3 changed files with 209 additions and 14 deletions
--- a/SOURCES/socat-1.7.3.3-warn.patch
+++ b/SOURCES/socat-1.7.3.3-warn.patch
@ -0,0 +1,43 @@
 diff -Naur socat-1.7.3.3-orig/sysutils.c socat-1.7.3.3/sysutils.c
 --- socat-1.7.3.3-orig/sysutils.c	2017-01-08 05:38:53.000000000 -0500
 +++ socat-1.7.3.3/sysutils.c	2019-06-24 17:02:56.693056583 -0400
@@ -614,7 +614,7 @@
       return -1;
    }
 -   strncpy(ifr.ifr_name, ifname, IFNAMSIZ);	/* ok */
 +   strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);	/* ok */
    if (Ioctl(s, SIOCGIFINDEX, &ifr) < 0) {
       Info3("ioctl(%d, SIOCGIFINDEX, {\"%s\"}): %s",
 	     s, ifr.ifr_name, strerror(errno));
 diff -Naur socat-1.7.3.3-orig/xio-socket.c socat-1.7.3.3/xio-socket.c
 --- socat-1.7.3.3-orig/xio-socket.c	2017-01-08 04:56:00.000000000 -0500
 +++ socat-1.7.3.3/xio-socket.c	2019-06-24 17:04:48.684491835 -0400
@@ -1710,7 +1710,6 @@
 int xiocheckpeer(xiosingle_t *xfd,
 		 union sockaddr_union *pa, union sockaddr_union *la) {
    char infobuff[256];
 -   int result;
 #if WITH_IP4
    if (xfd->para.socket.dorange) {
@@ -1778,6 +1777,7 @@
 #endif /* WITH_TCP || WITH_UDP */
 #if (WITH_TCP || WITH_UDP) && WITH_LIBWRAP
 +   int result;
    result = xio_tcpwrap_check(xfd, la, pa);
    if (result < 0) {
       char infobuff[256];
 diff -Naur socat-1.7.3.3-orig/xio-tun.c socat-1.7.3.3/xio-tun.c
 --- socat-1.7.3.3-orig/xio-tun.c	2017-01-06 15:58:40.000000000 -0500
 +++ socat-1.7.3.3/xio-tun.c	2019-06-24 17:03:55.276797729 -0400
@@ -106,7 +106,7 @@
    memset(&ifr, 0,sizeof(ifr));
    if (retropt_string(opts, OPT_TUN_NAME, &tunname) == 0) {
 -      strncpy(ifr.ifr_name, tunname, IFNAMSIZ);	/* ok */
 +      strncpy(ifr.ifr_name, tunname, IFNAMSIZ - 1);	/* ok */
       free(tunname);
    } else {
       ifr.ifr_name[0] = '\0';
--- a/SOURCES/socat-1.7.4.1-ipv6-peername-segfault.patch
+++ b/SOURCES/socat-1.7.4.1-ipv6-peername-segfault.patch
@ -0,0 +1,102 @@
 commit 1477334905be18c08bd6dc77be5a62e36b573de4
 Author: Gerhard Rieger <gerhard@dest-unreach.org>
 Date:   Tue Oct 26 19:26:18 2021 +0200
    OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
 diff --git a/test.sh b/test.sh
 index 6ca21f3..c0e98a3 100755
 --- a/test.sh
 +++ b/test.sh
@@ -15040,6 +15040,60 @@ PORT=$((PORT+1))
 N=$((N+1))
 +# Bug fix, OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
 +NAME=OPENSSL_CLIENT_IP6_CN
 +case "$TESTS" in
 +*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%ip6%*|*%socket%*|*%$NAME%*)
 +TEST="$NAME: Test if OpenSSL server may be crashed by client cert with IPv6 address"
 +# Socat 1.7.4.1 had a bug that caused OpenSSL server to crash with SIGSEGV when
 +# it checked a client certificate containing IPv6 address in SubjectAltName and
 +# no openssl-commonname option was given
 +if ! eval $NUMCOND; then :;
 +elif ! testfeats openssl >/dev/null; then
 +    $PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
 +    numCANT=$((numCANT+1))
 +    listCANT="$listCANT $N"
 +elif ! testfeats tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
 +    $PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
 +    numCANT=$((numCANT+1))
 +    listCANT="$listCANT $N"
 +else
 +gentestcert testsrv
 +gentestaltcert testalt
 +tf="$td/test$N.stdout"
 +te="$td/test$N.stderr"
 +tdiff="$td/test$N.diff"
 +da="test$N $(date) $RANDOM"
 +CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,reuseaddr,cert=./testsrv.pem,cafile=./testalt.crt -"
 +CMD1="$TRACE $SOCAT $opts -u - OPENSSL-CONNECT:localhost:$PORT,cafile=testsrv.crt,cert=testalt.pem,verify=0"
 +printf "test $F_n $TEST... " $N
 +$CMD0 >/dev/null >"${tf}0" 2>"${te}0" &
 +pid0=$!
 +waittcp4port $PORT 1
 +echo "$da" |$CMD1 2>"${te}1"
 +rc1=$?
 +kill $pid0 2>/dev/null; wait
 +if [ $rc1 -eq 0 ] && echo "$da" |diff - "${tf}0" >$tdiff; then
 +    $PRINTF "$OK\n"
 +    numOK=$((numOK+1))
 +else
 +    $PRINTF "$FAILED\n"
 +    echo "$CMD0 &" >&2
 +    cat "${te}0" >&2
 +    echo "$CMD1" >&2
 +    cat "${te}1" >&2
 +    numFAIL=$((numFAIL+1))
 +    listFAIL="$listFAIL $N"
 +fi
 +fi # NUMCOND
 + ;;
 +esac
 +PORT=$((PORT+1))
 +N=$((N+1))
 +
 +
 +# end of common tests
 +
 ##################################################################################
 #=================================================================================
 # here come tests that might affect your systems integrity. Put normal tests
 diff --git a/xio-openssl.c b/xio-openssl.c
 index 94fe44e..dc47798 100644
 --- a/xio-openssl.c
 +++ b/xio-openssl.c
@@ -1775,15 +1775,17 @@ static int openssl_handle_peer_certificate(struct single *xfd,
 #if WITH_IP6
 			case 16: /* IPv6 */
 			   inet_ntop(AF_INET6, data, aBuffer, sizeof(aBuffer));
 -			   xioip6_pton(peername, &ip6bin);
 -			   if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
 -			      Debug2("subjectAltName \"%s\" matches peername \"%s\"",
 -				    aBuffer, peername);
 -			      ok = 1;
 -			   } else {
 -			      Info2("subjectAltName \"%s\" does not match peername \"%s\"",
 -				    aBuffer, peername);
 -			   }			      
 +			   if (peername != NULL) {
 +			      xioip6_pton(peername, &ip6bin);
 +			      if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
 +			         Debug2("subjectAltName \"%s\" matches peername \"%s\"",
 +					aBuffer, peername);
 +			         ok = 1;
 +			      } else {
 +			         Info2("subjectAltName \"%s\" does not match peername \"%s\"",
 +				       aBuffer, peername);
 +			      }
 +			   }
 			   break;
 #endif
 			}
--- a/SPECS/socat.spec
+++ b/SPECS/socat.spec
@ -3,12 +3,18 @@
 Summary: Bidirectional data relay between two data channels ('netcat++')
 Name: socat
 Version: 1.7.4.1
-Release: 1%{?dist}
+Release: 5%{?dist}.2
 License: GPLv2
 Url:  http://www.dest-unreach.org/socat/
 Source: http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
 Group: Applications/Internet
 Patch1: socat-1.7.3.3-warn.patch
 # https://issues.redhat.com/browse/RHEL-32914
 # Based on: https://repo.or.cz/socat.git/commit/1477334905be18c08bd6dc77be5a62e36b573de4
 Patch2: socat-1.7.4.1-ipv6-peername-segfault.patch
 BuildRequires: make
 BuildRequires:  gcc
 BuildRequires: openssl-devel readline-devel ncurses-devel
 BuildRequires: autoconf kernel-headers > 2.6.18
 # for make test
@ -26,6 +32,8 @@ line editor (readline), a program, or a combination of two of these.
 %setup -q
 iconv -f iso8859-1 -t utf-8 CHANGES > CHANGES.utf8
 mv CHANGES.utf8 CHANGES
 %patch1 -p1
 %patch2 -p1
 %build
 %configure  \
@ -37,7 +45,7 @@ mv CHANGES.utf8 CHANGES
        --enable-listen --enable-proxy --enable-exec \
        --enable-system --enable-pty --enable-readline \
        --enable-openssl --enable-sycls --enable-filan \
-        --enable-retry #--enable-fips
+        --enable-retry # --enable-fips
 make %{?_smp_mflags}
@ -45,15 +53,19 @@ make %{?_smp_mflags}
 make DESTDIR=%{buildroot} install
 install -d %{buildroot}/%{_docdir}/socat
 install -m 0644 *.sh %{buildroot}/%{_docdir}/socat/
 install -m 0644 *.sh %{buildroot}/%{_docdir}/socat/
 echo ".so man1/socat.1" | gzip > %{buildroot}/%{_mandir}/man1/filan.1.gz
 cp -a %{buildroot}/%{_mandir}/man1/filan.1.gz %{buildroot}/%{_mandir}/man1/procan.1.gz
 %check
 export TERM=ansi
 export OD_C=/usr/bin/od
-# intermittently, a test sometimes just fails and hangs, mostly on arm
+# intermittently, a test sometimes just fails and some just hang
-#timeout 30m make test
+# HANGS on x86_64: 93, 323
 # FAILED on x86_64:  61 215 306 307
 # FAILED on ppc64le: 58 239
 # FAILED on armv7hl: 154 155 318 319
 #sed -i 's/NUMCOND=true/NUMCOND="test \\$N -ne 93 -a \\$N -ne 323"/' test.sh
 #make test
 %files
 %doc BUGREPORTS CHANGES DEVELOPMENT EXAMPLES FAQ PORTING
@ -65,16 +77,54 @@ export OD_C=/usr/bin/od
 %doc %{_mandir}/man1/*
 %changelog
-* Tue Mar 30 2021 Paul Wouters <pwouters@redhat.com> - 1.7.4.1-1
+* Thu Apr 18 2024 Martin Osvald <mosvald@redhat.com> - 1.7.4.1-5.2
- Resolves: rhbz#1805132 socat does not recognize IP addresses of the SAN extensions in ssl mode
+- Fix IPv6 peername segfault (RHEL-32914)
- Resolves: rhbz#1870279 Transfer via socat fails with openssl enabled
+
- Resolves: rhbz#1914989 Socat udp4-recvfrom cause endless loop error when target is not vaild
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-4
 - Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.7.4.1-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.4.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Mon Jan 11 10:35:54 EST 2021 Paul Wouters <pwouters@redhat.com> - 1.7.4.1-1
 - Resolves: rhbz#1914653 socat-1.7.4.1 is available
 * Mon Jan  4 09:34:27 EST 2021 Paul Wouters <pwouters@redhat.com> - 1.7.4.0-1
 - Resolves: rhbz#1912161 socat-1.7.4.0 is available
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Mon Jan 06 2020 Paul Wouters <pwouters@redhat.com> - 1.7.3.4-1
 - Resolves: rhbz#1787954 socat-1.7.3.4 is available
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Mon Jun 24 2019 Paul Wouters <pwouters@redhat.com> - 1.7.3.3-1
 - Resolves: rhbz#1696931 socat-1.7.3.3 is available
 - Resolves: rhbz#1612274 Man page scan results for socat
 - Disabled --enable-fips as its requires fipsld which we don't have.
 * Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.7.3.2-9
 - Rebuild for readline 8.0
-* Sun Dec 01 2019 Paul Wouters <pwouters@redhat.com> - 1.7.3.3-2
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.2-8
- Resolves: rhbz#1682464 socat changes blocked until gating tests are added
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-* Wed Nov 06 2019 Paul Wouters <pwouters@redhat.com> - 1.7.3.3-1
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.2-7
- Resolves: rhbz#1723581 socat-1.7.3.3 is available
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3.2-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild