From e02d61e159ee33df3b3bda700d342ef7787aa117 Mon Sep 17 00:00:00 2001
From: yangcheng1203
Date: Thu, 19 Jun 2025 10:36:34 +0800
Subject: [PATCH] add patch to fix CVE-2022-2048
---
 0004-fix-CVE-2022-2048.patch | 209 +++++++++++++++++++++++++++++++++++
 jetty.spec | 8 +-
 2 files changed, 216 insertions(+), 1 deletion(-)
 create mode 100644 0004-fix-CVE-2022-2048.patch
diff --git a/0004-fix-CVE-2022-2048.patch b/0004-fix-CVE-2022-2048.patch
new file mode 100644
index 00000000..caf11b8d
--- /dev/null
+++ b/0004-fix-CVE-2022-2048.patch
@@ -0,0 +1,209 @@
+From af828e7d4937ea20a4b896f4ad77fc3edd7ff2c4 Mon Sep 17 00:00:00 2001
+From: Simone Bordet
+Date: Wed, 11 May 2022 10:28:18 -0500
+Subject: [PATCH] Fixes #7935 - Review HTTP/2 error handling (#7938)
+
+Now returning error handling code as a Runnable.
+Updates after review.
+
+Signed-off-by: Simone Bordet
+Signed-off-by: Joakim Erdfelt
+---
+ .../http2/server/HttpChannelOverHTTP2.java | 14 +-
+ .../jetty/http2/server/BadURITest.java | 149 ++++++++++++++++++
+ 2 files changed, 155 insertions(+), 8 deletions(-)
+ create mode 100644 jetty-http2/http2-server/src/test/java/org/eclipse/jetty/http2/server/BadURITest.java
+
+diff --git a/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java b/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java
+index 3879a0747f53..345e2850c9ea 100644
+--- a/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java
++++ b/jetty-http2/http2-server/src/main/java/org/eclipse/jetty/http2/server/HttpChannelOverHTTP2.java
+@@ -143,13 +143,13 @@ public Runnable onRequest(HeadersFrame frame)
+ }
+ catch (BadMessageException x)
+ {
+- onBadMessage(x);
+- return null;
++ if (LOG.isDebugEnabled())
++ LOG.debug("onRequest", x);
++ return () -> onBadMessage(x);
+ }
+ catch (Throwable x)
+ {
+- onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+- return null;
++ return () -> onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+ }
+ }
+
+@@ -175,13 +175,11 @@ public Runnable onPushRequest(MetaData.Request request)
+ }
+ catch (BadMessageException x)
+ {
+- onBadMessage(x);
+- return null;
++ return () -> onBadMessage(x);
+ }
+ catch (Throwable x)
+ {
+- onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+- return null;
++ return () -> onBadMessage(new BadMessageException(HttpStatus.INTERNAL_SERVER_ERROR_500, null, x));
+ }
+ }
+
+diff --git a/jetty-http2/http2-server/src/test/java/org/eclipse/jetty/http2/server/BadURITest.java b/jetty-http2/http2-server/src/test/java/org/eclipse/jetty/http2/server/BadURITest.java
+new file mode 100644
+index 000000000000..5ff2dced496d
+--- /dev/null
++++ b/jetty-http2/http2-server/src/test/java/org/eclipse/jetty/http2/server/BadURITest.java
+@@ -0,0 +1,149 @@
++//
++// ========================================================================
++// Copyright (c) 1995-2022 Mort Bay Consulting Pty Ltd and others.
++//
++// This program and the accompanying materials are made available under the
++// terms of the Eclipse Public License v. 2.0 which is available at
++// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
++// which is available at https://www.apache.org/licenses/LICENSE-2.0.
++//
++// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
++// ========================================================================
++//
++
++package org.eclipse.jetty.http2.server;
++
++import java.io.OutputStream;
++import java.net.Socket;
++import java.nio.ByteBuffer;
++import java.util.HashMap;
++import java.util.concurrent.CountDownLatch;
++import java.util.concurrent.TimeUnit;
++import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
++
++import org.eclipse.jetty.http.HostPortHttpField;
++import org.eclipse.jetty.http.HttpFields;
++import org.eclipse.jetty.http.HttpMethod;
++import org.eclipse.jetty.http.HttpScheme;
++import org.eclipse.jetty.http.HttpVersion;
++import org.eclipse.jetty.http.MetaData;
++import org.eclipse.jetty.http2.frames.HeadersFrame;
++import org.eclipse.jetty.http2.frames.PrefaceFrame;
++import org.eclipse.jetty.http2.frames.SettingsFrame;
++import org.eclipse.jetty.http2.generator.Generator;
++import org.eclipse.jetty.io.ByteBufferPool;
++import org.eclipse.jetty.server.Handler;
++import org.eclipse.jetty.server.HttpConfiguration;
++import org.eclipse.jetty.server.Request;
++import org.eclipse.jetty.server.Server;
++import org.eclipse.jetty.server.ServerConnector;
++import org.eclipse.jetty.server.handler.AbstractHandler;
++import org.eclipse.jetty.server.handler.ErrorHandler;
++import org.eclipse.jetty.util.BufferUtil;
++import org.eclipse.jetty.util.component.LifeCycle;
++import org.junit.jupiter.api.AfterEach;
++import org.junit.jupiter.api.Test;
++
++import static org.junit.jupiter.api.Assertions.assertTrue;
++
++public class BadURITest
++{
++ private Server server;
++ private ServerConnector connector;
++
++ protected void startServer(Handler handler) throws Exception
++ {
++ server = new Server();
++ connector = new ServerConnector(server, 1, 1, new HTTP2CServerConnectionFactory(new HttpConfiguration()));
++ server.addConnector(connector);
++ server.setHandler(handler);
++ server.start();
++ }
++
++ @AfterEach
++ public void dispose()
++ {
++ LifeCycle.stop(server);
++ }
++
++ @Test
++ public void testBadURI() throws Exception
++ {
++ CountDownLatch handlerLatch = new CountDownLatch(1);
++ startServer(new AbstractHandler()
++ {
++ @Override
++ public void handle(String target, Request jettyRequest, HttpServletRequest request, HttpServletResponse response)
++ {
++ jettyRequest.setHandled(true);
++ handlerLatch.countDown();
++ }
++ });
++
++ // Remove existing ErrorHandlers.
++ for (ErrorHandler errorHandler : server.getBeans(ErrorHandler.class))
++ {
++ server.removeBean(errorHandler);
++ }
++
++ server.addBean(new ErrorHandler()
++ {
++ @Override
++ public ByteBuffer badMessageError(int status, String reason, HttpFields.Mutable fields)
++ {
++ // Return a very large buffer that will cause HTTP/2 flow control exhaustion and/or TCP congestion.
++ return ByteBuffer.allocateDirect(128 * 1024 * 1024);
++ }
++ });
++
++ ByteBufferPool byteBufferPool = connector.getByteBufferPool();
++ Generator generator = new Generator(byteBufferPool);
++
++ // Craft a request with a bad URI, it will not hit the Handler.
++ MetaData.Request metaData1 = new MetaData.Request(
++ HttpMethod.GET.asString(),
++ HttpScheme.HTTP.asString(),
++ new HostPortHttpField("localhost:" + connector.getLocalPort()),
++ // Use an ambiguous path parameter so that the URI is invalid.
++ "/foo/..;/bar",
++ HttpVersion.HTTP_2,
++ HttpFields.EMPTY,
++ -1
++ );
++ ByteBufferPool.Lease lease = new ByteBufferPool.Lease(byteBufferPool);
++ generator.control(lease, new PrefaceFrame());
++ generator.control(lease, new SettingsFrame(new HashMap<>(), false));
++ generator.control(lease, new HeadersFrame(1, metaData1, null, true));
++
++ try (Socket client = new Socket("localhost", connector.getLocalPort()))
++ {
++ OutputStream output = client.getOutputStream();
++ for (ByteBuffer buffer : lease.getByteBuffers())
++ {
++ output.write(BufferUtil.toArray(buffer));
++ }
++
++ // Wait for the first request be processed on the server.
++ Thread.sleep(1000);
++
++ // Send a second request and verify that it hits the Handler.
++ lease.recycle();
++ MetaData.Request metaData2 = new MetaData.Request(
++ HttpMethod.GET.asString(),
++ HttpScheme.HTTP.asString(),
++ new HostPortHttpField("localhost:" + connector.getLocalPort()),
++ "/valid",
++ HttpVersion.HTTP_2,
++ HttpFields.EMPTY,
++ -1
++ );
++ generator.control(lease, new HeadersFrame(3, metaData2, null, true));
++ for (ByteBuffer buffer : lease.getByteBuffers())
++ {
++ output.write(BufferUtil.toArray(buffer));
++ }
++ assertTrue(handlerLatch.await(5, TimeUnit.SECONDS));
++ }
++ }
++}
diff --git a/jetty.spec b/jetty.spec
index a7273970..44f98067 100644
--- a/jetty.spec
+++ b/jetty.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %bcond_without bootstrap
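Review bot: The added BadURITest.java inside the embedded patch is written against `HttpFields.Mutable`, `HttpFields.EMPTY` and a seven-argument `MetaData.Request` constructor, which to my knowledge belong to the Jetty 10+ API, while the jetty.spec changelog in this same commit packages 9.4.43. If test sources are compiled during the RPM build this section would likely not compile, so I would either drop the BadURITest.java section from the backport or adapt it to the 9.4 signatures. The two HttpChannelOverHTTP2 hunks now return `() -> onBadMessage(x)` instead of calling it inline, so the fix only takes effect if the callers of onRequest and onPushRequest run a non-null Runnable; those callers lie outside the hunk and should be checked against the 9.4.43 sources before this is treated as closing the CVE. In the test itself, `Thread.sleep(1000)` is the only synchronisation before the second request and the error handler allocates a 128 MiB direct buffer, which can be flaky or fail outright on a memory-constrained builder.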
@@ -76,6 +76,8 @@ Patch3: 0003-Fixes-11259-HTTP-2-connection-not-closed-after-idle-.patch Patch0004: backport-fix-001-CVE-2024-13009.patch # https://github.com/jetty/jetty.project/commit/e3fa9466633db6bf36e0eb0d17e3de166c788ede Patch0005: backport-fix-002-CVE-2024-13009.patch +# https://github.com/jetty/jetty.project/commit/af828e7d4937ea20a4b896f4ad77fc3edd7ff2c4 +Patch6: 0004-fix-CVE-2022-2048.patch %if %{with bootstrap} BuildRequires: javapackages-bootstrap @@ -606,6 +608,7 @@ License: (ASL 2.0 or EPL-1.0) and MIT %patch2 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 find . -name "*.?ar" -exec rm {} \; find . -name "*.class" -exec rm {} \; @@ -989,6 +992,9 @@ exit 0 %license LICENSE NOTICE.txt LICENSE-MIT %changelog +* Thu Jun 19 2025 yangcheng - 9.4.43-4 +- add patch to fix CVE-2022-2048 + * Mon May 26 2025 wenxin - 9.4.43-3 - add patch to fix CVE-2024-13009 -- Gitee
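Review bot: `Patch6: 0004-fix-CVE-2022-2048.patch` registers a file whose `0004-` prefix does not match its slot and repeats the number already carried by `Patch0004`, which makes it easy to misread which patch addresses which CVE when the spec is audited later. I would name the file after its slot or after the existing backport convention, for example `Patch6: backport-fix-CVE-2022-2048.patch`, and keep the upstream commit URL comment above it as it is. The section also mixes `Patch3`, `Patch0004`/`Patch0005` and `Patch6` numbering styles; settling on one would make the `%patch6 -p1` line in the following hunk easier to trace back to its source line.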