Hi security team, > gunicorn: CVE-2018-1000164
I've prepared an upload for jessie. Permission to upload? :) changelog | 8 ++++++++ patches/CVE-2018-1000164.patch | 38 ++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 47 insertions(+) diff -Nru gunicorn-19.0/debian/changelog gunicorn-19.0/debian/changelog --- gunicorn-19.0/debian/changelog 2014-07-05 18:09:22.000000000 +0200 +++ gunicorn-19.0/debian/changelog 2018-04-22 11:14:10.000000000 +0200 @@ -1,3 +1,11 @@ +gunicorn (19.0-1+deb8u1) jessie-security; urgency=high + + * CVE-2018-1000164: Fix an issue where CRLF sequences in HTTP headers could + result in an attacker tricking the server into returning arbitrary HTTP + headers. (Closes: #896548) + + -- Chris Lamb <[email protected]> Sun, 22 Apr 2018 11:14:07 +0200 + gunicorn (19.0-1) unstable; urgency=low * New upstream release. diff -Nru […] --- gunicorn-19.0/debian/patches/CVE-2018-1000164.patch +++ gunicorn-19.0/debian/patches/CVE-2018-1000164.patch 
@@ -0,0 +1,38 @@
+From: Chris Lamb <[email protected]>
+Date: Sun, 22 Apr 2018 11:08:39 +0200
+Subject: CVE-2018-1000164
+
+---
+ gunicorn/http/wsgi.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gunicorn/http/wsgi.py b/gunicorn/http/wsgi.py
+index 303b890ed397..5b49dcf1795a 100644
+--- a/gunicorn/http/wsgi.py
++++ b/gunicorn/http/wsgi.py
+@@ -9,6 +9,7 @@ import os
+ import re
+ import sys
+
++from gunicorn.http.errors import InvalidHeader
+ from gunicorn.six import unquote_to_wsgi_str, string_types, binary_type, reraise
+ from gunicorn import SERVER_SOFTWARE
+ import gunicorn.six as six
+@@ -23,6 +24,7 @@ except ImportError:
+ except ImportError:
+ sendfile = None
+
++HEADER_VALUE_RE = re.compile(r"[\x07\x1B\f\n\r\t\v]")
+ NORMALIZE_SPACE = re.compile(r'(?:\r\n)?[ \t]+')
+
+ log = logging.getLogger(__name__)
+@@ -256,6 +258,9 @@ class Response(object):
+ for name, value in headers:
+ assert isinstance(name, string_types), "%r is not a string" % name
+
++ if HEADER_VALUE_RE.search(value):
++ raise InvalidHeader('%r' % value)
++
+ value = str(value).strip()
+ lname = name.lower().strip()
+ if lname == "content-length":
diff -Nru gunicorn-19.0/debian/patches/series gunicorn-19.0/debian/patches/series
--- gunicorn-19.0/debian/patches/series 2014-07-05 18:09:22.000000000 +0200
+++ gunicorn-19.0/debian/patches/series 2018-04-22 11:14:10.000000000 +0200
@@ -1 +1,2 @@
 0001-drop-supplemental-groups.patch
+CVE-2018-1000164.patch
Regards,
-- ,''`. : :' : Chris Lamb `. `'` [email protected] / chris-lamb.co.uk `-
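Review bot: The added `HEADER_VALUE_RE.search(value)` runs on the raw `value` before the existing `value = str(value).strip()` coercion, so a non-string value (e.g. an int Content-Length that `str()` previously tolerated) now fails with a `TypeError` from `re.search` rather than `InvalidHeader`; moving the check after the coercion, `value = str(value).strip()` then `if HEADER_VALUE_RE.search(value): raise InvalidHeader('%r' % value)`, keeps the old tolerance and the fix. The character class `[\x07\x1B\f\n\r\t\v]` stops the CR/LF splitting case but still lets other control bytes such as NUL and DEL through; if the aim is the RFC 7230 rule (no CTL except HTAB in a field-value), `r"[\x00-\x1F\x7F]"` covers them and still rejects `\t` as this patch does. The header `name` is only asserted to be a string, so a CR or LF in the name would split the response just as well; a parallel `if HEADER_VALUE_RE.search(name): raise InvalidHeader('%r' % name)` closes that path, assuming no stricter name check exists elsewhere in this version. The enclosing loop in `Response` starts and ends outside the hunk.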

