diff -pruN 2.9.4-4/debian/changelog 2.9.4-5/debian/changelog --- 2.9.4-4/debian/changelog 2021-01-02 16:07:49.000000000 +0000 +++ 2.9.4-5/debian/changelog 2022-08-05 17:53:57.000000000 +0000 @@ -1,3 +1,10 @@ +http-parser (2.9.4-5) unstable; urgency=high + + * unset F_CHUNKED on new Transfer-Encoding. + Closes: #1016690 [CVE-2020-8287] + + -- Christoph Biedl Fri, 05 Aug 2022 19:53:57 +0200 + http-parser (2.9.4-4) unstable; urgency=medium * Packaging cleanup diff -pruN 2.9.4-4/debian/copyright 2.9.4-5/debian/copyright --- 2.9.4-4/debian/copyright 2021-01-02 16:07:49.000000000 +0000 +++ 2.9.4-5/debian/copyright 2022-08-05 17:53:47.000000000 +0000 @@ -11,7 +11,7 @@ Files: debian/* Copyright: 2013 Praveen Arimbrathodiyil - 2017-2021 Christoph Biedl + 2017-2022 Christoph Biedl License: Expat License: Expat-nginx diff -pruN 2.9.4-4/debian/patches/CVE-2020-8287.patch 2.9.4-5/debian/patches/CVE-2020-8287.patch --- 2.9.4-4/debian/patches/CVE-2020-8287.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.9.4-5/debian/patches/CVE-2020-8287.patch 2022-08-05 17:53:57.000000000 +0000 @@ -0,0 +1,67 @@ +Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` +Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530 +From: Fedor Indutny +Date: Wed, 18 Nov 2020 20:50:21 -0800 +Date: 2022-08-05 + +Duplicate `Transfer-Encoding` header should be a treated as a single, +but with original header values concatenated with a comma separator. In +the light of this, even if the past `Transfer-Encoding` ended with +`chunked`, we should be not let the `F_CHUNKED` to leak into the next +header, because mere presence of another header indicates that `chunked` +is not the last transfer-encoding token. + +CVE-ID: CVE-2020-8287 +PR-URL: https://github.com/nodejs-private/node-private/pull/235 +Reviewed-By: Fedor Indutny +--- a/http_parser.c ++++ b/http_parser.c +@@ -1344,6 +1344,13 @@ + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. ++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +--- a/test.c ++++ b/test.c +@@ -2154,6 +2154,32 @@ + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so diff -pruN 2.9.4-4/debian/patches/series 2.9.4-5/debian/patches/series --- 2.9.4-4/debian/patches/series 2020-12-20 09:29:46.000000000 +0000 +++ 2.9.4-5/debian/patches/series 2022-08-05 17:53:57.000000000 +0000 @@ -4,6 +4,7 @@ cherry-pick.v2.9.4-6-gd9275da.fix-wsign- cherry-pick.v2.9.4-7-g4b99e42.test-content-length-header-parsing.patch cherry-pick.v2.9.4-8-ge13b274.allow-content-length-and-transfer-encoding-chunked.patch cherry-pick.v2.9.4-9-g4f15b7d.fix-sizeof-http-parser-assert.patch +CVE-2020-8287.patch # Debian-specific debian.improve-installation.patch