diff --git a/CVE-2021-41136.patch b/CVE-2021-41136.patch new file mode 100644 index 0000000000000000000000000000000000000000..c97c7984c92afa3b0b5c77223316cdc8b1531f1b --- /dev/null +++ b/CVE-2021-41136.patch @@ -0,0 +1,252 @@ +From acdc3ae571dfae0e045cf09a295280127db65c7f Mon Sep 17 00:00:00 2001 +From: Nate Berkopec +Date: Tue, 12 Oct 2021 08:38:40 -0600 +Subject: [PATCH] Merge pull request from GHSA-48w2-rm65-62xx + +* Fix HTTP request smuggling vulnerability + +See GHSA-48w2-rm65-62xx or CVE-2021-41136 for more info. + +* 4.3.9 release note + +* 5.5.1 release note + +* 5.5.1 +--- + ext/puma_http11/http11_parser.c | 17 +++- + ext/puma_http11/http11_parser_common.rl | 2 +- + .../org/jruby/puma/Http11Parser.java | 92 +++++++++---------- + test/test_http11.rb | 30 ++++++ + 4 files changed, 88 insertions(+), 53 deletions(-) + +diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c +index e8844a3..be40555 100644 +--- a/ext/puma_http11/http11_parser.c ++++ b/ext/puma_http11/http11_parser.c +@@ -428,10 +428,13 @@ st18: + case 18: + #line 428 "ext/puma_http11/http11_parser.c" + switch( (*p) ) { ++ case 9: goto tr25; + case 13: goto tr26; + case 32: goto tr27; + } +- goto tr25; ++ if ( 33 <= (*p) && (*p) <= 126 ) ++ goto tr25; ++ goto st0; + tr25: + #line 44 "ext/puma_http11/http11_parser.rl" + { MARK(mark, p); } +@@ -440,10 +443,14 @@ st19: + if ( ++p == pe ) + goto _test_eof19; + case 19: +-#line 442 "ext/puma_http11/http11_parser.c" +- if ( (*p) == 13 ) +- goto tr29; +- goto st19; ++#line 447 "ext/puma_http11/http11_parser.c" ++ switch( (*p) ) { ++ case 9: goto st19; ++ case 13: goto tr29; ++ } ++ if ( 32 <= (*p) && (*p) <= 126 ) ++ goto st19; ++ goto st0; + tr9: + #line 51 "ext/puma_http11/http11_parser.rl" + { +diff --git a/ext/puma_http11/http11_parser_common.rl b/ext/puma_http11/http11_parser_common.rl +index a4cf89d..567a786 100644 +--- a/ext/puma_http11/http11_parser_common.rl ++++ b/ext/puma_http11/http11_parser_common.rl +@@ -43,7 +43,7 @@ + + field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field; + +- field_value = any* >start_value %write_value; ++ field_value = ( print | "\t" )* >start_value %write_value; + + message_header = field_name ":" " "* field_value :> CRLF; + +diff --git a/ext/puma_http11/org/jruby/puma/Http11Parser.java b/ext/puma_http11/org/jruby/puma/Http11Parser.java +index 626ee81..92dd4ed 100644 +--- a/ext/puma_http11/org/jruby/puma/Http11Parser.java ++++ b/ext/puma_http11/org/jruby/puma/Http11Parser.java +@@ -32,9 +32,9 @@ private static short[] init__puma_parser_key_offsets_0() + { + return new short [] { + 0, 0, 8, 17, 27, 29, 30, 31, 32, 33, 34, 36, +- 39, 41, 44, 45, 61, 62, 78, 80, 81, 89, 97, 107, +- 115, 125, 134, 142, 150, 159, 168, 177, 186, 195, 204, 213, +- 222, 231, 240, 249, 258, 267, 276, 285, 294, 303, 312, 313 ++ 39, 41, 44, 45, 61, 62, 78, 83, 87, 95, 103, 113, ++ 121, 130, 138, 146, 155, 164, 173, 182, 191, 200, 209, 218, ++ 227, 236, 245, 254, 263, 272, 281, 290, 299, 308, 309 + }; + } + +@@ -50,27 +50,26 @@ private static char[] init__puma_parser_trans_keys_0() + 46, 48, 57, 48, 57, 13, 48, 57, 10, 13, 33, 124, + 126, 35, 39, 42, 43, 45, 46, 48, 57, 65, 90, 94, + 122, 10, 33, 58, 124, 126, 35, 39, 42, 43, 45, 46, +- 48, 57, 65, 90, 94, 122, 13, 32, 13, 32, 60, 62, +- 127, 0, 31, 34, 35, 32, 60, 62, 127, 0, 31, 34, +- 35, 43, 58, 45, 46, 48, 57, 65, 90, 97, 122, 32, +- 34, 35, 60, 62, 127, 0, 31, 32, 34, 35, 59, 60, +- 62, 63, 127, 0, 31, 32, 34, 35, 60, 62, 63, 127, +- 0, 31, 32, 34, 35, 60, 62, 127, 0, 31, 32, 34, +- 35, 60, 62, 127, 0, 31, 32, 36, 95, 45, 46, 48, +- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, +- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, +- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, +- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, +- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, +- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, +- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, +- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, +- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, +- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, +- 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, +- 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, +- 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, +- 32, 0 ++ 48, 57, 65, 90, 94, 122, 9, 13, 32, 33, 126, 9, ++ 13, 32, 126, 32, 60, 62, 127, 0, 31, 34, 35, 32, ++ 60, 62, 127, 0, 31, 34, 35, 43, 58, 45, 46, 48, ++ 57, 65, 90, 97, 122, 32, 34, 35, 60, 62, 127, 0, ++ 31, 32, 34, 35, 60, 62, 63, 127, 0, 31, 32, 34, ++ 35, 60, 62, 127, 0, 31, 32, 34, 35, 60, 62, 127, ++ 0, 31, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, ++ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, ++ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, ++ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, ++ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, ++ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, ++ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, ++ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, ++ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, ++ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, ++ 36, 95, 45, 46, 48, 57, 65, 90, 32, 36, 95, 45, ++ 46, 48, 57, 65, 90, 32, 36, 95, 45, 46, 48, 57, ++ 65, 90, 32, 36, 95, 45, 46, 48, 57, 65, 90, 32, ++ 36, 95, 45, 46, 48, 57, 65, 90, 32, 0 + }; + } + +@@ -81,7 +80,7 @@ private static byte[] init__puma_parser_single_lengths_0() + { + return new byte [] { + 0, 2, 3, 4, 2, 1, 1, 1, 1, 1, 0, 1, +- 0, 1, 1, 4, 1, 4, 2, 1, 4, 4, 2, 6, ++ 0, 1, 1, 4, 1, 4, 3, 2, 4, 4, 2, 6, + 8, 7, 6, 6, 3, 3, 3, 3, 3, 3, 3, 3, + 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 0 + }; +@@ -94,7 +93,7 @@ private static byte[] init__puma_parser_range_lengths_0() + { + return new byte [] { + 0, 3, 3, 3, 0, 0, 0, 0, 0, 0, 1, 1, +- 1, 1, 0, 6, 0, 6, 0, 0, 2, 2, 4, 1, ++ 1, 1, 0, 6, 0, 6, 1, 1, 2, 2, 4, 1, + 1, 1, 1, 1, 3, 3, 3, 3, 3, 3, 3, 3, + 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0 + }; +@@ -107,9 +106,9 @@ private static short[] init__puma_parser_index_offsets_0() + { + return new short [] { + 0, 0, 6, 13, 21, 24, 26, 28, 30, 32, 34, 36, +- 39, 41, 44, 46, 57, 59, 70, 73, 75, 82, 89, 96, +- 104, 114, 123, 131, 139, 146, 153, 160, 167, 174, 181, 188, +- 195, 202, 209, 216, 223, 230, 237, 244, 251, 258, 265, 267 ++ 39, 41, 44, 46, 57, 59, 70, 75, 79, 86, 93, 100, ++ 108, 117, 125, 133, 140, 147, 154, 161, 168, 175, 182, 189, ++ 196, 203, 210, 217, 224, 231, 238, 245, 252, 259, 261 + }; + } + +@@ -124,24 +123,23 @@ private static byte[] init__puma_parser_indicies_0() + 10, 1, 11, 1, 12, 1, 13, 1, 14, 1, 15, 1, + 16, 15, 1, 17, 1, 18, 17, 1, 19, 1, 20, 21, + 21, 21, 21, 21, 21, 21, 21, 21, 1, 22, 1, 23, +- 24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 26, 27, +- 25, 29, 28, 30, 1, 1, 1, 1, 1, 31, 32, 1, +- 1, 1, 1, 1, 33, 34, 35, 34, 34, 34, 34, 1, +- 8, 1, 9, 1, 1, 1, 1, 35, 36, 1, 38, 39, +- 1, 1, 40, 1, 1, 37, 8, 1, 9, 1, 1, 42, +- 1, 1, 41, 43, 1, 45, 1, 1, 1, 1, 44, 46, +- 1, 48, 1, 1, 1, 1, 47, 2, 49, 49, 49, 49, +- 49, 1, 2, 50, 50, 50, 50, 50, 1, 2, 51, 51, +- 51, 51, 51, 1, 2, 52, 52, 52, 52, 52, 1, 2, +- 53, 53, 53, 53, 53, 1, 2, 54, 54, 54, 54, 54, +- 1, 2, 55, 55, 55, 55, 55, 1, 2, 56, 56, 56, +- 56, 56, 1, 2, 57, 57, 57, 57, 57, 1, 2, 58, +- 58, 58, 58, 58, 1, 2, 59, 59, 59, 59, 59, 1, +- 2, 60, 60, 60, 60, 60, 1, 2, 61, 61, 61, 61, +- 61, 1, 2, 62, 62, 62, 62, 62, 1, 2, 63, 63, +- 63, 63, 63, 1, 2, 64, 64, 64, 64, 64, 1, 2, +- 65, 65, 65, 65, 65, 1, 2, 66, 66, 66, 66, 66, +- 1, 2, 1, 1, 0 ++ 24, 23, 23, 23, 23, 23, 23, 23, 23, 1, 25, 26, ++ 27, 25, 1, 28, 29, 28, 1, 30, 1, 1, 1, 1, ++ 1, 31, 32, 1, 1, 1, 1, 1, 33, 34, 35, 34, ++ 34, 34, 34, 1, 8, 1, 9, 1, 1, 1, 1, 35, ++ 36, 1, 38, 1, 1, 39, 1, 1, 37, 40, 1, 42, ++ 1, 1, 1, 1, 41, 43, 1, 45, 1, 1, 1, 1, ++ 44, 2, 46, 46, 46, 46, 46, 1, 2, 47, 47, 47, ++ 47, 47, 1, 2, 48, 48, 48, 48, 48, 1, 2, 49, ++ 49, 49, 49, 49, 1, 2, 50, 50, 50, 50, 50, 1, ++ 2, 51, 51, 51, 51, 51, 1, 2, 52, 52, 52, 52, ++ 52, 1, 2, 53, 53, 53, 53, 53, 1, 2, 54, 54, ++ 54, 54, 54, 1, 2, 55, 55, 55, 55, 55, 1, 2, ++ 56, 56, 56, 56, 56, 1, 2, 57, 57, 57, 57, 57, ++ 1, 2, 58, 58, 58, 58, 58, 1, 2, 59, 59, 59, ++ 59, 59, 1, 2, 60, 60, 60, 60, 60, 1, 2, 61, ++ 61, 61, 61, 61, 1, 2, 62, 62, 62, 62, 62, 1, ++ 2, 63, 63, 63, 63, 63, 1, 2, 1, 1, 0 + }; + } + +diff --git a/test/test_http11.rb b/test/test_http11.rb +index 2a30047..79a8b75 100644 +--- a/test/test_http11.rb ++++ b/test/test_http11.rb +@@ -183,4 +183,34 @@ class Http11ParserTest < Minitest::Test + end + + end ++ ++ def test_newline_smuggler ++ parser = Puma::HttpParser.new ++ req = {} ++ http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: x\nDummy2: y\r\n\r\n" ++ ++ parser.execute(req, http, 0) rescue nil # We test the raise elsewhere. ++ ++ assert parser.error?, "Parser SHOULD have error" ++ end ++ ++ def test_newline_smuggler_two ++ parser = Puma::HttpParser.new ++ req = {} ++ http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: x\r\nDummy: y\nDummy2: z\r\n\r\n" ++ ++ parser.execute(req, http, 0) rescue nil ++ ++ assert parser.error?, "Parser SHOULD have error" ++ end ++ ++ def test_htab_in_header_val ++ parser = Puma::HttpParser.new ++ req = {} ++ http = "GET / HTTP/1.1\r\nHost: localhost:8080\r\nDummy: Valid\tValue\r\n\r\n" ++ ++ parser.execute(req, http, 0) ++ ++ assert_equal "Valid\tValue", req['HTTP_DUMMY'] ++ end + end +-- +2.30.0 + diff --git a/CVE-2022-23634.patch b/CVE-2022-23634.patch new file mode 100644 index 0000000000000000000000000000000000000000..82039f4d34456120e70802473cc2f802d5fe354a --- /dev/null +++ b/CVE-2022-23634.patch @@ -0,0 +1,47 @@ +From b70f451fe8abc0cff192c065d549778452e155bb Mon Sep 17 00:00:00 2001 +From: Jean Boussier +Date: Fri, 11 Feb 2022 15:58:08 +0100 +Subject: [PATCH] Ensure `close` is called on the response body no matter +what + +Another fallout from https://github.com/puma/puma/pull/2809 is that +in some cases the `res_body.close` wasn't called because some previous +code +raised. + +For Rails apps it means CurrentAttributes and a few other important +states aren't reset properly. + +This is being improved on the Rails side too, but I believe it would +be good to harden this on the puma side as well. + +--- + lib/puma/server.rb | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/puma/server.rb b/lib/puma/server.rb +index 4ce0c74..7871c91 100644 +--- a/lib/puma/server.rb ++++ b/lib/puma/server.rb +@@ -866,11 +866,14 @@ module Puma + end + + ensure +- uncork_socket client ++ begin ++ uncork_socket client + +- body.close +- req.tempfile.unlink if req.tempfile +- res_body.close if res_body.respond_to? :close ++ body.close ++ req.tempfile.unlink if req.tempfile ++ ensure ++ res_body.close if res_body.respond_to? :close ++ end + + after_reply.each { |o| o.call } + end +-- +2.30.0 + diff --git a/rubygem-puma.spec b/rubygem-puma.spec index 82154e039855f8bbc7d67a2f49bc7444fcf714e1..0440dfa2df0f9783a6d32ec13fc718835d672efe 100644 --- a/rubygem-puma.spec +++ b/rubygem-puma.spec @@ -2,7 +2,7 @@ %bcond_with ragel Name: rubygem-%{gem_name} Version: 3.12.6 -Release: 2 +Release: 3 Summary: A simple, fast, threaded, and highly concurrent HTTP 1.1 server License: BSD URL: http://puma.io @@ -12,6 +12,10 @@ Source1: https://github.com/puma/%{gem_name}/archive/v%{version}.tar # https://fedoraproject.org/wiki/Packaging:CryptoPolicies Patch0: rubygem-puma-3.6.0-fedora-crypto-policy-cipher-list.patch Patch1: CVE-2021-29509.patch +# https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f +Patch2: CVE-2021-41136.patch +# https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb +Patch3: CVE-2022-23634.patch BuildRequires: openssl-devel ruby(release) rubygems-devel ruby-devel rubygem(rack) BuildRequires: rubygem(minitest) @@ -34,6 +38,8 @@ Documentation for %{name}. %setup -q -n %{gem_name}-%{version} -b 1 %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %if %{with ragel} rm -f ext/puma_http11/http11_parser.c @@ -100,6 +106,9 @@ popd %{gem_instdir}/tools %changelog +* Tue Dec 19 2023 yaoxin - 3.12.6-3 +- Fix CVE-2021-41136 and CVE-2022-23634 + * Mon May 31 2021 wangyue - 3.12.6-2 - Fix CVE-2021-29509