
01/02: gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287]


From: guix-commits
Subject: 01/02: gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287].
Date: Wed, 24 Feb 2021 04:31:53 -0500 (EST)

jlicht pushed a commit to branch master
in repository guix.

commit 66fa2d318a1e4da3679fa1c5a70cd3972dc0efbf
Author: Jelle Licht <jlicht@fsfe.org>
AuthorDate: Tue Feb 16 23:28:58 2021 +0100

    gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287].
    
    Fixes CVE-2020-8287.
    
    * gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee.
      [source]: Add patch to mitigate CVE.
    * gnu/packages/patches/http-parser-CVE-2020-8287.patch: New file.
    * gnu/local.mk [dist_patch_DATA]: New patch.
---
 gnu/local.mk                                       |   1 +
 .../patches/http-parser-CVE-2020-8287.patch        |  75 ++++++++++++
 gnu/packages/web.scm                               | 136 +++++++++++----------
 3 files changed, 146 insertions(+), 66 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index ae5a65c..ab0c1b0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1164,6 +1164,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch              \
   %D%/packages/patches/hdf-eos5-fix-szip.patch                 \
   %D%/packages/patches/hdf-eos5-fortrantests.patch             \
+  %D%/packages/patches/http-parser-CVE-2020-8287.patch         \
   %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch        \
   %D%/packages/patches/hubbub-sort-entities.patch              \
   %D%/packages/patches/hurd-cross.patch                                \
diff --git a/gnu/packages/patches/http-parser-CVE-2020-8287.patch 
b/gnu/packages/patches/http-parser-CVE-2020-8287.patch
new file mode 100644
index 0000000..580f773
--- /dev/null
+++ b/gnu/packages/patches/http-parser-CVE-2020-8287.patch
@@ -0,0 +1,75 @@
+From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
+From: Fedor Indutny <fedor@indutny.com>
+Date: Wed, 18 Nov 2020 20:50:21 -0800
+Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: https://github.com/nodejs-private/node-private/pull/235
+Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
+---
+ http_parser.c |  7 +++++++
+ test.c        | 26 ++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/http_parser.c b/http_parser.c
+index 9be003e7322..e9b2b9e83b9 100644
+--- a/http_parser.c
++++ b/http_parser.c
+@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
+               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+                 parser->header_state = h_transfer_encoding;
+                 parser->uses_transfer_encoding = 1;
++
++                /* Multiple `Transfer-Encoding` headers should be treated as
++                 * one, but with values separate by a comma.
++                 *
++                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++                 */
++                parser->flags &= ~F_CHUNKED;
+               }
+               break;
+ 
+diff --git a/test.c b/test.c
+index 3f7c77b3494..2e5a9ebd678 100644
+--- a/test.c
++++ b/test.c
+@@ -2154,6 +2154,32 @@ const struct message responses[] =
+   ,.body= "2\r\nOK\r\n0\r\n\r\n"
+   ,.num_chunks_complete= 0
+   }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++  ,.type= HTTP_RESPONSE
++  ,.raw= "HTTP/1.1 200 OK\r\n"
++         "Transfer-Encoding: chunked\r\n"
++         "Transfer-Encoding: identity\r\n"
++         "\r\n"
++         "2\r\n"
++         "OK\r\n"
++         "0\r\n"
++         "\r\n"
++  ,.should_keep_alive= FALSE
++  ,.message_complete_on_eof= TRUE
++  ,.http_major= 1
++  ,.http_minor= 1
++  ,.status_code= 200
++  ,.response_status= "OK"
++  ,.content_length= -1
++  ,.num_headers= 2
++  ,.headers=
++    { { "Transfer-Encoding", "chunked" }
++    , { "Transfer-Encoding", "identity" }
++    }
++  ,.body= "2\r\nOK\r\n0\r\n\r\n"
++  ,.num_chunks_complete= 0
++  }
+ };
+ 
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
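Review bot: The patch file does not record a public source for commit fc70ce08f5818a286fb5899a1bc3aff5965a745e: its only reference, `PR-URL: https://github.com/nodejs-private/node-private/pull/235`, points at a private repository, so the CVE fix cannot be compared against its upstream from this file alone. A leading line in the patch such as `Taken from <PUBLIC-UPSTREAM-COMMIT-URL>; paths adapted to the standalone http-parser tree.` (the URL is a placeholder, and the path adaptation is an assumption to confirm) would let a later auditor verify it. Separately, the added fixture `HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED` sits in `responses[]` only, so nothing in this patch exercises a request carrying two `Transfer-Encoding` headers; whether the request table already has such a case is not visible here. Both `http_parser_execute` and the `responses[]` initializer extend beyond the quoted context.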
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index e4ba0d5..010e01d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6162,78 +6162,82 @@ into your tests.  It automatically starts up a HTTP 
server in a separate thread
     (license license:expat)))
 
 (define-public http-parser
-  (package
-    (name "http-parser")
-    (version "2.9.4")
-    (home-page "https://github.com/nodejs/http-parser";)
-    (source
-     (origin
-       (method git-fetch)
-       (uri (git-reference (url home-page)
-                           (commit (string-append "v" version))))
-       (sha256
-        (base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c"))
-       (file-name (git-file-name name version))
-       (patches
-        (list
-         (origin
-           ;; Treat an empty port (e.g. `http://hostname:/`) when parsing
-           ;; URLs as if no port were specified.  This patch is applied
-           ;; to Fedora's http-parser and to libgit2's bundled version.
-           (method url-fetch)
-           (uri (string-append
-                 "https://src.fedoraproject.org/rpms/http-parser/raw/";
-                 "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/"
-                 "f/0001-url-treat-empty-port-as-default.patch"))
-           (sha256
-            (base32
-             "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))
-    (build-system gnu-build-system)
-    (arguments
-     `(#:test-target "test"
-       #:make-flags
-       (list (string-append "PREFIX="
-                            (assoc-ref %outputs "out"))
-             "library"
-             ,@(if (%current-target-system)
-                   '()
-                   '("CC=gcc")))
-       #:phases
-       (modify-phases %standard-phases
-         ,@(match (%current-system)
+  (let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d")
+        (revision "1"))
+    (package
+      (name "http-parser")
+      (version (git-version "2.9.4" revision commit))
+      (home-page "https://github.com/nodejs/http-parser";)
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference (url home-page)
+                             (commit commit)))
+         (sha256
+          (base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i"))
+         (file-name (git-file-name name version))
+         (patches
+          (append
+           (search-patches "http-parser-CVE-2020-8287.patch")
+           (list
+            (origin
+              ;; Treat an empty port (e.g. `http://hostname:/`) when parsing
+              ;; URLs as if no port were specified.  This patch is applied
+              ;; to Fedora's http-parser and to libgit2's bundled version.
+              (method url-fetch)
+              (uri (string-append
+                    "https://src.fedoraproject.org/rpms/http-parser/raw/";
+                    "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/"
+                    "f/0001-url-treat-empty-port-as-default.patch"))
+              (sha256
+               (base32
+                "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))))
+      (build-system gnu-build-system)
+      (arguments
+       `(#:test-target "test"
+         #:make-flags
+         (list (string-append "PREFIX="
+                              (assoc-ref %outputs "out"))
+               "library"
+               ,@(if (%current-target-system)
+                     '()
+                     '("CC=gcc")))
+         #:phases
+         (modify-phases %standard-phases
+           ,@(match (%current-system)
+               ("armhf-linux"
+                '((add-before 'check 'apply-assertion.patch
+                    (lambda* (#:key inputs #:allow-other-keys)
+                      (let ((patch (assoc-ref inputs "assertion.patch")))
+                        (invoke "patch" "-p1" "-i" patch)
+                        #t)))))
+               (_ '()))
+           ,@(if (%current-target-system)
+                 '((replace 'configure
+                     (lambda* (#:key target #:allow-other-keys)
+                       (substitute* (find-files "." "Makefile")
+                         (("CC\\?=.*$")
+                          (string-append "CC=" target "-gcc\n"))
+                         (("AR\\?=.*$")
+                          (string-append "AR=" target "-ar\n")))
+                       #t)))
+                 '((delete 'configure))))))
+      (native-inputs
+       `(,@(match (%current-system)
              ("armhf-linux"
-              '((add-before 'check 'apply-assertion.patch
-                  (lambda* (#:key inputs #:allow-other-keys)
-                    (let ((patch (assoc-ref inputs "assertion.patch")))
-                      (invoke "patch" "-p1" "-i" patch)
-                      #t)))))
-             (_ '()))
-         ,@(if (%current-target-system)
-               '((replace 'configure
-                    (lambda* (#:key target #:allow-other-keys)
-                      (substitute* (find-files "." "Makefile")
-                        (("CC\\?=.*$")
-                         (string-append "CC=" target "-gcc\n"))
-                        (("AR\\?=.*$")
-                         (string-append "AR=" target "-ar\n")))
-                      #t)))
-               '((delete 'configure))))))
-    (native-inputs
-     `(,@(match (%current-system)
-           ("armhf-linux"
-            ;; A fix for <https://issues.guix.gnu.org/40604> which in turn
-            ;; breaks i686-linux builds.
-            `(("assertion.patch"
-               ,@(search-patches "http-parser-fix-assertion-on-armhf.patch"))))
-           (_ '()))))
-    (synopsis "HTTP request/response parser for C")
-    (description "This is a parser for HTTP messages written in C.  It parses
+              ;; A fix for <https://issues.guix.gnu.org/40604> which in turn
+              ;; breaks i686-linux builds.
+              `(("assertion.patch"
+                 ,@(search-patches 
"http-parser-fix-assertion-on-armhf.patch"))))
+             (_ '()))))
+      (synopsis "HTTP request/response parser for C")
+      (description "This is a parser for HTTP messages written in C.  It parses
 both requests and responses.  The parser is designed to be used in
 high-performance HTTP applications.  It does not make any syscalls nor
 allocations, it does not buffer data, it can be interrupted at anytime.
 Depending on your architecture, it only requires about 40 bytes of data per
 message stream (in a web server that is per connection).")
-    (license license:expat)))
+      (license license:expat))))
 
 (define-public python-httpretty
   (package
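Review bot: The new `(let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d") (revision "1"))` binding pins an untagged commit in place of the `v2.9.4` tag, and nothing in the package says why that commit was chosen or what it carries beyond 2.9.4. A comment above the `let`, for example `;; Use an untagged commit because <REASON>.` (placeholder), would let someone auditing the new source hash confirm the choice. It would also help to note next to `(search-patches "http-parser-CVE-2020-8287.patch")` that the patch is to be dropped once an upstream release includes the fix, so the mitigation is not silently lost or applied twice on the next update. The `http-parser` definition is fully inside the hunk; the following `python-httpretty` form continues outside it.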


