From 4c49fc7ae8aa8bd23d4b9c48bcddc875d21c5532 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 01 2019 16:32:28 +0000 Subject: import http-parser-2.8.0-2.el8 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ee2cd04 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/http-parser-2.8.0.tar.gz diff --git a/.http-parser.metadata b/.http-parser.metadata new file mode 100644 index 0000000..b4c812c --- /dev/null +++ b/.http-parser.metadata @@ -0,0 +1 @@ +deb0ce507a267a592e0f70dee45c62ce53b6a1a6 SOURCES/http-parser-2.8.0.tar.gz diff --git a/SOURCES/CVE-2018-7159.patch b/SOURCES/CVE-2018-7159.patch new file mode 100644 index 0000000..0e63bb6 --- /dev/null +++ b/SOURCES/CVE-2018-7159.patch @@ -0,0 +1,118 @@ +From c39167dc260953184a1ccd45292947808b94507d Mon Sep 17 00:00:00 2001 +From: Ben Noordhuis +Date: Tue, 27 Mar 2018 16:45:33 +0200 +Subject: [PATCH] deps: reject interior blanks in Content-Length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Original commit message follows: + + Before this commit `Content-Length: 4 2` was accepted as a valid + header and recorded as `parser->content_length = 42`. Now it is + a parse error that fails with error `HPE_INVALID_CONTENT_LENGTH`. + + Downstream users that inspect `parser->content_length` and naively + parse the string value using `strtoul()` might get confused by the + discrepancy between the two values. Resolve that by simply not + letting it happen. + +Fixes: https://github.com/nodejs-private/security/issues/178 +PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1 +Reviewed-By: Сковорода Никита Андреевич +Reviewed-By: Colin Ihrig +Reviewed-By: Evan Lucas +Reviewed-By: Fedor Indutny +Reviewed-By: James M Snell +Reviewed-By: Rod Vagg +--- + deps/http_parser/http_parser.c | 19 ++++++++++++++++++- + deps/http_parser/test.c | 21 +++++++++++++++++++++ + 2 files changed, 39 insertions(+), 1 deletion(-) + +diff --git a/deps/http_parser/http_parser.c b/deps/http_parser/http_parser.c +index 7a9c688b1ca7..6522618671d0 100644 +--- a/deps/http_parser/http_parser.c ++++ b/deps/http_parser/http_parser.c +@@ -370,6 +370,8 @@ enum header_states + + , h_connection + , h_content_length ++ , h_content_length_num ++ , h_content_length_ws + , h_transfer_encoding + , h_upgrade + +@@ -1406,6 +1408,7 @@ size_t http_parser_execute (http_parser *parser, + + parser->flags |= F_CONTENTLENGTH; + parser->content_length = ch - '0'; ++ parser->header_state = h_content_length_num; + break; + + case h_connection: +@@ -1493,10 +1496,18 @@ size_t http_parser_execute (http_parser *parser, + break; + + case h_content_length: ++ if (ch == ' ') break; ++ h_state = h_content_length_num; ++ /* FALLTHROUGH */ ++ ++ case h_content_length_num: + { + uint64_t t; + +- if (ch == ' ') break; ++ if (ch == ' ') { ++ h_state = h_content_length_ws; ++ break; ++ } + + if (UNLIKELY(!IS_NUM(ch))) { + SET_ERRNO(HPE_INVALID_CONTENT_LENGTH); +@@ -1519,6 +1530,12 @@ size_t http_parser_execute (http_parser *parser, + break; + } + ++ case h_content_length_ws: ++ if (ch == ' ') break; ++ SET_ERRNO(HPE_INVALID_CONTENT_LENGTH); ++ parser->header_state = h_state; ++ goto error; ++ + /* Transfer-Encoding: chunked */ + case h_matching_transfer_encoding_chunked: + parser->index++; +diff --git a/deps/http_parser/test.c b/deps/http_parser/test.c +index bc4e664f5253..cb445cea8607 100644 +--- a/deps/http_parser/test.c ++++ b/deps/http_parser/test.c +@@ -4168,6 +4168,27 @@ main (void) + test_invalid_header_field_token_error(HTTP_RESPONSE); + test_invalid_header_field_content_error(HTTP_RESPONSE); + ++ test_simple_type( ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: 42 \r\n" // Note the surrounding whitespace. ++ "\r\n", ++ HPE_OK, ++ HTTP_REQUEST); ++ ++ test_simple_type( ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: 4 2\r\n" ++ "\r\n", ++ HPE_INVALID_CONTENT_LENGTH, ++ HTTP_REQUEST); ++ ++ test_simple_type( ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: 13 37\r\n" ++ "\r\n", ++ HPE_INVALID_CONTENT_LENGTH, ++ HTTP_REQUEST); ++ + //// RESPONSES + + test_simple_type("HTP/1.1 200 OK\r\n\r\n", HPE_INVALID_VERSION, HTTP_RESPONSE); diff --git a/SPECS/http-parser.spec b/SPECS/http-parser.spec new file mode 100644 index 0000000..d5921d9 --- /dev/null +++ b/SPECS/http-parser.spec @@ -0,0 +1,176 @@ +Name: http-parser +Version: 2.8.0 +Release: 2%{?dist} +Summary: HTTP request/response parser for C + +License: MIT +URL: https://github.com/nodejs/http-parser +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz + +BuildRequires: meson +BuildRequires: gcc + +Patch0001: CVE-2018-7159.patch + +%description +This is a parser for HTTP messages written in C. It parses both requests and +responses. The parser is designed to be used in performance HTTP applications. +It does not make any syscalls nor allocations, it does not buffer data, it can +be interrupted at anytime. Depending on your architecture, it only requires +about 40 bytes of data per message stream (in a web server that is per +connection). + +%package devel +Summary: Development headers and libraries for http-parser +Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} + +%description devel +Development headers and libraries for http-parser. + +%prep +%autosetup -p3 +# TODO: try to send upstream? +cat > meson.build << EOF +project('%{name}', 'c', version : '%{version}') +install_headers('http_parser.h') +foreach x : [['http_parser', ['-DHTTP_PARSER_STRICT=0']], + ['http_parser_strict', ['-DHTTP_PARSER_STRICT=1']]] + lib = library(x.get(0), 'http_parser.c', + c_args : x.get(1), + version : '%{version}', + install : true) + test('test-@0@'.format(x.get(0)), + executable('test-@0@'.format(x.get(0)), 'test.c', + c_args : x.get(1), + link_with : lib), + timeout : 60) +endforeach +EOF + +%build +%meson +%meson_build + +%install +%meson_install + +%check +%meson_test + +%ldconfig_scriptlets + +%files +%license LICENSE-MIT +%doc AUTHORS README.md +%{_libdir}/libhttp_parser.so.* +%{_libdir}/libhttp_parser_strict.so.* + +%files devel +%{_includedir}/http_parser.h +%{_libdir}/libhttp_parser.so +%{_libdir}/libhttp_parser_strict.so + +%changelog +* Mon Dec 3 2018 Jakub Hrozek - 2.8.0-2 +- Resolves: #rhbz1654223: CVE-2018-7159 http-parser: nodejs: HTTP parser + allowed for spaces inside Content-Length header + values [rhel-8] + +* Sat Feb 10 2018 Igor Gnatenko - 2.8.0-1 +- Update to 2.8.0 +- Switch to meson buildsystem + +* Wed Feb 07 2018 Fedora Release Engineering - 2.7.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 2.7.1-8 +- Switch to %%ldconfig_scriptlets + +* Wed Aug 02 2017 Fedora Release Engineering - 2.7.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.7.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 2.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Nov 21 2016 Igor Gnatenko - 2.7.1-4 +- Use CMake buildsystem + +* Tue Oct 25 2016 Nathaniel McCallum - 2.7.1-3 +- Add (upstreamed) status code patch + +* Tue Aug 16 2016 Stephen Gallagher - 2.7.1-2 +- Upgrade to version 2.7.1 + +* Wed Feb 03 2016 Fedora Release Engineering - 2.6.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Dec 01 2015 Stephen Gallagher 2.6.0-1 +- Upgrade to version 2.6.0 +- Change to new upstream at https://github.com/nodejs/http-parser/ + +* Wed Jun 17 2015 Fedora Release Engineering - 2.0-9.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat May 02 2015 Kalev Lember - 2.0-8.20121128gitcd01361 +- Rebuilt for GCC 5 C++11 ABI change + +* Sat Aug 16 2014 Fedora Release Engineering - 2.0-7.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 2.0-6.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 2.0-5.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Feb 14 2013 Fedora Release Engineering - 2.0-4.20121128gitcd01361 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Sun Dec 02 2012 T.C. Hollingsworth - 2.0-3.20121128gitcd01361 +- latest git snapshot +- fixes buffer overflow in tests + +* Tue Nov 27 2012 T.C. Hollingsworth - 2.0-2.20121110git245f6f0 +- latest git snapshot +- fixes tests +- use SMP make flags +- build as Release instead of Debug +- ship new strict variant + +* Sat Oct 13 2012 T.C. Hollingsworth - 2.0-1 +- new upstream release 2.0 +- migrate to GYP buildsystem + +* Thu Jul 19 2012 Fedora Release Engineering - 1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jan 13 2012 Fedora Release Engineering - 1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Aug 22 2011 T.C. Hollingsworth - 1.0-1 +- New upstream release 1.0 +- Remove patches, no longer needed for nodejs +- Fix typo in -devel description +- use github tarball instead of checkout + +* Wed Feb 09 2011 Fedora Release Engineering - 0.3-6.20100911git +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 11 2011 Lubomir Rintel - 0.3-5.20100911git +- Add support for methods used by node.js + +* Thu Nov 4 2010 Dan Horák - 0.3-4.20100911git +- build with -fsigned-char + +* Wed Sep 29 2010 jkeating - 0.3-3.20100911git +- Rebuilt for gcc bug 634757 + +* Mon Sep 20 2010 Lubomir Rintel - 0.3-2.20100911git +- Call ldconfig (Peter Lemenkov) + +* Fri Sep 17 2010 Lubomir Rintel - 0.3-1.20100911git +- Initial packaging +