fix CVE-2019-0205 CVE-2019-0210

2021-01-12 14:17:45 +08:00 · 2021-01-12 14:17:45 +08:00 · b001e02f7b
commit b001e02f7b
parent 4c16ee6108
3 changed files with 108 additions and 1 deletions
--- a/CVE-2019-0205.patch
+++ b/CVE-2019-0205.patch
@ -0,0 +1,23 @@
+From 2b70c1df2bb2c1667f30dff6d4b263459fabe91a Mon Sep 17 00:00:00 2001
+From: Jens Geyer <jensg@apache.org>
+Date: Sat, 9 Feb 2019 11:50:03 +0100
+Subject: [PATCH] THRIFT-4784 Thrift should throw when skipping over unexpected
+ data Client: as3 Patch: Jens Geyer
+
+---
+ lib/as3/src/org/apache/thrift/protocol/TProtocolUtil.as | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/as3/src/org/apache/thrift/protocol/TProtocolUtil.as b/lib/as3/src/org/apache/thrift/protocol/TProtocolUtil.as
+index 513df954be..22877b75b2 100644
+--- a/lib/as3/src/org/apache/thrift/protocol/TProtocolUtil.as
+++ b/lib/as3/src/org/apache/thrift/protocol/TProtocolUtil.as
+@@ -141,7 +141,7 @@ package org.apache.thrift.protocol {
+           break;
+         }
+         default:
+-          break;
+          throw new TProtocolError(TProtocolError.INVALID_DATA, "invalid data");
+       }
+     }
+   }
--- a/CVE-2019-0210.patch
+++ b/CVE-2019-0210.patch
@ -0,0 +1,79 @@
+From 264a3f318ed3e9e51573f67f963c8509786bcec2 Mon Sep 17 00:00:00 2001
+From: Jens Geyer <jensg@apache.org>
+Date: Sat, 23 Feb 2019 13:11:40 +0100
+Subject: [PATCH] additional test for TSimpleJSONProtocol
+
+---
+ lib/go/thrift/json_protocol.go             |  5 +----
+ lib/go/thrift/simple_json_protocol.go      |  4 ++--
+ lib/go/thrift/simple_json_protocol_test.go | 22 ++++++++++++++++++++++
+ 3 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/lib/go/thrift/json_protocol.go b/lib/go/thrift/json_protocol.go
+index 7be685d43f..800ac22c7b 100644
+--- a/lib/go/thrift/json_protocol.go
+++ b/lib/go/thrift/json_protocol.go
+@@ -31,10 +31,7 @@ const (
+ // for references to _ParseContext see tsimplejson_protocol.go
+ 
+ // JSON protocol implementation for thrift.
+-//
+-// This protocol produces/consumes a simple output format
+-// suitable for parsing by scripting languages.  It should not be
+-// confused with the full-featured TJSONProtocol.
+// Utilizes Simple JSON protocol
+ //
+ type TJSONProtocol struct {
+ 	*TSimpleJSONProtocol
+diff --git a/lib/go/thrift/simple_json_protocol.go b/lib/go/thrift/simple_json_protocol.go
+index 2e8a71112a..f5e0c05d18 100644
+--- a/lib/go/thrift/simple_json_protocol.go
+++ b/lib/go/thrift/simple_json_protocol.go
+@@ -59,7 +59,7 @@ func (p _ParseContext) String() string {
+ 	return "UNKNOWN-PARSE-CONTEXT"
+ }
+ 
+-// JSON protocol implementation for thrift.
+// Simple JSON protocol implementation for thrift.
+ //
+ // This protocol produces/consumes a simple output format
+ // suitable for parsing by scripting languages.  It should not be
+@@ -1316,7 +1316,7 @@ func (p *TSimpleJSONProtocol) readNumeric() (Numeric, error) {
+ func (p *TSimpleJSONProtocol) safePeekContains(b []byte) bool {
+ 	for i := 0; i < len(b); i++ {
+ 		a, _ := p.reader.Peek(i + 1)
+-		if len(a) == 0 || a[i] != b[i] {
+		if len(a) < (i+1) || a[i] != b[i] {
+ 			return false
+ 		}
+ 	}
+diff --git a/lib/go/thrift/simple_json_protocol_test.go b/lib/go/thrift/simple_json_protocol_test.go
+index 7b98082a4e..0126da0a8e 100644
+--- a/lib/go/thrift/simple_json_protocol_test.go
+++ b/lib/go/thrift/simple_json_protocol_test.go
+@@ -713,3 +713,25 @@ func TestWriteSimpleJSONProtocolMap(t *testing.T) {
+ 	}
+ 	trans.Close()
+ }
+
+func TestWriteSimpleJSONProtocolSafePeek(t *testing.T) {
+	trans := NewTMemoryBuffer()
+	p := NewTSimpleJSONProtocol(trans)
+	trans.Write([]byte{'a', 'b'})
+	trans.Flush(context.Background())
+	
+	test1 := p.safePeekContains([]byte{'a', 'b'})
+	if !test1 {
+		t.Fatalf("Should match at test 1")
+	}
+	
+	test2 := p.safePeekContains([]byte{'a', 'b', 'c', 'd'})
+	if test2 {
+		t.Fatalf("Should not match at test 2")
+	}
+	
+	test3 := p.safePeekContains([]byte{'x', 'y'})
+	if test3 {
+		t.Fatalf("Should not match at test 3")
+	}
+}
--- a/thrift.spec
+++ b/thrift.spec
@ -30,7 +30,7 @@
 %global golang_configure --without-go
 Name:                thrift
 Version:             0.10.0
-Release:             2
+Release:             3
 Summary:             Software framework for cross-language services development
 License:             ASL 2.0 and BSD and zlib
 URL:                 https://thrift.apache.org/
@ -46,6 +46,8 @@ Patch4:              THRIFT-4177.patch
 Patch5:              python3.patch
 Patch6:              CVE-2018-11798.patch
 Patch7:              CVE-2018-1320.patch
+Patch8:              CVE-2019-0205.patch
+Patch9:              CVE-2019-0210.patch

 BuildRequires:       ant >= 1.7 autoconf automake bison boost-devel flex flex-devel gcc-c++
 BuildRequires:       glib2-devel libevent-devel libstdc++-devel libtool openssl-devel qt-devel
@ -364,6 +366,9 @@ find %{buildroot} -name \*.py -exec grep -q /usr/bin/env {} \; -print | xargs -r
 %doc LICENSE NOTICE

 %changelog
+* Tue Nov 12 2020 wangxiao <wangxiao65@huawei.com> - 0.10.0-3
+- Fix CVE-2019-0205 and CVE-2019-0210
+
 * Thu Nov 05 2020 wangyue <wangyue92@huawei.com> - 0.10.0-2
 - Fix CVE-2018-11798 and CVE-2018-1320.