Package: http-parser
Severity: normal
Tags: security patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu kinetic ubuntu-patch
X-Debbugs-Cc: scho...@ubuntu.com
Hi,

In Ubuntu, the attached patch was applied to achieve the following:

  * d/p/cve-2020-8287.patch: cherry-picked from upstream PR to address
    CVE-2020-8287

The upstream PR in question: https://github.com/nodejs/http-parser/pull/530/

Thanks for considering the patch.

Cheers,
Simon

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports'), (50, 'jammy-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-43-lowlatency (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_USER, TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru http-parser-2.9.4/debian/patches/cve-2020-8287.patch http-parser-2.9.4/debian/patches/cve-2020-8287.patch --- http-parser-2.9.4/debian/patches/cve-2020-8287.patch 1970-01-01 01:00:00.000000000 +0100 +++ http-parser-2.9.4/debian/patches/cve-2020-8287.patch 2022-08-05 12:24:59.000000000 +0200 
@@ -0,0 +1,76 @@ +From b89c40dee9817e0ceb53e12937f7609b217278ed Mon Sep 17 00:00:00 2001 +From: Fedor Indutny <fe...@indutny.com> +Date: Wed, 18 Nov 2020 20:50:21 -0800 +Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` +Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530 + +Duplicate `Transfer-Encoding` header should be a treated as a single, +but with original header values concatenated with a comma separator. In +the light of this, even if the past `Transfer-Encoding` ended with +`chunked`, we should be not let the `F_CHUNKED` to leak into the next +header, because mere presence of another header indicates that `chunked` +is not the last transfer-encoding token. + +CVE-ID: CVE-2020-8287 +PR-URL: https://github.com/nodejs-private/node-private/pull/235 +Reviewed-By: Fedor Indutny <fedor.indu...@gmail.com> +--- + http_parser.c | 7 +++++++ + test.c | 26 ++++++++++++++++++++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/http_parser.c b/http_parser.c +index 9be003e7..e9b2b9e8 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. 
++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +diff --git a/test.c b/test.c +index 3f7c77b3..2e5a9ebd 100644 +--- a/test.c ++++ b/test.c +@@ -2154,6 +2154,32 @@ const struct message responses[] = + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so diff -Nru http-parser-2.9.4/debian/patches/series http-parser-2.9.4/debian/patches/series --- http-parser-2.9.4/debian/patches/series 2020-12-20 10:29:46.000000000 +0100 +++ http-parser-2.9.4/debian/patches/series 2022-08-05 12:21:07.000000000 +0200 @@ -5,5 +5,7 @@ cherry-pick.v2.9.4-8-ge13b274.allow-content-length-and-transfer-encoding-chunked.patch cherry-pick.v2.9.4-9-g4f15b7d.fix-sizeof-http-parser-assert.patch +cve-2020-8287.patch + # Debian-specific debian.improve-installation.patch
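Review bot: in the http_parser.c hunk the new comment says "values separate by a comma" where "separated by a comma" is meant; because this file is a verbatim cherry-pick of upstream PR 530, either keep the wording identical to upstream or record the local change in the DEP-3 header. On that header, "Origin: Upstream PR (from nodejs) <url>" does not follow the DEP-3 "Origin: upstream, <url>" shape, and adding "Applied-Upstream:" once the commit (b89c40dee9817e0ceb53e12937f7609b217278ed in the From line) is known to be merged would make the provenance checkable. The logic itself matches the commit message: `parser->flags &= ~F_CHUNKED;` runs at the moment a second Transfer-Encoding field name is recognised, before the new field's value is parsed, so a `chunked` token from an earlier field cannot remain in effect once another field appends further codings (RFC 7230 section 3.2.2 is the right citation for combining repeated fields).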
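Review bot: the test.c hunk only exercises the response direction; HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED is added to `responses[]` with `content_length= -1`, `message_complete_on_eof= TRUE` and `num_chunks_complete= 0`, which correctly asserts that "chunked" followed by a second "Transfer-Encoding: identity" field makes the body be read verbatim to EOF rather than dechunked. A mirror case in the `requests[]` array would cover the same flag leak on the request path, which is where a parser disagreement about framing has the bigger impact; as this is a cherry-pick, that is better proposed upstream than carried as a Debian-only edit. Note also that `#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30` hard-codes the array index, so any later response test must be appended after it.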
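Review bot: in the debian/patches/series hunk, `+cve-2020-8287.patch` is placed after the two existing `cherry-pick.v2.9.4-*` entries and before the "# Debian-specific" block, which is the right position for an upstream backport. The file name departs from the `cherry-pick.v2.9.4-N-g<hash>.<description>.patch` convention used by its neighbours; naming it after the upstream commit (for example using the hash from the patch's From line) would keep the series self-describing, though the CVE-based name is acceptable if that is the preferred style for security fixes.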