packages/rubygem-puma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!37 Fix CVE-2024-21647

Browse Source 
From: @wk333 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001
This commit is contained in:
openeuler-ci-bot 2024-01-15 03:03:22 +00:00 committed by Gitee
commit a2fe847ed9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
CVE-2024-21647.patch Normal file
View File

@ -0,0 +1,103 @@
From bbb880ffb6debbfdea535b4b3eb2204d49ae151d Mon Sep 17 00:00:00 2001
From: Nate Berkopec <nate.berkopec@gmail.com>
Date: Mon, 8 Jan 2024 14:48:43 +0900
Subject: [PATCH] Merge pull request from GHSA-c2f4-cvqm-65w2
Origin: https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
Co-authored-by: MSP-Greg <MSP-Greg@users.noreply.github.com>
Co-authored-by: Patrik Ragnarsson <patrik@starkast.net>
Co-authored-by: Evan Phoenix <evan@phx.io>
---
lib/puma/client.rb | 27 +++++++++++++++++++++++++++
test/test_puma_server.rb | 14 ++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/lib/puma/client.rb b/lib/puma/client.rb
index 0741107..9746bd4 100644
--- a/lib/puma/client.rb
+++ b/lib/puma/client.rb
@@ -40,6 +40,14 @@ module Puma
# no body share this one object since it has no state.
EmptyBody = NullIO.new
+ # The maximum number of bytes we'll buffer looking for a valid
+ # chunk header.
+ MAX_CHUNK_HEADER_SIZE = 4096
+
+ # The maximum amount of excess data the client sends
+ # using chunk size extensions before we abort the connection.
+ MAX_CHUNK_EXCESS = 16 * 1024
+
include Puma::Const
extend Forwardable
@@ -427,6 +435,7 @@ module Puma
@chunked_body = true
@partial_part_left = 0
@prev_chunk = ""
+ @excess_cr = 0
@body = Tempfile.new(Const::PUMA_TMP_BASE)
@body.unlink
@@ -496,6 +505,20 @@ module Puma
end
end
+ # Track the excess as a function of the size of the
+ # header vs the size of the actual data. Excess can
+ # go negative (and is expected to) when the body is
+ # significant.
+ # The additional of chunk_hex.size and 2 compensates
+ # for a client sending 1 byte in a chunked body over
+ # a long period of time, making sure that that client
+ # isn't accidentally eventually punished.
+ @excess_cr += (line.size - len - chunk_hex.size - 2)
+
+ if @excess_cr >= MAX_CHUNK_EXCESS
+ raise HttpParserError, "Maximum chunk excess detected"
+ end
+
len += 2
part = io.read(len)
@@ -518,6 +541,10 @@ module Puma
@partial_part_left = len - part.size
end
else
+ if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+ raise HttpParserError, "maximum size of chunk header exceeded"
+ end
+
@prev_chunk = line
return false
end
diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
index bfa2b97..f179757 100644
--- a/test/test_puma_server.rb
+++ b/test/test_puma_server.rb
@@ -645,6 +645,20 @@ EOF
end
end
+ def test_large_chunked_request_header
+ server_run(environment: :production) { |env|
+ [200, {}, [""]]
+ }
+
+ max_chunk_header_size = Puma::Client::MAX_CHUNK_HEADER_SIZE
+ header = "GET / HTTP/1.1\r\nConnection: close\r\nContent-Length: 200\r\nTransfer-Encoding: chunked\r\n\r\n"
+ socket = send_http "#{header}1;t#{'x' * (max_chunk_header_size + 2)}"
+
+ data = socket.read
+
+ assert_match "HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n", data
+ end
+
def test_chunked_request_pause_before_value
body = nil
content_length = nil
--
2.33.0

7
rubygem-puma.spec
View File

@ -2,7 +2,7 @@
%bcond_with ragel %bcond_with ragel
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 5.5.2 Version: 5.5.2
Release: 3 Release: 4
Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server
License: BSD-3-Clause License: BSD-3-Clause
URL: http://puma.io URL: http://puma.io
@ -14,6 +14,7 @@ Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch
Patch1: Support-for-cert_pem-and-key_pem-with-ssl_bind-DSL.patch Patch1: Support-for-cert_pem-and-key_pem-with-ssl_bind-DSL.patch
# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb # https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
Patch2: CVE-2022-23634.patch Patch2: CVE-2022-23634.patch
Patch3: CVE-2024-21647.patch
BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack) BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack)
BuildRequires: rubygem(minitest) rubygem(sd_notify) BuildRequires: rubygem(minitest) rubygem(sd_notify)
@ -38,6 +39,7 @@ Documentation for %{name}.
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
rm -rf test/test_thread_pool.rb rm -rf test/test_thread_pool.rb
%if %{with ragel} %if %{with ragel}
@ -122,6 +124,9 @@ ruby -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
%{gem_instdir}/tools %{gem_instdir}/tools
%changelog %changelog
* Fri Jan 12 2024 wangkai <13474090681@163.com> - 5.5.2-4
- Fix CVE-2024-21647
* Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 5.5.2-3 * Tue Dec 19 2023 yaoxin <yao_xin001@hoperun.com> - 5.5.2-3
- Fix CVE-2022-23634 - Fix CVE-2022-23634