Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Hello stable release team,

for the next upcoming bullseye stable point release, I've just uploaded src:http-parser ("parser for HTTP messages written in C") as version 2.9.4-4+deb11u1. This fixes a "no-dsa" security issue.

* Handle duplicate "Transfer-Encoding" header properly
  Type: upstream bug
  Debian bug: https://bugs.debian.org/1016690
  Security tracker: https://security-tracker.debian.org/tracker/CVE-2020-8287
  Fixed in unstable and testing in 2.9.4-5 around ten days ago.

Regards,
Christoph

diff -Nru http-parser-2.9.4/debian/changelog http-parser-2.9.4/debian/changelog --- http-parser-2.9.4/debian/changelog 2021-01-02 17:07:49.000000000 +0100 +++ http-parser-2.9.4/debian/changelog 2022-08-05 20:33:28.000000000 +0200 @@ -1,3 +1,10 @@ +http-parser (2.9.4-4+deb11u1) bullseye; urgency=medium + + * unset F_CHUNKED on new Transfer-Encoding. + Closes: #1016690 [CVE-2020-8287] + + -- Christoph Biedl <debian.a...@manchmal.in-ulm.de> Fri, 05 Aug 2022 20:33:28 +0200 + http-parser (2.9.4-4) unstable; urgency=medium * Packaging cleanup diff -Nru http-parser-2.9.4/debian/patches/CVE-2020-8287.patch http-parser-2.9.4/debian/patches/CVE-2020-8287.patch --- http-parser-2.9.4/debian/patches/CVE-2020-8287.patch 1970-01-01 01:00:00.000000000 +0100 +++ http-parser-2.9.4/debian/patches/CVE-2020-8287.patch 2022-08-05 20:33:28.000000000 +0200 
@@ -0,0 +1,67 @@ +Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` +Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530 +From: Fedor Indutny <fe...@indutny.com> +Date: Wed, 18 Nov 2020 20:50:21 -0800 +Date: 2022-08-05 + +Duplicate `Transfer-Encoding` header should be a treated as a single, +but with original header values concatenated with a comma separator. In +the light of this, even if the past `Transfer-Encoding` ended with +`chunked`, we should be not let the `F_CHUNKED` to leak into the next +header, because mere presence of another header indicates that `chunked` +is not the last transfer-encoding token. + +CVE-ID: CVE-2020-8287 +PR-URL: https://github.com/nodejs-private/node-private/pull/235 +Reviewed-By: Fedor Indutny <fedor.indu...@gmail.com> +--- a/http_parser.c ++++ b/http_parser.c +@@ -1344,6 +1344,13 @@ + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. 
++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +--- a/test.c ++++ b/test.c +@@ -2154,6 +2154,32 @@ + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so diff -Nru http-parser-2.9.4/debian/patches/series http-parser-2.9.4/debian/patches/series --- http-parser-2.9.4/debian/patches/series 2020-12-20 10:29:46.000000000 +0100 +++ http-parser-2.9.4/debian/patches/series 2022-08-05 20:33:28.000000000 +0200 @@ -4,6 +4,7 @@ cherry-pick.v2.9.4-7-g4b99e42.test-content-length-header-parsing.patch cherry-pick.v2.9.4-8-ge13b274.allow-content-length-and-transfer-encoding-chunked.patch cherry-pick.v2.9.4-9-g4f15b7d.fix-sizeof-http-parser-assert.patch +CVE-2020-8287.patch # Debian-specific debian.improve-installation.patch