Accepting request 988945 from home:ohollmann:branches:devel:languages:perl

- Fix request smuggling in HTTP::Daemon
  (CVE-2022-31081, bsc#1201157)
  * CVE-2022-31081.patch
  * CVE-2022-31081-2.patch

OBS-URL: https://build.opensuse.org/request/show/988945
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-HTTP-Daemon?expand=0&rev=19
This commit is contained in:
Dirk Stoecker 2022-07-18 15:36:00 +00:00 committed by Git OBS Bridge
parent 92b96b534e
commit 410d10973f
4 changed files with 100 additions and 2 deletions

36
CVE-2022-31081-2.patch Normal file
View File

@ -0,0 +1,36 @@
From 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Mon Sep 17 00:00:00 2001
From: Theo van Hoesel <tvanhoesel@perceptyx.com>
Date: Tue, 21 Jun 2022 20:00:47 +0000
Subject: [PATCH] Include reason in response body content
---
lib/HTTP/Daemon.pm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
index a5112b3..2d022ae 100644
--- a/lib/HTTP/Daemon.pm
+++ b/lib/HTTP/Daemon.pm
@@ -299,16 +299,18 @@ READ_HEADER:
# check that they are all numbers (RFC: Content-Length = 1*DIGIT)
my @nums = grep { /^[0-9]+$/} @vals;
unless (@vals == @nums) {
- $self->send_error(400);
- $self->reason("Content-Length value must be a unsigned integer");
+ my $reason = "Content-Length value must be an unsigned integer";
+ $self->send_error(400, $reason);
+ $self->reason($reason);
return;
}
# check they are all the same
my $len = shift @nums;
foreach (@nums) {
next if $_ == $len;
- $self->send_error(400);
- $self->reason("Content-Length values are not the same");
+ my $reason = "Content-Length values are not the same";
+ $self->send_error(400, $reason);
+ $self->reason($reason);
return;
}
# ensure we have now a fixed header, with only 1 value

50
CVE-2022-31081.patch Normal file
View File

@ -0,0 +1,50 @@
From e84475de51d6fd7b29354a997413472a99db70b2 Mon Sep 17 00:00:00 2001
From: Theo van Hoesel <tvanhoesel@perceptyx.com>
Date: Thu, 16 Jun 2022 08:28:30 +0000
Subject: [PATCH] Fix Content-Length ', '-separated string issues
After a security issue, we ensure we comply to
RFC-7230 -- HTTP/1.1 Message Syntax and Routing
- section 3.3.2 -- Content-Length
- section 3.3.3 -- Message Body Length
---
lib/HTTP/Daemon.pm | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
index c0cdf76..a5112b3 100644
--- a/lib/HTTP/Daemon.pm
+++ b/lib/HTTP/Daemon.pm
@@ -288,6 +288,32 @@ READ_HEADER:
}
elsif ($len) {
+ # After a security issue, we ensure we comply to
+ # RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+ # section 3.3.2 -- Content-Length
+ # section 3.3.3 -- Message Body Length
+
+ # split and clean up Content-Length ', ' separated string
+ my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str }
+ split ',', $len;
+ # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+ my @nums = grep { /^[0-9]+$/} @vals;
+ unless (@vals == @nums) {
+ $self->send_error(400);
+ $self->reason("Content-Length value must be a unsigned integer");
+ return;
+ }
+ # check they are all the same
+ my $len = shift @nums;
+ foreach (@nums) {
+ next if $_ == $len;
+ $self->send_error(400);
+ $self->reason("Content-Length values are not the same");
+ return;
+ }
+ # ensure we have now a fixed header, with only 1 value
+ $r->header('Content-Length' => $len);
+
# Plain body specified by "Content-Length"
my $missing = $len - length($buf);
while ($missing > 0) {

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Jul 13 09:04:49 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
- Fix request smuggling in HTTP::Daemon
(CVE-2022-31081, bsc#1201157)
* CVE-2022-31081.patch
* CVE-2022-31081-2.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 4 03:07:35 UTC 2022 - Tina Müller <timueller+perl@suse.de> Fri Mar 4 03:07:35 UTC 2022 - Tina Müller <timueller+perl@suse.de>

View File

@ -20,11 +20,15 @@
Name: perl-HTTP-Daemon Name: perl-HTTP-Daemon
Version: 6.14 Version: 6.14
Release: 0 Release: 0
License: Artistic-1.0 OR GPL-1.0-or-later
Summary: Simple http server class Summary: Simple http server class
License: Artistic-1.0 OR GPL-1.0-or-later
URL: https://metacpan.org/release/%{cpan_name} URL: https://metacpan.org/release/%{cpan_name}
Source0: https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz Source0: https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz
Source1: cpanspec.yml Source1: cpanspec.yml
# PATCH-FIX-SECURITY bsc#1201157 otto.hollmann@suse.com
# Fix request smuggling in HTTP::Daemon
Patch0: CVE-2022-31081.patch
Patch1: CVE-2022-31081-2.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: perl BuildRequires: perl
BuildRequires: perl-macros BuildRequires: perl-macros
@ -65,7 +69,7 @@ method on this object will read data from the client and return an
back various responses. back various responses.
%prep %prep
%autosetup -n %{cpan_name}-%{version} %autosetup -n %{cpan_name}-%{version} -p1
find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644
%build %build