Bug#1016690: http-parser: Apply nodejs 10.x patch for CVE-2020-8287

Fri, 05 Aug 2022 03:57:20 -0700 

Package: http-parser
Severity: normal
Tags: security patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu kinetic ubuntu-patch
X-Debbugs-Cc: scho...@ubuntu.com

Hi,
In Ubuntu, the attached patch was applied to achieve the following:

  * d/p/cve-2020-8287.patch: cherry-picked from upstream PR to address
    CVE-2020-8287

The upstream PR in question: https://github.com/nodejs/http-parser/pull/530/

Thanks for considering the patch.

Cheers,
Simon

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), 
(100, 'jammy-backports'), (50, 'jammy-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-43-lowlatency (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_USER, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru http-parser-2.9.4/debian/patches/cve-2020-8287.patch 
http-parser-2.9.4/debian/patches/cve-2020-8287.patch
--- http-parser-2.9.4/debian/patches/cve-2020-8287.patch        1970-01-01 
01:00:00.000000000 +0100
+++ http-parser-2.9.4/debian/patches/cve-2020-8287.patch        2022-08-05 
12:24:59.000000000 +0200
@@ -0,0 +1,76 @@
+From b89c40dee9817e0ceb53e12937f7609b217278ed Mon Sep 17 00:00:00 2001
+From: Fedor Indutny <fe...@indutny.com>
+Date: Wed, 18 Nov 2020 20:50:21 -0800
+Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
+Origin: Upstream PR (from nodejs) 
https://github.com/nodejs/http-parser/pull/530
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: https://github.com/nodejs-private/node-private/pull/235
+Reviewed-By: Fedor Indutny <fedor.indu...@gmail.com>
+---
+ http_parser.c |  7 +++++++
+ test.c        | 26 ++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/http_parser.c b/http_parser.c
+index 9be003e7..e9b2b9e8 100644
+--- a/http_parser.c
++++ b/http_parser.c
+@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
+               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+                 parser->header_state = h_transfer_encoding;
+                 parser->uses_transfer_encoding = 1;
++
++                /* Multiple `Transfer-Encoding` headers should be treated as
++                 * one, but with values separate by a comma.
++                 *
++                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++                 */
++                parser->flags &= ~F_CHUNKED;
+               }
+               break;
+ 
+diff --git a/test.c b/test.c
+index 3f7c77b3..2e5a9ebd 100644
+--- a/test.c
++++ b/test.c
+@@ -2154,6 +2154,32 @@ const struct message responses[] =
+   ,.body= "2\r\nOK\r\n0\r\n\r\n"
+   ,.num_chunks_complete= 0
+   }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++  ,.type= HTTP_RESPONSE
++  ,.raw= "HTTP/1.1 200 OK\r\n"
++         "Transfer-Encoding: chunked\r\n"
++         "Transfer-Encoding: identity\r\n"
++         "\r\n"
++         "2\r\n"
++         "OK\r\n"
++         "0\r\n"
++         "\r\n"
++  ,.should_keep_alive= FALSE
++  ,.message_complete_on_eof= TRUE
++  ,.http_major= 1
++  ,.http_minor= 1
++  ,.status_code= 200
++  ,.response_status= "OK"
++  ,.content_length= -1
++  ,.num_headers= 2
++  ,.headers=
++    { { "Transfer-Encoding", "chunked" }
++    , { "Transfer-Encoding", "identity" }
++    }
++  ,.body= "2\r\nOK\r\n0\r\n\r\n"
++  ,.num_chunks_complete= 0
++  }
+ };
+ 
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
diff -Nru http-parser-2.9.4/debian/patches/series 
http-parser-2.9.4/debian/patches/series
--- http-parser-2.9.4/debian/patches/series     2020-12-20 10:29:46.000000000 
+0100
+++ http-parser-2.9.4/debian/patches/series     2022-08-05 12:21:07.000000000 
+0200
@@ -5,5 +5,7 @@
 
cherry-pick.v2.9.4-8-ge13b274.allow-content-length-and-transfer-encoding-chunked.patch
 cherry-pick.v2.9.4-9-g4f15b7d.fix-sizeof-http-parser-assert.patch
 
+cve-2020-8287.patch
+
 # Debian-specific
 debian.improve-installation.patch

Reply via email to