emikulic / darkhttpd

When you need a web server in a hurry.
https://unix4lyfe.org/darkhttpd/
ISC License

New release? #21

Closed hhartzer closed 1 year ago

hhartzer commented 2 years ago

This is very cool. I'm looking to make a FreeBSD port for this. Looks like there are some useful new features since 1.13. Are you planning on releasing a new version that I can use in the port?

Thank you!

hhartzer commented 2 years ago

Here is the port, if you are curious: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262234

emikulic commented 2 years ago

That's a nice and concise Makefile. I'll do a release soon.

hhartzer commented 2 years ago

Great, thank you!

ffontaine commented 2 years ago

FYI, it seems that CVE-2020-25691 was assigned to darkhttpd. It would be great to fix this issue before making a new release (if it is not already fixed).

hhartzer commented 2 years ago

I'm assuming this was fixed given the age of the CVE, but can't tell for sure. @emikulic would you be able to confirm?

emikulic commented 1 year ago

I can't find a patch or repro instructions for the CVE.

I tried to come up with a reproducer so I passed time=9223372036854775807 to strftime, and that crashes inside glibc:

```
#0  0x00007ffff7e65207 in __strftime_internal (s=0x7fffffffe060 "", maxsize=30, format=0x555555556018 "%a, %d %b %Y %H:%M:%S GMT", tp=0x0, 
    yr_spec=yr_spec@entry=0, tzset_called=tzset_called@entry=0x7fffffffdf67, loc=0x7ffff7f8c560 <_nl_global_locale>)
    at ./time/strftime_l.c:476
#1  0x00007ffff7e67398 in __GI___strftime_l (s=<optimized out>, maxsize=<optimized out>, format=<optimized out>, tp=<optimized out>, 
    loc=<optimized out>) at ./time/strftime_l.c:460
#2  0x0000555555555211 in rfc1123_date (dest=0x7fffffffe060 "", when=9223372036854775807) at darkhttpd.c:1458
```

emikulic commented 1 year ago

Done: https://github.com/emikulic/darkhttpd/releases/tag/v1.14
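
The backtrace above shows `strftime` being entered with `tp=0x0` for `when=9223372036854775807`, which is what happens when the time-to-`struct tm` conversion fails and its NULL result is passed straight on. The following is an added example, not darkhttpd's code and not the project's patch: `rfc1123_date_checked` is a hypothetical helper that checks that result before formatting, and it assumes a 64-bit `time_t`.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define DATE_LEN 30 /* strlen("Thu, 01 Jan 1970 00:00:00 GMT") + 1 */

/* Hypothetical helper (not darkhttpd's rfc1123_date): format `when` as an
 * RFC 1123 date into dest. Returns dest on success; returns NULL and leaves
 * an empty string in dest if the time cannot be represented or formatted. */
static char *rfc1123_date_checked(char *dest, size_t len, time_t when)
{
    const struct tm *tm;

    if (dest == NULL || len == 0)
        return NULL;
    dest[0] = '\0';

    /* gmtime() returns NULL when the resulting year does not fit in
     * struct tm. Handing that NULL to strftime() is the dereference
     * seen in frame #0 of the trace. */
    tm = gmtime(&when);
    if (tm == NULL)
        return NULL;

    /* strftime() returns 0 when the output does not fit in len bytes,
     * e.g. a year with more than four digits; treat that as failure too. */
    if (strftime(dest, len, "%a, %d %b %Y %H:%M:%S GMT", tm) == 0) {
        dest[0] = '\0';
        return NULL;
    }
    return dest;
}

int main(void)
{
    char buf[DATE_LEN];
    /* Constructed inputs: the epoch, and the value from the comment above. */
    time_t samples[] = { 0, (time_t)9223372036854775807LL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (rfc1123_date_checked(buf, sizeof buf, samples[i]) != NULL)
            printf("%lld -> %s\n", (long long)samples[i], buf);
        else
            printf("%lld -> unrepresentable, rejected\n", (long long)samples[i]);
    }
    return 0;
}
```

A caller that gets NULL back can omit the date header or reject the request instead of crashing.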