From c8dfb08e463cbfc2178f8f9bd688de7c7c7be4f3 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 2 Jan 2020 23:19:52 +0100
Subject: [PATCH 1/2] Import Debian changes 1:4.1.33-1+deb10u1
netty (1:4.1.33-1+deb10u1) buster-security; urgency=high * Non-maintainer upload by the Security Team. * Correctly handle whitespaces in HTTP header names as defined by RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266)
---
 debian/changelog | 8 ++
 ...-whitespaces-in-HTTP-header-names-as.patch | 98 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 107 insertions(+)
 create mode 100644 debian/patches/14-Correctly-handle-whitespaces-in-HTTP-header-names-as.patch
diff --git a/debian/changelog b/debian/changelog
index 6a75709..e11d2c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+netty (1:4.1.33-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Correctly handle whitespaces in HTTP header names as defined by
+ RFC7230#section-3.2.4 (CVE-2019-16869) (Closes: #941266)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 02 Jan 2020 23:19:52 +0100
+
 netty (1:4.1.33-1) unstable; urgency=medium
 * Team upload.
diff --git a/debian/patches/14-Correctly-handle-whitespaces-in-HTTP-header-names-as.patch b/debian/patches/14-Correctly-handle-whitespaces-in-HTTP-header-names-as.patch
new file mode 100644
index 0000000..22aca38
--- /dev/null
+++ b/debian/patches/14-Correctly-handle-whitespaces-in-HTTP-header-names-as.patch
@@ -0,0 +1,98 @@
+From: Norman Maurer <norman_maurer@apple.com>
+Date: Fri, 20 Sep 2019 21:02:11 +0200
+Subject: Correctly handle whitespaces in HTTP header names as defined by
+ RFC7230#section-3.2.4 (#9585)
+Origin: https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-16869
+Bug-Debian: https://bugs.debian.org/941266
+Bug: https://github.com/netty/netty/issues/9571
+
+Motivation:
+
+When parsing HTTP headers special care needs to be taken when a whitespace is detected in the header name.
+
+Modifications:
+
+- Ignore whitespace when decoding response (just like before)
+- Throw exception when whitespace is detected during parsing
+- Add unit tests
+
+Result:
+
+Fixes https://github.com/netty/netty/issues/9571
+[Salvatore Bonaccorso: Backport to 4.1.33 for context changes in
+HttpObjectDecoder.java]
+---
+ .../handler/codec/http/HttpObjectDecoder.java | 16 +++++++++++++++-
+ .../codec/http/HttpRequestDecoderTest.java | 14 ++++++++++++++
+ .../codec/http/HttpResponseDecoderTest.java | 15 +++++++++++++++
+ 3 files changed, 44 insertions(+), 1 deletion(-)
+
+--- a/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
++++ b/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
+@@ -736,7 +736,21 @@ public abstract class HttpObjectDecoder
+ nameStart = findNonWhitespace(sb, 0);
+ for (nameEnd = nameStart; nameEnd < length; nameEnd ++) {
+ char ch = sb.charAt(nameEnd);
+- if (ch == ':' || Character.isWhitespace(ch)) {
++ // https://tools.ietf.org/html/rfc7230#section-3.2.4
++ //
++ // No whitespace is allowed between the header field-name and colon. In
++ // the past, differences in the handling of such whitespace have led to
++ // security vulnerabilities in request routing and response handling. A
++ // server MUST reject any received request message that contains
++ // whitespace between a header field-name and colon with a response code
++ // of 400 (Bad Request). A proxy MUST remove any such whitespace from a
++ // response message before forwarding the message downstream.
++ if (ch == ':' ||
++ // In case of decoding a request we will just continue processing and header validation
++ // is done in the DefaultHttpHeaders implementation.
++ //
++ // In the case of decoding a response we will "skip" the whitespace.
++ (!isDecodingRequest() && Character.isWhitespace(ch))) {
+ break;
+ }
+ }
+--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
++++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
+@@ -320,4 +320,18 @@ public class HttpRequestDecoderTest {
+ assertTrue(request.decoderResult().cause() instanceof TooLongFrameException);
+ assertFalse(channel.finish());
+ }
++
++ @Test
++ public void testWhitespace() {
++ EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
++ String requestStr = "GET /some/path HTTP/1.1\r\n" +
++ "Transfer-Encoding : chunked\r\n" +
++ "Host: netty.io\n\r\n";
++
++ assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));
++ HttpRequest request = channel.readInbound();
++ assertTrue(request.decoderResult().isFailure());
++ assertTrue(request.decoderResult().cause() instanceof IllegalArgumentException);
++ assertFalse(channel.finish());
++ }
+ }
+--- a/codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java
++++ b/codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java
+@@ -683,4 +683,19 @@ public class HttpResponseDecoderTest {
+ assertThat(message.decoderResult().cause(), instanceOf(PrematureChannelClosureException.class));
+ assertNull(channel.readInbound());
+ }
++
++ @Test
++ public void testWhitespace() {
++ EmbeddedChannel channel = new EmbeddedChannel(new HttpResponseDecoder());
++ String requestStr = "HTTP/1.1 200 OK\r\n" +
++ "Transfer-Encoding : chunked\r\n" +
++ "Host: netty.io\n\r\n";
++
++ assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));
++ HttpResponse response = channel.readInbound();
++ assertFalse(response.decoderResult().isFailure());
++ assertEquals(HttpHeaderValues.CHUNKED.toString(), response.headers().get(HttpHeaderNames.TRANSFER_ENCODING));
++ assertEquals("netty.io", response.headers().get(HttpHeaderNames.HOST));
++ assertFalse(channel.finish());
++ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index cb303d3..2d62502 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 10-ignore-lzma.patch
 11-ignore-protobuf-nano.patch
 13-ignore-conscrypt.patch
+14-Correctly-handle-whitespaces-in-HTTP-header-names-as.patch
-- GitLab
From bef9ec5cb6159aa397f96a7c77adece0016f13e8 Mon Sep 17 00:00:00 2001
From: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
Date: Fri, 29 May 2020 19:19:17 +0530
Subject: [PATCH 2/2] Release netty version 1:4.1.33-1+deb10u1co1
Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0a04472..fa77af0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+netty (1:4.1.33-1+deb10u1co1) apertis; urgency=medium
+
+ * Sync changes from Debian Buster. Remaining Apertis specific changes
+ + Build native parts without Werror as that can cause build failures
+
+ -- Ritesh Raj Sarraf <ritesh.sarraf@collabora.com> Fri, 29 May 2020 19:18:11 +0530
+
 netty (1:4.1.33-1+deb10u1) buster-security; urgency=high
 * Non-maintainer upload by the Security Team.
-- GitLab
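Review bot: In the `HttpObjectDecoder` change carried by the new patch file, the request path does not itself reject a header name that contains whitespace; the loop only stops treating whitespace as a terminator, and the added comment says the rejection comes from header validation in `DefaultHttpHeaders`. That makes the CVE-2019-16869 fix conditional on validation being active, and the request-side `testWhitespace` only exercises the default `new HttpRequestDecoder()`; if a decoder is built with validation turned off (presumably possible through its `validateHeaders` option), a name such as `Transfer-Encoding ` would apparently be stored with its trailing space instead of being refused. I would state that dependency at the condition, e.g. `// Rejecting whitespace in request header names relies on DefaultHttpHeaders validation being enabled.`, and add a request test with validation disabled so the behaviour is pinned either way. The enclosing method starts and ends outside the hunk, so how the name is used after the loop is not visible here.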