- security update to socat-1.7.3.0, addresses CVE-2015-1379

http://www.dest-unreach.org/socat/contrib/socat-secadv6.txt ok nigel@ (MAINTAINER)
2015-04-13 14:43:28 +00:00 · 2015-04-13 14:43:28 +00:00 · da6deee1dc
commit da6deee1dc
parent 4e18617262
11 changed files with 59 additions and 65 deletions
--- a/net/socat/Makefile
+++ b/net/socat/Makefile
@ -1,9 +1,8 @@
-# $OpenBSD: Makefile,v 1.18 2014/07/12 14:30:20 pascal Exp $
+# $OpenBSD: Makefile,v 1.19 2015/04/13 14:43:28 jasper Exp $

 COMMENT=	relay for bidirectional data transfer

-DISTNAME=	socat-1.7.2.4
-REVISION=	1
+DISTNAME=	socat-1.7.3.0
 CATEGORIES=	net

 HOMEPAGE=	http://www.dest-unreach.org/socat/
@ -33,9 +32,6 @@ post-install:
 	${INSTALL_DATA} ${WRKSRC}/${file} ${PREFIX}/share/doc/socat
 .endfor
 	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/socat
-.for file in EXAMPLES testcert.conf *.sh
-	${INSTALL_DATA} ${WRKSRC}/${file} ${PREFIX}/share/examples/socat
-.endfor
-
+	${INSTALL_DATA} ${WRKSRC}/*.sh ${PREFIX}/share/examples/socat

 .include <bsd.port.mk>
--- a/net/socat/distinfo
+++ b/net/socat/distinfo
@ -1,2 +1,2 @@
-SHA256 (socat-1.7.2.4.tar.gz) = 4pyw73WrkDyU61cOIIHUMc+5HPJMFdkzaqj1+dc5ekI=
-SIZE (socat-1.7.2.4.tar.gz) = 583762
+SHA256 (socat-1.7.3.0.tar.gz) = +N5KKqrbQGouR10YzzufKeMi1OWAPYEGcWoB/U5ksYY=
+SIZE (socat-1.7.3.0.tar.gz) = 601022
--- a/net/socat/patches/patch-doc_socat_1
+++ b/net/socat/patches/patch-doc_socat_1
@ -1,7 +1,7 @@
-$OpenBSD: patch-doc_socat_1,v 1.6 2014/04/24 15:17:08 sthen Exp $
--- doc/socat.1.orig	Sun Mar  9 20:23:08 2014
-+++ doc/socat.1	Sat Apr 19 17:49:36 2014
-@@ -2884,10 +2884,6 @@ in this file\&.
+$OpenBSD: patch-doc_socat_1,v 1.7 2015/04/13 14:43:28 jasper Exp $
+--- doc/socat.1.orig	Sat Jan 24 17:30:52 2015
+++ doc/socat.1	Mon Apr 13 14:58:09 2015
+@@ -2904,10 +2904,6 @@ in this file\&.
 Specifies the directory with the trusted (root) certificates\&. The directory
 must contain certificates in PEM format and their hashes (see OpenSSL
 documentation) 
@ -12,7 +12,7 @@ $OpenBSD: patch-doc_socat_1,v 1.6 2014/04/24 15:17:08 sthen Exp $
 .IP "\fB\f(CWpseudo\fP\fP"
 On systems where openssl cannot find an entropy source and where no entropy
 gathering daemon can be utilized, this option activates a mechanism for
-@@ -3365,11 +3361,11 @@ connection, invokes a shell\&. This shell has its stdi
+@@ -3397,11 +3393,11 @@ connection, invokes a shell\&. This shell has its stdi
 connected to the TCP socket (nofork)\&.  The shell starts filan and lets it print the socket addresses to
 stderr (your terminal window)\&.
 .IP 
@ -26,7 +26,7 @@ $OpenBSD: patch-doc_socat_1,v 1.6 2014/04/24 15:17:08 sthen Exp $
 to make the squid executable from Cygwin run under Windows, actual per May 2004)\&.
 .IP 
 .IP "\fB\f(CWsocat \- tcp:www\&.blackhat\&.org:31337,readbytes=1000\fP\fP"
-@@ -3492,11 +3488,11 @@ error\&. 
+@@ -3524,11 +3520,11 @@ error\&. 
 .SH "FILES"
 
 .PP 
--- a/net/socat/patches/patch-doc_socat_html
+++ b/net/socat/patches/patch-doc_socat_html
@ -1,7 +1,7 @@
-$OpenBSD: patch-doc_socat_html,v 1.1 2014/04/24 15:17:08 sthen Exp $
--- doc/socat.html.orig	Sun Mar  9 20:23:09 2014
-+++ doc/socat.html	Sat Apr 19 17:50:36 2014
-@@ -2783,10 +2783,6 @@ These options apply to the <a href="socat.html#ADDRESS
+$OpenBSD: patch-doc_socat_html,v 1.2 2015/04/13 14:43:28 jasper Exp $
+--- doc/socat.html.orig	Sat Jan 24 17:31:04 2015
+++ doc/socat.html	Mon Apr 13 14:58:09 2015
+@@ -2781,10 +2781,6 @@ These options apply to the <a href="socat.html#ADDRESS
    Specifies the directory with the trusted (root) certificates. The directory
    must contain certificates in PEM format and their hashes (see OpenSSL
    documentation) 
@ -12,7 +12,7 @@ $OpenBSD: patch-doc_socat_html,v 1.1 2014/04/24 15:17:08 sthen Exp $
 <a name="OPTION_OPENSSL_PSEUDO"></a><p><dt><strong><strong><code>pseudo</code></strong></strong><dd>
    On systems where openssl cannot find an entropy source and where no entropy
    gathering daemon can be utilized, this option activates a mechanism for
-@@ -3299,10 +3295,10 @@ connection, invokes a shell. This shell has its stdin 
+@@ -3309,10 +3305,10 @@ connection, invokes a shell. This shell has its stdin 
 connected to the TCP socket (<a href="socat.html#OPTION_NOFORK">nofork</a>).  The shell starts filan and lets it print the socket addresses to
 stderr (your terminal window).
 <p>
@ -25,7 +25,7 @@ $OpenBSD: patch-doc_socat_html,v 1.1 2014/04/24 15:17:08 sthen Exp $
 to make the squid executable from Cygwin run under Windows, actual per May 2004).
 <p>
 <p><dt><strong><strong><code>socat - tcp:www.blackhat.org:31337,readbytes=1000</code></strong></strong><dd>
-@@ -3420,9 +3416,9 @@ error. 
+@@ -3430,9 +3426,9 @@ error. 
 <a name="FILES"></a>
 <h2>FILES</h2>
 <p>
--- a/net/socat/patches/patch-sslcls_c
+++ b/net/socat/patches/patch-sslcls_c
@ -1,7 +1,7 @@
-$OpenBSD: patch-sslcls_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
--- sslcls.c.orig	Sat Feb  8 20:23:33 2014
-+++ sslcls.c	Sat Jul 12 16:01:25 2014
-@@ -275,14 +275,6 @@ void sycSSL_free(SSL *ssl) {
+$OpenBSD: patch-sslcls_c,v 1.3 2015/04/13 14:43:28 jasper Exp $
+--- sslcls.c.orig	Sat Jan 24 11:15:22 2015
+++ sslcls.c	Mon Apr 13 14:58:09 2015
+@@ -331,14 +331,6 @@ void sycSSL_free(SSL *ssl) {
    return;
 }
 
@ -16,7 +16,7 @@ $OpenBSD: patch-sslcls_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
    DH *result;
    Debug4("PEM_read_bio_DHparams(%p, %p, %p, %p)",
-@@ -319,7 +311,7 @@ int sycFIPS_mode_set(int onoff) {
+@@ -375,7 +367,7 @@ int sycFIPS_mode_set(int onoff) {
 }
 #endif /* WITH_FIPS */
 
--- a/net/socat/patches/patch-sslcls_h
+++ b/net/socat/patches/patch-sslcls_h
@ -1,7 +1,7 @@
-$OpenBSD: patch-sslcls_h,v 1.2 2014/07/12 14:30:20 pascal Exp $
--- sslcls.h.orig	Sun Jun 23 08:16:48 2013
-+++ sslcls.h	Sat Jul 12 15:59:58 2014
-@@ -41,7 +41,6 @@ X509 *sycSSL_get_peer_certificate(SSL *ssl);
+$OpenBSD: patch-sslcls_h,v 1.3 2015/04/13 14:43:28 jasper Exp $
+--- sslcls.h.orig	Sat Jan 24 11:15:22 2015
+++ sslcls.h	Mon Apr 13 14:58:09 2015
+@@ -47,7 +47,6 @@ X509 *sycSSL_get_peer_certificate(SSL *ssl);
 int sycSSL_shutdown(SSL *ssl);
 void sycSSL_CTX_free(SSL_CTX *ctx);
 void sycSSL_free(SSL *ssl);
@ -9,7 +9,7 @@ $OpenBSD: patch-sslcls_h,v 1.2 2014/07/12 14:30:20 pascal Exp $
 
 DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
 
-@@ -49,7 +48,7 @@ BIO *sycBIO_new_file(const char *filename, const char 
+@@ -55,7 +54,7 @@ BIO *sycBIO_new_file(const char *filename, const char 
 
 int sycFIPS_mode_set(int onoff);
 
@ -18,7 +18,7 @@ $OpenBSD: patch-sslcls_h,v 1.2 2014/07/12 14:30:20 pascal Exp $
 const COMP_METHOD *sycSSL_get_current_compression(SSL *ssl);
 const COMP_METHOD *sycSSL_get_current_expansion(SSL *ssl);
 const char *sycSSL_COMP_get_name(const COMP_METHOD *comp);
-@@ -92,7 +91,6 @@ const char *sycSSL_COMP_get_name(const COMP_METHOD *co
+@@ -98,7 +97,6 @@ const char *sycSSL_COMP_get_name(const COMP_METHOD *co
 #define sycSSL_shutdown(s) SSL_shutdown(s)
 #define sycSSL_CTX_free(c) SSL_CTX_free(c)
 #define sycSSL_free(s) SSL_free(s)
--- a/net/socat/patches/patch-test_sh
+++ b/net/socat/patches/patch-test_sh
@ -1,7 +1,7 @@
-$OpenBSD: patch-test_sh,v 1.1 2014/04/24 15:17:08 sthen Exp $
--- test.sh.orig	Sun Mar  9 14:51:39 2014
-+++ test.sh	Sat Apr 19 16:01:35 2014
-@@ -523,9 +523,6 @@ filloptionvalues() {
+$OpenBSD: patch-test_sh,v 1.2 2015/04/13 14:43:28 jasper Exp $
+--- test.sh.orig	Sat Jan 24 11:15:22 2015
+++ test.sh	Mon Apr 13 14:58:09 2015
+@@ -576,9 +576,6 @@ filloptionvalues() {
     *,dh,*) OPTS=$(echo "$OPTS" |sed "s/,dh,/,dh=/tmp/hugo,/g");;
     esac
     case "$OPTS" in
--- a/net/socat/patches/patch-xio-openssl_c
+++ b/net/socat/patches/patch-xio-openssl_c
@ -1,7 +1,7 @@
-$OpenBSD: patch-xio-openssl_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
--- xio-openssl.c.orig	Sun Mar  2 20:26:45 2014
-+++ xio-openssl.c	Sat Jul 12 16:00:50 2014
-@@ -102,7 +102,6 @@ const struct optdesc opt_openssl_key         = { "open
+$OpenBSD: patch-xio-openssl_c,v 1.3 2015/04/13 14:43:28 jasper Exp $
+--- xio-openssl.c.orig	Sat Jan 24 15:33:42 2015
+++ xio-openssl.c	Mon Apr 13 14:59:12 2015
+@@ -108,7 +108,6 @@ const struct optdesc opt_openssl_key         = { "open
 const struct optdesc opt_openssl_dhparam     = { "openssl-dhparam",     "dh",    OPT_OPENSSL_DHPARAM,     GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
 const struct optdesc opt_openssl_cafile      = { "openssl-cafile",     "cafile", OPT_OPENSSL_CAFILE,      GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
 const struct optdesc opt_openssl_capath      = { "openssl-capath",     "capath", OPT_OPENSSL_CAPATH,      GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
@ -9,7 +9,7 @@ $OpenBSD: patch-xio-openssl_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
 const struct optdesc opt_openssl_pseudo      = { "openssl-pseudo",     "pseudo", OPT_OPENSSL_PSEUDO,      GROUP_OPENSSL, PH_SPEC, TYPE_BOOL,     OFUNC_SPEC };
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
 const struct optdesc opt_openssl_compress    = { "openssl-compress",   "compress", OPT_OPENSSL_COMPRESS,  GROUP_OPENSSL, PH_SPEC, TYPE_STRING,   OFUNC_SPEC };
-@@ -140,7 +139,7 @@ int xio_reset_fips_mode(void) {
+@@ -147,7 +146,7 @@ int xio_reset_fips_mode(void) {
 static void openssl_conn_loginfo(SSL *ssl) {
    Notice1("SSL connection using %s", SSL_get_cipher(ssl));
 
@ -18,7 +18,7 @@ $OpenBSD: patch-xio-openssl_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
    {
       const COMP_METHOD *comp, *expansion;
 
-@@ -697,7 +696,6 @@ int
+@@ -722,7 +721,6 @@ int
    char *opt_dhparam = NULL;	/* file name of DH params */
    char *opt_cafile = NULL;	/* certificate authority file */
    char *opt_capath = NULL;	/* certificate authority directory */
@ -26,7 +26,7 @@ $OpenBSD: patch-xio-openssl_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
    char *opt_compress = NULL;	/* compression method */
 #endif
-@@ -716,7 +714,6 @@ int
+@@ -741,7 +739,6 @@ int
    retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath);
    retropt_string(opts, OPT_OPENSSL_KEY, &opt_key);
    retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam);
@ -34,7 +34,7 @@ $OpenBSD: patch-xio-openssl_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
    retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo);
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
    retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress);
-@@ -796,10 +793,6 @@ int
+@@ -877,10 +874,6 @@ int
       }
    }
 
@ -45,12 +45,12 @@ $OpenBSD: patch-xio-openssl_c,v 1.2 2014/07/12 14:30:20 pascal Exp $
    if (opt_pseudo) {
       long int randdata;
       /* initialize libc random from actual microseconds */
-@@ -979,7 +972,7 @@ static int openssl_SSL_ERROR_SSL(int level, const char
-    if (e == ((ERR_LIB_RAND<<24)|
- 	     (RAND_F_SSLEAY_RAND_BYTES<<12)|
- 	     (RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
-      Error("too few entropy; use options \"egd\" or \"pseudo\"");
-+      Error("too few entropy; use options \"pseudo\"");
-       return STAT_NORETRY;
-    } else {
-       Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf));
+@@ -1098,7 +1091,7 @@ static int openssl_SSL_ERROR_SSL(int level, const char
+       if (e == ((ERR_LIB_RAND<<24)|
+ 		(RAND_F_SSLEAY_RAND_BYTES<<12)|
+ 		(RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
+-	 Error("too few entropy; use options \"egd\" or \"pseudo\"");
+	 Error("too few entropy; use option \"pseudo\"");
+ 	 stat = STAT_NORETRY;
+       } else {
+ 	 Msg2(level, "%s(): %s", funcname, ERR_error_string(e, buf));
--- a/net/socat/patches/patch-xioopts_c
+++ b/net/socat/patches/patch-xioopts_c
@ -1,7 +1,7 @@
-$OpenBSD: patch-xioopts_c,v 1.1 2014/04/24 15:17:08 sthen Exp $
--- xioopts.c.orig	Sun Mar  9 14:51:39 2014
-+++ xioopts.c	Sat Apr 19 15:43:29 2014
-@@ -409,7 +409,6 @@ const struct optname optionnames[] = {
+$OpenBSD: patch-xioopts_c,v 1.2 2015/04/13 14:43:28 jasper Exp $
+--- xioopts.c.orig	Sat Jan 24 11:15:22 2015
+++ xioopts.c	Mon Apr 13 14:58:09 2015
+@@ -412,7 +412,6 @@ const struct optname optionnames[] = {
 #ifdef ECHOPRT
 	IF_TERMIOS("echoprt",	&opt_echoprt)
 #endif
@ -9,7 +9,7 @@ $OpenBSD: patch-xioopts_c,v 1.1 2014/04/24 15:17:08 sthen Exp $
 	IF_ANY    ("end-close",	&opt_end_close)
 	IF_TERMIOS("eof",	&opt_veof)
 	IF_TERMIOS("eol",	&opt_veol)
-@@ -1098,7 +1097,6 @@ const struct optname optionnames[] = {
+@@ -1102,7 +1101,6 @@ const struct optname optionnames[] = {
 	IF_OPENSSL("openssl-compress",	&opt_openssl_compress)
 #endif
 	IF_OPENSSL("openssl-dhparam",	&opt_openssl_dhparam)
--- a/net/socat/patches/patch-xioopts_h
+++ b/net/socat/patches/patch-xioopts_h
@ -1,7 +1,7 @@
-$OpenBSD: patch-xioopts_h,v 1.1 2014/04/24 15:17:08 sthen Exp $
--- xioopts.h.orig	Sun Jun 23 07:16:48 2013
-+++ xioopts.h	Sat Apr 19 15:55:57 2014
-@@ -477,7 +477,6 @@ enum e_optcode {
+$OpenBSD: patch-xioopts_h,v 1.2 2015/04/13 14:43:28 jasper Exp $
+--- xioopts.h.orig	Sat Jan 24 11:15:22 2015
+++ xioopts.h	Mon Apr 13 14:58:09 2015
+@@ -478,7 +478,6 @@ enum e_optcode {
    OPT_OPENSSL_COMPRESS,
 #endif
    OPT_OPENSSL_DHPARAM,
--- a/net/socat/pkg/PLIST
+++ b/net/socat/pkg/PLIST
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.4 2012/05/14 20:58:14 sthen Exp $
+@comment $OpenBSD: PLIST,v 1.5 2015/04/13 14:43:28 jasper Exp $
@bin bin/filan
@bin bin/procan
@bin bin/socat
@ -15,7 +15,6 @@ share/doc/socat/socat-tun.html
 share/doc/socat/socat.html
 share/doc/socat/xio.help
 share/examples/socat/
-share/examples/socat/EXAMPLES
 share/examples/socat/daemon.sh
 share/examples/socat/ftp.sh
 share/examples/socat/gatherinfo.sh
@ -28,4 +27,3 @@ share/examples/socat/socat_buildscript_for_android.sh
 share/examples/socat/socks4a-echo.sh
 share/examples/socat/socks4echo.sh
 share/examples/socat/test.sh
-share/examples/socat/testcert.conf