=== modified file 'debian/changelog'
--- debian/changelog 2014-01-24 08:45:40 +0000
+++ debian/changelog 2014-05-13 18:29:26 +0000
@@ -1,3 +1,19 @@
+openwsman (2.4.3-0ubuntu4.1) trusty-security; urgency=low
+
+ * Add security fixes from upstream openwsman-2.4.4 (LP: #1319089)
+ * ws_xml_make_default_prefix() can overflow buf parameter via sprintf()
+ * wsmc_create_request() potential buf[20] overflow via WSMAN_ACTION_RENEW
+ * LocalSubscriptionOpUpdate() unchecked fopen()
+ * Incorrect order of sanity guards in wsman_get_fault_status_from_doc()
+ * Unchecked memory allocation in wsman_init_plugins(), p->ifc
+ * Unchecked memory allocation in mem_double(), newptr
+ * Unchecked memory allocation in dictionary_new(), d, d->val, d->key,
+ d->hash
+ * Unchecked memory allocation in u_error_new(), *error
+ * sighup_handler() in wsmand.c uses unsafe functions in a signal handler
+
+ -- Kent Baxley Tue, 13 May 2014 10:32:02 -0500
+
 openwsman (2.4.3-0ubuntu4) trusty; urgency=low

 * debian/control: fix the breaks and replaces version numbers
=== modified file 'debian/patches/series'
--- debian/patches/series 2014-01-13 12:11:37 +0000
+++ debian/patches/series 2014-05-13 18:29:26 +0000
@@ -1,1 +1,2 @@
 cmake-python-includes.patch
+upstream-security-fixes.patch
=== added file 'debian/patches/upstream-security-fixes.patch'
--- debian/patches/upstream-security-fixes.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/upstream-security-fixes.patch 2014-05-13 18:29:26 +0000
@@ -0,0 +1,525 @@
+Description: Add security fixes from upstream
+ Upstream patched several parts of the code per recommendations from Ubuntu
+ Security team. It would be good to go ahead and include those in the 14.04
+ LTS version of openwsman.
+ .
+ openwsman (2.4.3-0ubuntu5) trusty; urgency=medium
+ .
+ * Add security fixes from upstream openwsman-2.4.4 (LP: #1319089)
+ * ws_xml_make_default_prefix() can overflow buf parameter via sprintf()
+ * wsmc_create_request() potential buf[20] overflow via WSMAN_ACTION_RENEW
+ * LocalSubscriptionOpUpdate() unchecked fopen()
+ * Incorrect order of sanity guards in wsman_get_fault_status_from_doc()
+ * Unchecked memory allocation in wsman_init_plugins(), p->ifc
+ * Unchecked memory allocation in mem_double(), newptr
+ * Unchecked memory allocation in dictionary_new(), d, d->val, d->key, d->hash
+ * Unchecked memory allocation in u_error_new(), *error
+ * sighup_handler() in wsmand.c uses unsafe functions in a signal handler
+Author: Kent Baxley
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1319089
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format.
Here +are templates for supplementary fields that you might want to add: + +Origin: upstream, https://github.com/Openwsman/openwsman/commits/638b9c8acfa6ded84c94c01e137c61c29d65d62e/src + +--- openwsman-2.4.3.orig/src/lib/u/iniparser.c ++++ openwsman-2.4.3/src/lib/u/iniparser.c +@@ -152,6 +152,10 @@ static void * mem_double(void * ptr, int + void *newptr; + + newptr = calloc(2*size, 1); ++ if (newptr == NULL) { ++ fprintf(stderr, "mem_double: allocation failed\n"); ++ return NULL; ++ } + memcpy(newptr, ptr, size); + free(ptr); + return newptr ; +@@ -214,11 +218,16 @@ static dictionary * dictionary_new(int s + if (sizesize = size ; +- d->val = (char **)calloc(size, sizeof(char*)); +- d->key = (char **)calloc(size, sizeof(char*)); +- d->hash = (unsigned int *)calloc(size, sizeof(unsigned)); +- ++ if (d != NULL) { ++ d->size = size ; ++ d->val = (char **)calloc(size, sizeof(char*)); ++ d->key = (char **)calloc(size, sizeof(char*)); ++ d->hash = (unsigned int *)calloc(size, sizeof(unsigned)); ++ } ++ if ((d == NULL) || (d->val == NULL) || (d->key == NULL) || (d->hash == NULL)) { ++ fprintf(stderr, "dictionary_new: memory allocation failure\n"); ++ d = NULL; ++ } + return d; + } + +@@ -346,8 +355,14 @@ static void dictionary_set(dictionary * + + /* Reached maximum size: reallocate blackboard */ + d->val = (char **)mem_double(d->val, d->size * sizeof(char*)) ; ++ if (d->val == NULL) ++ exit(1); + d->key = (char **)mem_double(d->key, d->size * sizeof(char*)) ; ++ if (d->key == NULL) ++ exit(1); + d->hash = (unsigned int *)mem_double(d->hash, d->size * sizeof(unsigned)) ; ++ if (d->hash == NULL) ++ exit(1); + + /* Double size */ + d->size *= 2 ; +@@ -874,6 +889,8 @@ dictionary * iniparser_new(char *ininame + * Initialize a new dictionary entry + */ + d = dictionary_new(0); ++ if (d == NULL) ++ return d; + lineno = 0 ; + while (fgets(lin, ASCIILINESZ, ini)!=NULL) { + lineno++ ; +--- openwsman-2.4.3.orig/src/lib/u/uerr.c ++++ openwsman-2.4.3/src/lib/u/uerr.c +@@ -44,6 +44,10 
@@ void u_error_new(u_error_t **error, int
+ return;
+
+ *error = u_malloc(sizeof(u_error_t));
++ if (*error == NULL) {
++ fprintf(stderr, "u_error_new: memory allocation failure\n");
++ return;
++ }
+ (*error)->code = code;
+ va_start(args, format);
+ (*error)->message = u_strdup_vprintf(format, args);
+--- openwsman-2.4.3.orig/src/lib/wsman-client.c
++++ openwsman-2.4.3/src/lib/wsman-client.c
+@@ -855,7 +855,6 @@ wsmc_create_request(WsManClient * cl, co
+ WsXmlNodeH header;
+ WsXmlNodeH node;
+ char *_action = NULL;
+- char buf[20];
+ if (action == WSMAN_ACTION_IDENTIFY) {
+ request = ws_xml_create_envelope();
+ } else {
+@@ -964,14 +963,18 @@ wsmc_create_request(WsManClient * cl, co
+ }
+ break;
+ case WSMAN_ACTION_RENEW:
++ {
++ char buf[20];
+ node = ws_xml_add_child(body,
+ XML_NS_EVENTING, WSEVENT_RENEW, NULL);
+- sprintf(buf, "PT%fS", options->expires);
++ /* %f default precision is 6 -> [-]ddd.ddd */
++ snprintf(buf, 20, "PT%fS", options->expires);
+ ws_xml_add_child(node, XML_NS_EVENTING, WSEVENT_EXPIRES, buf);
+ if(data) {
+ if(((char *)data)[0] != 0)
+ add_subscription_context(ws_xml_get_soap_header(request), (char *)data);
+ }
++ }
+ break;
+ case WSMAN_ACTION_NONE:
+ case WSMAN_ACTION_TRANSFER_CREATE:
+--- openwsman-2.4.3.orig/src/lib/wsman-faults.c
++++ openwsman-2.4.3/src/lib/wsman-faults.c
+@@ -607,22 +607,37 @@ void
+ wsman_get_fault_status_from_doc (WsXmlDocH doc, WsmanStatus *status)
+ {
+ int i;
+- char *subcode_value=ws_xml_get_xpath_value(doc, FAULT_SUBCODE_VALUE_XPATH);
+- char *subcode_value_msg =calloc(1,strlen(subcode_value));
+- char *start_pos = strchr(subcode_value,':');
+- strcpy(subcode_value_msg, start_pos+1);
+- if (strlen(subcode_value)== 0 ) return ;
++ char *subcode_value = ws_xml_get_xpath_value(doc, FAULT_SUBCODE_VALUE_XPATH);
++ char *subcode_value_msg;
++ char *start_pos;
++
++ if (strlen(subcode_value) == 0)
++ return;
++
++ subcode_value_msg = calloc(1, strlen(subcode_value));
++ if (subcode_value_msg == NULL) {
++
error("Out of memory");
++ status->fault_code = WSMAN_INTERNAL_ERROR;
++ /* some default values */
++ status->fault_detail_code = OWSMAN_SYSTEM_ERROR;
++ status->fault_msg = NULL;
++ return;
++ }
++
++ start_pos = strchr(subcode_value, ':');
++ if (start_pos != NULL) {
++ strcpy(subcode_value_msg, start_pos+1);
+
+- int nfaults = sizeof (fault_code_table) / sizeof (fault_code_table[0]);
+- for (i = 0; i < nfaults; i++) {
+- if (strcmp (subcode_value_msg , fault_code_table[i].subCode) == 0) {
+- status->fault_code = fault_code_table[i].fault_code;
+- //some default values
+- status->fault_detail_code = 0;
+- status->fault_msg='\0';
+- return;
++ int nfaults = sizeof (fault_code_table) / sizeof (fault_code_table[0]);
++ for (i = 0; i < nfaults; i++) {
++ if (strcmp (subcode_value_msg , fault_code_table[i].subCode) == 0) {
++ status->fault_code = fault_code_table[i].fault_code;
++ /* some default values */
++ status->fault_detail_code = 0;
++ status->fault_msg = NULL;
++ return;
++ }
+ }
+-
+ }
+ return;
+ }
+--- openwsman-2.4.3.orig/src/lib/wsman-server.c
++++ openwsman-2.4.3/src/lib/wsman-server.c
+@@ -102,6 +102,10 @@ WsContextH wsman_init_plugins(WsManListe
+
+ p->ifc = (WsDispatchInterfaceInfo *)
+ malloc(sizeof(WsDispatchInterfaceInfo));
++ if (p->ifc == NULL) {
++ error("Memory allocation error while loading plugin");
++ return NULL;
++ }
+ ifcinfo = p->ifc;
+ ifcinfo->extraData = p->data;
+ p->set_config = dlsym(p->p_handle, "set_config");
+--- openwsman-2.4.3.orig/src/lib/wsman-subscription-repository.c
++++ openwsman-2.4.3/src/lib/wsman-subscription-repository.c
+@@ -49,16 +49,25 @@
+ #include "wsman-xml-binding.h"
+
+ int LocalSubscriptionOpInit (char * uri_repository, void *opaqueData);
+-int LocalSubscriptionOpFinalize(char * uri_repository, void *opaqueData);
+-int LocalSubscriptionOpGet(char * uri_repository, char * uuid, unsigned char **subscriptionDoc, int *len);
+-int LocalSubscriptionOpSearch(char * uri_repository, char * uuid);
++int
LocalSubscriptionOpFinalize (char * uri_repository, void *opaqueData);
++int LocalSubscriptionOpGet (char * uri_repository, char * uuid, unsigned char **subscriptionDoc, int *len);
++int LocalSubscriptionOpSearch (char * uri_repository, char * uuid);
+ int LocalSubscriptionOpLoad (char * uri_repository, list_t * subscription_list);
+ int LocalSubscriptionOpSave (char * uri_repository, char * uuid, unsigned char *subscriptionDoc);
+-int LocalSubscriptionOpUpdate(char * uri_repository, char * uuid, char *expire);
++int LocalSubscriptionOpUpdate (char * uri_repository, char * uuid, char *expire);
+ int LocalSubscriptionOpDelete (char * uri_repository, char * uuid);
+
+
+-struct __SubsRepositoryOpSet subscription_repository_op_set = {LocalSubscriptionOpInit, LocalSubscriptionOpFinalize, LocalSubscriptionOpLoad, LocalSubscriptionOpGet, LocalSubscriptionOpSearch, LocalSubscriptionOpSave, LocalSubscriptionOpUpdate, LocalSubscriptionOpDelete};
++struct __SubsRepositoryOpSet subscription_repository_op_set = {
++ LocalSubscriptionOpInit,
++ LocalSubscriptionOpFinalize,
++ LocalSubscriptionOpLoad,
++ LocalSubscriptionOpGet,
++ LocalSubscriptionOpSearch,
++ LocalSubscriptionOpSave,
++ LocalSubscriptionOpUpdate,
++ LocalSubscriptionOpDelete
++};
+
+ static int LocalSubscriptionInitFlag = 0;
+
+@@ -76,8 +85,7 @@ int LocalSubscriptionOpInit (char * uri_
+
+ int LocalSubscriptionOpFinalize(char * uri_repository, void *opaqueData)
+ {
+- if(LocalSubscriptionInitFlag == 0) return -1;
+- return 0;
++ return (LocalSubscriptionInitFlag == 0) ?
-1 : 0;
+ }
+
+ int LocalSubscriptionOpGet(char * uri_repository, char * uuid, unsigned char **subscriptionDoc, int *len)
+@@ -86,24 +94,32 @@ int LocalSubscriptionOpGet(char * uri_re
+ unsigned char *buf = NULL;
+ int count,m;
+ int pre_count;
++ char *subs_path;
++ FILE *fp;
++
+ count = m = 0;
+ *subscriptionDoc = NULL;
+- if(LocalSubscriptionInitFlag == 0) return -1;
+- char *subs_path = u_strdup_printf ("%s/uuid:%s", uri_repository, uuid);
+- FILE *fp = fopen(subs_path, "r");
++ if (LocalSubscriptionInitFlag == 0)
++ return -1;
++ subs_path = u_strdup_printf ("%s/uuid:%s", uri_repository, uuid);
++ fp = fopen(subs_path, "r");
++ if (fp == NULL) {
++ error("Can't open %s: %s", subs_path, strerror(errno));
++ u_free(subs_path);
++ return -1;
++ }
+ u_free(subs_path);
+- if(fp == NULL) return -1;
+- while(!feof(fp)) {
+- memset(block, 0, 512);
+- m = fread(block, 1, 511, fp);
+- if(m > 0) {
+- debug("read [%s] from file, len = %d",block, m);
+- pre_count = count;
+- count += m;
+- debug("buf = %0x, count = %d", buf, count);
+- buf = u_realloc(buf, count);
+- memcpy(buf+pre_count, block, m);
+- }
++ while (!feof(fp)) {
++ memset(block, 0, 512);
++ m = fread(block, 1, 511, fp);
++ if (m > 0) {
++ debug("read [%s] from file, len = %d",block, m);
++ pre_count = count;
++ count += m;
++ debug("buf = %0x, count = %d", buf, count);
++ buf = u_realloc(buf, count);
++ memcpy(buf+pre_count, block, m);
++ }
+ }
+ fclose(fp);
+ *subscriptionDoc = buf;
+@@ -113,11 +129,18 @@ int LocalSubscriptionOpGet(char * uri_re
+
+ int LocalSubscriptionOpSearch(char * uri_repository, char * uuid)
+ {
+- if(LocalSubscriptionInitFlag == 0) return -1;
+- char *subs_path = u_strdup_printf ("%s/uuid:%s", uri_repository, uuid);
+- FILE *fp = fopen(subs_path, "r");
++ char *subs_path;
++ FILE *fp;
++ if (LocalSubscriptionInitFlag == 0)
++ return -1;
++ subs_path = u_strdup_printf ("%s/uuid:%s", uri_repository, uuid);
++ fp = fopen(subs_path, "r");
++ if (fp == NULL) {
++ error("Can't open %s:
%s", subs_path, strerror(errno));
++ u_free(subs_path);
++ return -1;
++ }
+ u_free(subs_path);
+- if(fp == NULL) return -1;
+ fclose(fp);
+ return 0;
+ }
+@@ -129,29 +152,38 @@ int LocalSubscriptionOpLoad (char * uri_
+ int pre_count;
+ char block[512];
+ unsigned char *buf = NULL;
+- if(LocalSubscriptionInitFlag == 0) return -1;
+- if(subscription_list == NULL)
+- return -1;
+- if (0 > (n = scandir (uri_repository, &namelist, 0, alphasort)))
+- {
+- return -1;
+- } else {
+- while (n--)
+- {
++
++ if (LocalSubscriptionInitFlag == 0)
++ return -1;
++ if (subscription_list == NULL)
++ return -1;
++ if (0 > (n = scandir (uri_repository, &namelist, 0, alphasort))) {
++ return -1;
++ }
++ else {
++ while (n--) {
++ char *subs_path;
++ FILE *subs;
+ lnode_t *node;
+- if(strstr(namelist[n]->d_name,"uuid") == NULL || strlen(namelist[n]->d_name) < 41) {
++
++ if (strstr(namelist[n]->d_name,"uuid") == NULL || strlen(namelist[n]->d_name) < 41) {
+ u_free(namelist[n]);
+ continue;
+ }
+- char *subs_path = u_strdup_printf ("%s/%s", uri_repository, namelist[n]->d_name);
+- FILE *subs = fopen(subs_path, "r");
++ subs_path = u_strdup_printf ("%s/%s", uri_repository, namelist[n]->d_name);
++ subs = fopen(subs_path, "r");
++ if (subs == NULL) {
++ error("Can't open %s: %s", subs_path, strerror(errno));
++ u_free(subs_path);
++ return -1;
++ }
+ u_free(subs_path);
+ count = 0;
+ buf = NULL;
+- while(!feof(subs)) {
++ while (!feof(subs)) {
+ memset(block, 0, 512);
+ m = fread(block, 1, 511, subs);
+- if(m > 0) {
++ if (m > 0) {
+ pre_count = count;
+ count += m;
+ buf = u_realloc(buf, count);
+@@ -160,7 +192,7 @@ int LocalSubscriptionOpLoad (char * uri_
+ }
+ fclose(subs);
+ SubsRepositoryEntryH entry = u_malloc(sizeof(*entry));
+- if(entry) {
++ if (entry) {
+ entry->strdoc = buf;
+ entry->len = count;
+ entry->uuid = u_strdup(namelist[n]->d_name);
+@@ -170,37 +202,52 @@ int LocalSubscriptionOpLoad (char * uri_
+ }
+ u_free(namelist[n]);
+ }
+- u_free(namelist);
++
u_free(namelist);
+ }
+ return 0;
+ }
++
+ int LocalSubscriptionOpSave (char * uri_repository, char * uuid, unsigned char *subscriptionDoc)
+ {
+ char buf[U_NAME_MAX];
+- if(LocalSubscriptionInitFlag == 0) return -1;
++ FILE *subsfile;
++
++ if (LocalSubscriptionInitFlag == 0)
++ return -1;
+ snprintf(buf, U_NAME_MAX, "%s/uuid:%s", uri_repository, uuid);
+- FILE *subsfile = fopen(buf, "w");
+- if(subsfile == NULL) return -1;
++ subsfile = fopen(buf, "w");
++ if (subsfile == NULL) {
++ error("Can't open %s: %s", buf, strerror(errno));
++ return -1;
++ }
+ fprintf(subsfile, "%s", subscriptionDoc);
+ fclose(subsfile);
+ return 0;
+ }
++
+ int LocalSubscriptionOpUpdate(char * uri_repository, char * uuid, char *expire)
+ {
+ char buf[U_NAME_MAX];
+- if(LocalSubscriptionInitFlag == 0) return -1;
+- snprintf(buf, U_NAME_MAX, "%s/uuid:%s", uri_repository, uuid);
+ WsXmlDocH doc= NULL;
+ char *temp;
+ int len = 0;
++
++ if (LocalSubscriptionInitFlag == 0)
++ return -1;
++ snprintf(buf, U_NAME_MAX, "%s/uuid:%s", uri_repository, uuid);
+ doc = xml_parser_file_to_doc( buf, "UTF-8", 0);
+- if(doc) {
++ if (doc) {
++ FILE *subsfile;
+ WsXmlNodeH node = ws_xml_get_child(ws_xml_get_soap_body(doc),
+ 0, XML_NS_EVENTING, WSEVENT_SUBSCRIBE);
+ node = ws_xml_get_child(node, 0, XML_NS_EVENTING, WSEVENT_EXPIRES);
+ ws_xml_set_node_text(node, expire);
+ ws_xml_dump_memory_enc(doc, &temp, &len, "UTF-8");
+- FILE *subsfile = fopen(buf, "w");
++ subsfile = fopen(buf, "w");
++ if (subsfile == NULL) {
++ error("Can't open %s: %s", buf, strerror(errno));
++ return -1;
++ }
+ fprintf(subsfile, "%s", temp);
+ fclose(subsfile);
+ ws_xml_free_memory(temp);
+@@ -208,13 +255,15 @@ int LocalSubscriptionOpUpdate(char * uri
+ }
+ return 0;
+ }
++
+ int LocalSubscriptionOpDelete (char * uri_repository, char * uuid)
+ {
+ char buf[U_NAME_MAX];
+- if(LocalSubscriptionInitFlag == 0) return -1;
++
++ if (LocalSubscriptionInitFlag == 0)
++ return -1;
+ snprintf(buf, U_NAME_MAX, "%s/uuid:%s", uri_repository,
uuid);
+- int r = unlink(buf);
+- if(r) {
++ if (unlink(buf)) {
+ debug("unlink %s failed! %s", buf, strerror(errno));
+ }
+ return 0;
+--- openwsman-2.4.3.orig/src/lib/wsman-xml.c
++++ openwsman-2.4.3/src/lib/wsman-xml.c
+@@ -94,13 +94,13 @@ ws_xml_make_default_prefix(WsXmlNodeH no
+ for (i = 0; g_wsNsData[i].uri != NULL; i++) {
+ WsXmlNsData *nsd = &g_wsNsData[i];
+ if (strcmp(uri, nsd->uri) == 0 && nsd->prefix) {
+- sprintf(buf, "%s", nsd->prefix );
++ snprintf(buf, bufsize, "%s", nsd->prefix );
+ return;
+ }
+ }
+ }
+ if(g_wsNsData[i].uri == NULL && bufsize >= 12)
+- sprintf(buf, "n%lu", ++doc->prefixIndex);
++ snprintf(buf, bufsize, "n%lu", ++doc->prefixIndex);
+ else
+ buf[0] = 0;
+ }
+--- openwsman-2.4.3.orig/src/plugins/redirect/redirect.c
++++ openwsman-2.4.3/src/plugins/redirect/redirect.c
+@@ -99,7 +99,10 @@ int init( void *self, void **data )
+ dictionary *ini, *inc_ini;
+ filename = (char *) wsmand_options_get_config_file();
+ ini = iniparser_new(filename);
+-
++ if (ini == NULL) {
++ error("redirect: iniparser_new failed");
++ return 0;
++ }
+ redirect_data = malloc (sizeof(struct __Redirect_Data));
+ if (redirect_data == NULL){
+ error("Failed while allocating memory for redirect_data");
+--- openwsman-2.4.3.orig/src/server/wsmand-listener.c
++++ openwsman-2.4.3/src/server/wsmand-listener.c
+@@ -674,21 +674,21 @@ WsManListenerH *wsmand_start_server(dict
+ WsManListenerH *listener = wsman_dispatch_list_new();
+ listener->config = ini;
+ WsContextH cntx = wsman_init_plugins(listener);
+- int num_threads=0;
+- int max_threads=wsmand_options_get_max_threads();
++ int num_threads = 0;
++ int max_threads = wsmand_options_get_max_threads();
+ int max_connections_per_thread = wsmand_options_get_max_connections_per_thread();
+- if(max_threads && !max_connections_per_thread){
++ if (max_threads && !max_connections_per_thread) {
+ error("max_threads: %d and max_connections_per_thread : %d", max_threads, max_connections_per_thread);
+ return listener;
+ }
+
++
if (cntx == NULL) {
++ return listener;
++ }
+ #ifdef ENABLE_EVENTING_SUPPORT
+ wsman_event_init(cntx->soap);
+ #endif
+
+- if (cntx == NULL) {
+- return listener;
+- }
+ #ifndef HAVE_SSL
+ if (use_ssl) {
+ error("Server configured without SSL support");
+--- openwsman-2.4.3.orig/src/server/wsmand.c
++++ openwsman-2.4.3/src/server/wsmand.c
+@@ -141,8 +141,6 @@ static void signal_handler(int sig_num)
+
+ static void sighup_handler(int sig_num)
+ {
+- debug("SIGHUP received; reloading data");
+-
+ if (wsmand_options_get_debug_level() == 0) {
+ int fd;
+
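Review bot: The new `fopen()` failure path in `LocalSubscriptionOpLoad` (the wsman-subscription-repository.c part of the embedded patch) returns -1 from inside the `while (n--)` loop without freeing `namelist[n]`, the remaining entries or `namelist` itself, and it lets a single unreadable file stop every other subscription from being loaded. Logging and skipping the entry keeps the loop's existing cleanup in effect: replace the `return -1;` in that branch with `u_free(namelist[n]); continue;`. The early return added to `LocalSubscriptionOpUpdate` has the same shape: it leaves after `ws_xml_dump_memory_enc()` has filled `temp` but before the `ws_xml_free_memory(temp)` that the success path calls, so `temp` should be freed before returning. Parts of both functions lie between the inner hunks and are not visible here, so any further cleanup they need (for example releasing `doc`) should be checked against the full file.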