Subject: python-twisted: twisted version 14.0.2-3+deb8u1 in jessie (security) is broken
Followup-For: Bug #953950
Package: python-twisted-web
Version: 14.0.2-3+deb8u1

Dear Maintainer,

After upgrading to latest jessie, I got the new python-twisted* packages
in version 14.0.2-3+deb8u1.

This version breaks my python service using twisted.web with the following stack trace:


2020-03-19 11:04:22,645 [7586] (ERROR) (twisted): Unhandled Error
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 614, in _doReadOrWrite
    why = selectable.doRead()
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 214, in doRead
    return self._dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 220, in _dataReceived
    rval = self.protocol.dataReceived(data)
File "/usr/lib/python2.7/dist-packages/twisted/protocols/basic.py", line 571, in dataReceived
    why = self.lineReceived(line)
File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 1663, in lineReceived
    self.headerReceived(self.__header)
File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 1685, in headerReceived
    if not self._maybeChooseTransferDecoder(header, data):
exceptions.AttributeError: HTTPChannel instance has no attribute '_maybeChooseTransferDecoder'


To investigate I downloaded the twisted-python sources and see that two patches were added:

1) debian/patches/CVE-2020-10108_CVE-2020-10108.patch
2) debian/patches/CVE-2020-10108_CVE-2020-10109.patch

(side note: patch #2 is void)

Patch #1 is supposed to fix CVE-2020-10108.

But, as far as I understand, it is incorrect for this version 14.0.2-3:
- it adds a method _maybeChooseTransferDecoder in class HTTPFactory
- and it adds in the headerReceived method of class HTTPChannel a call to self._maybeChooseTransferDecoder
- but HTTPChannel AFAIU has no dependency whatsoever on HTTPFactory
- therefore this call is broken


After digging in the twisted git repo (https://github.com/twisted/twisted/commits/trunk/src/twisted/web/http.py) it seems that this debian/patches/CVE-2020-10108_CVE-2020-10108.patch patch
was more or less taken from this upstream commit:
https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281#diff-a31693cfdecc4bc57f3dd9ce31445237

But in this upstream commit the _maybeChooseTransferDecoder method is added in the HTTPChannel class.


Please, can you revert this patch and re-publish the working (but security-flawed) 14.0.2-3 twisted version?
Or fix this patch?

Many thanks


-- System Information:
Debian Release: 8.9
  APT prefers oldoldstable-updates
  APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-twisted-web depends on:
ii  python               2.7.9-1
ii  python-twisted-core  14.0.2-3+deb8u1

python-twisted-web recommends no packages.

python-twisted-web suggests no packages.

-- no debconf information
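The report above boils down to a method being backported onto the wrong class: upstream adds _maybeChooseTransferDecoder to HTTPChannel and calls it from HTTPChannel.headerReceived, while the jessie patch adds it to HTTPFactory, so the first request header that arrives raises AttributeError. The following script is an added example (not part of the bug report, the Debian patch, or Twisted itself). It classifies an installed twisted.web.http as "patched", "misapplied" or "unpatched" by checking which class actually carries the method, and it drives a constructed, minimal stand-in for headerReceived (the stand-in classes and the sample header line are assumptions written for this example, not Twisted's code) to show the failure mode without needing a listening service.

```python
"""Check where a backport of the CVE-2020-10108 fix ended up.

Added example, not code from the bug report or from Twisted. The upstream
commit adds HTTPChannel._maybeChooseTransferDecoder and calls it from
HTTPChannel.headerReceived. If a backport adds the method to HTTPFactory
instead, every request carrying a header fails with AttributeError.
"""
import sys

METHOD = "_maybeChooseTransferDecoder"


def classify_backport(channel_cls, factory_cls):
    """Return 'patched', 'misapplied' or 'unpatched'.

    'patched'    -> the channel class has the method (upstream placement)
    'misapplied' -> only the factory class has it (the 14.0.2-3+deb8u1 case:
                    headerReceived calls a method the channel never got)
    'unpatched'  -> neither class has it (e.g. plain 14.0.2-3)
    """
    if hasattr(channel_cls, METHOD):
        return "patched"
    if hasattr(factory_cls, METHOD):
        return "misapplied"
    return "unpatched"


# --- Constructed stand-ins for the three states (assumed, not Twisted's code) ---

class _ChannelBase(object):
    """Minimal stand-in for the patched HTTPChannel.headerReceived:
    split 'Name: value' and hand it to self._maybeChooseTransferDecoder."""

    def __init__(self):
        self.headers = {}

    def headerReceived(self, line):
        header, data = line.split(b":", 1)
        header = header.lower()
        data = data.strip()
        if not self._maybeChooseTransferDecoder(header, data):
            return False
        self.headers[header] = data
        return True


class PatchedChannel(_ChannelBase):
    """Method on the channel, as in the upstream commit."""

    def _maybeChooseTransferDecoder(self, header, data):
        # Stand-in body: accept every header. The real method's validation
        # of Content-Length / Transfer-Encoding is not modelled here.
        return True


class MisappliedChannel(_ChannelBase):
    """Channel from the broken backport: headerReceived was patched to call
    the method, but the method itself was added to the factory instead."""


class MisappliedFactory(object):
    """Factory that received the method by mistake."""

    def _maybeChooseTransferDecoder(self, header, data):
        return True


class PlainFactory(object):
    """Factory without the method (correct for upstream placement)."""


def drive_header(channel_cls, line=b"Content-Length: 5"):
    """Feed one constructed header line to a fresh channel.

    Returns 'ok' on success or the exception type name, mirroring the
    'Unhandled Error' the reporter saw for every incoming request.
    """
    try:
        channel_cls().headerReceived(line)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def check_installed():
    """Classify the Twisted actually installed, or None if not importable."""
    try:
        from twisted.web import http
    except ImportError:
        return None
    return classify_backport(http.HTTPChannel, http.HTTPFactory)


if __name__ == "__main__":
    print("stand-in, upstream placement:",
          classify_backport(PatchedChannel, PlainFactory),
          drive_header(PatchedChannel))
    print("stand-in, jessie placement  :",
          classify_backport(MisappliedChannel, MisappliedFactory),
          drive_header(MisappliedChannel))
    installed = check_installed()
    print("installed twisted.web.http  :", installed or "twisted not importable")
    sys.exit(1 if installed == "misapplied" else 0)
```

Run it on the affected host with the system Python 2.7 to get a non-zero exit status when the installed package has the method on HTTPFactory but not on HTTPChannel; the same check fits a post-upgrade smoke test, since the breakage only shows once real traffic reaches headerReceived.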
