rpms
/
socat
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:c10-beta
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
..
compare: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8

No commits in common. 'c10-beta' and 'c9' have entirely different histories.
c10-beta ... c9

5 changed files with 122 additions and 72 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/socat-1.7.4.4.tar.gz
SOURCES/socat-1.7.4.1.tar.gz

2
.socat.metadata
Unescape View File

@ -1 +1 @@
39ff9114e93476f8ce28398c38a43368b6a0ac09 SOURCES/socat-1.7.4.4.tar.gz
9fe5a0a0b13dded556a66259b68eb672b900f1d1 SOURCES/socat-1.7.4.1.tar.gz

102
SOURCES/socat-1.7.4.1-ipv6-peername-segfault.patch
Unescape View File

@ -0,0 +1,102 @@
commit 1477334905be18c08bd6dc77be5a62e36b573de4
Author: Gerhard Rieger <gerhard@dest-unreach.org>
Date: Tue Oct 26 19:26:18 2021 +0200
OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
diff --git a/test.sh b/test.sh
index 6ca21f3..c0e98a3 100755
--- a/test.sh
+++ b/test.sh
@@ -15040,6 +15040,60 @@ PORT=$((PORT+1))
N=$((N+1))
+# Bug fix, OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
+NAME=OPENSSL_CLIENT_IP6_CN
+case "$TESTS" in
+*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%ip6%*|*%socket%*|*%$NAME%*)
+TEST="$NAME: Test if OpenSSL server may be crashed by client cert with IPv6 address"
+# Socat 1.7.4.1 had a bug that caused OpenSSL server to crash with SIGSEGV when
+# it checked a client certificate containing IPv6 address in SubjectAltName and
+# no openssl-commonname option was given
+if ! eval $NUMCOND; then :;
+elif ! testfeats openssl >/dev/null; then
+ $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
+ listCANT="$listCANT $N"
+elif ! testfeats tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
+ $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
+ numCANT=$((numCANT+1))
+ listCANT="$listCANT $N"
+else
+gentestcert testsrv
+gentestaltcert testalt
+tf="$td/test$N.stdout"
+te="$td/test$N.stderr"
+tdiff="$td/test$N.diff"
+da="test$N $(date) $RANDOM"
+CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,reuseaddr,cert=./testsrv.pem,cafile=./testalt.crt -"
+CMD1="$TRACE $SOCAT $opts -u - OPENSSL-CONNECT:localhost:$PORT,cafile=testsrv.crt,cert=testalt.pem,verify=0"
+printf "test $F_n $TEST... " $N
+$CMD0 >/dev/null >"${tf}0" 2>"${te}0" &
+pid0=$!
+waittcp4port $PORT 1
+echo "$da" |$CMD1 2>"${te}1"
+rc1=$?
+kill $pid0 2>/dev/null; wait
+if [ $rc1 -eq 0 ] && echo "$da" |diff - "${tf}0" >$tdiff; then
+ $PRINTF "$OK\n"
+ numOK=$((numOK+1))
+else
+ $PRINTF "$FAILED\n"
+ echo "$CMD0 &" >&2
+ cat "${te}0" >&2
+ echo "$CMD1" >&2
+ cat "${te}1" >&2
+ numFAIL=$((numFAIL+1))
+ listFAIL="$listFAIL $N"
+fi
+fi # NUMCOND
+ ;;
+esac
+PORT=$((PORT+1))
+N=$((N+1))
+
+
+# end of common tests
+
##################################################################################
#=================================================================================
# here come tests that might affect your systems integrity. Put normal tests
diff --git a/xio-openssl.c b/xio-openssl.c
index 94fe44e..dc47798 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1775,15 +1775,17 @@ static int openssl_handle_peer_certificate(struct single *xfd,
#if WITH_IP6
case 16: /* IPv6 */
inet_ntop(AF_INET6, data, aBuffer, sizeof(aBuffer));
- xioip6_pton(peername, &ip6bin);
- if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
- Debug2("subjectAltName \"%s\" matches peername \"%s\"",
- aBuffer, peername);
- ok = 1;
- } else {
- Info2("subjectAltName \"%s\" does not match peername \"%s\"",
- aBuffer, peername);
- }
+ if (peername != NULL) {
+ xioip6_pton(peername, &ip6bin);
+ if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
+ Debug2("subjectAltName \"%s\" matches peername \"%s\"",
+ aBuffer, peername);
+ ok = 1;
+ } else {
+ Info2("subjectAltName \"%s\" does not match peername \"%s\"",
+ aBuffer, peername);
+ }
+ }
break;
#endif
}

32
SOURCES/socat-configure-c99.patch
Unescape View File

@ -1,32 +0,0 @@
Include <openssl/err.h> for the ERR_error_string function. This
improves compatibility with future compilers which will not accept
implicit funcction declarations by default.
diff --git a/configure b/configure
index fe4e606e91010520..694801b2a93659af 100755
--- a/configure
+++ b/configure
@@ -5199,6 +5199,8 @@ else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/ssl.h>
+ #include <openssl/err.h>
+
int
main ()
{
diff --git a/configure.ac b/configure.ac
index 09dbb7a1e8d35c84..abd599c90e3ef0d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -559,7 +559,9 @@ if test -n "$WITH_OPENSSL" -a "$sc_cv_have_openssl_ssl_h" = 'yes'; then
else
LIBS="$LIBS -lssl -lcrypto"
fi
- AC_TRY_LINK([#include <openssl/ssl.h>],
+ AC_TRY_LINK([#include <openssl/ssl.h>
+ #include <openssl/err.h>
+ ],
[SSL_library_init();ERR_error_string()],
[sc_cv_have_libssl='yes'],
[ LIBS="$LIBS -lcrypto"

56
SPECS/socat.spec
Unescape View File

@ -2,14 +2,16 @@
Summary: Bidirectional data relay between two data channels ('netcat++')
Name: socat
Version: 1.7.4.4
Release: 6%{?dist}
License: GPL-2.0-only
Version: 1.7.4.1
Release: 5%{?dist}.2
License: GPLv2
Url: http://www.dest-unreach.org/socat/
Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
Patch1: socat-1.7.3.3-warn.patch
Patch2: socat-configure-c99.patch
# https://issues.redhat.com/browse/RHEL-32914
# Based on: https://repo.or.cz/socat.git/commit/1477334905be18c08bd6dc77be5a62e36b573de4
Patch2: socat-1.7.4.1-ipv6-peername-segfault.patch
BuildRequires: make
BuildRequires: gcc
@ -45,10 +47,10 @@ mv CHANGES.utf8 CHANGES
--enable-openssl --enable-sycls --enable-filan \
--enable-retry # --enable-fips
%make_build
make %{?_smp_mflags}
%install
%make_install
make DESTDIR=%{buildroot} install
install -d %{buildroot}/%{_docdir}/socat
install -m 0644 *.sh %{buildroot}/%{_docdir}/socat/
echo ".so man1/socat.1" | gzip > %{buildroot}/%{_mandir}/man1/filan.1.gz
@ -75,41 +77,19 @@ export OD_C=/usr/bin/od
%doc %{_mandir}/man1/*
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.7.4.4-6
- Bump release for June 2024 mass rebuild
* Thu Apr 18 2024 Martin Osvald <mosvald@redhat.com> - 1.7.4.1-5.2
- Fix IPv6 peername segfault (RHEL-32914)
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Oct 02 2023 Martin Osvald <mosvald@redhat.com> - 1.7.4.4-4
- SPDX migration
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Jan 17 2023 Clemens Lang <cllang@redhat.com> - 1.7.4.4-1
- Resolves: rhbz#2038615 socat-1.7.4.4 is available
* Mon Dec 12 2022 Florian Weimer <fweimer@redhat.com> - 1.7.4.2-4
- Port configure script to C99 (#2152488)
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Nov 1 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 1.7.4.2-1
- Resolves: rhbz#2018835 socat-1.7.4.2 is available
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.7.4.1-4
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save