Accepting request 988945 from home:ohollmann:branches:devel:languages:perl

- Fix request smuggling in HTTP::Daemon (CVE-2022-31081, bsc#1201157) * CVE-2022-31081.patch * CVE-2022-31081-2.patch OBS-URL: https://build.opensuse.org/request/show/988945 OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-HTTP-Daemon?expand=0&rev=19
2022-07-18 15:36:00 +00:00 · 2022-07-18 15:36:00 +00:00 · 410d10973f
commit 410d10973f
parent 92b96b534e
4 changed files with 100 additions and 2 deletions
--- a/CVE-2022-31081-2.patch
+++ b/CVE-2022-31081-2.patch
@ -0,0 +1,36 @@
+From 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Mon Sep 17 00:00:00 2001
+From: Theo van Hoesel <tvanhoesel@perceptyx.com>
+Date: Tue, 21 Jun 2022 20:00:47 +0000
+Subject: [PATCH] Include reason in response body content
+
+---
+ lib/HTTP/Daemon.pm | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
+index a5112b3..2d022ae 100644
+--- a/lib/HTTP/Daemon.pm
+++ b/lib/HTTP/Daemon.pm
+@@ -299,16 +299,18 @@ READ_HEADER:
+         # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+         my @nums = grep { /^[0-9]+$/} @vals;
+         unless (@vals == @nums) {
+-            $self->send_error(400);
+-            $self->reason("Content-Length value must be a unsigned integer");
+            my $reason = "Content-Length value must be an unsigned integer";
+            $self->send_error(400, $reason);
+            $self->reason($reason);
+             return;
+         }
+         # check they are all the same
+         my $len = shift @nums;
+         foreach (@nums) {
+             next if $_ == $len;
+-            $self->send_error(400);
+-            $self->reason("Content-Length values are not the same");
+            my $reason = "Content-Length values are not the same";
+            $self->send_error(400, $reason);
+            $self->reason($reason);
+             return;
+         }
+         # ensure we have now a fixed header, with only 1 value
--- a/CVE-2022-31081.patch
+++ b/CVE-2022-31081.patch
@ -0,0 +1,50 @@
+From e84475de51d6fd7b29354a997413472a99db70b2 Mon Sep 17 00:00:00 2001
+From: Theo van Hoesel <tvanhoesel@perceptyx.com>
+Date: Thu, 16 Jun 2022 08:28:30 +0000
+Subject: [PATCH] Fix Content-Length ', '-separated string issues
+
+After a security issue, we ensure we comply to
+RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+- section 3.3.2 -- Content-Length
+- section 3.3.3 -- Message Body Length
+---
+ lib/HTTP/Daemon.pm | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
+index c0cdf76..a5112b3 100644
+--- a/lib/HTTP/Daemon.pm
+++ b/lib/HTTP/Daemon.pm
+@@ -288,6 +288,32 @@ READ_HEADER:
+     }
+     elsif ($len) {
+ 
+        # After a security issue, we ensure we comply to
+        # RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+        # section 3.3.2 -- Content-Length
+        # section 3.3.3 -- Message Body Length
+
+        # split and clean up Content-Length ', ' separated string
+        my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str }
+            split ',', $len;
+        # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+        my @nums = grep { /^[0-9]+$/} @vals;
+        unless (@vals == @nums) {
+            $self->send_error(400);
+            $self->reason("Content-Length value must be a unsigned integer");
+            return;
+        }
+        # check they are all the same
+        my $len = shift @nums;
+        foreach (@nums) {
+            next if $_ == $len;
+            $self->send_error(400);
+            $self->reason("Content-Length values are not the same");
+            return;
+        }
+        # ensure we have now a fixed header, with only 1 value
+        $r->header('Content-Length' => $len);
+
+         # Plain body specified by "Content-Length"
+         my $missing = $len - length($buf);
+         while ($missing > 0) {
--- a/perl-HTTP-Daemon.changes
+++ b/perl-HTTP-Daemon.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jul 13 09:04:49 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Fix request smuggling in HTTP::Daemon
+  (CVE-2022-31081, bsc#1201157)
+  * CVE-2022-31081.patch
+  * CVE-2022-31081-2.patch
+
 -------------------------------------------------------------------
 Fri Mar  4 03:07:35 UTC 2022 - Tina Müller <timueller+perl@suse.de>

--- a/perl-HTTP-Daemon.spec
+++ b/perl-HTTP-Daemon.spec
@ -20,11 +20,15 @@
 Name:           perl-HTTP-Daemon
 Version:        6.14
 Release:        0
-License:        Artistic-1.0 OR GPL-1.0-or-later
 Summary:        Simple http server class
+License:        Artistic-1.0 OR GPL-1.0-or-later
 URL:            https://metacpan.org/release/%{cpan_name}
 Source0:        https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz
 Source1:        cpanspec.yml
+# PATCH-FIX-SECURITY bsc#1201157 otto.hollmann@suse.com
+# Fix request smuggling in HTTP::Daemon
+Patch0:         CVE-2022-31081.patch
+Patch1:         CVE-2022-31081-2.patch
 BuildArch:      noarch
 BuildRequires:  perl
 BuildRequires:  perl-macros
@ -65,7 +69,7 @@ method on this object will read data from the client and return an
 back various responses.

 %prep
-%autosetup  -n %{cpan_name}-%{version}
+%autosetup  -n %{cpan_name}-%{version} -p1
 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644

 %build