From b92ca81e97caafa3f794fff74a61f1f8d52cfa7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 28 Nov 2024 16:25:36 +0100 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 python-Twisted revision 827d7bbefe1f586185e6ce7cfb05657c --- CVE-2024-41671.patch | 323 +++++++++++++++++++++++++++++++++++++++++ CVE-2024-41810.patch | 85 +++++++++++ python-Twisted.changes | 9 ++ python-Twisted.spec | 4 + 4 files changed, 421 insertions(+) create mode 100644 CVE-2024-41671.patch create mode 100644 CVE-2024-41810.patch diff --git a/CVE-2024-41671.patch b/CVE-2024-41671.patch new file mode 100644 index 0000000..5541994 --- /dev/null +++ b/CVE-2024-41671.patch @@ -0,0 +1,323 @@ +Index: Twisted-22.10.0/src/twisted/web/http.py +=================================================================== +--- Twisted-22.10.0.orig/src/twisted/web/http.py ++++ Twisted-22.10.0/src/twisted/web/http.py +@@ -1897,6 +1897,10 @@ class _ChunkedTransferDecoder: + self.finishCallback = finishCallback + self._buffer = bytearray() + self._start = 0 ++ self._trailerHeaders: List[bytearray] = [] ++ self._maxTrailerHeadersSize = 2**16 ++ self._receivedTrailerHeadersSize = 0 ++ + + def _dataReceived_CHUNK_LENGTH(self) -> bool: + """ +@@ -1973,23 +1977,44 @@ class _ChunkedTransferDecoder: + + def _dataReceived_TRAILER(self) -> bool: + """ +- Await the carriage return and line feed characters that follow the +- terminal zero-length chunk. Then invoke C{finishCallback} and switch to +- state C{'FINISHED'}. ++ Collect trailer headers if received and finish at the terminal zero-length ++ chunk. Then invoke C{finishCallback} and switch to state C{'FINISHED'}. + + @returns: C{False}, as there is either insufficient data to continue, + or no data remains. +- +- @raises _MalformedChunkedDataError: when anything other than CRLF is +- received. + """ +- if len(self._buffer) < 2: ++ eolIndex = self._buffer.find(b"\r\n", self._start) ++ ++ if eolIndex == -1: ++ # Still no end of network line marker found. ++ # ++ # Check if we've run up against the trailer size limit: if the next ++ # read contains the terminating CRLF then we'll have this many bytes ++ # of trailers (including the CRLFs). ++ minTrailerSize = ( ++ self._receivedTrailerHeadersSize ++ + len(self._buffer) ++ + (1 if self._buffer.endswith(b"\r") else 2) ++ ) ++ if minTrailerSize > self._maxTrailerHeadersSize: ++ raise _MalformedChunkedDataError("Trailer headers data is too long.") ++ # Continue processing more data. + return False + +- if not self._buffer.startswith(b"\r\n"): +- raise _MalformedChunkedDataError("Chunk did not end with CRLF") ++ if eolIndex > 0: ++ # A trailer header was detected. ++ self._trailerHeaders.append(self._buffer[0:eolIndex]) ++ del self._buffer[0 : eolIndex + 2] ++ self._start = 0 ++ self._receivedTrailerHeadersSize += eolIndex + 2 ++ if self._receivedTrailerHeadersSize > self._maxTrailerHeadersSize: ++ raise _MalformedChunkedDataError("Trailer headers data is too long.") ++ return True ++ ++ # eolIndex in this part of code is equal to 0 + + data = memoryview(self._buffer)[2:].tobytes() ++ + del self._buffer[:] + self.state = "FINISHED" + self.finishCallback(data) +@@ -2307,8 +2332,8 @@ class HTTPChannel(basic.LineReceiver, po + self.__header = line + + def _finishRequestBody(self, data): +- self.allContentReceived() + self._dataBuffer.append(data) ++ self.allContentReceived() + + def _maybeChooseTransferDecoder(self, header, data): + """ +Index: Twisted-22.10.0/src/twisted/web/newsfragments/12248.bugfix +=================================================================== +--- /dev/null ++++ Twisted-22.10.0/src/twisted/web/newsfragments/12248.bugfix +@@ -0,0 +1 @@ ++The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure (CVE-2024-41671/GHSA-c8m8-j448-xjx7) +Index: Twisted-22.10.0/src/twisted/web/test/test_http.py +=================================================================== +--- Twisted-22.10.0.orig/src/twisted/web/test/test_http.py ++++ Twisted-22.10.0/src/twisted/web/test/test_http.py +@@ -135,7 +135,7 @@ class DummyHTTPHandler(http.Request): + data = self.content.read() + length = self.getHeader(b"content-length") + if length is None: +- length = networkString(str(length)) ++ length = str(length).encode() + request = b"'''\n" + length + b"\n" + data + b"'''\n" + self.setResponseCode(200) + self.setHeader(b"Request", self.uri) +@@ -566,17 +566,23 @@ class HTTP0_9Tests(HTTP1_0Tests): + + class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin): + """ +- Tests that multiple pipelined requests with bodies are correctly buffered. ++ Pipelined requests get buffered and executed in the order received, ++ not processed in parallel. + """ + + requests = ( + b"POST / HTTP/1.1\r\n" + b"Content-Length: 10\r\n" + b"\r\n" +- b"0123456789POST / HTTP/1.1\r\n" +- b"Content-Length: 10\r\n" +- b"\r\n" + b"0123456789" ++ # Chunk encoded request. ++ b"POST / HTTP/1.1\r\n" ++ b"Transfer-Encoding: chunked\r\n" ++ b"\r\n" ++ b"a\r\n" ++ b"0123456789\r\n" ++ b"0\r\n" ++ b"\r\n" + ) + + expectedResponses = [ +@@ -593,14 +599,16 @@ class PipeliningBodyTests(unittest.TestC + b"Request: /", + b"Command: POST", + b"Version: HTTP/1.1", +- b"Content-Length: 21", +- b"'''\n10\n0123456789'''\n", ++ b"Content-Length: 23", ++ b"'''\nNone\n0123456789'''\n", + ), + ] + +- def test_noPipelining(self): ++ def test_stepwiseTinyTube(self): + """ +- Test that pipelined requests get buffered, not processed in parallel. ++ Imitate a slow connection that delivers one byte at a time. ++ The request handler (L{DelayedHTTPHandler}) is puppeted to ++ step through the handling of each request. + """ + b = StringTransport() + a = http.HTTPChannel() +@@ -609,10 +617,9 @@ class PipeliningBodyTests(unittest.TestC + # one byte at a time, to stress it. + for byte in iterbytes(self.requests): + a.dataReceived(byte) +- value = b.value() + + # So far only one request should have been dispatched. +- self.assertEqual(value, b"") ++ self.assertEqual(b.value(), b"") + self.assertEqual(1, len(a.requests)) + + # Now, process each request one at a time. +@@ -621,8 +628,95 @@ class PipeliningBodyTests(unittest.TestC + request = a.requests[0].original + request.delayedProcess() + +- value = b.value() +- self.assertResponseEquals(value, self.expectedResponses) ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_stepwiseDumpTruck(self): ++ """ ++ Imitate a fast connection where several pipelined ++ requests arrive in a single read. The request handler ++ (L{DelayedHTTPHandler}) is puppeted to step through the ++ handling of each request. ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DelayedHTTPHandlerProxy ++ a.makeConnection(b) ++ ++ a.dataReceived(self.requests) ++ ++ # So far only one request should have been dispatched. ++ self.assertEqual(b.value(), b"") ++ self.assertEqual(1, len(a.requests)) ++ ++ # Now, process each request one at a time. ++ while a.requests: ++ self.assertEqual(1, len(a.requests)) ++ request = a.requests[0].original ++ request.delayedProcess() ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_immediateTinyTube(self): ++ """ ++ Imitate a slow connection that delivers one byte at a time. ++ ++ (L{DummyHTTPHandler}) immediately responds, but no more ++ than one ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DummyHTTPHandlerProxy # "sync" ++ a.makeConnection(b) ++ ++ # one byte at a time, to stress it. ++ for byte in iterbytes(self.requests): ++ a.dataReceived(byte) ++ # There is never more than one request dispatched at a time: ++ self.assertLessEqual(len(a.requests), 1) ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_immediateDumpTruck(self): ++ """ ++ Imitate a fast connection where several pipelined ++ requests arrive in a single read. The request handler ++ (L{DummyHTTPHandler}) immediately responds. ++ ++ This doesn't check the at-most-one pending request ++ invariant but exercises otherwise uncovered code paths. ++ See GHSA-c8m8-j448-xjx7. ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DummyHTTPHandlerProxy ++ a.makeConnection(b) ++ ++ # All bytes at once to ensure there's stuff to buffer. ++ a.dataReceived(self.requests) ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses) ++ ++ def test_immediateABiggerTruck(self): ++ """ ++ Imitate a fast connection where a so many pipelined ++ requests arrive in a single read that backpressure is indicated. ++ The request handler (L{DummyHTTPHandler}) immediately responds. ++ ++ This doesn't check the at-most-one pending request ++ invariant but exercises otherwise uncovered code paths. ++ See GHSA-c8m8-j448-xjx7. ++ ++ @see: L{http.HTTPChannel._optimisticEagerReadSize} ++ """ ++ b = StringTransport() ++ a = http.HTTPChannel() ++ a.requestFactory = DummyHTTPHandlerProxy ++ a.makeConnection(b) ++ ++ overLimitCount = a._optimisticEagerReadSize // len(self.requests) * 10 ++ a.dataReceived(self.requests * overLimitCount) ++ ++ self.assertResponseEquals(b.value(), self.expectedResponses * overLimitCount) + + def test_pipeliningReadLimit(self): + """ +@@ -1385,20 +1479,6 @@ class ChunkedTransferEncodingTests(unitt + http._MalformedChunkedDataError, p.dataReceived, b"3\r\nabc!!!!" + ) + +- def test_malformedChunkEndFinal(self): +- r""" +- L{_ChunkedTransferDecoder.dataReceived} raises +- L{_MalformedChunkedDataError} when the terminal zero-length chunk is +- followed by characters other than C{\r\n}. +- """ +- p = http._ChunkedTransferDecoder( +- lambda b: None, +- lambda b: None, # pragma: nocov +- ) +- self.assertRaises( +- http._MalformedChunkedDataError, p.dataReceived, b"3\r\nabc\r\n0\r\n!!" +- ) +- + def test_finish(self): + """ + L{_ChunkedTransferDecoder.dataReceived} interprets a zero-length +@@ -1473,6 +1553,44 @@ class ChunkedTransferEncodingTests(unitt + self.assertEqual(errors, []) + self.assertEqual(successes, [True]) + ++ def test_tooLongTrailerHeader(self): ++ r""" ++ L{_ChunkedTransferDecoder.dataReceived} raises ++ L{_MalformedChunkedDataError} when the trailing headers data is too long. ++ """ ++ p = http._ChunkedTransferDecoder( ++ lambda b: None, ++ lambda b: None, # pragma: nocov ++ ) ++ p._maxTrailerHeadersSize = 10 ++ self.assertRaises( ++ http._MalformedChunkedDataError, ++ p.dataReceived, ++ b"3\r\nabc\r\n0\r\nTotal-Trailer: header;greater-then=10\r\n\r\n", ++ ) ++ ++ def test_unfinishedTrailerHeader(self): ++ r""" ++ L{_ChunkedTransferDecoder.dataReceived} raises ++ L{_MalformedChunkedDataError} when the trailing headers data is too long ++ and doesn't have final CRLF characters. ++ """ ++ p = http._ChunkedTransferDecoder( ++ lambda b: None, ++ lambda b: None, # pragma: nocov ++ ) ++ p._maxTrailerHeadersSize = 10 ++ # 9 bytes are received so far, in 2 packets. ++ # For now, all is ok. ++ p.dataReceived(b"3\r\nabc\r\n0\r\n01234567") ++ p.dataReceived(b"\r") ++ # Once the 10th byte is received, the processing fails. ++ self.assertRaises( ++ http._MalformedChunkedDataError, ++ p.dataReceived, ++ b"A", ++ ) ++ + + class ChunkingTests(unittest.TestCase, ResponseTestMixin): + diff --git a/CVE-2024-41810.patch b/CVE-2024-41810.patch new file mode 100644 index 0000000..25ad50e --- /dev/null +++ b/CVE-2024-41810.patch @@ -0,0 +1,85 @@ +diff --git a/src/twisted/web/_template_util.py b/src/twisted/web/_template_util.py +index f4c4aba3540..501941ad121 100644 +--- a/src/twisted/web/_template_util.py ++++ b/src/twisted/web/_template_util.py +@@ -92,7 +92,7 @@ def render_GET(self, request): + + + """ % { +- b"url": URL ++ b"url": escape(URL.decode("utf-8")).encode("utf-8") + } + return content + +diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix +new file mode 100644 +index 00000000000..b3982ca0fb5 +--- /dev/null ++++ b/src/twisted/web/newsfragments/12263.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810. +\ No newline at end of file +diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix +new file mode 100644 +index 00000000000..1e2e7f72986 +--- /dev/null ++++ b/src/twisted/web/newsfragments/9839.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). +diff --git a/src/twisted/web/test/test_util.py b/src/twisted/web/test/test_util.py +index 1e763009ca9..9847dcbb8b5 100644 +--- a/src/twisted/web/test/test_util.py ++++ b/src/twisted/web/test/test_util.py +@@ -5,7 +5,6 @@ + Tests for L{twisted.web.util}. + """ + +- + import gc + + from twisted.internet import defer +@@ -64,6 +63,44 @@ def test_redirectToUnicodeURL(self): + targetURL = "http://target.example.com/4321" + self.assertRaises(TypeError, redirectTo, targetURL, request) + ++ def test_legitimateRedirect(self): ++ """ ++ Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo(b"https://twisted.org/", request) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ ++ def test_maliciousRedirect(self): ++ """ ++ Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body ++ """ ++ request = DummyRequest([b""]) ++ html = redirectTo( ++ b'https://twisted.org/">', request ++ ) ++ expected = b""" ++ ++ ++ ++ ++ ++ click here ++ ++ ++""" ++ self.assertEqual(html, expected) ++ + + class ParentRedirectTests(SynchronousTestCase): + """ diff --git a/python-Twisted.changes b/python-Twisted.changes index 1880fdf..b36f8a0 100644 --- a/python-Twisted.changes +++ b/python-Twisted.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Jul 31 08:38:53 UTC 2024 - Daniel Garcia + +- Add a couple of upstream patches to fix http process information + disclosure (CVE-2024-41671, bsc#1228549) and XSS via html injection + (CVE-2024-41810, bsc#1228552): + * CVE-2024-41671.patch gh#twisted/twisted@4a930de12fb6 + * CVE-2024-41810.patch gh#twisted/twisted@046a164f89a0 + ------------------------------------------------------------------- Wed Nov 15 13:48:33 UTC 2023 - Matej Cepl diff --git a/python-Twisted.spec b/python-Twisted.spec index c2d168c..efe7521 100644 --- a/python-Twisted.spec +++ b/python-Twisted.spec @@ -59,6 +59,10 @@ Patch10: remove-pynacl-optional-dependency.patch # PATCH-FIX-UPSTREAM CVE-2023-46137-HTTP-pipeline-response.patch bsc#1216588 mcepl@suse.com # disordered HTTP pipeline response in twisted.web Patch11: CVE-2023-46137-HTTP-pipeline-response.patch +# PATCH-FIX-UPSTREAM CVE-2024-41671.patch gh#twisted/twisted@4a930de12fb6 +Patch12: CVE-2024-41671.patch +# PATCH-FIX-UPSTREAM CVE-2024-41810.patch gh#twisted/twisted@046a164f89a0 +Patch13: CVE-2024-41810.patch BuildRequires: %{python_module incremental >= 21.3.0} BuildRequires: %{python_module setuptools} BuildRequires: fdupes