
+
+* Mon Jun 26 2006 Davide Madrisan 3.1.6-3qilnx
+- own %{_datadir}/htdig
+- fixed directory and files permissions
+- added %%pre and %%preun scriplets
+
+* Fri Apr 01 2005 Davide Madrisan 3.1.6-2qilnx
+- fixed security flaw QSA-2005-034 (CAN-2005-0085)
+
+* Tue Oct 19 2004 Silvan Calarco 3.1.6-1qilnx
+- package created by autospec
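Review bot: The `%pre` scriptlet hides every `groupadd`/`useradd` failure behind `2>/dev/null` and an unconditional `exit 0`, so if the `htdig` account cannot be created (for example because UID/GID 65038 is already taken) the install proceeds and rpm assigns the `%attr(-,htdig,htdig) /var/lib/htdig` and `%attr(-,htdig,root) %{_datadir}/htdig` directories to root with only a warning; at minimum verify the account before returning, e.g. `getent passwd htdig >/dev/null || exit 1`. Separately, `Source:` is fetched over plain `http://` and the spec carries no checksum, so the tarball that the five security patches are applied to is never integrity-checked — record a SHA-256 (or verify the upstream signature) in the build. The new changelog entry says only "security fixes"; naming CAN-2005-0085 and CVE-2007-6110 there is what the next packager will search for.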