authorAnthony G. Basile <blueness@gentoo.org>2013-06-05 20:46:10 +0000
committerAnthony G. Basile <blueness@gentoo.org>2013-06-05 20:46:10 +0000
commit9e75ec52b2e8ba50cdd6543ffbb285021462e3e6 (patch)
tree66522dcad5d3fd3326d988350436b244bb436748 /www-servers
parentUpdate patch, bug 472348 (diff)
Fix DoS bug on headers parser, bug #472400, CVE-2013-3843
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64 Manifest-Sign-Key: 0xF52D4BBA
Diffstat (limited to 'www-servers')
-rw-r--r--www-servers/monkeyd/ChangeLog6
-rw-r--r--www-servers/monkeyd/Manifest31
-rw-r--r--www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch131
-rw-r--r--www-servers/monkeyd/monkeyd-1.2.0.ebuild7
4 files changed, 157 insertions, 18 deletions
diff --git a/www-servers/monkeyd/ChangeLog b/www-servers/monkeyd/ChangeLog
index 296dc40eb0ba..408283f8d8f3 100644
--- a/www-servers/monkeyd/ChangeLog
+++ b/www-servers/monkeyd/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for www-servers/monkeyd
# Copyright 1999- Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.55 2013/06/02 13:03:56 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.56 2013/06/05 20:45:45 blueness Exp $
+
+ 05 Jun 2013; Anthony G. Basile <blueness@gentoo.org>
+ +files/monkeyd-fix-DoS-headers-parser.patch, monkeyd-1.2.0.ebuild:
+ Fix DoS bug on headers parser, bug #472400, CVE-2013-3843
02 Jun 2013; Anthony G. Basile <blueness@gentoo.org> monkeyd-1.2.0.ebuild:
Almost everyone will need liana, so turn it on by default
diff --git a/www-servers/monkeyd/Manifest b/www-servers/monkeyd/Manifest
index 85da72ec93bd..98d373f80878 100644
--- a/www-servers/monkeyd/Manifest
+++ b/www-servers/monkeyd/Manifest
@@ -1,28 +1,29 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
+AUX monkeyd-fix-DoS-headers-parser.patch 4450 SHA256 7df6eeb6afb262fd7e2fc05eb8e1932d0d5cea06a7d59b2020fc5e3c288e760e SHA512 5406625757576a660ee0da915bb270bf83649364d84a530ef88a070ed183d44465b3300f180f7ac0509102d0e81ece0b5935d957a8a84e1f412043fc5deb0ba5 WHIRLPOOL 0a0d0d80dc4b839baf06d57a4ea23a2061246aad2677f934f65ed492c810af6654376c5db4a79b922dc9158abd991cbade4fb52d4d4fc8c21ea6536015b25597
AUX monkeyd.confd 288 SHA256 ba8e0113f3d90f4c5681fb9c76ab523b56ffa409f8b388db9f83e54bd1700eee SHA512 0ed5e3e7f86564d157d833f980e715ebbc0017530f967b21581a1df8c0990a15ff8af538f664c03da3b10affa02773ad78e4dcd03a3d3f670d7661ecaf0ca00f WHIRLPOOL 1f736bab1f63324c0020d2d236bb84bf253978d76db8087ff0d71849bece6ae7531dfa6ab250e2f136301ef265f35061d059eb45536fc1b8220c9fbd78b83ef2
AUX monkeyd.initd 716 SHA256 3e1c3d1fcf12bde4847f86c06eaf82c1230af8c56040d56f25d22a6fbbae285d SHA512 9f5ac51a06c0255d5d2b09c19228c849c5314f8f9d4ef2dbc837028620462897dd81b504cbf53bd36bd4896e72fcc17b2b0043e038de7bd3d39aa1be26dc8126 WHIRLPOOL e3d4788d4b78a7e1b8482581547350e1dc989ca561484283533d696eea3419f89643fe45610c6e793a3e2c26a1ef7e6ef24cba9fba99f8e06a4cfcbe25cc57c6
DIST monkey-1.1.1.tar.gz 404633 SHA256 5b6cf4b4a5cc2e6c7e2ac08515f542636884d7f85684f87005c6020e3567c7f4 SHA512 37a7806995d70a432d1f42e01f31a25012c7f39077613a4a0a772946ba512b52438d4ea3b798e09cc514833256775030a67ede5f66ac7ca93323642fba003008 WHIRLPOOL e490e34fe12a8f7f7fb63cb980fff6b642cbd341c56451ed4067fdb90445cacb6101b692e752f0771626846970651e1d07d1cb281e355be2fefa2581e96fe242
DIST monkey-1.2.0.tar.gz 425807 SHA256 b15b7f5df57a57ffea42380454e2de9896297f3326756f77b39ca8386d9fb22f SHA512 6358e817e75cf8160f95ec8185eb7db21793b1dde916c8a5e38b85f788e284a00175fa82cf764451db6a4b656b50c25908baf6f52d73037e4f597eb84c05c356 WHIRLPOOL bf717c8c873935031955bf7f5d940f01d132347fc9b5e4f5b3d4f93bdcf2bce65b19644d5e5b12d6b1409f4734b6a28c90576e603086d7a52817fd7f0ea11840
EBUILD monkeyd-1.1.1.ebuild 2044 SHA256 8929978ca500523871a1707816a12de6f47950d3b90efde6a29fe960ef1d6c80 SHA512 d8b549bd1df2543928a132226969ae6352ae245ce9afd98199a5c4497fd335fb0832687c7c3a789b43e7da6c6bb02a9daa7c8e14c81a6b6b57d9af545d74dfc1 WHIRLPOOL b399c1df3a3bdf5c4eb2093d154e9c3195c4233afccad725cf736492cd3c684a600c9eff53764cf486c7a964940e60a73c0a7fe5f2a47a267aa876bbc4f7d593
-EBUILD monkeyd-1.2.0.ebuild 4306 SHA256 47c4f24bf1bbf78b8cd71477796b04800ff1fc1e3433608d016e9572db2c18f1 SHA512 7d938e8abee397e0143edcbd723428738a048e81975fb8481f8af836a5cb922b0ac8b68d15d4b13ea2eabb4cb8bde58f97636a1d2a5ae73ba4fe08b7fcf2f22a WHIRLPOOL ba4442c2529340496a40d041e37936f1da7b620e7352e9678873b2df807101ea099424b516e62b2b3dbd09df7e9dab4eb89089fa77e639fd25cb06b07c2d6dc2
-MISC ChangeLog 9214 SHA256 de41e61a40edaf5c2adc9ef7a118b8cd13c19605bfa8afcc070f762c25993f76 SHA512 375aaa482de17e0d7cf111b9bb2f4cd69f3a64c95cf29f92dc64768cc3a6719f3580bfcb7b48d104105af8fa2aca569a264a0a7c61d3f5ca078221887ea450f4 WHIRLPOOL ad5711e12eff6edb25a3ac4d0635ceb502487b429251db7fd49f9eecbb682059495b1ee2f7ce4088e19e90ec723e30e4378864f90b8c125292ca30e98f855b9f
+EBUILD monkeyd-1.2.0.ebuild 4423 SHA256 74b14561c89c6db46fcb7b0f2a388bce70765db52f8f56b9b73db514d09a4dba SHA512 48a5463818e8bb4ef9118d80e8c8926cdf22a3cc5c0fe93459447919f4f8db606292b6d7e018c45760179d16472500543e7e1c9c54dd0d1bdd01b9463f4d375c WHIRLPOOL 084b02114d912faceb3466265a971b10c9f3ed1b1d9ddf57f3b6cd85740ea25f8a0616c85969fd61b1b0f026035b1d6f46f814746cce1473a97d64f2c4ad3b7e
+MISC ChangeLog 9399 SHA256 b0210463b46d64b375bd09a0e768e8cef854cf3767ddbfe766e87686ab8bce9c SHA512 cc78d432d38b4c62475ca8094c1aa02e4db159911b6e55aa933a97a3a83ae97cd8d2b4f42ad1202d38ca9ae88786d46c57b4efc0bc640e0611023811eeb25293 WHIRLPOOL e0fb5814cbc4c1a1df7289d86984692f32c5d8f3b224540b3fe090888327035c836eb73d72a700690cc057e0996906fb0f0f0c3f152cf05ffb10b4b0579356ef
MISC metadata.xml 385 SHA256 88901f1e630c8bb995da2ece6f50de69a82b845f63e51742c6f90b26f31c5321 SHA512 863daa33d3ce733a5b84927dba2f0bb28f24802b27f0b2ef225b4c5e8251977f8500ea015f0f21febda32cc7933c95daf9add6fe9563cce979ecf8096babb242 WHIRLPOOL b61c7a2b8e851a98662ebbc76cfb826a0980c6c9654f119d152f226add3cce42b8ed2e2d354e6c994b9e10badd3521b611d133bdc0983a00c75e920717959269
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRq0LkAAoJEJOE+m71LUu6eyYQAJGk7XXpqGaGy4dQ0ZTiduS3
-LVB19aLb3t1U64RYIvimJDwT/TdKI+/r0znNzBhUeFVZIb1XMbo3tSaC06FCi/4p
-XtIxDl2XQRcAAFo+HDi521tdkEWsjoFiNAqfV6VntlypYf9hxq904HmR5Bg6NyW2
-Kt0Sq81UwwRJvipySwnQvCQUTsdmryLEiCuDDPTk4a17EdZAWDFawwZE0JjdLBQH
-+i0rHymfP12Ylc8919eWJyfMmlfSr1tq44rtnnt349OtkWQItKlRtltFODuKdOMC
-qHvTQJbdpzBGOixoamPbq+BHGpdnrPY1um/V5Hz0ca923AOWtLP0N5znNqbIcfak
-j779rmoC9gV21/GyidJM3Wm9ZycAH3tbVLdtTAL8qo14SXDfF6sVln/iTGOv5NUA
-L6f0iEJDuXFycTLxnAe6EYxhZHF6R+86ehXgp/fKdAoWJ8MXZtOXTtsoolzHB6F5
-jZ1QkhzbbgX1v6aW9a0yjPmjKZWa0rVRJYcBKDYb/AlAwVvQfN7qK1eWr/O0mB6i
-050NsMpqUEYgTfGbLxkKYv+K44sVe0EoY9wONZP5y1WVJzAw9DQL0KosJ+QGr7kQ
-izTqTO2G7I9yu9eTshzv6TyFDEiWt5EhWkzXwuaBCEELY8ExFjbLN4AsQVxvngBx
-jBxiv1zqs9j5tYg8M+e6
-=TBa5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+=jvLr
-----END PGP SIGNATURE-----
diff --git a/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch b/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch
new file mode 100644
index 000000000000..db0e111dab00
--- /dev/null
+++ b/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch
@@ -0,0 +1,131 @@
+From 95d646e5de252bfaa8b68c39d0f48e5d82965d41 Mon Sep 17 00:00:00 2001
+From: Eduardo Silva <edsiper@gmail.com>
+Date: Wed, 5 Jun 2013 12:18:39 -0600
+Subject: [PATCH] Fix #182: DoS bug on headers parser
+
+This patch fix the root cause for a problem described in Ticket #182,
+actually if a header is malformed like a Header Key without a value, the
+ToC parser used to continue processing the next header line.
+
+The solution applied is to improve the ToC generator where it adds extra
+validations for at least one colon and forcing each header line to contain
+a value or empty space, otherwise the server will trigger a Bad Request
+response to the client and close the connection.
+
+Signed-off-by: Eduardo Silva <edsiper@gmail.com>
+---
+ src/mk_method.c | 11 ++++++++++-
+ src/mk_request.c | 36 +++++++++++++++++++++++++++++-------
+ 2 files changed, 39 insertions(+), 8 deletions(-)
+
+diff --git a/src/mk_method.c b/src/mk_method.c
+index 4a0698a..b35e893 100644
+--- a/src/mk_method.c
++++ b/src/mk_method.c
+@@ -45,16 +45,25 @@
+
+ long int mk_method_validate_content_length(const char *body, int body_len)
+ {
++ int crlf;
+ struct headers_toc toc;
+ long int len;
+ mk_pointer tmp;
+
++ crlf = mk_string_search(body, MK_CRLF, MK_STR_INSENSITIVE);
++ if (crlf < 0) {
++ return -1;
++ }
++
+ /*
+ * obs: Table of Content (toc) is created when the full
+ * request has arrived, this function cannot be used from
+ * mk_http_pending_request().
+ */
+- mk_request_header_toc_parse(&toc, body, body_len);
++ if (mk_request_header_toc_parse(&toc, body + crlf + mk_crlf.len,
++ body_len - mk_crlf.len - crlf) < 0) {
++ return -1;
++ }
+ tmp = mk_request_header_get(&toc,
+ mk_rh_content_length.data,
+ mk_rh_content_length.len);
+diff --git a/src/mk_request.c b/src/mk_request.c
+index 5c1f07e..083aba8 100644
+--- a/src/mk_request.c
++++ b/src/mk_request.c
+@@ -121,13 +121,32 @@ static void mk_request_free(struct session_request *sr)
+
+ int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int len)
+ {
+- int i;
++ int i = 0;
++ int header_len;
++ int colon;
++ char *q;
+ char *p = (char *) data;
+- char *l = 0;
++ char *l = p;
+
+ toc->length = 0;
++
++ if (*p == '\r') goto out;
+ for (i = 0; l < (data + len) && p && i < MK_HEADERS_TOC_LEN; i++) {
+- l = strstr(p, MK_CRLF);
++ if (*p == '\r') goto out;
++
++ colon = -1;
++ for (q = p; *q != '\r'; ++q) {
++ if (*q == ':') {
++ colon = (q - p);
++ }
++ }
++
++ l = (q);
++ header_len = (l - p) - mk_crlf.len;
++ if ((colon == -1) || (header_len == colon) || (*++q != '\n')) {
++ return -1;
++ }
++
+ if (l) {
+ toc->rows[i].init = p;
+ toc->rows[i].end = l;
+@@ -140,6 +159,7 @@ int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int l
+ }
+ }
+
++ out:
+ return toc->length;
+ }
+
+@@ -237,13 +257,15 @@ static int mk_request_header_process(struct session_request *sr)
+
+ /* Creating Table of Content (index) for HTTP headers */
+ sr->headers_len = sr->body.len - (prot_end + mk_crlf.len);
+- mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len);
++ if (mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len) < 0) {
++ MK_TRACE("Invalid headers");
++ return -1;
++ }
+
+ /* Host */
+ host = mk_request_header_get(&sr->headers_toc,
+ mk_rh_host.data,
+ mk_rh_host.len);
+-
+ if (host.data) {
+ if ((pos_sep = mk_string_char_search_r(host.data, ':', host.len)) >= 0) {
+ /* TCP port should not be higher than 65535 */
+@@ -321,8 +343,8 @@ static int mk_request_header_process(struct session_request *sr)
+ sr->keep_alive = MK_TRUE;
+ sr->close_now = MK_FALSE;
+ }
+- else if(mk_string_search_n(sr->connection.data, "Close",
+- MK_STR_INSENSITIVE, sr->connection.len) >= 0) {
++ else if (mk_string_search_n(sr->connection.data, "Close",
++ MK_STR_INSENSITIVE, sr->connection.len) >= 0) {
+ sr->keep_alive = MK_FALSE;
+ sr->close_now = MK_TRUE;
+ }
+--
+1.7.4.1
+
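Review bot: The new inner scan in mk_request_header_toc_parse, `for (q = p; *q != '\r'; ++q)`, ends only when it finds a carriage return, so a header block whose last line lacks one is read past `data + len`; the removed `strstr(p, MK_CRLF)` at least stopped at a NUL. The following `*++q != '\n'` reads one more byte without an end check either. I would bound both, e.g. `for (q = p; q < data + len && *q != '\r'; ++q)` followed by `if (q + 1 >= data + len) return -1;` before the colon test. Separately, with `header_len = (l - p) - mk_crlf.len` the test `header_len == colon` appears to reject a line with exactly one byte after the colon (such as `A:b`) while accepting a bare `A:`, which does not look like the value check the patch description states, so it is worth confirming against the intended rule. The function body continues outside the embedded hunks, so the row-filling part of the loop is not visible here.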
diff --git a/www-servers/monkeyd/monkeyd-1.2.0.ebuild b/www-servers/monkeyd/monkeyd-1.2.0.ebuild
index 2d256a961977..4becd232e307 100644
--- a/www-servers/monkeyd/monkeyd-1.2.0.ebuild
+++ b/www-servers/monkeyd/monkeyd-1.2.0.ebuild
@@ -1,10 +1,10 @@
# Copyright 1999- Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.0.ebuild,v 1.4 2013/06/02 13:03:56 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.0.ebuild,v 1.5 2013/06/05 20:45:45 blueness Exp $
EAPI="5"
-inherit toolchain-funcs depend.php multilib
+inherit toolchain-funcs depend.php multilib eutils
MY_P="${PN/d}-${PV}"
DESCRIPTION="A small, fast, and scalable web server"
@@ -42,6 +42,9 @@ pkg_setup() {
}
src_prepare() {
+ # Fixes security issue, bug #472400, CVE-2013-3843
+ epatch "${FILESDIR}"/${PN}-fix-DoS-headers-parser.patch
+
# Don't install the banana script, we use ${FILESDIR}/monkeyd.initd instead
sed -i '/Creating bin\/banana/d' configure || die "No configure file"
sed -i '/create_banana_script bindir/d' configure || die "No configure file"