GNU bug report logs - #46634
[PATCH] gnu: node: Update to 10.23.3. [security fixes]


Package: guix-patches;

Reported by: Jelle Licht <jlicht <at> fsfe.org>

Date: Fri, 19 Feb 2021 11:04:01 UTC

Severity: normal

Tags: patch

Done: Jelle Licht <jlicht <at> fsfe.org>

Bug is archived. No further changes may be made.


Message #5 received at submit <at> debbugs.gnu.org:

From: Jelle Licht <jlicht <at> fsfe.org>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Fri, 19 Feb 2021 12:02:46 +0100
Hey Guix,

The attached two patches together should address CVE-2020-8287 (in
Node). I am kind of fuzzy on the details, but to me it seems that the
vulnerability is actually in http-parser (and llhttp), not node. I
informed upstream about my findings, but in the meantime we should
probably apply these.

The node package subsequently has a regression test to demonstrate that
the applied fix works. Nonetheless, http-parser has quite some
dependents, and I only verified everything to still work with node.

 - Jelle

[0001-gnu-http-parser-Update-to-2.9.4-1.ec8b5ee-fixes-CVE-.patch (text/x-patch, inline)]
From a89046a7d2dc585c7f0760ed1799ad8c7c9eff1a Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht <at> fsfe.org>
Date: Tue, 16 Feb 2021 23:28:58 +0100
Subject: [PATCH] gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes
 CVE-2020-8287].

Fixes CVE-2020-8287.

* gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee.
  [source]: Add patch to mitigate CVE.
* gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch: New file.
* gnu/local.mk [dist_patch_DATA]: New patch.
---
 gnu/local.mk                                  |   1 +
 .../patches/http-parser-CVE-2020-8287.patch   |  75 ++++++++++
 gnu/packages/web.scm                          | 136 +++++++++---------
 3 files changed, 146 insertions(+), 66 deletions(-)
 create mode 100644 gnu/packages/patches/http-parser-CVE-2020-8287.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 250901f6d9..2e20638047 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1164,6 +1164,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/hdf-eos5-remove-gctp.patch		\
   %D%/packages/patches/hdf-eos5-fix-szip.patch			\
   %D%/packages/patches/hdf-eos5-fortrantests.patch		\
+  %D%/packages/patches/http-parser-CVE-2020-8287.patch		\
   %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch	\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-cross.patch				\
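Review bot: the path added here, `%D%/packages/patches/http-parser-CVE-2020-8287.patch`, does not match the ChangeLog line in the commit message, which reads `gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch` with a duplicated `patches/` component; fix the commit message so it names the file this hunk actually adds. The entry itself sits in the right alphabetical slot, before `http-parser-fix-assertion-on-armhf.patch`.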
diff --git a/gnu/packages/patches/http-parser-CVE-2020-8287.patch b/gnu/packages/patches/http-parser-CVE-2020-8287.patch
new file mode 100644
index 0000000000..580f773099
--- /dev/null
+++ b/gnu/packages/patches/http-parser-CVE-2020-8287.patch
@@ -0,0 +1,75 @@
+From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001
+From: Fedor Indutny <fedor <at> indutny.com>
+Date: Wed, 18 Nov 2020 20:50:21 -0800
+Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: https://github.com/nodejs-private/node-private/pull/235
+Reviewed-By: Fedor Indutny <fedor.indutny <at> gmail.com>
+---
+ http_parser.c |  7 +++++++
+ test.c        | 26 ++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/http_parser.c b/http_parser.c
+index 9be003e7322..e9b2b9e83b9 100644
+--- a/http_parser.c
++++ b/http_parser.c
+@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
+               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+                 parser->header_state = h_transfer_encoding;
+                 parser->uses_transfer_encoding = 1;
++
++                /* Multiple `Transfer-Encoding` headers should be treated as
++                 * one, but with values separate by a comma.
++                 *
++                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++                 */
++                parser->flags &= ~F_CHUNKED;
+               }
+               break;
+ 
+diff --git a/test.c b/test.c
+index 3f7c77b3494..2e5a9ebd678 100644
+--- a/test.c
++++ b/test.c
+@@ -2154,6 +2154,32 @@ const struct message responses[] =
+   ,.body= "2\r\nOK\r\n0\r\n\r\n"
+   ,.num_chunks_complete= 0
+   }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++  ,.type= HTTP_RESPONSE
++  ,.raw= "HTTP/1.1 200 OK\r\n"
++         "Transfer-Encoding: chunked\r\n"
++         "Transfer-Encoding: identity\r\n"
++         "\r\n"
++         "2\r\n"
++         "OK\r\n"
++         "0\r\n"
++         "\r\n"
++  ,.should_keep_alive= FALSE
++  ,.message_complete_on_eof= TRUE
++  ,.http_major= 1
++  ,.http_minor= 1
++  ,.status_code= 200
++  ,.response_status= "OK"
++  ,.content_length= -1
++  ,.num_headers= 2
++  ,.headers=
++    { { "Transfer-Encoding", "chunked" }
++    , { "Transfer-Encoding", "identity" }
++    }
++  ,.body= "2\r\nOK\r\n0\r\n\r\n"
++  ,.num_chunks_complete= 0
++  }
+ };
+ 
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
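Review bot: the regression test added to `responses[]` covers only the response direction (`Transfer-Encoding: chunked` followed by `Transfer-Encoding: identity`, expected to be read to EOF with `num_chunks_complete= 0`), while the `parser->flags &= ~F_CHUNKED;` change in `http_parser_execute` applies equally to requests; a matching request-side case with the same two headers would pin the behaviour for both directions. Minor: the new comment says "values separate by a comma", where "separated" is meant.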
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index d55e3ac70c..6745d7b5fd 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -6162,78 +6162,82 @@ into your tests.  It automatically starts up a HTTP server in a separate thread
     (license license:expat)))
 
 (define-public http-parser
-  (package
-    (name "http-parser")
-    (version "2.9.4")
-    (home-page "https://github.com/nodejs/http-parser")
-    (source
-     (origin
-       (method git-fetch)
-       (uri (git-reference (url home-page)
-                           (commit (string-append "v" version))))
-       (sha256
-        (base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c"))
-       (file-name (git-file-name name version))
-       (patches
-        (list
-         (origin
-           ;; Treat an empty port (e.g. `http://hostname:/`) when parsing
-           ;; URLs as if no port were specified.  This patch is applied
-           ;; to Fedora's http-parser and to libgit2's bundled version.
-           (method url-fetch)
-           (uri (string-append
-                 "https://src.fedoraproject.org/rpms/http-parser/raw/"
-                 "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/"
-                 "f/0001-url-treat-empty-port-as-default.patch"))
-           (sha256
-            (base32
-             "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))
-    (build-system gnu-build-system)
-    (arguments
-     `(#:test-target "test"
-       #:make-flags
-       (list (string-append "PREFIX="
-                            (assoc-ref %outputs "out"))
-             "library"
-             ,@(if (%current-target-system)
-                   '()
-                   '("CC=gcc")))
-       #:phases
-       (modify-phases %standard-phases
-         ,@(match (%current-system)
+  (let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d")
+        (revision "1"))
+    (package
+      (name "http-parser")
+      (version (git-version "2.9.4" revision commit))
+      (home-page "https://github.com/nodejs/http-parser")
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference (url home-page)
+                             (commit commit)))
+         (sha256
+          (base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i"))
+         (file-name (git-file-name name version))
+         (patches
+          (append
+           (search-patches "http-parser-CVE-2020-8287.patch")
+           (list
+            (origin
+              ;; Treat an empty port (e.g. `http://hostname:/`) when parsing
+              ;; URLs as if no port were specified.  This patch is applied
+              ;; to Fedora's http-parser and to libgit2's bundled version.
+              (method url-fetch)
+              (uri (string-append
+                    "https://src.fedoraproject.org/rpms/http-parser/raw/"
+                    "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/"
+                    "f/0001-url-treat-empty-port-as-default.patch"))
+              (sha256
+               (base32
+                "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))))
+      (build-system gnu-build-system)
+      (arguments
+       `(#:test-target "test"
+         #:make-flags
+         (list (string-append "PREFIX="
+                              (assoc-ref %outputs "out"))
+               "library"
+               ,@(if (%current-target-system)
+                     '()
+                     '("CC=gcc")))
+         #:phases
+         (modify-phases %standard-phases
+           ,@(match (%current-system)
+               ("armhf-linux"
+                '((add-before 'check 'apply-assertion.patch
+                    (lambda* (#:key inputs #:allow-other-keys)
+                      (let ((patch (assoc-ref inputs "assertion.patch")))
+                        (invoke "patch" "-p1" "-i" patch)
+                        #t)))))
+               (_ '()))
+           ,@(if (%current-target-system)
+                 '((replace 'configure
+                     (lambda* (#:key target #:allow-other-keys)
+                       (substitute* (find-files "." "Makefile")
+                         (("CC\\?=.*$")
+                          (string-append "CC=" target "-gcc\n"))
+                         (("AR\\?=.*$")
+                          (string-append "AR=" target "-ar\n")))
+                       #t)))
+                 '((delete 'configure))))))
+      (native-inputs
+       `(,@(match (%current-system)
              ("armhf-linux"
-              '((add-before 'check 'apply-assertion.patch
-                  (lambda* (#:key inputs #:allow-other-keys)
-                    (let ((patch (assoc-ref inputs "assertion.patch")))
-                      (invoke "patch" "-p1" "-i" patch)
-                      #t)))))
-             (_ '()))
-         ,@(if (%current-target-system)
-               '((replace 'configure
-                    (lambda* (#:key target #:allow-other-keys)
-                      (substitute* (find-files "." "Makefile")
-                        (("CC\\?=.*$")
-                         (string-append "CC=" target "-gcc\n"))
-                        (("AR\\?=.*$")
-                         (string-append "AR=" target "-ar\n")))
-                      #t)))
-               '((delete 'configure))))))
-    (native-inputs
-     `(,@(match (%current-system)
-           ("armhf-linux"
-            ;; A fix for <https://issues.guix.gnu.org/40604> which in turn
-            ;; breaks i686-linux builds.
-            `(("assertion.patch"
-               ,@(search-patches "http-parser-fix-assertion-on-armhf.patch"))))
-           (_ '()))))
-    (synopsis "HTTP request/response parser for C")
-    (description "This is a parser for HTTP messages written in C.  It parses
+              ;; A fix for <https://issues.guix.gnu.org/40604> which in turn
+              ;; breaks i686-linux builds.
+              `(("assertion.patch"
+                 ,@(search-patches "http-parser-fix-assertion-on-armhf.patch"))))
+             (_ '()))))
+      (synopsis "HTTP request/response parser for C")
+      (description "This is a parser for HTTP messages written in C.  It parses
 both requests and responses.  The parser is designed to be used in
 high-performance HTTP applications.  It does not make any syscalls nor
 allocations, it does not buffer data, it can be interrupted at anytime.
 Depending on your architecture, it only requires about 40 bytes of data per
 message stream (in a web server that is per connection).")
-    (license license:expat)))
+      (license license:expat))))
 
 (define-public python-httpretty
   (package
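Review bot: the hunk both pins the source to commit `ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d` and adds `http-parser-CVE-2020-8287.patch` through `search-patches`, but nothing records why the upstream fix (commit `fc70ce08f5818a286fb5899a1bc3aff5965a745e` from the nodejs-private PR named in the patch header) is not already part of that pinned commit; a one-line comment next to `(search-patches "http-parser-CVE-2020-8287.patch")` saying the fix is carried as a local patch because it is not in the pinned commit would tell a future maintainer when the patch can be dropped. Also, almost all of this hunk is re-indentation from wrapping the package in `let`; reviewed with whitespace ignored, the substantive changes are the `commit`/`revision` bindings, `(version (git-version "2.9.4" revision commit))`, the new `sha256`, and the `append` of the patch list.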
-- 
2.30.1

[0002-gnu-node-Update-to-10.23.3.patch (text/x-patch, inline)]
From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht <at> fsfe.org>
Date: Wed, 17 Feb 2021 00:06:04 +0100
Subject: [PATCH] gnu: node: Update to 10.23.3.

* gnu/packages/node.scm (node): Update to 10.23.3.
---
 gnu/packages/node.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index 77c47ec71f..051c4c3b41 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -50,14 +50,14 @@
 (define-public node
   (package
     (name "node")
-    (version "10.22.1")
+    (version "10.23.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://nodejs.org/dist/v" version
                                   "/node-v" version ".tar.xz"))
               (sha256
                (base32
-                "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
+                "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi"))
               (modules '((guix build utils)))
               (snippet
                `(begin
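Review bot: the commit message stops at "Update to 10.23.3." and says nothing about the security motivation, although the cover mail is tagged [security fixes] and the companion http-parser patch carries "Fixes CVE-2020-8287"; add a matching "Fixes CVE-2020-8287" line (or at least "[security fixes]" in the subject) so the reason for the bump survives in the git log. The hunk itself is a clean version and hash change; the `snippet` below the changed lines is untouched, so the rest of the package definition still applies to the new tarball.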
-- 
2.30.1
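The attached http-parser patch clears `F_CHUNKED` whenever a new `Transfer-Encoding` field begins, so that `chunked` only counts when it is still the final coding after duplicate fields are folded into one comma-separated list (RFC 7230 section 3.2.2). The C function below is an added example, not code from the patch, http-parser or Guix; it checks that same property over a constructed header table (`struct hdr` and `te_chunked_is_final` are assumed names).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed header representation (assumed here, not http-parser's). */
struct hdr { const char *name; const char *value; };
/* Fold all Transfer-Encoding fields into one comma-separated list (RFC 7230
 * section 3.2.2) and report whether "chunked" is the final coding:
 * 1 = yes, 0 = present but another coding is last, -1 = field absent. */
int te_chunked_is_final(const struct hdr *h, size_t n)
{
    const char *last = NULL;   /* most recent coding token seen */
    size_t last_len = 0;
    int seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(h[i].name, "Transfer-Encoding") != 0)
            continue;
        seen = 1;
        /* A later field's tokens follow the earlier ones, so a second field
         * without "chunked" makes "chunked" non-final; this is what the
         * patch's clearing of F_CHUNKED on each new field achieves. */
        for (const char *p = h[i].value; *p != '\0';) {
            while (*p == ',' || *p == ' ' || *p == '\t')
                p++;                          /* skip separators */
            const char *start = p;
            while (*p != '\0' && *p != ',')
                p++;                          /* end of this token */
            const char *end = p;
            while (end > start && isspace((unsigned char)end[-1]))
                end--;                        /* trim trailing whitespace */
            if (end > start) {
                last = start;
                last_len = (size_t)(end - start);
            }
        }
    }
    if (!seen)
        return -1;
    return last_len == 7 && strncasecmp(last, "chunked", 7) == 0;
}

int main(void)
{
    /* Constructed sample: the case from the patch's regression test. */
    const struct hdr page_case[] = { { "Transfer-Encoding", "chunked" },
                                     { "Transfer-Encoding", "identity" } };
    printf("chunked is final: %d\n", te_chunked_is_final(page_case, 2));
    return 0;
}
```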


Message #8 received at 46634 <at> debbugs.gnu.org:

From: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
To: Jelle Licht <jlicht <at> fsfe.org>, 46634 <at> debbugs.gnu.org
Subject: Re: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Tue, 23 Feb 2021 20:29:35 +0100
On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the meantime we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
>   - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0,
and so also for the next ESR branch of icecat and icedove...

Message #13 received at 46634-done <at> debbugs.gnu.org:

From: Jelle Licht <jlicht <at> fsfe.org>
To: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>,
 46634-done <at> debbugs.gnu.org
Subject: Re: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Wed, 24 Feb 2021 10:38:34 +0100
Jonathan Brielmaier <jonathan.brielmaier <at> web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the meantime we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>>   - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0,
> and so also for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts:

I pushed the patches to master, with the security fix at 66fa2d318a.
 - Jelle
Bug archived. (Wed, 24 Mar 2021 11:24:06 GMT)
