From 410d10973fd51a02aabed4a0c0427815de445775ab6f272c2fda111ee80cb74f Mon Sep 17 00:00:00 2001 From: Dirk Stoecker Date: Mon, 18 Jul 2022 15:36:00 +0000 Subject: [PATCH] Accepting request 988945 from home:ohollmann:branches:devel:languages:perl - Fix request smuggling in HTTP::Daemon (CVE-2022-31081, bsc#1201157) * CVE-2022-31081.patch * CVE-2022-31081-2.patch OBS-URL: https://build.opensuse.org/request/show/988945 OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-HTTP-Daemon?expand=0&rev=19 --- CVE-2022-31081-2.patch | 36 +++++++++++++++++++++++++++++ CVE-2022-31081.patch | 50 ++++++++++++++++++++++++++++++++++++++++ perl-HTTP-Daemon.changes | 8 +++++++ perl-HTTP-Daemon.spec | 8 +++++-- 4 files changed, 100 insertions(+), 2 deletions(-) create mode 100644 CVE-2022-31081-2.patch create mode 100644 CVE-2022-31081.patch diff --git a/CVE-2022-31081-2.patch b/CVE-2022-31081-2.patch new file mode 100644 index 0000000..81faa40 --- /dev/null +++ b/CVE-2022-31081-2.patch @@ -0,0 +1,36 @@ +From 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Mon Sep 17 00:00:00 2001 +From: Theo van Hoesel +Date: Tue, 21 Jun 2022 20:00:47 +0000 +Subject: [PATCH] Include reason in response body content + +--- + lib/HTTP/Daemon.pm | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm +index a5112b3..2d022ae 100644 +--- a/lib/HTTP/Daemon.pm ++++ b/lib/HTTP/Daemon.pm +@@ -299,16 +299,18 @@ READ_HEADER: + # check that they are all numbers (RFC: Content-Length = 1*DIGIT) + my @nums = grep { /^[0-9]+$/} @vals; + unless (@vals == @nums) { +- $self->send_error(400); +- $self->reason("Content-Length value must be a unsigned integer"); ++ my $reason = "Content-Length value must be an unsigned integer"; ++ $self->send_error(400, $reason); ++ $self->reason($reason); + return; + } + # check they are all the same + my $len = shift @nums; + foreach (@nums) { + next if $_ == $len; +- $self->send_error(400); +- $self->reason("Content-Length values are not the same"); ++ my $reason = "Content-Length values are not the same"; ++ $self->send_error(400, $reason); ++ $self->reason($reason); + return; + } + # ensure we have now a fixed header, with only 1 value diff --git a/CVE-2022-31081.patch b/CVE-2022-31081.patch new file mode 100644 index 0000000..dfd212e --- /dev/null +++ b/CVE-2022-31081.patch @@ -0,0 +1,50 @@ +From e84475de51d6fd7b29354a997413472a99db70b2 Mon Sep 17 00:00:00 2001 +From: Theo van Hoesel +Date: Thu, 16 Jun 2022 08:28:30 +0000 +Subject: [PATCH] Fix Content-Length ', '-separated string issues + +After a security issue, we ensure we comply to +RFC-7230 -- HTTP/1.1 Message Syntax and Routing +- section 3.3.2 -- Content-Length +- section 3.3.3 -- Message Body Length +--- + lib/HTTP/Daemon.pm | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm +index c0cdf76..a5112b3 100644 +--- a/lib/HTTP/Daemon.pm ++++ b/lib/HTTP/Daemon.pm +@@ -288,6 +288,32 @@ READ_HEADER: + } + elsif ($len) { + ++ # After a security issue, we ensure we comply to ++ # RFC-7230 -- HTTP/1.1 Message Syntax and Routing ++ # section 3.3.2 -- Content-Length ++ # section 3.3.3 -- Message Body Length ++ ++ # split and clean up Content-Length ', ' separated string ++ my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str } ++ split ',', $len; ++ # check that they are all numbers (RFC: Content-Length = 1*DIGIT) ++ my @nums = grep { /^[0-9]+$/} @vals; ++ unless (@vals == @nums) { ++ $self->send_error(400); ++ $self->reason("Content-Length value must be a unsigned integer"); ++ return; ++ } ++ # check they are all the same ++ my $len = shift @nums; ++ foreach (@nums) { ++ next if $_ == $len; ++ $self->send_error(400); ++ $self->reason("Content-Length values are not the same"); ++ return; ++ } ++ # ensure we have now a fixed header, with only 1 value ++ $r->header('Content-Length' => $len); ++ + # Plain body specified by "Content-Length" + my $missing = $len - length($buf); + while ($missing > 0) { diff --git a/perl-HTTP-Daemon.changes b/perl-HTTP-Daemon.changes index 7494abc..192f1d2 100644 --- a/perl-HTTP-Daemon.changes +++ b/perl-HTTP-Daemon.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Jul 13 09:04:49 UTC 2022 - Otto Hollmann + +- Fix request smuggling in HTTP::Daemon + (CVE-2022-31081, bsc#1201157) + * CVE-2022-31081.patch + * CVE-2022-31081-2.patch + ------------------------------------------------------------------- Fri Mar 4 03:07:35 UTC 2022 - Tina Müller diff --git a/perl-HTTP-Daemon.spec b/perl-HTTP-Daemon.spec index 28e8d90..795097b 100644 --- a/perl-HTTP-Daemon.spec +++ b/perl-HTTP-Daemon.spec @@ -20,11 +20,15 @@ Name: perl-HTTP-Daemon Version: 6.14 Release: 0 -License: Artistic-1.0 OR GPL-1.0-or-later Summary: Simple http server class +License: Artistic-1.0 OR GPL-1.0-or-later URL: https://metacpan.org/release/%{cpan_name} Source0: https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz Source1: cpanspec.yml +# PATCH-FIX-SECURITY bsc#1201157 otto.hollmann@suse.com +# Fix request smuggling in HTTP::Daemon +Patch0: CVE-2022-31081.patch +Patch1: CVE-2022-31081-2.patch BuildArch: noarch BuildRequires: perl BuildRequires: perl-macros @@ -65,7 +69,7 @@ method on this object will read data from the client and return an back various responses. %prep -%autosetup -n %{cpan_name}-%{version} +%autosetup -n %{cpan_name}-%{version} -p1 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 %build