!27 [sync] PR-24: Fix CVE-2023-27371

From: @openeuler-sync-bot 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

0001-gnutls-utilize-system-crypto-policy.patch

@@ -0,0 +1,25 @@
+From 0f8920325cc523883df9e5073bd20ddc9c3d1b71 Mon Sep 17 00:00:00 2001
+From: xigaoxinyan <xigaoxinyan@huawei.com>
+Date: Thu, 13 Jan 2022 17:33:26 +0800
+Subject: [PATCH] gnutls-utilize-system-crypto-policy.patch
+
+---
+ src/microhttpd/daemon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/microhttpd/daemon.c b/src/microhttpd/daemon.c
+index 5ca612e..6c0947a 100644
+--- a/src/microhttpd/daemon.c
++++ b/src/microhttpd/daemon.c
+@@ -6498,7 +6498,7 @@ MHD_start_daemon_va (unsigned int flags,
+   if (0 != (*pflags & MHD_USE_TLS))
+   {
+     gnutls_priority_init (&daemon->priority_cache,
+-                          "NORMAL",
++                          "@SYSTEM",
+                           NULL);
+   }
+ #endif /* HTTPS_SUPPORT */
+-- 
+2.27.0
+

CVE-2023-27371.patch

@@ -0,0 +1,81 @@
+From 6d6846e20bfdf4b3eb1b592c97520a532f724238 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: [PATCH] fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ ChangeLog                      | 14 +++++++++-----
+ src/microhttpd/postprocessor.c |  2 +-
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 2292219c1..5d50c60c7 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,7 @@
++Sun Feb 26 05:49:30 PM CET 2023
++    Fix potential DoS vector in MHD_PostProcessor discovered
++    by Gynvael Coldwind and Dejan Alvadzijevic. -CG
++
+ Sun 26 Dec 2021 20:30:00 MSK
+     Releasing GNU libmicrohttpd 0.9.75 -EG
+ 
+@@ -23,7 +27,7 @@ December 2021
+     Some code improvements for new test test_client_put_stop.
+     Added special log message if thread creation failed due to system limits.
+     Fully restructured new_connection_process_() to correctly handle errors,
+-    fixed missing decrement of number of daemon connections if any error 
++    fixed missing decrement of number of daemon connections if any error
+     encountered, fixed app notification of connection termination when app has
+     not been notified about connection start, fixed (highly unlikely) reset of
+     the list of connections if reached daemon's connections limit.
+@@ -67,7 +71,7 @@ November 2021
+     for testing of MHD.
+     Renamed 'early_response' connection flag to 'discard_request' and reworked
+     handling of connection's flags.
+-    Clarified request termination reasons doxy, fixed reporting of 
++    Clarified request termination reasons doxy, fixed reporting of
+     MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used
+     in reporting).
+     Enforce all libcurl tests exit code to be zero or one.
+@@ -76,7 +80,7 @@ November 2021
+     of the last LF in termination chunk, handle correctly chunk sizes with more
+     than 16 digits (leading zeros are valid according to HTTP RFC), fixed
+     handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report
+-    error when invalid chunk format is received without waiting to receive 
++    error when invalid chunk format is received without waiting to receive
+     (possibly missing) end of the line, reply to the client with special error
+     if chunk size is too large to be handled by MHD (>16 EiB).
+     Added error reply if client used too large request payload (>16 EiB).
+@@ -92,7 +96,7 @@ October 2021
+     Added test family test_toolarge to check correct handling of the buffers
+     when the size of data is larger than free space.
+     Fixed missing updated of read and write buffers sizes.
+-    Added detection and use of supported "noreturn" keyword for function 
++    Added detection and use of supported "noreturn" keyword for function
+     declaration. It should help compiler and static analyser.
+     Added support for leak sanitizer.
+     Fixed analyser errors on W32.
+@@ -290,7 +294,7 @@ June 2021
+     used for the next request data.
+     Fixed completely broken calculation of request header size.
+     Chunked response: do not ask app callback for more data then
+-    it is possible to process (more than 16 MBytes). 
++    it is possible to process (more than 16 MBytes).
+     Check and report if app used wrong response code (>999 or <100)
+     Refuse to add second "Transfer-Encoding" header.
+     HTTPS tests: check whether all libcurl function succeeded.
+diff --git a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
+index 990742150..c00605c77 100644
+--- a/src/microhttpd/postprocessor.c
++++ b/src/microhttpd/postprocessor.c
+@@ -83,7 +83,7 @@ MHD_create_post_processor (struct MHD_Connection *connection,
+       return NULL; /* failed to determine boundary */
+     boundary += MHD_STATICSTR_LEN_ ("boundary=");
+     blen = strlen (boundary);
+-    if ( (blen == 0) ||
++    if ( (blen < 2) ||
+          (blen * 2 + 2 > buffer_size) )
+       return NULL;              /* (will be) out of memory or invalid boundary */
+     if ( (boundary[0] == '"') &&

fix-libmicrohttpd-tutorial-info.patch

@@ -0,0 +1,39 @@
+From 398397ad7122fd46b34ab0d6bea79433feb7c84a Mon Sep 17 00:00:00 2001
+From: caodongxia <315816521@qq.com>
+Date: Thu, 5 Aug 2021 19:37:27 +0800
+Subject: [PATCH] init
+
+---
+ doc/libmicrohttpd-tutorial.info | 2 +-
+ doc/libmicrohttpd-tutorial.texi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/libmicrohttpd-tutorial.info b/doc/libmicrohttpd-tutorial.info
+index 9454640..28ba70e 100644
+--- a/doc/libmicrohttpd-tutorial.info
++++ b/doc/libmicrohttpd-tutorial.info
+@@ -15,7 +15,7 @@ April 2016.
+      section entitled "GNU Free Documentation License".
+ INFO-DIR-SECTION Software libraries
+ START-INFO-DIR-ENTRY
+-* libmicrohttpdtutorial: (libmicrohttpd).       A tutorial for GNU libmicrohttpd.
++* libmicrohttpdtutorial: (libmicrohttpd-tutorial).       A tutorial for GNU libmicrohttpd.
+ END-INFO-DIR-ENTRY
+ 
+ 
+diff --git a/doc/libmicrohttpd-tutorial.texi b/doc/libmicrohttpd-tutorial.texi
+index 8fd7b56..dc0eb91 100644
+--- a/doc/libmicrohttpd-tutorial.texi
++++ b/doc/libmicrohttpd-tutorial.texi
+@@ -15,7 +15,7 @@
+ 
+ @dircategory Software libraries
+ @direntry
+-* libmicrohttpdtutorial: (libmicrohttpd).       A tutorial for GNU libmicrohttpd.
++* libmicrohttpdtutorial: (libmicrohttpd-tutorial).       A tutorial for GNU libmicrohttpd.
+ @end direntry
+ 
+ @copying
+-- 
+2.27.0
+

fixed-missing-websocket.inc-in-dist-files.patch

@@ -0,0 +1,41 @@
+diff -Nur a/doc/libmicrohttpd-tutorial.texi b/doc/libmicrohttpd-tutorial.texi
+--- a/doc/libmicrohttpd-tutorial.texi	2021-12-27 01:30:00.000000000 +0800
++++ b/doc/libmicrohttpd-tutorial.texi	2022-08-27 10:39:16.578248526 +0800
+@@ -68,7 +68,6 @@
+ * Improved processing of POST data::
+ * Session management::
+ * Adding a layer of security::
+-* Websockets::
+ * Bibliography::
+ * License text::
+ * Example programs::
+@@ -110,10 +109,6 @@
+ @chapter Adding a layer of security
+ @include chapters/tlsauthentication.inc
+ 
+-@node Websockets
+-@chapter Websockets
+-@include chapters/websocket.inc
+-
+ @node Bibliography
+ @appendix Bibliography
+ @include chapters/bibliography.inc
+@@ -133,7 +128,6 @@
+ * largepost.c::
+ * sessions.c::
+ * tlsauthentication.c::
+-* websocket.c::
+ @end menu
+ 
+ @node hellobrowser.c
+@@ -184,10 +178,4 @@
+ @verbatiminclude examples/tlsauthentication.c
+ @end smalldisplay
+ 
+-@node websocket.c
+-@section websocket.c
+-@smalldisplay
+-@verbatiminclude examples/websocket.c
+-@end smalldisplay
+-
+ @bye

gnutls-utilize-system-crypto-policy.patch

@@ -1,11 +0,0 @@
---- libmicrohttpd-0.9.53/src/microhttpd/daemon.c.orig	2017-04-12 08:31:18.243540128 +0200
-+++ libmicrohttpd-0.9.53/src/microhttpd/daemon.c	2017-04-12 08:34:19.851158371 +0200
-@@ -5415,7 +5415,7 @@
-   if (0 != (*pflags & MHD_USE_TLS))
-     {
-       gnutls_priority_init (&daemon->priority_cache,
--			    "NORMAL",
-+			    "@SYSTEM",
- 			    NULL);
-     }
- #endif /* HTTPS_SUPPORT */

libmicrohttpd.spec

@@ -1,12 +1,15 @@
 Name:           libmicrohttpd
-Version:        0.9.59
+Version:        0.9.75
 Release:        4
 Epoch:          1
 Summary:        Lightweight library for embedding a webserver in applications
 License:        LGPLv2+
 URL:            http://www.gnu.org/software/libmicrohttpd/
 Source0:        https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
-Patch0001:      gnutls-utilize-system-crypto-policy.patch
+Patch0001:      0001-gnutls-utilize-system-crypto-policy.patch
+Patch0002:      fix-libmicrohttpd-tutorial-info.patch
+Patch0003:      fixed-missing-websocket.inc-in-dist-files.patch
+Patch0004:      CVE-2023-27371.patch
 
 BuildRequires:  autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz
 Requires(post): info
@@ -37,7 +40,6 @@ The help package contains manual pages and doc files for libmicrohttpd
 %autosetup -p1
 
 %build
-autoreconf --install --force
 %configure --disable-static --with-gnutls --enable-https=yes
 %make_build
 make -C doc/doxygen full
@@ -88,5 +90,19 @@ fi
 %{_infodir}/libmicrohttpd_performance_data.png.gz
 
 %changelog
+* Mon Mar 13 2023 yaoxin <yaoxin30@h-partners.com> - 1:0.9.75-4
+- Fix CVE-2023-27371
+
+* Sat Aug 27 2022 wulei <wulei80@h-partners.com> - 1:0.9.75-3
+- Fixed missing websocket.inc in dist files
+
+* Fri Aug 5 2022 liyanan <liyanan32@h-partners.com> - 1:0.9.75-2
+- Fixed missing websocket.inc in dist files
+
+* Fri Jan 14 2022 xigaoxinyan<xigaoxinyan@huawei.com> - 0.9.75-1
+- update to 0.9.75
+* Thu Aug 05 2021 caodongxia<caodongxia@huawei.com> - 0.9.59-5
+- Fix libmicrohttpd-tutorial info
+
 * Thu Nov 21 2019 wangye<wangye54@huawei.com> - 0.9.59-4
-- Package init
+- Package init