!13 [sync] PR-12: fix CVE-2020-10719

From: @openeuler-sync-bot Reviewed-by: @wangchong1995924 Signed-off-by: @wangchong1995924
2021-11-01 01:18:54 +00:00 · 2021-11-01 01:18:54 +00:00 · 25983d3345
commit 25983d3345
parent 98c08111ae aa7a7da807
2 changed files with 54 additions and 1 deletions
--- a/CVE-2020-10719.patch
+++ b/CVE-2020-10719.patch
@ -0,0 +1,48 @@
+From bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko <bspyrkos@redhat.com>
+Date: Tue, 25 Feb 2020 13:26:20 +0000
+Subject: [PATCH] [UNDERTOW-1708][JBEAP-18537] Fix overflow of chunk size
+
+---
+ core/src/main/java/io/undertow/UndertowMessages.java     | 3 +++
+ core/src/main/java/io/undertow/conduits/ChunkReader.java | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/core/src/main/java/io/undertow/UndertowMessages.java b/core/src/main/java/io/undertow/UndertowMessages.java
+index fbde7d1..3aa4ad8 100644
+--- a/core/src/main/java/io/undertow/UndertowMessages.java
+++ b/core/src/main/java/io/undertow/UndertowMessages.java
+@@ -471,4 +471,7 @@ public interface UndertowMessages {
+ 
+     @Message(id = 147, value = "No host header in a HTTP/1.1 request")
+     IOException noHostInHttp11Request();
+
+    @Message(id = 195, value = "Chunk size too large")
+    IOException chunkSizeTooLarge();
+ }
+diff --git a/core/src/main/java/io/undertow/conduits/ChunkReader.java b/core/src/main/java/io/undertow/conduits/ChunkReader.java
+index 21ef002..e064f71 100644
+--- a/core/src/main/java/io/undertow/conduits/ChunkReader.java
+++ b/core/src/main/java/io/undertow/conduits/ChunkReader.java
+@@ -48,6 +48,8 @@ class ChunkReader<T extends Conduit> {
+ 
+     private static final long MASK_COUNT = longBitMask(0, 56);
+ 
+    private static final long LIMIT = Long.MAX_VALUE >> 4;
+
+     private long state;
+     private final Attachable attachable;
+     private final AttachmentKey<HeaderMap> trailerAttachmentKey;
+@@ -103,6 +105,9 @@ class ChunkReader<T extends Conduit> {
+                 while (buf.hasRemaining()) {
+                     byte b = buf.get();
+                     if ((b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')) {
+                        if (chunkRemaining > LIMIT) {
+                            throw UndertowMessages.MESSAGES.chunkSizeTooLarge();
+                        }
+                         chunkRemaining <<= 4; //shift it 4 bytes and then add the next value to the end
+                         chunkRemaining += Character.digit((char) b, 16);
+                     } else {
+-- 
+2.23.0
+
--- a/undertow.spec
+++ b/undertow.spec
@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name:                undertow
 Version:             1.4.0
-Release:             3
+Release:             4
 Summary:             Java web server using non-blocking IO
 License:             ASL 2.0
 URL:                 http://undertow.io/
@ -11,6 +11,7 @@ Source0:             https://github.com/undertow-io/undertow/archive/%{namedvers
 Patch0:              undertow-1.4.0-jetty-alpn-api-1.1.0.patch
 Patch1:		     CVE-2020-10705.patch
 Patch2:              CVE-2019-3888.patch
+Patch3:              CVE-2020-10719.patch
 BuildArch:           noarch
 Epoch:               1
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@ -36,6 +37,7 @@ This package contains the API documentation for %{name}.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 rm -rf mac-jdk-fix
 %pom_disable_module examples
 %pom_remove_plugin -r :maven-checkstyle-plugin
@ -64,6 +66,9 @@ done
 %license LICENSE.txt

 %changelog
+* Wed Oct 29 2021 wangkai <wangkai385@huawei.com> - 1.4.0-4
+- Fix CVE-2020-10719
+
 * Wed Oct 28 2021 wangkai <wangkai385@huawei.com> - 1.4.0-3
 - Fix CVE-2019-3888