Details: https://nvd.nist.gov/vuln/detail/CVE-2020-12845
Pick the merge commit that mentions the vulnerability. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../cherokee/cherokee/CVE-2020-12845.patch | 195 ++++++++++++++++++ .../recipes-httpd/cherokee/cherokee_git.bb | 1 + 2 files changed, 196 insertions(+) create mode 100644 meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch b/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch new file mode 100644 index 0000000000..864cfd0a87 --- /dev/null +++ b/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch @@ -0,0 +1,195 @@ +From dab30272a2fc72f69542a6ae2d6d63de875574cb Mon Sep 17 00:00:00 2001 +From: Stefan de Konink <[email protected]> +Date: Sat, 25 Jul 2020 22:17:13 +0200 +Subject: [PATCH] Fix CVE-2020-12845 (#1243) + +* Implement tests for CVE-2020-12845 + +Can be manually reproduced by: +curl -H "Authorization: Basic " -X GET url +curl -H "Authorization: Digest " -X GET url + +* Don't process empty input for cherokee_buffer_decode_base64 +* Don't process empty input for cherokee_validator_parse_basic and cherokee_validator_parse_digest +* Guard empty input in get_authorization to resolve CVE-2020-12845 + +Thanks Patrik Lantz from F-Secure for reporting this issue! + +CVE: CVE-2020-12845 +Upstream-Status: Backport [https://github.com/cherokee/webserver/commit/51f13b9535e652421c128ef541371854637ac32e] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + cherokee/buffer.c | 3 +++ + cherokee/connection.c | 5 +++++ + cherokee/validator.c | 14 ++++++++++++++ + qa/310-Authorization-empty.py | 35 +++++++++++++++++++++++++++++++++++ + qa/311-Authorization-empty.py | 33 +++++++++++++++++++++++++++++++++ + qa/Makefile.am | 4 +++- + 6 files changed, 93 insertions(+), 1 deletion(-) + create mode 100644 qa/310-Authorization-empty.py + create mode 100644 qa/311-Authorization-empty.py + +diff --git a/cherokee/buffer.c b/cherokee/buffer.c +index d93c1638..2b07ceb3 100644 +--- a/cherokee/buffer.c ++++ b/cherokee/buffer.c +@@ -1643,6 +1643,9 @@ cherokee_buffer_decode_base64 (cherokee_buffer_t *buf) + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1 /* F0-FF */ + }; + ++ if (unlikely(buf == NULL || buf->len == 0)) ++ return ret_ok; ++ + for (i=0; i < buf->len; i++) { + d = b64_decode_tab[(int) buf->buf[i]]; + if (d != -1) { +diff --git a/cherokee/connection.c b/cherokee/connection.c +index 0b790282..e11c01c3 100644 +--- a/cherokee/connection.c ++++ b/cherokee/connection.c +@@ -1895,6 +1895,11 @@ get_authorization (cherokee_connection_t *conn, + ptr += pre_len; + ptr_len -= pre_len; + ++ /* Guard authentication string ++ */ ++ if (ptr_len == 0) ++ return ret_error; ++ + /* Parse the request + */ + switch (conn->req_auth_type) { +diff --git a/cherokee/validator.c b/cherokee/validator.c +index 8b02b698..f227a813 100644 +--- a/cherokee/validator.c ++++ b/cherokee/validator.c +@@ -125,6 +125,11 @@ cherokee_validator_parse_basic (cherokee_validator_t *validator, char *str, cuin + char *colon; + cherokee_buffer_t auth = CHEROKEE_BUF_INIT; + ++ /* Guard empty input ++ */ ++ if (unlikely(str == NULL || str_len == 0)) ++ goto error; ++ + /* Decode base64 + */ + cherokee_buffer_add (&auth, str, str_len); +@@ -166,6 +171,11 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator, + cherokee_buffer_t auth = CHEROKEE_BUF_INIT; + cherokee_buffer_t *entry_buf; + ++ /* Guard empty input ++ */ ++ if (unlikely(str == NULL || str_len == 0)) ++ goto error; ++ + /* Copy authentication string + */ + cherokee_buffer_add (&auth, str, str_len); +@@ -260,6 +270,10 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator, + */ + cherokee_buffer_mrproper (&auth); + return ret_ok; ++ ++error: ++ cherokee_buffer_mrproper (&auth); ++ return ret_error; + } + + +diff --git a/qa/310-Authorization-empty.py b/qa/310-Authorization-empty.py +new file mode 100644 +index 00000000..ef2f8d24 +--- /dev/null ++++ b/qa/310-Authorization-empty.py +@@ -0,0 +1,35 @@ ++import base64 ++ ++from conf import * ++from base import * ++ ++MAGIC = "Cherokee supports old crypt password hashes" ++REALM = "realm" ++USER = "username" ++PASSWD = "alo" ++ ++CONF = """ ++vserver!1!rule!3100!match = directory ++vserver!1!rule!3100!match!directory = /htpasswd_plain_empty ++vserver!1!rule!3100!match!final = 0 ++vserver!1!rule!3100!auth = htpasswd ++vserver!1!rule!3100!auth!methods = basic ++vserver!1!rule!3100!auth!realm = %s ++vserver!1!rule!3100!auth!passwdfile = %s ++""" ++ ++class Test (TestBase): ++ def __init__ (self): ++ TestBase.__init__ (self, __file__) ++ ++ self.name = "Authorization: Basic empty" ++ self.expected_error = 401 ++ self.request = "GET /htpasswd_plain_empty/file HTTP/1.0\r\n" + \ ++ "Authorization: Basic \r\n" ++ ++ def Prepare (self, www): ++ tdir = self.Mkdir (www, "htpasswd_plain_empty") ++ passf = self.WriteFile (tdir, "passwd", 0444, '%s:%s\n' %(USER, PASSWD)) ++ self.WriteFile (tdir, "file", 0444, MAGIC) ++ ++ self.conf = CONF % (REALM, passf) +diff --git a/qa/311-Authorization-empty.py b/qa/311-Authorization-empty.py +new file mode 100644 +index 00000000..017fe036 +--- /dev/null ++++ b/qa/311-Authorization-empty.py +@@ -0,0 +1,33 @@ ++import base64 ++ ++from base import * ++ ++MAGIC = "Don't show this" ++ ++CONF = """ ++vserver!1!rule!3110!match = directory ++vserver!1!rule!3110!match!directory = /digest_empty_1 ++vserver!1!rule!3110!match!final = 0 ++vserver!1!rule!3110!auth = plain ++vserver!1!rule!3110!auth!methods = digest ++vserver!1!rule!3110!auth!realm = Test is the realm ++vserver!1!rule!3110!auth!passwdfile = %s ++""" ++ ++class Test (TestBase): ++ def __init__ (self): ++ TestBase.__init__ (self, __file__) ++ self.name = "Authorization: Digest empty" ++ ++ self.request = "GET /digest_empty_1/file HTTP/1.0\r\n" + \ ++ "Authorization: Digest \r\n" ++ self.expected_error = 401 ++ self.expected_content = [ "WWW-Authenticate: Digest", "qop=", "algorithm=" ] ++ self.forbiden_content = MAGIC ++ ++ def Prepare (self, www): ++ tdir = self.Mkdir (www, "digest_empty_1") ++ self.WriteFile (tdir, "file", 0444, MAGIC) ++ passfile = self.WriteFile (tdir, ".passwd", 0444, "user:password\n") ++ ++ self.conf = CONF % (passfile) +diff --git a/qa/Makefile.am b/qa/Makefile.am +index 5cdaf4d6..e5bd42ce 100644 +--- a/qa/Makefile.am ++++ b/qa/Makefile.am +@@ -326,7 +326,9 @@ run-tests.py \ + 302-DirIndex3.py \ + 304-Dirlist-TransferEncoding.py \ + 305-Error-ContentLength.py \ +-306-NoContent-keepalive.py ++306-NoContent-keepalive.py \ ++310-Authorization-empty.py \ ++311-Authorization-empty.py + + if USE_OPENSSL + ssl-keys/set-1.pem: ssl-keys/set-1.key openssl.cnf diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb index 7100ef4341..a3d871555f 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \ file://0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch \ file://0001-make-Do-not-build-po-files.patch \ file://0001-common-internal.h-Define-LLONG_MAX-if-undefined.patch \ + file://CVE-2020-12845.patch \ " S = "${WORKDIR}/git"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122764): https://lists.openembedded.org/g/openembedded-devel/message/122764 Mute This Topic: https://lists.openembedded.org/mt/116842020/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
