Package Details: h2o-2.2 2.2.6-5

Git Clone URL: https://aur.archlinux.org/h2o-2.2.git
Package Base: h2o-2.2
Description: Optimized HTTP server with support for HTTP/1.x and HTTP/2
Upstream URL: https://github.com/h2o/h2o
Licenses: MIT
Conflicts: h2o, h2o-git, libh2o
Provides: h2o, libh2o
Submitter: HLFH
Maintainer: HLFH (rgacogne)
Last Packager: rgacogne
Votes: 3
Popularity: 0.000005
First Submitted: 2021-12-08 14:39 (UTC)
Last Updated: 2023-12-19 14:12 (UTC)

Latest Comments

rgacogne commented on 2023-12-19 14:15 (UTC)

Thanks a lot! I pushed an update adding the security fix patch for CVE-2023-44487. I did not apply @phoepsilonix patches: I'm not exactly sure of what some of the patches fix so I cannot test it, and some changes to the PKGBUILD seem to be disabling static and shared libraries which would make this package useless for me.

HLFH commented on 2023-12-16 06:25 (UTC) (edited on 2023-12-16 06:25 (UTC) by HLFH)

@rgacogne

I have added you as co-maintainer.
Feel free to:
- apply your security fix patch: https://github.com/h2o/h2o/pull/3293 ;
- apply the @phoepsilonix patches (mruby-Rakefile.patch, deps.patch, h2o-libressl-3.6.2.patch, PKGBUILD patch).

HLFH commented on 2023-12-16 06:09 (UTC)

Hello, looking at it today.

rgacogne commented on 2023-12-15 13:03 (UTC)

I'm afraid this package is still vulnerable to CVE-2023-44487, would you accept a patch backporting the fix?

rgacogne commented on 2023-10-16 07:40 (UTC)

Note that the commit has now been merged into the 2.2.x branch upstream so it's no longer needed to switch to a different repository. Unfortunately there will be no new h2o releases so we would still need to either apply the patch on top of 2.2.6 or build from the 2.2.x branch directly. Let me know if you are interested in a co-maintainer, by the way :-)

rgacogne commented on 2023-10-11 12:08 (UTC)

Hi! Would you be willing to add the commit from https://github.com/h2o/h2o/pull/3293 that is backporting a security fix to the 2.2.x branch? The maintainer of h2o has made it clear a new 2.2.x release will not happen. Thanks!

phoepsilonix commented on 2023-03-07 15:43 (UTC) (edited on 2023-03-08 20:18 (UTC) by phoepsilonix)

It can be built with lto enabled. Also fixed a mistake in the mruby Rakefile. Postscript, just in case.
My patch is in the public domain.

mruby-Rakefile.patch

diff --git a/deps/mruby/Rakefile b/deps/mruby/Rakefile
index 2f6fa05..6fc1192 100644
--- a/deps/mruby/Rakefile
+++ b/deps/mruby/Rakefile
@@ -37,15 +37,15 @@ load "#{MRUBY_ROOT}/tasks/gitlab.rake"
 task :default => :all

 bin_path = ENV['INSTALL_DIR'] || "#{MRUBY_ROOT}/bin"
-FileUtils.mkdir_p bin_path, { :verbose => $verbose }
+FileUtils.mkdir_p(bin_path, :verbose => $verbose)

 depfiles = MRuby.targets['host'].bins.map do |bin|
   install_path = MRuby.targets['host'].exefile("#{bin_path}/#{bin}")
   source_path = MRuby.targets['host'].exefile("#{MRuby.targets['host'].build_dir}/bin/#{bin}")

   file install_path => source_path do |t|
-    FileUtils.rm_f t.name, { :verbose => $verbose }
-    FileUtils.cp t.prerequisites.first, t.name, { :verbose => $verbose }
+    FileUtils.rm_f(t.name, :verbose => $verbose)
+    FileUtils.cp(t.prerequisites.first, t.name, :verbose => $verbose)
   end

   install_path
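
Review bot: the patch gives no reason for replacing the trailing hash literal in `FileUtils.mkdir_p bin_path, { :verbose => $verbose }` (and in the `rm_f` and `cp` calls below it) with keyword-style arguments, so a later packager cannot tell when the patch can be dropped. A one-line header in mruby-Rakefile.patch naming the Ruby version it targets would help: from Ruby 3.0 on, keyword arguments are separated from positional ones and a hash passed as the last positional argument to these FileUtils methods raises ArgumentError, which is the failure this rewrite avoids.
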
@@ -78,8 +78,8 @@ MRuby.each_target do |target|
         install_path = MRuby.targets['host'].exefile("#{bin_path}/#{bin}")

         file install_path => exec do |t|
-          FileUtils.rm_f t.name, { :verbose => $verbose }
-          FileUtils.cp t.prerequisites.first, t.name, { :verbose => $verbose }
+          FileUtils.rm_f(t.name, :verbose => $verbose)
+          FileUtils.cp(t.prerequisites.first, t.name, :verbose => $verbose)
         end
         depfiles += [ install_path ]
       elsif target == MRuby.targets['host-debug']
@@ -87,8 +87,8 @@ MRuby.each_target do |target|
           install_path = MRuby.targets['host-debug'].exefile("#{bin_path}/#{bin}")

           file install_path => exec do |t|
-            FileUtils.rm_f t.name, { :verbose => $verbose }
-            FileUtils.cp t.prerequisites.first, t.name, { :verbose => $verbose }
+            FileUtils.rm_f(t.name, :verbose => $verbose)
+            FileUtils.cp(t.prerequisites.first, t.name, :verbose => $verbose)
           end
           depfiles += [ install_path ]
         end
@@ -127,16 +127,16 @@ end
 desc "clean all built and in-repo installed artifacts"
 task :clean do
   MRuby.each_target do |t|
-    FileUtils.rm_rf t.build_dir, { :verbose => $verbose }
+    FileUtils.rm_rf(t.build_dir, :verbose => $verbose)
   end
-  FileUtils.rm_f depfiles, { :verbose => $verbose }
+  FileUtils.rm_f(depfiles, :verbose => $verbose)
   puts "Cleaned up target build folder"
 end

 desc "clean everything!"
 task :deep_clean => ["clean"] do
   MRuby.each_target do |t|
-    FileUtils.rm_rf t.gem_clone_dir, { :verbose => $verbose }
+    FileUtils.rm_rf(t.gem_clone_dir, :verbose => $verbose)
   end
   puts "Cleaned up mrbgems build folder"
 end

deps.patch

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 436d90c..7073b27 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -81,6 +81,28 @@ OPTION(WITH_MRUBY "whether or not to build with mruby support" ${WITH_MRUBY_DEFA

 OPTION(WITH_PICOTLS "whether or not to build with picotls" "ON")

+IF (PKG_CONFIG_FOUND)
+    PKG_CHECK_MODULES(YAML yaml-0.1)
+    IF (YAML_FOUND)
+        SET(YAML_FOUND TRUE)
+        INCLUDE_DIRECTORIES(${YAML_INCLUDE_DIRS})
+        LINK_DIRECTORIES(${YAML_LIBRARY_DIRS})
+        LIST(APPEND EXTRA_LIBS ${YAML_LIBRARIES})
+        ADD_DEFINITIONS("-DYAML_FOUND")
+    ENDIF (YAML_FOUND)
+ENDIF (PKG_CONFIG_FOUND)
+
+IF (PKG_CONFIG_FOUND)
+    PKG_CHECK_MODULES(HIREDIS hiredis)
+    IF (HIREDIS_FOUND)
+        SET(HIREDIS_FOUND TRUE)
+        INCLUDE_DIRECTORIES(${HIREDIS_INCLUDE_DIRS})
+        LINK_DIRECTORIES(${HIREDIS_LIBRARY_DIRS})
+        LIST(APPEND EXTRA_LIBS ${HIREDIS_LIBRARIES})
+        ADD_DEFINITIONS("-DHIREDIS_FOUND")
+    ENDIF (HIREDIS_FOUND)
+ENDIF (PKG_CONFIG_FOUND)
+
 IF (WITH_BUNDLED_SSL)
     SET(BUNDLED_SSL_INCLUDE_DIR "${CMAKE_CURRENT_BINARY_DIR}/libressl-build/include")
     SET(BUNDLED_SSL_LIBRARIES "${CMAKE_CURRENT_BINARY_DIR}/libressl-build/lib/libssl.a" "${CMAKE_CURRENT_BINARY_DIR}/libressl-build/lib/libcrypto.a")
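
Review bot: the new `PKG_CHECK_MODULES(HIREDIS hiredis)` block appends the system hiredis to `EXTRA_LIBS`, but no hunk in this patch removes a bundled hiredis source list the way `LIBYAML_SOURCE_FILES` is removed further down, so the patch does not show whether hiredis ends up built from deps/ and linked from the system at the same time. Please either drop the bundled sources in the same patch or explain why only the link line changes. The `SET(YAML_FOUND TRUE)` and `SET(HIREDIS_FOUND TRUE)` lines sit inside `IF (YAML_FOUND)` and `IF (HIREDIS_FOUND)` and are redundant, and nothing in the visible hunks reads the `-DYAML_FOUND` or `-DHIREDIS_FOUND` definitions.
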
@@ -174,16 +196,6 @@ ENDIF ()

 SET(CMAKE_C_FLAGS "-O2 -g ${CC_WARNING_FLAGS} ${CMAKE_C_FLAGS} -DH2O_ROOT=\"${CMAKE_INSTALL_PREFIX}\" -DH2O_CONFIG_PATH=\"${CMAKE_INSTALL_SYSCONFDIR}/h2o.conf\"")

-SET(LIBYAML_SOURCE_FILES
-    deps/yaml/src/api.c
-    deps/yaml/src/dumper.c
-    deps/yaml/src/emitter.c
-    deps/yaml/src/loader.c
-    deps/yaml/src/parser.c
-    deps/yaml/src/reader.c
-    deps/yaml/src/scanner.c
-    deps/yaml/src/writer.c)
-
 SET(BROTLI_SOURCE_FILES
     deps/brotli/enc/backward_references.cc
     deps/brotli/enc/block_splitter.cc
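
Review bot: `LIBYAML_SOURCE_FILES` is deleted here unconditionally, while the `PKG_CHECK_MODULES(YAML yaml-0.1)` lookup added at the top of this patch is optional and only runs under `IF (PKG_CONFIG_FOUND)`. When pkg-config or yaml-0.1 is missing, configuration still succeeds and the build is left with no YAML sources and no YAML library, failing later at compile or link time. Either pass `REQUIRED` to the lookup so the failure is reported at configure time, or keep the bundled list as the fallback in an ELSE branch.
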
@@ -316,7 +328,6 @@ SET(LIB_SOURCE_FILES

 SET(UNIT_TEST_SOURCE_FILES
     ${LIB_SOURCE_FILES}
-    ${LIBYAML_SOURCE_FILES}
     ${BROTLI_SOURCE_FILES}
     deps/picotest/picotest.c
     t/00unit/test.c
@@ -448,7 +459,6 @@ TARGET_LINK_LIBRARIES(examples-latency-optimization libh2o-evloop ${EXTRA_LIBS})
 # standalone server directly links to libh2o using evloop
 SET(STANDALONE_SOURCE_FILES
     ${LIB_SOURCE_FILES}
-    ${LIBYAML_SOURCE_FILES}
     ${BROTLI_SOURCE_FILES}
     deps/neverbleed/neverbleed.c
     src/main.c

h2o-libressl-3.6.2.patch

diff --git a/deps/neverbleed/neverbleed.c b/deps/neverbleed/neverbleed.c
index b6972bb..e0686b0 100644
--- a/deps/neverbleed/neverbleed.c
+++ b/deps/neverbleed/neverbleed.c
@@ -45,7 +45,7 @@
 #endif
 #include "neverbleed.h"

-#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#if (LIBRESSL_VERSION_NUMBER >= 0x3060200fL || OPENSSL_VERSION_NUMBER >= 0x1010000fL)
 #define OPENSSL_1_1_API 1
 #else
 #define OPENSSL_1_1_API 0
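
Review bot: dropping the `!defined(LIBRESSL_VERSION_NUMBER)` guard means the `OPENSSL_VERSION_NUMBER >= 0x1010000fL` clause is now evaluated on LibreSSL builds as well. LibreSSL's headers define `OPENSSL_VERSION_NUMBER` as 0x20000000L, so the right-hand side of the `||` is true for every LibreSSL release and the `0x3060200fL` floor on the left has no effect: versions older than 3.6.2 also get `OPENSSL_1_1_API 1`. Keep the two cases exclusive, for example `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3060200fL) || (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL)`.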

PKGBUILD

diff --git a/PKGBUILD b/PKGBUILD
index 24c7d3d..deaa389 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,28 +6,61 @@ pkgver=2.2.6
 pkgrel=4
 pkgdesc="Optimized HTTP server with support for HTTP/1.x and HTTP/2"
 arch=('i686' 'x86_64')
-depends=('libuv' 'libyaml' 'openssl' 'wslay' 'zlib')
+depends=('libressl' 'sh' 'libyaml' 'openssl' 'wslay' 'zlib' 'hiredis')
 makedepends=('gcc' 'bison' 'cmake' 'libtool' 'make' 'pkg-config' 'ruby')
 url="https://github.com/h2o/h2o"
 license=('MIT')
 source=($_pkgname-$pkgver.tar.gz::https://codeload.github.com/h2o/$_pkgname/tar.gz/v${pkgver/_/-}
+        deps.patch
+        mruby-Rakefile.patch
+        h2o-libressl-3.6.2.patch
         h2o.service)
 b2sums=('8474751ca9832ddae2022710654ca58a93ebf9ca01afe934950209b04357b7548b05c598c49fe92684b2910fd6309d6fc3923a0b01cdeeb4b0dc65b08842255f'
+        '9ac641e10d627d79437f0bffc5fc9232723de283a2b8f68577265db365a6ded271b1fb35cb09115cbc9edc91dc6c55f3ea4031f98e71bb28d89acea9328b997c'
+        'd492cc8cd8a7a1d5e46414b9a03174a4f7a862fbce0ddeff0843038030afb131074632a0b602cf2866d37a19aba6fdb358430c295a46975c525bdf438b0fcec4'
+        '5d870ba422798053fc751ff6d7d941df352dec6ddaa33c2a9b2c3f83b16571368eda6f8eae464b64582ccbb350a1f931ad372a134576399d1c85ee17d5d08188'
         '59b86cec57d06c3754b0634adef46da6b86ce4b251c5f864ab866e94a169ca2ed9357521a9b645ff38ea463ab168b4f07c0104a34945c4f2fb73df837312d5a7')
 backup=('etc/h2o.conf')
-options=(!lto)
+options=()
 provides=('h2o' 'libh2o')
 conflicts=('libh2o' 'h2o' 'h2o-git')

-build() {
+prepare() {
   cd "$srcdir/$_pkgname-${pkgver/_/-}"

+  patch -p1 -i ${srcdir}/deps.patch
+  patch -p1 -i ${srcdir}/mruby-Rakefile.patch
+  patch -p1 -i ${srcdir}/h2o-libressl-3.6.2.patch
+
+  if [[ "$CC" == "clang" ]] ;then
+    export LD=clang
+  fi
+
+  PKG_CONFIG_PATH=/usr/lib/libressl/pkgconfig \
+  LD_LIBRARY_PATH=/usr/lib/libressl \
   cmake \
+    -DCMAKE_INTERPROCEDURAL_OPTIMIZATION=ON \
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DCMAKE_INSTALL_LIBDIR=/usr/lib \
+    -DCMAKE_INSTALL_SYSCONFDIR=/etc \
+    -DCMAKE_LINKER="$LD" \
+    -DCMAKE_C_FLAGS="$CPPFLAGS $CLAGS" \
+    -DCMAKE_CXX_FLAGS="$CPPFLAGS $CXXLAGS" \
+    -DCMAKE_EXE_LINKER_FLAGS="$LDFLAGS" \
+    -DCMAKE_MODULE_LINKER_FLAGS="$LDFLAGS" \
+    -DWITH_MRUBY=on \
+    -DWITHOUT_LIBS=off \
+    -DBUILD_SHARED_LIBS=off \
     -DWITH_BUNDLED_SSL=off \
-    -DWITH_MRUBY=off \
     .
+}
+
+build() {
+  cd "$srcdir/$_pkgname-${pkgver/_/-}"
+  if [[ "$CC" == "clang" ]] ;then
+    export LD=clang
+  fi
+
   make
   make libh2o
 }
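
Review bot: `-DCMAKE_C_FLAGS="$CPPFLAGS $CLAGS"` and `-DCMAKE_CXX_FLAGS="$CPPFLAGS $CXXLAGS"` misspell `$CFLAGS` and `$CXXFLAGS`, so both variables expand to empty strings and the compiler flags configured in makepkg.conf, which normally include the distribution's hardening options, never reach the build. Correct the two names. Separately, `depends` now lists both 'libressl' and 'openssl' and drops 'libuv' while `build()` still runs `make libh2o` and cmake is passed `-DBUILD_SHARED_LIBS=off`; please state which TLS library the package is meant to link against and whether the libraries are still expected to be built and installed. `pkgrel=4` is also unchanged in the context lines, so the rebuilt package would not be offered as an upgrade.
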
@@ -35,8 +68,8 @@ build() {
 package() {
   cd "$srcdir/$_pkgname-${pkgver/_/-}"

-  install -Dm 644 LICENSE "$pkgdir/usr/share/licenses/$_pkgname/LICENSE"
-  install -Dm 644 README.md "$pkgdir/usr/share/doc/$_pkgname/README.md"
+  install -Dm 644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+  install -Dm 644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md"
   install -Dm 644 "$srcdir/h2o.service" "$pkgdir/usr/lib/systemd/system/h2o.service"
   install -Dm 644 examples/h2o/h2o.conf "$pkgdir/etc/h2o.conf"
   make DESTDIR="$pkgdir" install

rgacogne commented on 2022-12-08 16:55 (UTC)

Thanks, much appreciated!

HLFH commented on 2022-12-08 14:17 (UTC)

Please use h2o-2.2 2.2.6-4.

HLFH commented on 2022-12-08 14:09 (UTC)

I have added the options=(!lto). I guess we're good now.