From 6899e056976998b2d9fdc7ed3100a6ba077d48e2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 08:49:56 +0000 Subject: import http-parser-2.8.0-9.el8 --- diff --git a/SOURCES/CVE-2018-12121.patch b/SOURCES/CVE-2018-12121.patch index fb0019d..584fbe6 100644 --- a/SOURCES/CVE-2018-12121.patch +++ b/SOURCES/CVE-2018-12121.patch @@ -1,3 +1,13 @@ +From 05da7fb51cda374ae351829f67018924f931f18b Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 18 Feb 2020 09:10:18 -0300 +Subject: [PATCH] CVE-2018-12121 + +--- + http_parser.c | 15 +++++++++++---- + http_parser.h | 3 +++ + 2 files changed, 14 insertions(+), 4 deletions(-) + diff --git a/http_parser.c b/http_parser.c index f9991c3..aef4437 100644 --- a/http_parser.c @@ -67,3 +77,6 @@ index 1fbf30e..ea7bafe 100644 #ifdef __cplusplus } #endif +-- +2.18.2 + diff --git a/SOURCES/CVE-2018-7159.patch b/SOURCES/CVE-2018-7159.patch index 0e63bb6..ee94f15 100644 --- a/SOURCES/CVE-2018-7159.patch +++ b/SOURCES/CVE-2018-7159.patch @@ -1,4 +1,4 @@ -From c39167dc260953184a1ccd45292947808b94507d Mon Sep 17 00:00:00 2001 +From 5756942f51426a24add619377da15b18ecae91ef Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Tue, 27 Mar 2018 16:45:33 +0200 Subject: [PATCH] deps: reject interior blanks in Content-Length @@ -26,14 +26,14 @@ Reviewed-By: Fedor Indutny Reviewed-By: James M Snell Reviewed-By: Rod Vagg --- - deps/http_parser/http_parser.c | 19 ++++++++++++++++++- - deps/http_parser/test.c | 21 +++++++++++++++++++++ + http_parser.c | 19 ++++++++++++++++++- + test.c | 21 +++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) -diff --git a/deps/http_parser/http_parser.c b/deps/http_parser/http_parser.c -index 7a9c688b1ca7..6522618671d0 100644 ---- a/deps/http_parser/http_parser.c -+++ b/deps/http_parser/http_parser.c +diff --git a/http_parser.c b/http_parser.c +index 5b5657b..f9991c3 100644 +--- a/http_parser.c ++++ b/http_parser.c @@ -370,6 +370,8 @@ enum header_states , h_connection @@ -43,7 +43,7 @@ index 7a9c688b1ca7..6522618671d0 100644 , h_transfer_encoding , h_upgrade -@@ -1406,6 +1408,7 @@ size_t http_parser_execute (http_parser *parser, +@@ -1406,6 +1408,7 @@ reexecute: parser->flags |= F_CONTENTLENGTH; parser->content_length = ch - '0'; @@ -51,7 +51,7 @@ index 7a9c688b1ca7..6522618671d0 100644 break; case h_connection: -@@ -1493,10 +1496,18 @@ size_t http_parser_execute (http_parser *parser, +@@ -1493,10 +1496,18 @@ reexecute: break; case h_content_length: @@ -71,7 +71,7 @@ index 7a9c688b1ca7..6522618671d0 100644 if (UNLIKELY(!IS_NUM(ch))) { SET_ERRNO(HPE_INVALID_CONTENT_LENGTH); -@@ -1519,6 +1530,12 @@ size_t http_parser_execute (http_parser *parser, +@@ -1519,6 +1530,12 @@ reexecute: break; } @@ -84,10 +84,10 @@ index 7a9c688b1ca7..6522618671d0 100644 /* Transfer-Encoding: chunked */ case h_matching_transfer_encoding_chunked: parser->index++; -diff --git a/deps/http_parser/test.c b/deps/http_parser/test.c -index bc4e664f5253..cb445cea8607 100644 ---- a/deps/http_parser/test.c -+++ b/deps/http_parser/test.c +diff --git a/test.c b/test.c +index bc4e664..cb445ce 100644 +--- a/test.c ++++ b/test.c @@ -4168,6 +4168,27 @@ main (void) test_invalid_header_field_token_error(HTTP_RESPONSE); test_invalid_header_field_content_error(HTTP_RESPONSE); @@ -116,3 +116,6 @@ index bc4e664f5253..cb445cea8607 100644 //// RESPONSES test_simple_type("HTP/1.1 200 OK\r\n\r\n", HPE_INVALID_VERSION, HTTP_RESPONSE); +-- +2.18.2 + diff --git a/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch b/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch index f11b866..8ac24b7 100644 --- a/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch +++ b/SOURCES/CVE-2019-15605-HTTP-request-smuggling.patch @@ -1,4 +1,4 @@ -From c8703a57d4c3c45251c08f20b433421c72032c57 Mon Sep 17 00:00:00 2001 +From b41d69bedcdbb8fe0cd790d0bcccbb457d6170d3 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Wed, 26 Feb 2020 17:03:26 -0300 Subject: [PATCH] CVE-2019-15605 - HTTP request smuggling diff --git a/SOURCES/remove-unused-functions-from-test-runner.patch b/SOURCES/remove-unused-functions-from-test-runner.patch index 57fb24a..690fcbf 100644 --- a/SOURCES/remove-unused-functions-from-test-runner.patch +++ b/SOURCES/remove-unused-functions-from-test-runner.patch @@ -1,19 +1,26 @@ -commit 705e519bf56e5904c761a411b38a66e84bf7fc2d -Author: Ben Noordhuis -Date: Tue Feb 27 22:59:00 2018 +0100 +From d22c4c1e3ab9ffe5faaa08bacd993c814ca1c92e Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 18 Feb 2020 09:11:05 -0300 +Subject: [PATCH] Remove unused functions from test runner. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit - Remove unused functions from test runner. - - PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1 - Reviewed-By: Сковорода Никита Андреевич - Reviewed-By: Colin Ihrig - Reviewed-By: Evan Lucas - Reviewed-By: Fedor Indutny - Reviewed-By: James M Snell - Reviewed-By: Rod Vagg +Upstream: 705e519bf56e5904c761a411b38a66e84bf7fc2d + +PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1 +Reviewed-By: Сковорода Никита Андреевич +Reviewed-By: Colin Ihrig +Reviewed-By: Evan Lucas +Reviewed-By: Fedor Indutny +Reviewed-By: James M Snell +Reviewed-By: Rod Vagg +--- + test.c | 14 -------------- + 1 file changed, 14 deletions(-) diff --git a/test.c b/test.c -index bc4e664..0cbe544 100644 +index cb445ce..a1fa0d3 100644 --- a/test.c +++ b/test.c @@ -27,9 +27,7 @@ @@ -52,3 +59,6 @@ index bc4e664..0cbe544 100644 int request_url_cb (http_parser *p, const char *buf, size_t len) { +-- +2.18.2 + diff --git a/SPECS/http-parser.spec b/SPECS/http-parser.spec index d0b13cb..506e968 100644 --- a/SPECS/http-parser.spec +++ b/SPECS/http-parser.spec @@ -2,7 +2,7 @@ Name: http-parser Version: 2.8.0 -Release: 5%{?dist}.2 +Release: 9%{?dist} Summary: HTTP request/response parser for C License: MIT @@ -33,11 +33,7 @@ Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release} Development headers and libraries for http-parser. %prep -%setup -q -%patch01 -p3 -%patch02 -p1 -%patch03 -p1 -%patch04 -p1 +%autosetup -p1 # TODO: try to send upstream? cat > meson.build << EOF @@ -83,12 +79,19 @@ EOF %{_libdir}/libhttp_parser_strict.so %changelog -* Wed Feb 26 2020 Sergio Correia - 2.8.0-5.2 +* Wed Feb 26 2020 Sergio Correia - 2.8.0-9 - Do not break ABI with CVE-2019-15605 fix -* Thu Feb 20 2020 Sergio Correia - 2.8.0-5.1 +* Wed Feb 19 2020 Sergio Correia - 2.8.0-8 +- Update gating tests due to CVE-2019-15605 + +* Tue Feb 18 2020 Sergio Corrreia - 2.8.0-7 - Resolves: CVE-2019-15605 http-parser: nodejs: HTTP request - smuggling using malformed Transfer-Encoding header + smuggling using malformed Transfer-Encoding header + +* Tue Oct 29 2019 Sergio Correia - 2.8.0-6 +- Provide -devel package + Resolves: rhbz#1748765: http-parser-devel package not available in CRB * Mon Aug 12 2019 Sergio Correia - 2.8.0-5 - Resolves: rhbz#1686488: 'make test' fails with stringop-overflow error