mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
cherokee: patch CVE-2020-12845
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-12845 Pick the merge commit that mentions the vulnerability. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
@@ -0,0 +1,195 @@
|
||||
From dab30272a2fc72f69542a6ae2d6d63de875574cb Mon Sep 17 00:00:00 2001
|
||||
From: Stefan de Konink <stefan@konink.de>
|
||||
Date: Sat, 25 Jul 2020 22:17:13 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-12845 (#1243)
|
||||
|
||||
* Implement tests for CVE-2020-12845
|
||||
|
||||
Can be manually reproduced by:
|
||||
curl -H "Authorization: Basic " -X GET url
|
||||
curl -H "Authorization: Digest " -X GET url
|
||||
|
||||
* Don't process empty input for cherokee_buffer_decode_base64
|
||||
* Don't process empty input for cherokee_validator_parse_basic and cherokee_validator_parse_digest
|
||||
* Guard empty input in get_authorization to resolve CVE-2020-12845
|
||||
|
||||
Thanks Patrik Lantz from F-Secure for reporting this issue!
|
||||
|
||||
CVE: CVE-2020-12845
|
||||
Upstream-Status: Backport [https://github.com/cherokee/webserver/commit/51f13b9535e652421c128ef541371854637ac32e]
|
||||
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||
---
|
||||
cherokee/buffer.c | 3 +++
|
||||
cherokee/connection.c | 5 +++++
|
||||
cherokee/validator.c | 14 ++++++++++++++
|
||||
qa/310-Authorization-empty.py | 35 +++++++++++++++++++++++++++++++++++
|
||||
qa/311-Authorization-empty.py | 33 +++++++++++++++++++++++++++++++++
|
||||
qa/Makefile.am | 4 +++-
|
||||
6 files changed, 93 insertions(+), 1 deletion(-)
|
||||
create mode 100644 qa/310-Authorization-empty.py
|
||||
create mode 100644 qa/311-Authorization-empty.py
|
||||
|
||||
diff --git a/cherokee/buffer.c b/cherokee/buffer.c
|
||||
index d93c1638..2b07ceb3 100644
|
||||
--- a/cherokee/buffer.c
|
||||
+++ b/cherokee/buffer.c
|
||||
@@ -1643,6 +1643,9 @@ cherokee_buffer_decode_base64 (cherokee_buffer_t *buf)
|
||||
-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1 /* F0-FF */
|
||||
};
|
||||
|
||||
+ if (unlikely(buf == NULL || buf->len == 0))
|
||||
+ return ret_ok;
|
||||
+
|
||||
for (i=0; i < buf->len; i++) {
|
||||
d = b64_decode_tab[(int) buf->buf[i]];
|
||||
if (d != -1) {
|
||||
diff --git a/cherokee/connection.c b/cherokee/connection.c
|
||||
index 0b790282..e11c01c3 100644
|
||||
--- a/cherokee/connection.c
|
||||
+++ b/cherokee/connection.c
|
||||
@@ -1895,6 +1895,11 @@ get_authorization (cherokee_connection_t *conn,
|
||||
ptr += pre_len;
|
||||
ptr_len -= pre_len;
|
||||
|
||||
+ /* Guard authentication string
|
||||
+ */
|
||||
+ if (ptr_len == 0)
|
||||
+ return ret_error;
|
||||
+
|
||||
/* Parse the request
|
||||
*/
|
||||
switch (conn->req_auth_type) {
|
||||
diff --git a/cherokee/validator.c b/cherokee/validator.c
|
||||
index 8b02b698..f227a813 100644
|
||||
--- a/cherokee/validator.c
|
||||
+++ b/cherokee/validator.c
|
||||
@@ -125,6 +125,11 @@ cherokee_validator_parse_basic (cherokee_validator_t *validator, char *str, cuin
|
||||
char *colon;
|
||||
cherokee_buffer_t auth = CHEROKEE_BUF_INIT;
|
||||
|
||||
+ /* Guard empty input
|
||||
+ */
|
||||
+ if (unlikely(str == NULL || str_len == 0))
|
||||
+ goto error;
|
||||
+
|
||||
/* Decode base64
|
||||
*/
|
||||
cherokee_buffer_add (&auth, str, str_len);
|
||||
@@ -166,6 +171,11 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator,
|
||||
cherokee_buffer_t auth = CHEROKEE_BUF_INIT;
|
||||
cherokee_buffer_t *entry_buf;
|
||||
|
||||
+ /* Guard empty input
|
||||
+ */
|
||||
+ if (unlikely(str == NULL || str_len == 0))
|
||||
+ goto error;
|
||||
+
|
||||
/* Copy authentication string
|
||||
*/
|
||||
cherokee_buffer_add (&auth, str, str_len);
|
||||
@@ -260,6 +270,10 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator,
|
||||
*/
|
||||
cherokee_buffer_mrproper (&auth);
|
||||
return ret_ok;
|
||||
+
|
||||
+error:
|
||||
+ cherokee_buffer_mrproper (&auth);
|
||||
+ return ret_error;
|
||||
}
|
||||
|
||||
|
||||
diff --git a/qa/310-Authorization-empty.py b/qa/310-Authorization-empty.py
|
||||
new file mode 100644
|
||||
index 00000000..ef2f8d24
|
||||
--- /dev/null
|
||||
+++ b/qa/310-Authorization-empty.py
|
||||
@@ -0,0 +1,35 @@
|
||||
+import base64
|
||||
+
|
||||
+from conf import *
|
||||
+from base import *
|
||||
+
|
||||
+MAGIC = "Cherokee supports old crypt password hashes"
|
||||
+REALM = "realm"
|
||||
+USER = "username"
|
||||
+PASSWD = "alo"
|
||||
+
|
||||
+CONF = """
|
||||
+vserver!1!rule!3100!match = directory
|
||||
+vserver!1!rule!3100!match!directory = /htpasswd_plain_empty
|
||||
+vserver!1!rule!3100!match!final = 0
|
||||
+vserver!1!rule!3100!auth = htpasswd
|
||||
+vserver!1!rule!3100!auth!methods = basic
|
||||
+vserver!1!rule!3100!auth!realm = %s
|
||||
+vserver!1!rule!3100!auth!passwdfile = %s
|
||||
+"""
|
||||
+
|
||||
+class Test (TestBase):
|
||||
+ def __init__ (self):
|
||||
+ TestBase.__init__ (self, __file__)
|
||||
+
|
||||
+ self.name = "Authorization: Basic empty"
|
||||
+ self.expected_error = 401
|
||||
+ self.request = "GET /htpasswd_plain_empty/file HTTP/1.0\r\n" + \
|
||||
+ "Authorization: Basic \r\n"
|
||||
+
|
||||
+ def Prepare (self, www):
|
||||
+ tdir = self.Mkdir (www, "htpasswd_plain_empty")
|
||||
+ passf = self.WriteFile (tdir, "passwd", 0444, '%s:%s\n' %(USER, PASSWD))
|
||||
+ self.WriteFile (tdir, "file", 0444, MAGIC)
|
||||
+
|
||||
+ self.conf = CONF % (REALM, passf)
|
||||
diff --git a/qa/311-Authorization-empty.py b/qa/311-Authorization-empty.py
|
||||
new file mode 100644
|
||||
index 00000000..017fe036
|
||||
--- /dev/null
|
||||
+++ b/qa/311-Authorization-empty.py
|
||||
@@ -0,0 +1,33 @@
|
||||
+import base64
|
||||
+
|
||||
+from base import *
|
||||
+
|
||||
+MAGIC = "Don't show this"
|
||||
+
|
||||
+CONF = """
|
||||
+vserver!1!rule!3110!match = directory
|
||||
+vserver!1!rule!3110!match!directory = /digest_empty_1
|
||||
+vserver!1!rule!3110!match!final = 0
|
||||
+vserver!1!rule!3110!auth = plain
|
||||
+vserver!1!rule!3110!auth!methods = digest
|
||||
+vserver!1!rule!3110!auth!realm = Test is the realm
|
||||
+vserver!1!rule!3110!auth!passwdfile = %s
|
||||
+"""
|
||||
+
|
||||
+class Test (TestBase):
|
||||
+ def __init__ (self):
|
||||
+ TestBase.__init__ (self, __file__)
|
||||
+ self.name = "Authorization: Digest empty"
|
||||
+
|
||||
+ self.request = "GET /digest_empty_1/file HTTP/1.0\r\n" + \
|
||||
+ "Authorization: Digest \r\n"
|
||||
+ self.expected_error = 401
|
||||
+ self.expected_content = [ "WWW-Authenticate: Digest", "qop=", "algorithm=" ]
|
||||
+ self.forbiden_content = MAGIC
|
||||
+
|
||||
+ def Prepare (self, www):
|
||||
+ tdir = self.Mkdir (www, "digest_empty_1")
|
||||
+ self.WriteFile (tdir, "file", 0444, MAGIC)
|
||||
+ passfile = self.WriteFile (tdir, ".passwd", 0444, "user:password\n")
|
||||
+
|
||||
+ self.conf = CONF % (passfile)
|
||||
diff --git a/qa/Makefile.am b/qa/Makefile.am
|
||||
index 5cdaf4d6..e5bd42ce 100644
|
||||
--- a/qa/Makefile.am
|
||||
+++ b/qa/Makefile.am
|
||||
@@ -326,7 +326,9 @@ run-tests.py \
|
||||
302-DirIndex3.py \
|
||||
304-Dirlist-TransferEncoding.py \
|
||||
305-Error-ContentLength.py \
|
||||
-306-NoContent-keepalive.py
|
||||
+306-NoContent-keepalive.py \
|
||||
+310-Authorization-empty.py \
|
||||
+311-Authorization-empty.py
|
||||
|
||||
if USE_OPENSSL
|
||||
ssl-keys/set-1.pem: ssl-keys/set-1.key openssl.cnf
|
||||
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \
|
||||
file://0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch \
|
||||
file://0001-make-Do-not-build-po-files.patch \
|
||||
file://0001-common-internal.h-Define-LLONG_MAX-if-undefined.patch \
|
||||
file://CVE-2020-12845.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
Reference in New Issue
Block a user