
Re: Bug#953950: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken



On 2020-03-19 13:01, Simon McVittie wrote:

On Thu, 19 Mar 2020 at 12:33:09 +0100, Etienne Allovon wrote:
Subject: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie
(security) is broken

... Please contact the debian-lts
mailing list <debian-lts@lists.debian.org> if you encounter regressions
in jessie or jessie-security packages.


Ok, thanks for redirecting me to the correct list.

***So this is for the LTS team:***

On 2020-03-17 a new version (14.0.2-3+deb8u1) of the twisted packages was accepted into the oldoldstable repo [1]
=> this new version breaks the usage of twisted

**To reproduce:**

- on a debian jessie install python-twisted version 14.0.2-3+deb8u1
- then run the following (using sample python script [2] from twisted.web examples [3]):

mkdir /tmp/twistedtest
cd /tmp/twistedtest
# download sample code hello.rpy.py
wget https://twistedmatrix.com/documents/current/_downloads/5df64bdeb6c170c8edd20c2aab819a70/hello.rpy.py
mv hello.rpy.py hello.rpy
# launch twistd
twistd -n web --path /tmp/twistedtest

# And now open http://localhost:8080/hello.rpy in a web browser
# => in twistd you get the following backtrace


**Expected behavior (with twisted 14.0.2-3):**

- now, if you downgrade to twisted 14.0.2-3 (from the jessie main repo) you can do the following and it works

# downgrade
apt-get install python-twisted=14.0.2-3 python-twisted-bin=14.0.2-3 python-twisted-conch=1:14.0.2-3 python-twisted-core=14.0.2-3 python-twisted-lore=14.0.2-3 python-twisted-mail=14.0.2-3 python-twisted-names=14.0.2-3 python-twisted-news=14.0.2-3 python-twisted-runner=14.0.2-3 python-twisted-web=14.0.2-3 python-twisted-words=14.0.2-3

# launch twistd
twistd -n web --path /tmp/twistedtest

# And now open http://localhost:8080/hello.rpy in a web browser
# => it works (no backtrace)


**Findings:**

As explained in bug #953950 [4] I think that the problem is because the new package contains a non-working patch:

To investigate I downloaded the twisted-python sources and saw that two
patches were added:

1) debian/patches/CVE-2020-10108_CVE-2020-10108.patch
2) debian/patches/CVE-2020-10108_CVE-2020-10109.patch

(side note: patch #2 is void)

Patch #1 which is supposed to fix CVE-2020-10108 is, AFAIU, incorrect:

- it adds a method _maybeChooseTransferDecoder in class HTTPFactory
- and it adds in headerReceived method of class HTTPChannel a call to
self._maybeChooseTransferDecoder
- but HTTPChannel has no _maybeChooseTransferDecoder method (indeed the patch adds it to the HTTPFactory class which, AFAIU, has no dependency whatsoever on HTTPChannel)

=> therefore this call is broken


After digging in twisted git repo[5] it seems that this debian/patches/CVE-2020-10108_CVE-2020-10108.patch patch was more or less taken from this upstream commit 4a7d22e49[6]

But in this upstream commit the _maybeChooseTransferDecoder method is (supposedly rightly) added in the HTTPChannel class.


Please, can you revert this patch and re-publish the working (but
security flawed) 14.0.2-3 twisted version ?
Or fix this patch ?


Many thanks for taking into account this report,

Etienne


[1] https://tracker.debian.org/news/1109874/accepted-twisted-1402-3deb8u1-source-all-amd64-into-oldoldstable/
[2] https://twistedmatrix.com/documents/current/_downloads/5df64bdeb6c170c8edd20c2aab819a70/hello.rpy.py
[3] https://twistedmatrix.com/documents/current/web/examples/index.html
[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953950
[5] https://github.com/twisted/twisted/commits/trunk/src/twisted/web/http.py
[6] https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281#diff-a31693cfdecc4bc57f3dd9ce31445237
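The failure mode described in the report (a backported method landing on HTTPFactory while the call site in HTTPChannel.headerReceived references it through self) can be caught before a package is uploaded with a small static check over the patched module. The script below is an added example and is not part of the report, of the Debian package or of Twisted; the two class skeletons it contains are constructed to mirror the shapes described in the message and are not Twisted's real source. It walks every class in a module with the ast module, collects the methods each class (and its module-local bases) defines, and reports any self.<name>(...) call that does not resolve. Methods inherited from classes outside the module are not visible to it, so a hit is something to look at, not proof of a bug on its own.

```python
"""Static check for a backport that adds a method to the wrong class.

Added example, not part of the original bug report or of Twisted's code.
Given Python source text, it collects, for every class, the methods the
class defines and the ``self.<name>(...)`` calls its methods make, and
reports any call that resolves neither in the class itself nor in a base
class defined in the same module.
"""
import ast

# Constructed sample mirroring the misapplied patch described in the report
# (not Twisted's actual source): the method lives on HTTPFactory, the call
# site is in HTTPChannel.
BROKEN_BACKPORT = '''
class HTTPFactory:
    def _maybeChooseTransferDecoder(self, header, data):
        return None

class HTTPChannel:
    def headerReceived(self, line):
        header, data = line.split(b":", 1)
        self._maybeChooseTransferDecoder(header, data)
'''

# Same constructed sample with the method placed on HTTPChannel, where the
# upstream commit puts it.
FIXED_BACKPORT = '''
class HTTPFactory:
    pass

class HTTPChannel:
    def _maybeChooseTransferDecoder(self, header, data):
        return None

    def headerReceived(self, line):
        header, data = line.split(b":", 1)
        self._maybeChooseTransferDecoder(header, data)
'''

_FUNC_NODES = (ast.FunctionDef, ast.AsyncFunctionDef)


def _base_names(cls):
    """Names of bases written as plain identifiers (module-local classes)."""
    return [b.id for b in cls.bases if isinstance(b, ast.Name)]


def find_unresolved_self_calls(source):
    """Return a sorted list of (class, method, attribute) triples, one for each
    ``self.attribute(...)`` call whose attribute is not defined on the class or
    on any base class found in the same module.  Attributes inherited from
    outside the module are invisible here, so treat hits as candidates to
    review, not as proof of a bug."""
    tree = ast.parse(source)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}

    def defined_attrs(name, seen=None):
        # Methods defined on ``name`` plus those of its module-local bases.
        if seen is None:
            seen = set()
        if name in seen or name not in classes:
            return set()
        seen.add(name)
        cls = classes[name]
        attrs = {n.name for n in cls.body if isinstance(n, _FUNC_NODES)}
        for base in _base_names(cls):
            attrs |= defined_attrs(base, seen)
        return attrs

    problems = []
    for cname, cls in classes.items():
        known = defined_attrs(cname)
        for func in cls.body:
            if not isinstance(func, _FUNC_NODES):
                continue
            for node in ast.walk(func):
                if (isinstance(node, ast.Call)
                        and isinstance(node.func, ast.Attribute)
                        and isinstance(node.func.value, ast.Name)
                        and node.func.value.id == "self"
                        and node.func.attr not in known):
                    problems.append((cname, func.name, node.func.attr))
    return sorted(problems)


if __name__ == "__main__":
    # To check a real module, read its source file and pass the text in.
    for label, src in (("broken", BROKEN_BACKPORT), ("fixed", FIXED_BACKPORT)):
        print(label, find_unresolved_self_calls(src))
```

Run against the first sample it reports ('HTTPChannel', 'headerReceived', '_maybeChooseTransferDecoder'), which is exactly the dangling call the report describes; against the second sample it reports nothing. Pointing it at the patched twisted/web/http.py from the built package would give the same answer without having to start twistd and request hello.rpy.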

