
[v2] package/lua-http: fix CVE-2023-4540

Message ID 20240212172619.13550-1-francois.perrad@gadz.org
State Accepted

Commit Message

Francois Perrad Feb. 12, 2024, 5:26 p.m. UTC
see https://nvd.nist.gov/vuln/detail/CVE-2023-4540
  & https://cert.pl/en/posts/2023/09/CVE-2023-4540

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 ...andle-EOF-when-body_read_type-length.patch | 71 +++++++++++++++++++
 package/lua-http/lua-http.mk                  |  3 +
 2 files changed, 74 insertions(+)
 create mode 100644 package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch

Comments

Thomas Petazzoni Feb. 12, 2024, 9:56 p.m. UTC | #1
On Mon, 12 Feb 2024 18:26:19 +0100
Francois Perrad <fperrad@gmail.com> wrote:

> see https://nvd.nist.gov/vuln/detail/CVE-2023-4540
>   & https://cert.pl/en/posts/2023/09/CVE-2023-4540
> 
> Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
> ---
>  ...andle-EOF-when-body_read_type-length.patch | 71 +++++++++++++++++++
>  package/lua-http/lua-http.mk                  |  3 +
>  2 files changed, 74 insertions(+)
>  create mode 100644 package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch

Applied to master, thanks.

Thomas
Peter Korsgaard March 16, 2024, 9:06 p.m. UTC | #2
>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > see https://nvd.nist.gov/vuln/detail/CVE-2023-4540
 >   & https://cert.pl/en/posts/2023/09/CVE-2023-4540

 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>

Committed to 2023.02.x and 2023.11.x, thanks.

Patch

diff --git a/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
new file mode 100644
index 000000000..fdbf5243f
--- /dev/null
+++ b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
@@ -0,0 +1,71 @@ 
+From ddab2835c583d45dec62680ca8d3cbde55e0bae6 Mon Sep 17 00:00:00 2001
+From: daurnimator <quae@daurnimator.com>
+Date: Tue, 22 Aug 2023 23:30:20 +1000
+Subject: [PATCH] http/h1_stream: handle EOF when `body_read_type==length`
+
+If a client closes the connection before sending the expected number of bytes
+then return `EPIPE`.
+This fixes a potential infinite draining loop when trying to trying to
+`:shutdown()` a stream.
+
+Upstream: https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
+Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
+---
+ http/h1_stream.lua      |  2 ++
+ spec/h1_stream_spec.lua | 27 +++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/lua-http-0.4/http/h1_stream.lua b/lua-http-0.4/http/h1_stream.lua
+index b2469a1..b0ca821 100644
+--- a/lua-http-0.4/http/h1_stream.lua
++++ b/lua-http-0.4/http/h1_stream.lua
+@@ -861,6 +861,8 @@ function stream_methods:read_next_chunk(timeout)
+ 			if chunk ~= nil then
+ 				self.body_read_left = length_n - #chunk
+ 				end_stream = (self.body_read_left == 0)
++			elseif err == nil then
++				return nil, ce.strerror(ce.EPIPE), ce.EPIPE
+ 			end
+ 		elseif length_n == 0 then
+ 			chunk = ""
+diff --git a/lua-http-0.4/spec/h1_stream_spec.lua b/lua-http-0.4/spec/h1_stream_spec.lua
+index f9cfea9..1303f94 100644
+--- a/lua-http-0.4/spec/h1_stream_spec.lua
++++ b/lua-http-0.4/spec/h1_stream_spec.lua
+@@ -295,6 +295,33 @@ describe("http1 stream", function()
+ 		server:close()
+ 		client:close()
+ 	end)
++	it("Doesn't hang when a content-length delimited stream is closed", function()
++		local server, client = new_pair(1.1)
++		local cq = cqueues.new()
++		cq:wrap(function()
++			local stream = client:new_stream()
++			local headers = new_headers()
++			headers:append(":method", "GET")
++			headers:append(":scheme", "http")
++			headers:append(":authority", "myauthority")
++			headers:append(":path", "/a")
++			assert(stream:write_headers(headers, true))
++		end)
++		cq:wrap(function()
++			local stream = server:get_next_incoming_stream()
++			assert(stream:get_headers())
++			local res_headers = new_headers()
++			res_headers:append(":status", "200")
++			res_headers:append("content-length", "100")
++			assert(stream:write_headers(res_headers, false))
++			assert(stream:write_chunk("foo", false))
++			assert(stream:shutdown())
++		end)
++		assert_loop(cq, TEST_TIMEOUT)
++		assert.truthy(cq:empty())
++		server:close()
++		client:close()
++	end)
+ 	it("allows pipelining", function()
+ 		local server, client = new_pair(1.1)
+ 		local cq = cqueues.new()
+-- 
+2.40.1
+
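Review bot: The backported patch header (lines 66-72 of the new file) never names CVE-2023-4540, so the only link between the `LUA_HTTP_IGNORE_CVES` entry in lua-http.mk and this fix is the filename comment in the .mk; a reader auditing the ignore list from the patch itself cannot tell which advisory it closes. I would add a trailer next to the `Upstream:` line, `Fixes: CVE-2023-4540 (https://nvd.nist.gov/vuln/detail/CVE-2023-4540)`, so the patch is self-describing when it is carried to other branches. On the code side, the new `elseif err == nil then` branch only covers a read that returned neither a chunk nor an error (the EOF case); the `err ~= nil` case presumably falls through to the existing error handling further down in `read_next_chunk`, which starts and ends outside this hunk, so that path cannot be confirmed from here. The added spec exercises exactly the hang being fixed — a `content-length` of 100 with only 3 bytes written before `shutdown()` — and asserts the loop drains, which is the right regression check for the denial-of-service described in the advisory.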
diff --git a/package/lua-http/lua-http.mk b/package/lua-http/lua-http.mk
index df3e2c005..34387c12e 100644
--- a/package/lua-http/lua-http.mk
+++ b/package/lua-http/lua-http.mk
@@ -13,4 +13,7 @@  LUA_HTTP_LICENSE_FILES = $(LUA_HTTP_SUBDIR)/LICENSE.md
 LUA_HTTP_CPE_ID_VERSION = $(LUA_HTTP_VERSION_UPSTREAM)
 LUA_HTTP_CPE_ID_VENDOR = daurnimator
 
+# 0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
+LUA_HTTP_IGNORE_CVES += CVE-2023-4540
+
 $(eval $(luarocks-package))