From ecb700385c453c8399aeef94599bf9803915f011 Mon Sep 17 00:00:00 2001
From: liweigang
Date: Mon, 29 Sep 2025 15:31:41 +0800
Subject: [PATCH] fix CVE-2025-1867
---
 backport-CVE-2025-1867.patch | 59 ++++++++++++++++++++++++++++++++++++
 libhv.spec | 6 +++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-1867.patch
diff --git a/backport-CVE-2025-1867.patch b/backport-CVE-2025-1867.patch
new file mode 100644
index 0000000..bffa062
--- /dev/null
+++ b/backport-CVE-2025-1867.patch
@@ -0,0 +1,59 @@
+From 4025ed5fc405422fcd6d85bd5b5db965c5c31883 Mon Sep 17 00:00:00 2001
+From: tabudz
+Date: Tue, 25 Feb 2025 15:20:34 +0800
+Subject: [PATCH 1/2] http: unset F_CHUNKED on new Transfer-Encoding
+
+Duplicate `Transfer-Encoding` header should be a treated as a single,
+but with original header values concatenated with a comma separator. In
+the light of this, even if the past `Transfer-Encoding` ended with
+`chunked`, we should be not let the `F_CHUNKED` to leak into the next
+header, because mere presence of another header indicates that `chunked`
+is not the last transfer-encoding token.
+
+CVE-ID: CVE-2020-8287
+PR-URL: nodejs-private/node-private#235
+Reviewed-By: Fedor Indutny
+---
+ http/http_parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/http/http_parser.c b/http/http_parser.c
+index 659cfb2c5..a53b6003c 100644
+--- a/http/http_parser.c
++++ b/http/http_parser.c
+@@ -1335,6 +1335,13 @@ size_t http_parser_execute (http_parser *parser,
+ parser->header_state = h_general;
+ } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+ parser->header_state = h_transfer_encoding;
++ /* Multiple `Transfer-Encoding` headers should be treated as
++ * one, but with values separate by a comma.
++ *
++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++ */
++ parser->flags &= ~F_CHUNKED;
++ }
+ }
+ break;
+
+
+From a754a9046dc969adbb93880aa32ed46d615e4c4a Mon Sep 17 00:00:00 2001
+From: tabudz <64760144+tabudz@users.noreply.github.com>
+Date: Tue, 25 Feb 2025 20:18:28 +0800
+Subject: [PATCH 2/2] Update http_parser.c
+
+---
+ http/http_parser.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/http/http_parser.c b/http/http_parser.c
+index a53b6003c..6084685da 100644
+--- a/http/http_parser.c
++++ b/http/http_parser.c
+@@ -1342,7 +1342,6 @@ size_t http_parser_execute (http_parser *parser,
+ */
+ parser->flags &= ~F_CHUNKED;
+ }
+- }
+ break;
+
+ /* upgrade */
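Review bot: Embedded patch 1/2 appears to add a surplus closing `}` after `parser->flags &= ~F_CHUNKED;`, which leaves `http_parser_execute` unbalanced until patch 2/2 removes it, so the fix only builds when both parts are applied together; squashing them into one hunk would make the backport easier to audit and bisect. The commit subject and file name say CVE-2025-1867 while the carried `CVE-ID:` trailer says CVE-2020-8287, so a header line such as `Reference: <upstream libhv commit or PR URL>` explaining how the two relate would help later auditors. No regression test accompanies the change; a parser test that feeds two `Transfer-Encoding` headers, the first ending in `chunked`, and asserts that `F_CHUNKED` is clear afterwards would pin the behaviour. The enclosing function starts and ends outside the hunk, so how the cleared flag is consumed later cannot be checked from here.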
diff --git a/libhv.spec b/libhv.spec
index 315ae68..d491842 100644
--- a/libhv.spec
+++ b/libhv.spec
@@ -1,6 +1,6 @@
 Name: libhv
 Version: 1.3.3
-Release: 1
+Release: 2
 Summary: Like libevent, libev, and libuv, libhv provides event-loop with non-blocking IO and timer, but simpler api and richer protocols
 License: BSD-3-Clause
@@ -8,6 +8,7 @@ URL: https://gitee.com/libhv/libhv
 Source0: https://gitee.com/libhv/libhv/archive/refs/tags/v%{version}.tar.gz
 Patch6001: support-lib64-path.patch
+Patch0001: backport-CVE-2025-1867.patch
 BuildRequires: gcc gcc-c++ openssl-devel glibc-devel procps-ng net-tools cmake
@@ -45,6 +46,9 @@ with %{name}.
 %{_libdir}/*.a
 %changelog
+* Mon Sep 29 2025 liweigang - 1.3.3-2
+- fix CVE-2025-1867
+
 * Tue Nov 12 2024 Funda Wang - 1.3.3-1
 - update to 1.3.3
-- Gitee
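Review bot: The second hunk's `Patch0001: backport-CVE-2025-1867.patch` only declares the patch, and no hunk in this diff touches `%prep`, so the fix reaches the build only if the spec applies patches automatically (for example `%autosetup -p1`) rather than through per-patch `%patch` lines. That is worth confirming before release, because `%prep` lies outside the visible hunks. The embedded diff uses `a/` and `b/` path prefixes, so it needs strip level 1. As a style point, `Patch0001` is declared after `Patch6001`; keeping the declarations in numeric order makes the application order obvious.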