
Bug#1017502: marked as done (bullseye-pu: package http-parser/2.9.4-4+deb11u1)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1017502,
regarding bullseye-pu: package http-parser/2.9.4-4+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1017502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017502
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hello stable release team,

for the next upcoming bullseye stable point release, I've just uploaded
src:http-parser ("parser for HTTP messages written in C") as version
2.9.4-4+deb11u1.

This fixes a "no-dsa" security issue.

* Handle duplicate "Transfer-Encoding" header properly

Type: upstream bug
Debian bug: https://bugs.debian.org/1016690
Security tracker: https://security-tracker.debian.org/tracker/CVE-2020-8287
Fixed in unstable and testing in 2.9.4-5 around ten days ago.

Regards,

    Christoph

diff -Nru http-parser-2.9.4/debian/changelog http-parser-2.9.4/debian/changelog
--- http-parser-2.9.4/debian/changelog	2021-01-02 17:07:49.000000000 +0100
+++ http-parser-2.9.4/debian/changelog	2022-08-05 20:33:28.000000000 +0200
@@ -1,3 +1,10 @@
+http-parser (2.9.4-4+deb11u1) bullseye; urgency=medium
+
+  * unset F_CHUNKED on new Transfer-Encoding.
+    Closes: #1016690 [CVE-2020-8287]
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Fri, 05 Aug 2022 20:33:28 +0200
+
 http-parser (2.9.4-4) unstable; urgency=medium
 
   * Packaging cleanup
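Review bot: the changelog entry describes the fix only by its internal flag ("unset F_CHUNKED on new Transfer-Encoding"), which tells a stable user reading it via apt-listchanges nothing about the behaviour change. Consider stating the effect alongside the CVE reference, e.g. "Treat duplicate Transfer-Encoding headers as one comma-separated value so an earlier 'chunked' no longer determines message framing", keeping the Closes/CVE line as it is.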
diff -Nru http-parser-2.9.4/debian/patches/CVE-2020-8287.patch http-parser-2.9.4/debian/patches/CVE-2020-8287.patch
--- http-parser-2.9.4/debian/patches/CVE-2020-8287.patch	1970-01-01 01:00:00.000000000 +0100
+++ http-parser-2.9.4/debian/patches/CVE-2020-8287.patch	2022-08-05 20:33:28.000000000 +0200
@@ -0,0 +1,67 @@
+Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
+Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530
+From: Fedor Indutny <fedor@indutny.com>
+Date: Wed, 18 Nov 2020 20:50:21 -0800
+Date: 2022-08-05
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: https://github.com/nodejs-private/node-private/pull/235
+Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
+--- a/http_parser.c
++++ b/http_parser.c
+@@ -1344,6 +1344,13 @@
+               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+                 parser->header_state = h_transfer_encoding;
+                 parser->uses_transfer_encoding = 1;
++
++                /* Multiple `Transfer-Encoding` headers should be treated as
++                 * one, but with values separate by a comma.
++                 *
++                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++                 */
++                parser->flags &= ~F_CHUNKED;
+               }
+               break;
+ 
+--- a/test.c
++++ b/test.c
+@@ -2154,6 +2154,32 @@
+   ,.body= "2\r\nOK\r\n0\r\n\r\n"
+   ,.num_chunks_complete= 0
+   }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++  ,.type= HTTP_RESPONSE
++  ,.raw= "HTTP/1.1 200 OK\r\n"
++         "Transfer-Encoding: chunked\r\n"
++         "Transfer-Encoding: identity\r\n"
++         "\r\n"
++         "2\r\n"
++         "OK\r\n"
++         "0\r\n"
++         "\r\n"
++  ,.should_keep_alive= FALSE
++  ,.message_complete_on_eof= TRUE
++  ,.http_major= 1
++  ,.http_minor= 1
++  ,.status_code= 200
++  ,.response_status= "OK"
++  ,.content_length= -1
++  ,.num_headers= 2
++  ,.headers=
++    { { "Transfer-Encoding", "chunked" }
++    , { "Transfer-Encoding", "identity" }
++    }
++  ,.body= "2\r\nOK\r\n0\r\n\r\n"
++  ,.num_chunks_complete= 0
++  }
+ };
+ 
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
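Review bot: the DEP-3 header of the new patch file carries two `Date:` fields (`Date: Wed, 18 Nov 2020 20:50:21 -0800` and `Date: 2022-08-05`); the second one looks like the date the patch was imported into the package and should be `Last-Update: 2022-08-05`, so tools that parse DEP-3 see a single `Date`. Two smaller points in the same hunk: the inserted comment in `http_parser.c` reads "values separate by a comma", which should be "separated"; and the new test case only covers a second `Transfer-Encoding` whose value is not `chunked` (`chunked` then `identity`). A companion case with `identity` followed by `chunked`, expecting `num_chunks_complete` to be non-zero, would confirm that clearing `F_CHUNKED` at the start of each new header does not prevent it from being set again when `chunked` is the final coding.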
diff -Nru http-parser-2.9.4/debian/patches/series http-parser-2.9.4/debian/patches/series
--- http-parser-2.9.4/debian/patches/series	2020-12-20 10:29:46.000000000 +0100
+++ http-parser-2.9.4/debian/patches/series	2022-08-05 20:33:28.000000000 +0200
@@ -4,6 +4,7 @@
 cherry-pick.v2.9.4-7-g4b99e42.test-content-length-header-parsing.patch
 cherry-pick.v2.9.4-8-ge13b274.allow-content-length-and-transfer-encoding-chunked.patch
 cherry-pick.v2.9.4-9-g4f15b7d.fix-sizeof-http-parser-assert.patch
+CVE-2020-8287.patch
 
 # Debian-specific
 debian.improve-installation.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
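The patch in the message above rests on one rule from RFC 7230 section 3.2.2: repeated Transfer-Encoding header lines are equivalent to a single line whose values are joined with commas, and only a final `chunked` token means the body is chunk-framed. The following is an added example written for this page, not code from the message or from the http-parser project; it models that rule on its own, with constructed function names (`te_combine`, `te_final_is_chunked`, `te_message_is_chunked`) and the two header lines from the patch's test case as constructed sample input.

```c
/* Added example, not http-parser code: decide HTTP/1.1 message framing from
 * duplicate Transfer-Encoding header lines as RFC 7230 section 3.2.2 requires,
 * i.e. as if their values had been joined with ", " in arrival order.
 * Function names and the sample headers below are constructed for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Join header values with ", " into out (RFC 7230 3.2.2 field-value combining).
 * Returns 0 on success, -1 if out is too small for the combined value. */
int te_combine(const char *const *values, size_t n, char *out, size_t outsz) {
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(values[i]);
        size_t need = len + (i ? 2 : 0);
        if (used + need + 1 > outsz) return -1;
        if (i) { memcpy(out + used, ", ", 2); used += 2; }
        memcpy(out + used, values[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

/* Case-insensitive comparison of the token [p, p+len) against "chunked". */
static int token_is_chunked(const char *p, size_t len) {
    static const char want[] = "chunked";
    if (len != sizeof(want) - 1) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)p[i]) != want[i]) return 0;
    return 1;
}

/* Walk the combined value token by token. Returns 1 only if the final
 * non-empty transfer-coding is "chunked", the sole case in which the body is
 * chunk-framed; any later coding (e.g. "identity") overrides an earlier
 * "chunked". Transfer-parameters after ';' and surrounding OWS are ignored. */
int te_final_is_chunked(const char *combined) {
    int last = 0;
    const char *p = combined;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* OWS and empty list items */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',') p++;                          /* list item runs to next comma */
        const char *end = start;
        while (end < p && *end != ';' && *end != ' ' && *end != '\t') end++;
        last = token_is_chunked(start, (size_t)(end - start));
    }
    return last;
}

/* Framing decision straight from the header lines as received, in order.
 * Returns 1 (chunked), 0 (not chunked) or -1 if the combined value is overlong,
 * which a parser should treat as a reason to reject the message. */
int te_message_is_chunked(const char *const *values, size_t n) {
    char buf[256];
    if (te_combine(values, n, buf, sizeof buf) != 0) return -1;
    return te_final_is_chunked(buf);
}

int main(void) {
    /* Constructed samples; the first pair is the test case from the patch. */
    const char *dup[] = { "chunked", "identity" };
    const char *single[] = { "gzip, chunked" };
    const char *reversed[] = { "identity", "chunked" };
    printf("chunked then identity -> %d\n", te_message_is_chunked(dup, 2));
    printf("gzip, chunked         -> %d\n", te_message_is_chunked(single, 1));
    printf("identity then chunked -> %d\n", te_message_is_chunked(reversed, 2));
    return 0;
}
```

The first sample reproduces the patch's scenario: with `chunked` followed by `identity`, the combined value is `chunked, identity`, the final token is not `chunked`, and the decision is 0, which is exactly why the parser must not let a flag set by the first header line survive into the second. A parser that keeps the sticky flag would answer 1 here and frame the body differently from a peer that follows the RFC.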
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---
