From 014b88a23073be74c73a106bb9dbfb84e20582e6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 05 2019 18:48:34 +0000 Subject: import http-parser-2.8.0-5.el8 --- diff --git a/SOURCES/CVE-2018-12121.patch b/SOURCES/CVE-2018-12121.patch new file mode 100644 index 0000000..fb0019d --- /dev/null +++ b/SOURCES/CVE-2018-12121.patch @@ -0,0 +1,69 @@ +diff --git a/http_parser.c b/http_parser.c +index f9991c3..aef4437 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -25,6 +25,8 @@ + #include + #include + ++static uint32_t max_header_size = HTTP_MAX_HEADER_SIZE; ++ + #ifndef ULLONG_MAX + # define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */ + #endif +@@ -137,20 +139,20 @@ do { \ + } while (0) + + /* Don't allow the total size of the HTTP headers (including the status +- * line) to exceed HTTP_MAX_HEADER_SIZE. This check is here to protect ++ * line) to exceed max_header_size. This check is here to protect + * embedders against denial-of-service attacks where the attacker feeds + * us a never-ending header that the embedder keeps buffering. + * + * This check is arguably the responsibility of embedders but we're doing + * it on the embedder's behalf because most won't bother and this way we +- * make the web a little safer. HTTP_MAX_HEADER_SIZE is still far bigger ++ * make the web a little safer. max_header_size is still far bigger + * than any reasonable request or response so this should never affect + * day-to-day operation. + */ + #define COUNT_HEADER_SIZE(V) \ + do { \ + parser->nread += (V); \ +- if (UNLIKELY(parser->nread > (HTTP_MAX_HEADER_SIZE))) { \ ++ if (UNLIKELY(parser->nread > (max_header_size))) { \ + SET_ERRNO(HPE_HEADER_OVERFLOW); \ + goto error; \ + } \ +@@ -1471,7 +1473,7 @@ reexecute: + const char* p_lf; + size_t limit = data + len - p; + +- limit = MIN(limit, HTTP_MAX_HEADER_SIZE); ++ limit = MIN(limit, max_header_size); + + p_cr = (const char*) memchr(p, CR, limit); + p_lf = (const char*) memchr(p, LF, limit); +@@ -2438,3 +2440,8 @@ http_parser_version(void) { + HTTP_PARSER_VERSION_MINOR * 0x00100 | + HTTP_PARSER_VERSION_PATCH * 0x00001; + } ++ ++void ++http_parser_set_max_header_size(uint32_t size) { ++ max_header_size = size; ++} +diff --git a/http_parser.h b/http_parser.h +index 1fbf30e..ea7bafe 100644 +--- a/http_parser.h ++++ b/http_parser.h +@@ -427,6 +427,9 @@ void http_parser_pause(http_parser *parser, int paused); + /* Checks if this is the final chunk of the body. */ + int http_body_is_final(const http_parser *parser); + ++/* Change the maximum header size provided at compile time. */ ++void http_parser_set_max_header_size(uint32_t size); ++ + #ifdef __cplusplus + } + #endif diff --git a/SOURCES/remove-unused-functions-from-test-runner.patch b/SOURCES/remove-unused-functions-from-test-runner.patch new file mode 100644 index 0000000..57fb24a --- /dev/null +++ b/SOURCES/remove-unused-functions-from-test-runner.patch @@ -0,0 +1,54 @@ +commit 705e519bf56e5904c761a411b38a66e84bf7fc2d +Author: Ben Noordhuis +Date: Tue Feb 27 22:59:00 2018 +0100 + + Remove unused functions from test runner. + + PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1 + Reviewed-By: Сковорода Никита Андреевич + Reviewed-By: Colin Ihrig + Reviewed-By: Evan Lucas + Reviewed-By: Fedor Indutny + Reviewed-By: James M Snell + Reviewed-By: Rod Vagg + +diff --git a/test.c b/test.c +index bc4e664..0cbe544 100644 +--- a/test.c ++++ b/test.c +@@ -27,9 +27,7 @@ + #include + + #if defined(__APPLE__) +-# undef strlcat + # undef strlncpy +-# undef strlcpy + #endif /* defined(__APPLE__) */ + + #undef TRUE +@@ -1993,12 +1991,6 @@ strlncat(char *dst, size_t len, const char *src, size_t n) + return slen + dlen; + } + +-size_t +-strlcat(char *dst, const char *src, size_t len) +-{ +- return strlncat(dst, len, src, (size_t) -1); +-} +- + size_t + strlncpy(char *dst, size_t len, const char *src, size_t n) + { +@@ -2017,12 +2009,6 @@ strlncpy(char *dst, size_t len, const char *src, size_t n) + return slen; + } + +-size_t +-strlcpy(char *dst, const char *src, size_t len) +-{ +- return strlncpy(dst, len, src, (size_t) -1); +-} +- + int + request_url_cb (http_parser *p, const char *buf, size_t len) + { diff --git a/SPECS/http-parser.spec b/SPECS/http-parser.spec index d5921d9..7376967 100644 --- a/SPECS/http-parser.spec +++ b/SPECS/http-parser.spec @@ -1,6 +1,8 @@ +%bcond_without check + Name: http-parser Version: 2.8.0 -Release: 2%{?dist} +Release: 5%{?dist} Summary: HTTP request/response parser for C License: MIT @@ -10,7 +12,9 @@ Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz BuildRequires: meson BuildRequires: gcc -Patch0001: CVE-2018-7159.patch +Patch01: CVE-2018-7159.patch +Patch02: CVE-2018-12121.patch +Patch03: remove-unused-functions-from-test-runner.patch %description This is a parser for HTTP messages written in C. It parses both requests and @@ -28,7 +32,11 @@ Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Development headers and libraries for http-parser. %prep -%autosetup -p3 +%setup -q +%patch01 -p3 +%patch02 -p1 +%patch03 -p1 + # TODO: try to send upstream? cat > meson.build << EOF project('%{name}', 'c', version : '%{version}') @@ -54,8 +62,10 @@ EOF %install %meson_install +%if %{with check} %check %meson_test +%endif %ldconfig_scriptlets @@ -71,6 +81,16 @@ EOF %{_libdir}/libhttp_parser_strict.so %changelog +* Mon Aug 12 2019 Sergio Correia - 2.8.0-5 +- Resolves: rhbz#1686488: 'make test' fails with stringop-overflow error + +* Thu Aug 08 2019 Sergio Correia - 2.8.0-4 +- Resolves: rhbz#1666382: CVE-2018-12121 http-parser: nodejs: Denial of + Service with large HTTP headers [rhel-8] + +* Thu Apr 11 2019 Daniel Kopecek - 2.8.0-3 +- spec: make the check phase conditional + * Mon Dec 3 2018 Jakub Hrozek - 2.8.0-2 - Resolves: #rhbz1654223: CVE-2018-7159 http-parser: nodejs: HTTP parser allowed for spaces inside Content-Length header