author | Anthony G. Basile <blueness@gentoo.org> | 2013-06-06 21:06:02 +0000 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2013-06-06 21:06:02 +0000 |
commit | 81fd038b0b9d4edfc4b524a7752aee4b66d00c94 (patch) | |
tree | 9304b499e9314d267b93cc5bac7994c5da70d5fc /www-servers | |
parent | fix AM_CONFIG_HEADER issue (bug #469704); fix another buffer warning; tidy ep... (diff) | |
Upstream bump to fix potential DoS bug in headers parser, bug #472400, CVE-2013-3843
(Portage version: 2.1.11.62/cvs/Linux x86_64, signed Manifest commit with key 0xF52D4BBA)
Diffstat (limited to 'www-servers')
-rw-r--r-- | www-servers/monkeyd/ChangeLog | 9 | ||||
-rw-r--r-- | www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch | 131 | ||||
-rw-r--r-- | www-servers/monkeyd/monkeyd-1.2.1.ebuild (renamed from www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild) | 7 |
3 files changed, 10 insertions, 137 deletions
diff --git a/www-servers/monkeyd/ChangeLog b/www-servers/monkeyd/ChangeLog index d54e800432ba..0e5dc49c56c7 100644 --- a/www-servers/monkeyd/ChangeLog +++ b/www-servers/monkeyd/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for www-servers/monkeyd # Copyright 1999- Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.57 2013/06/05 20:53:14 blueness Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.58 2013/06/06 21:06:02 blueness Exp $ + +*monkeyd-1.2.1 (06 Jun 2013) + + 06 Jun 2013; Anthony G. Basile <blueness@gentoo.org> +monkeyd-1.2.1.ebuild, + -files/monkeyd-fix-DoS-headers-parser.patch, -monkeyd-1.2.0-r1.ebuild: + Upstream bump to fix potencial DoS bug in headers parser, bug #472400, + CVE-2013-3843 *monkeyd-1.2.0-r1 (05 Jun 2013) diff --git a/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch b/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch deleted file mode 100644 index db0e111dab00..000000000000 --- a/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 95d646e5de252bfaa8b68c39d0f48e5d82965d41 Mon Sep 17 00:00:00 2001 -From: Eduardo Silva <edsiper@gmail.com> -Date: Wed, 5 Jun 2013 12:18:39 -0600 -Subject: [PATCH] Fix #182: DoS bug on headers parser - -This patch fix the root cause for a problem described in Ticket #182, -actually if a header is malformed like a Header Key without a value, the -ToC parser used to continue processing the next header line. - -The solution applied is to improve the ToC generator where it adds extra -validations for at least one colon and forcing each header line to contain -a value or empty space, otherwise the server will trigger a Bad Request -response to the client and close the connection. - -Signed-off-by: Eduardo Silva <edsiper@gmail.com> ---- - src/mk_method.c | 11 ++++++++++- - src/mk_request.c | 36 +++++++++++++++++++++++++++++------- - 2 files changed, 39 insertions(+), 8 deletions(-) - -diff --git a/src/mk_method.c b/src/mk_method.c -index 4a0698a..b35e893 100644 ---- a/src/mk_method.c -+++ b/src/mk_method.c -@@ -45,16 +45,25 @@ - - long int mk_method_validate_content_length(const char *body, int body_len) - { -+ int crlf; - struct headers_toc toc; - long int len; - mk_pointer tmp; - -+ crlf = mk_string_search(body, MK_CRLF, MK_STR_INSENSITIVE); -+ if (crlf < 0) { -+ return -1; -+ } -+ - /* - * obs: Table of Content (toc) is created when the full - * request has arrived, this function cannot be used from - * mk_http_pending_request(). 
- */ -- mk_request_header_toc_parse(&toc, body, body_len); -+ if (mk_request_header_toc_parse(&toc, body + crlf + mk_crlf.len, -+ body_len - mk_crlf.len - crlf) < 0) { -+ return -1; -+ } - tmp = mk_request_header_get(&toc, - mk_rh_content_length.data, - mk_rh_content_length.len); -diff --git a/src/mk_request.c b/src/mk_request.c -index 5c1f07e..083aba8 100644 ---- a/src/mk_request.c -+++ b/src/mk_request.c -@@ -121,13 +121,32 @@ static void mk_request_free(struct session_request *sr) - - int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int len) - { -- int i; -+ int i = 0; -+ int header_len; -+ int colon; -+ char *q; - char *p = (char *) data; -- char *l = 0; -+ char *l = p; - - toc->length = 0; -+ -+ if (*p == '\r') goto out; - for (i = 0; l < (data + len) && p && i < MK_HEADERS_TOC_LEN; i++) { -- l = strstr(p, MK_CRLF); -+ if (*p == '\r') goto out; -+ -+ colon = -1; -+ for (q = p; *q != '\r'; ++q) { -+ if (*q == ':') { -+ colon = (q - p); -+ } -+ } -+ -+ l = (q); -+ header_len = (l - p) - mk_crlf.len; -+ if ((colon == -1) || (header_len == colon) || (*++q != '\n')) { -+ return -1; -+ } -+ - if (l) { - toc->rows[i].init = p; - toc->rows[i].end = l; -@@ -140,6 +159,7 @@ int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int l - } - } - -+ out: - return toc->length; - } - -@@ -237,13 +257,15 @@ static int mk_request_header_process(struct session_request *sr) - - /* Creating Table of Content (index) for HTTP headers */ - sr->headers_len = sr->body.len - (prot_end + mk_crlf.len); -- mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len); -+ if (mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len) < 0) { -+ MK_TRACE("Invalid headers"); -+ return -1; -+ } - - /* Host */ - host = mk_request_header_get(&sr->headers_toc, - mk_rh_host.data, - mk_rh_host.len); -- - if (host.data) { - if ((pos_sep = mk_string_char_search_r(host.data, ':', host.len)) >= 0) { - /* TCP port should not be higher 
than 65535 */ -@@ -321,8 +343,8 @@ static int mk_request_header_process(struct session_request *sr) - sr->keep_alive = MK_TRUE; - sr->close_now = MK_FALSE; - } -- else if(mk_string_search_n(sr->connection.data, "Close", -- MK_STR_INSENSITIVE, sr->connection.len) >= 0) { -+ else if (mk_string_search_n(sr->connection.data, "Close", -+ MK_STR_INSENSITIVE, sr->connection.len) >= 0) { - sr->keep_alive = MK_FALSE; - sr->close_now = MK_TRUE; - } --- -1.7.4.1 - diff --git a/www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild b/www-servers/monkeyd/monkeyd-1.2.1.ebuild index 0b38a35e6051..4f89ecb0c958 100644 --- a/www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild +++ b/www-servers/monkeyd/monkeyd-1.2.1.ebuild @@ -1,10 +1,10 @@ # Copyright 1999- Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild,v 1.1 2013/06/05 20:53:14 blueness Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.1.ebuild,v 1.1 2013/06/06 21:06:02 blueness Exp $ EAPI="5" -inherit toolchain-funcs depend.php multilib eutils +inherit toolchain-funcs depend.php multilib MY_P="${PN/d}-${PV}" DESCRIPTION="A small, fast, and scalable web server" @@ -42,9 +42,6 @@ pkg_setup() { } src_prepare() { - # Fixes security issue, bug #472400, CVE-2013-3843 - epatch "${FILESDIR}"/${PN}-fix-DoS-headers-parser.patch - # Don't install the banana script, we use ${FILESDIR}/monkeyd.initd instead sed -i '/Creating bin\/banana/d' configure || die "No configure file" sed -i '/create_banana_script bindir/d' configure || die "No configure file" |
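Review bot: With the `epatch` call removed from `src_prepare()`, the CVE-2013-3843 fix depends entirely on the 1.2.1 tarball carrying upstream's header-parser change, and nothing in the ebuild records that. A one-line comment in its place, e.g. `# CVE-2013-3843 (bug #472400) is fixed upstream in 1.2.1; local patch dropped`, would stop a later maintainer from reading the ebuild as never having been affected. The two remaining `sed -i '/.../d' configure || die "No configure file"` lines exit successfully even when the pattern no longer matches, so they will not catch a silent no-op if the new release's `configure` changed its wording. Dropping `eutils` from `inherit` is only safe if no other eutils helper is called in the parts of the ebuild outside these hunks, which should be confirmed.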