--- libproxy-0.3.1.orig/debian/copyright
+++ libproxy-0.3.1/debian/copyright
@@ -0,0 +1,59 @@
+This package was debianized by Emilio Pozuelo Monfort on
+Wed, 17 Dec 2008 23:25:40 +0100.
+
+It was downloaded from http://code.google.com/p/libproxy/downloads/list
+
+Upstream Authors:
+
+ Nathaniel McCallum
+ Alex Panait
+
+Copyright:
+
+ Copyright (C) 2006 Nathaniel McCallum
+
+ The file pacutils.js is:
+ Copyright (c) Netscape Communications Corporation. 1998
+
+
+License:
+
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU Lesser General
+Public License can be found in `/usr/share/common-licenses/LGPL'.
+
+The Debian packaging is copyright 2008, Emilio Pozuelo Monfort and
+is licensed under the GPL, see `/usr/share/common-licenses/GPL'.
+
+
+For src/plugins/xhasclient.c, the following applies:
+ Copyright 1989, 1998 The Open Group
+
+ Permission to use, copy, modify, distribute, and sell this software and its
+ documentation for any purpose is hereby granted without fee, provided that
+ the above copyright notice appear in all copies and that both that
+ copyright notice and this permission notice appear in supporting
+ documentation.
+
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+ AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- libproxy-0.3.1.orig/debian/control
+++ libproxy-0.3.1/debian/control
@@ -0,0 +1,76 @@
+# This file is autogenerated. DO NOT EDIT!
+#
+# Modifications should be made to debian/control.in instead.
+# This file is regenerated automatically in the clean target.
+
+Source: libproxy
+Section: libs
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Emilio Pozuelo Monfort
+Uploaders: Debian GNOME Maintainers , Emilio Pozuelo Monfort , Josselin Mouette
+Build-Depends: cdbs (>= 0.4.90~),
+ debhelper (>= 5),
+ gnome-pkg-tools,
+ autotools-dev,
+ python-all-dev (>= 2.6.6-3~),
+ network-manager-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64],
+ libdbus-1-dev,
+ kdelibs5-dev [!armel],
+ libqt4-dev,
+# /!\ we have a build-depends loop with webkit
+ libwebkitgtk-dev,
+ gconf2,
+ libxmu-dev
+Standards-Version: 3.8.3
+X-Python-Version: >= 2.5
+Vcs-Svn: svn://svn.debian.org/svn/pkg-gnome/packages/unstable/libproxy
+Vcs-Browser: http://svn.debian.org/viewsvn/pkg-gnome/packages/unstable/libproxy
+Homepage: http://code.google.com/p/libproxy/
+
+Package: libproxy0
+Architecture: any
+Depends: ${shlibs:Depends},
+ ${misc:Depends}
+Suggests: libwebkitgtk-1.0-0 | libmozjs2d
+Description: automatic proxy configuration management library (shared)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains the shared library.
+
+Package: libproxy-dev
+Architecture: any
+Section: libdevel
+Depends: ${shlibs:Depends},
+ ${misc:Depends},
+ libproxy0 (= ${binary:Version})
+Description: automatic proxy configuration management library (devel)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains the development files.
+
+Package: libproxy-tools
+Section: utils
+Architecture: any
+Depends: ${shlibs:Depends},
+ ${misc:Depends}
+Description: automatic proxy configuration management library (tools)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains a program to interact with libproxy from the
+ command line.
+
+Package: python-libproxy
+Architecture: all
+Section: python
+Depends: ${python:Depends},
+ ${misc:Depends},
+ libproxy0 (>= ${source:Version})
+Description: automatic proxy configuration management library (python)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains the Python bindings.
--- libproxy-0.3.1.orig/debian/libproxy-dev.install
+++ libproxy-0.3.1/debian/libproxy-dev.install
@@ -0,0 +1,3 @@
+debian/tmp/usr/include
+debian/tmp/usr/lib/pkgconfig
+debian/tmp/usr/lib/libproxy.so
--- libproxy-0.3.1.orig/debian/rules
+++ libproxy-0.3.1/debian/rules
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+
+include /usr/share/cdbs/1/class/autotools.mk
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/simple-patchsys.mk
+include /usr/share/cdbs/1/rules/utils.mk
+include /usr/share/cdbs/1/class/gnome.mk
+include /usr/share/gnome-pkg-tools/1/rules/uploaders.mk
+
+SHLIBVER := 0.2.3
+libproxy := $(shell sed -nr 's/^Package:[[:space:]]*(libproxy[0-9]+)[[:space:]]*$$/\1/p' debian/control)
+
+DEB_DH_MAKESHLIBS_ARGS_$(libproxy) = -V '$(libproxy) (>= $(SHLIBVER))'
+DEB_DH_SHLIBDEPS_ARGS_$(libproxy) := -Xmodules
+
+binary-install/python-libproxy::
+ dh_python2 -p$(cdbs_curpkg)
+
+binary-install/$(libproxy)::
+ rm debian/$(libproxy)/usr/lib/libproxy/*/modules/wpad_dnsdevolution.so
--- libproxy-0.3.1.orig/debian/python-libproxy.install
+++ libproxy-0.3.1/debian/python-libproxy.install
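Review bot: The `rm` of `wpad_dnsdevolution.so` under `binary-install/$(libproxy)::` in debian/rules has no comment saying why a module that was just built is deleted from the package. The changelog entry for 0.3.1-1 lists it as what replaced the dropped 50_px-wpad-fallback-env-var patch, so the intent appears to be keeping WPAD DNS-devolution autodetection out of the shipped library; a comment such as `# Do not ship the WPAD DNS-devolution module (replaces 50_px-wpad-fallback-env-var.patch); rm is left without -f so the build fails if the module path changes` would record that for the next maintainer. Separately, `$(libproxy)` is the output of a `sed` over debian/control and is empty when no `libproxyN` stanza matches, which silently changes both the target name and the `rm` path; a guard right after the assignment, `ifeq ($(libproxy),)` / `$(error no libproxyN package found in debian/control)` / `endif`, would turn that into a build failure.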
@@ -0,0 +1 @@
+debian/tmp/usr/lib/python*
--- libproxy-0.3.1.orig/debian/watch
+++ libproxy-0.3.1/debian/watch
@@ -0,0 +1,4 @@
+version=3
+
+http://code.google.com/p/libproxy/downloads/list \
+ http://libproxy.googlecode.com/files/libproxy-(.*).tar.bz2
--- libproxy-0.3.1.orig/debian/changelog
+++ libproxy-0.3.1/debian/changelog
@@ -0,0 +1,154 @@
+libproxy (0.3.1-2ubuntu6.1) oneiric-security; urgency=low
+
+ * SECURITY UPDATE: possible remote code execution via buffer overflow
+ - debian/patches/02_CVE-2012-4505.patch: validate maximum pac size in
+ src/lib/pac.c.
+ - CVE-2012-4505
+
+ -- Marc Deslauriers Tue, 06 Nov 2012 09:37:33 -0500
+
+libproxy (0.3.1-2ubuntu6) oneiric; urgency=low
+
+ * Switch to dh_python2. (LP: #788514)
+
+ -- Barry Warsaw Fri, 22 Jul 2011 19:08:12 -0400
+
+libproxy (0.3.1-2ubuntu5) natty; urgency=low
+
+ * debian/control.in: Drop libwebkitgtk-1.0-0 | libmozjs2d recommends to
+ suggests, as we otherwise pull in the sizable libwebkitgtk-1.0-0 into the
+ Kubuntu CDs.
+
+ -- Martin Pitt Mon, 24 Jan 2011 17:37:44 +0100
+
+libproxy (0.3.1-2ubuntu4) natty; urgency=low
+
+ * debian/control.in: updated the webkit build-depends as well
+
+ -- Sebastien Bacher Thu, 20 Jan 2011 11:06:08 +0100
+
+libproxy (0.3.1-2ubuntu3) natty; urgency=low
+
+ * debian/control.in:
+ - recommend libwebkitgtk-1.0-0 instead of libwebkit-1.0-2
+
+ -- Michael Vogt Mon, 17 Jan 2011 12:00:47 +0100
+
+libproxy (0.3.1-2ubuntu2) natty; urgency=low
+
+ * debian/control:
+ - Drop KDE from build-deps on ARM to workaround FTBFS due to KDE stack
+ being broken due to toolchain issues. This will be reverted after
+ Alpha 1 (LP: #683072)
+
+ -- Michael Casadevall Mon, 29 Nov 2010 16:00:27 -0800
+
+libproxy (0.3.1-2ubuntu1) natty; urgency=low
+
+ * Merge from debian unstable. Remaining changes: (LP: #681433)
+ - debian/control{.in}: Drop Build-Depends on libmozjs-dev
+ since we don't have this package in archive.
+
+ -- Artur Rona Thu, 25 Nov 2010 20:55:29 +0100
+
+libproxy (0.3.1-2) unstable; urgency=low
+
+ [ Emilio Pozuelo Monfort ]
+ * debian/patches/libproxy_link_against_libdl.patch:
+ - Removed, configure.ac already adds the correct check so this is not
+ needed anymore.
+
+ [ Josselin Mouette ]
+ * 01_pac_http.patch: new patch from Julien Blache. Don’t assume HTTP
+ header names are case sensitive. Closes: #600196.
+ * Re-enable webkit support. The build-dependency loop is not a problem
+ for a stable release. (But the issue will arise again later.)
+ * Recommend libwebkit-1.0-2 | libmozjs2d. Closes: #597864.
+
+ -- Josselin Mouette Tue, 19 Oct 2010 08:46:05 +0200
+
+libproxy (0.3.1-1ubuntu1) lucid; urgency=low
+
+ * Resync on the Debian testing version for lucid but built it using webkit
+
+ -- Sebastien Bacher Tue, 13 Apr 2010 16:08:18 +0200
+
+libproxy (0.3.1-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fixes crash when parsing .pac file. Closes: #550179.
+ - debian/patches/10_configure-check-for-dbus.patch,
+ debian/patches/60_am-prog-cc-c-o.patch:
+ + Removed, fixed upstream.
+ - debian/control.in:
+ + Build depend on gconf2 instead of libgconf2-dev.
+ + Build depend on kdelibs5-dev and libqt4-dev for the KDE4 plugin.
+ - debian/patches/50_px-wpad-fallback-env-var.patch,
+ debian/rules:
+ + Remove patch, don't install wpad_dnsdevolution.so now.
+ - debian/patches/70_autotools.patch:
+ + Removed, no longer needed.
+ - debian/libproxy0.install,
+ debian/rules:
+ + s/plugins/modules/ following the upstream change.
+ * debian/control.in:
+ - Update my maintainer email address.
+ - Standards-Version is 3.8.3, no changes needed.
+ - libproxy-tools is section utils.
+ * debian/watch:
+ - Look for bzip2 tarballs.
+ * debian/patches/libproxy_link_against_libdl.patch:
+ - Link with -ldl for dlopen et al. Closes: #558920.
+
+ -- Emilio Pozuelo Monfort Sat, 12 Dec 2009 01:56:54 +0100
+
+libproxy (0.2.3-4) unstable; urgency=low
+
+ * Don't build NetworkManager support on non-Linux platforms. Thanks
+ Samuel Thibault. Closes: #534939.
+ * Standards-Version is 3.8.2, no changes needed.
+
+ -- Emilio Pozuelo Monfort Sun, 28 Jun 2009 20:35:04 +0200
+
+libproxy (0.2.3-3) unstable; urgency=low
+
+ * Stop building the webkit plugin for now, we have a circular build-
+ dependency with webkit. Instead, build the mozjs one, so that we can
+ still read PAC files.
+
+ -- Emilio Pozuelo Monfort Wed, 29 Apr 2009 20:55:50 +0200
+
+libproxy (0.2.3-2) unstable; urgency=low
+
+ * debian/patches/50_px-wpad-fallback-env-var.patch:
+ - Fix logic to not bypass the config plugin when the env variable
+ isn't set. We don't do wpad fallback if the env variable isn't set,
+ but there's not reason to ignore the config file if one is provided.
+ See https://launchpad.net/bugs/354475.
+ * Standards-Version is 3.8.1, no changes needed.
+ * debian/copyright: Add copyright note for pacutils.js
+
+ -- Emilio Pozuelo Monfort Sat, 25 Apr 2009 14:25:10 +0200
+
+libproxy (0.2.3-1) unstable; urgency=low
+
+ [ Emilio Pozuelo Monfort ]
+ * Initial release (Closes: #509063).
+ * Fix if/else logic and a wrong free in 50_px-wpad-fallback-env-var.
+
+ [ Loic Minier ]
+ * Set libproxy-dev Arch: any; too small win to warrant installability issues
+ on slow arches.
+ * Drop shlibs:Depends from python-libproxy as it's Arch: all.
+ * Drop gnome-get-source.mk include as it's not working by default.
+ * Rename patch configure_check_for_dbus to 10_configure-check-for-dbus.
+ * Run a full autoreconf instead of only autoconf.
+ - New patch, 60_am-prog-cc-c-o, makes newer autoconfs happier.
+ - New patch, 70_autotools, split autotools generated files here to force
+ them to be applied last and avoid timestamp skews issues.
+ Thanks Sébastien Bacher and Ubuntu for the above.
+ * New patch, 50_px-wpad-fallback-env-var, check PX_WPAD_FALLBACK env var to
+ decide whether to fall back to wpad:// style autodetection or not,
+ defaulting to not fallback when the env var isn't set.
+
+ -- Emilio Pozuelo Monfort Tue, 03 Mar 2009 01:11:35 +0100
--- libproxy-0.3.1.orig/debian/libproxy0.install
+++ libproxy-0.3.1/debian/libproxy0.install
@@ -0,0 +1,2 @@
+debian/tmp/usr/lib/libproxy.so.*
+debian/tmp/usr/lib/libproxy/*/modules
--- libproxy-0.3.1.orig/debian/compat
+++ libproxy-0.3.1/debian/compat
@@ -0,0 +1 @@
+5
--- libproxy-0.3.1.orig/debian/control.in
+++ libproxy-0.3.1/debian/control.in
@@ -0,0 +1,71 @@
+Source: libproxy
+Section: libs
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Emilio Pozuelo Monfort
+Uploaders: @GNOME_TEAM@
+Build-Depends: cdbs (>= 0.4.90~),
+ debhelper (>= 5),
+ gnome-pkg-tools,
+ autotools-dev,
+ python-all-dev (>= 2.6.6-3~),
+ network-manager-dev [!hurd-i386 !kfreebsd-i386 !kfreebsd-amd64],
+ libdbus-1-dev,
+ kdelibs5-dev [!armel],
+ libqt4-dev,
+# /!\ we have a build-depends loop with webkit
+ libwebkitgtk-dev,
+ gconf2,
+ libxmu-dev
+Standards-Version: 3.8.3
+X-Python-Version: >= 2.5
+Vcs-Svn: svn://svn.debian.org/svn/pkg-gnome/packages/unstable/libproxy
+Vcs-Browser: http://svn.debian.org/viewsvn/pkg-gnome/packages/unstable/libproxy
+Homepage: http://code.google.com/p/libproxy/
+
+Package: libproxy0
+Architecture: any
+Depends: ${shlibs:Depends},
+ ${misc:Depends}
+Suggests: libwebkitgtk-1.0-0 | libmozjs2d
+Description: automatic proxy configuration management library (shared)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains the shared library.
+
+Package: libproxy-dev
+Architecture: any
+Section: libdevel
+Depends: ${shlibs:Depends},
+ ${misc:Depends},
+ libproxy0 (= ${binary:Version})
+Description: automatic proxy configuration management library (devel)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains the development files.
+
+Package: libproxy-tools
+Section: utils
+Architecture: any
+Depends: ${shlibs:Depends},
+ ${misc:Depends}
+Description: automatic proxy configuration management library (tools)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains a program to interact with libproxy from the
+ command line.
+
+Package: python-libproxy
+Architecture: all
+Section: python
+Depends: ${python:Depends},
+ ${misc:Depends},
+ libproxy0 (>= ${source:Version})
+Description: automatic proxy configuration management library (python)
+ libproxy is a lightweight library which makes it easy to develop
+ applications proxy-aware with a simple and stable API.
+ .
+ This package contains the Python bindings.
--- libproxy-0.3.1.orig/debian/libproxy-tools.install
+++ libproxy-0.3.1/debian/libproxy-tools.install
@@ -0,0 +1 @@
+debian/tmp/usr/bin
--- libproxy-0.3.1.orig/debian/patches/01_pac_http.patch
+++ libproxy-0.3.1/debian/patches/01_pac_http.patch
@@ -0,0 +1,25 @@
+diff -ru orig/libproxy-0.3.1/src/lib/pac.c libproxy-0.3.1/src/lib/pac.c
+--- orig/libproxy-0.3.1/src/lib/pac.c 2009-09-29 21:52:50.000000000 +0200
++++ libproxy-0.3.1/src/lib/pac.c 2010-10-14 16:13:58.273700566 +0200
+@@ -19,6 +19,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -145,11 +146,11 @@
+ /* Check for correct mime type and content length */
+ while (strcmp(line, "\r")) {
+ /* Check for content type */
+- if (strstr(line, "Content-Type: ") == line && strstr(line, PAC_MIME_TYPE))
++ if (strncasecmp(line, "Content-Type:", strlen("Content-Type:")) == 0 && strstr(line, PAC_MIME_TYPE))
+ correct_mime_type = true;
+
+ /* Check for content length */
+- else if (strstr(line, "Content-Length: ") == line)
++ else if (strncasecmp(line, "Content-Length:", strlen("Content-Length:")) == 0)
+ content_length = atoi(line + strlen("Content-Length: "));
+
+ /* Get new line */
--- libproxy-0.3.1.orig/debian/patches/02_CVE-2012-4505.patch
+++ libproxy-0.3.1/debian/patches/02_CVE-2012-4505.patch
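Review bot: In 01_pac_http.patch the new Content-Length match no longer requires the space after the colon, but the value is still read from `line + strlen("Content-Length: ")`, so a header sent as `Content-Length:1234` loses its first digit, and a bare `Content-Length:` makes the pointer land at or beyond the string terminator. Skipping only the matched prefix fixes both, since `atoi` already skips leading whitespace: `content_length = atoi(line + strlen("Content-Length:"));`. `atoi` also gives no indication of garbage or out-of-range input from the server, so a `strtol` call with an end-pointer and `errno` check would be the sturdier follow-up. The enclosing function starts and ends outside the hunk, so the declared type of `content_length` cannot be confirmed from here.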
@@ -0,0 +1,37 @@
+Description: fix possible remote code execution via buffer overflow
+Origin: vendor, https://bugzilla.redhat.com/attachment.cgi?id=625842
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4505
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690376
+
+diff -Nur -x '*.orig' -x '*~' libproxy-0.3.1/src/lib/pac.c libproxy-0.3.1.new/src/lib/pac.c
+--- libproxy-0.3.1/src/lib/pac.c 2012-11-06 09:37:09.070476227 -0500
++++ libproxy-0.3.1.new/src/lib/pac.c 2012-11-06 09:37:26.242476764 -0500
+@@ -36,6 +36,9 @@
+
+ #define PAC_MIME_TYPE "application/x-ns-proxy-autoconfig"
+
++// This is the maximum pac size (to avoid memory attacks)
++#define PAC_MAX_SIZE 102400
++
+ /**
+ * ProxyAutoConfig object. All fields are private.
+ */
+@@ -160,12 +163,15 @@
+ }
+
+ /* Get content */
+- if (!content_length || !correct_mime_type) goto error;
++ if (content_length == 0 || content_length > PAC_MAX_SIZE || !correct_mime_type) goto error;
+ px_free(line); line = NULL;
+ px_free(self->cache);
+ self->cache = px_malloc0(content_length+1);
+- for (int recvd=0 ; recvd != content_length ; )
+- recvd += recv(sock, self->cache + recvd, content_length - recvd, 0);
++ for (int recvd=0 ; recvd != content_length ; ) {
++ int r = recv(sock, self->cache + recvd, content_length - recvd, 0);
++ if (r <= 0) goto error;
++ recvd += r;
++ }
+ }
+ else
+ { /* file:// url */
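Review bot: The new bound in 02_CVE-2012-4505.patch, `content_length == 0 || content_length > PAC_MAX_SIZE`, rejects only zero and oversized values. If `content_length` is a signed integer (its declaration is outside the hunk, and 01_pac_http.patch fills it from `atoi`), a negative Content-Length passes both tests and still reaches `px_malloc0(content_length+1)` and the `recv` length `content_length - recvd`. Writing the test as `if (content_length <= 0 || content_length > PAC_MAX_SIZE || !correct_mime_type) goto error;` closes that case and changes nothing if the variable turns out to be unsigned. `recvd` is an `int` compared against `content_length`, so giving both the same type avoids a mixed-sign comparison in the loop condition. The `PAC_MAX_SIZE` comment would also be clearer if it stated the unit and what is capped, e.g. `/* Upper bound, in bytes, on the Content-Length accepted for a PAC download */`.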