fix cve

2020-01-12 12:05:52 +08:00 · 2020-01-12 12:05:52 +08:00 · 6e45701335
commit 6e45701335
parent eca01bf363
2 changed files with 73 additions and 1 deletions
--- a/CVE-2019-3804.patch
+++ b/CVE-2019-3804.patch
@ -0,0 +1,64 @@
+From c51f6177576d7e12614c64d316cf0b67addd17c9 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@redhat.com>
+Date: Thu, 13 Dec 2018 15:12:44 +0100
+Subject: [PATCH] ws: Fix bug parsing invalid base64 headers
+
+The len parameter to g_base64_decode_inplace() is a inout
+parameter, and needs to be initialized. Lets just use
+the simpler g_base64_decode() function. This fixes a segfault.
+
+Closes #10819
+---
+ src/ws/cockpitauth.c | 13 ++++++++-----
+ src/ws/test-auth.c   |  6 ++++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
+index 474e13c..963f7a7 100644
+--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
+@@ -1159,16 +1159,19 @@ cockpit_auth_class_init (CockpitAuthClass *klass)
+   cockpit_authorize_logger (authorize_logger, 0);
+ }
+ 
+-static char *
+static gchar *
+ base64_decode_string (const char *enc)
+ {
+  gchar *dec;
+  gsize len;
+
+   if (enc == NULL)
+     return NULL;
+ 
+-  char *dec = g_strdup (enc);
+-  gsize len;
+-  g_base64_decode_inplace (dec, &len);
+-  dec[len] = '\0';
+  dec = (gchar *)g_base64_decode (enc, &len);
+  if (dec)
+    dec[len] = '\0';
+
+   return dec;
+ }
+ 
+diff --git a/src/ws/test-auth.c b/src/ws/test-auth.c
+index 6f84b01..57d9462 100644
+--- a/src/ws/test-auth.c
+++ b/src/ws/test-auth.c
+@@ -286,6 +286,12 @@ test_headers_bad (Test *test,
+   if (cockpit_auth_check_cookie (test->auth, "/cockpit", headers))
+       g_assert_not_reached ();
+
+  /* Bad encoding */
+  g_hash_table_remove_all (headers);
+  g_hash_table_insert (headers, g_strdup ("Cookie"), g_strdup ("cockpit=d"));
+  if (cockpit_auth_check_cookie (test->auth, "/cockpit", headers))
+      g_assert_not_reached ();
+
+   g_hash_table_destroy (headers);
+ }
+ 
+-- 
+2.19.1
+
--- a/cockpit.spec
+++ b/cockpit.spec
@ -1,12 +1,14 @@
 %bcond_with pcp
 Name:           cockpit
 Version:        178
-Release:        5
+Release:        6
 Summary:        A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
 License:        LGPLv2+
 URL:            https://cockpit-project.org/
 Source0:        https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz

+Patch6000:      CVE-2019-3804.patch
+
 BuildRequires:  pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
 BuildRequires:  autoconf automake python3 intltool libssh-devel >= 0.7.1 openssl-devel zlib-devel krb5-devel
 BuildRequires:  libxslt-devel docbook-style-xsl glib-networking sed glib2-devel >= 2.37.4
@ -175,6 +177,12 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
 %doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz}

 %changelog
+* Sun Jan 12 2020 zhangrui <zhangrui182@huawei.com> - 178-6
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2019-3804
+
 * Mon Oct 28 2019 caomeng <caomeng5@huawei.com> - 178-5
 - Type:NA
 - ID:NA