From fc36fc9927d7c45ba83d2429c955743a56e4fc82 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Thu, 5 Nov 2020 17:33:26 +0800
Subject: [PATCH] Fix CVE-2018-11798 and CVE-2018-1320

---
 CVE-2018-11798.patch | 63 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2018-1320.patch | 32 ++++++++++++++++++++++
 thrift.spec | 8 +++++-
 3 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2018-11798.patch
 create mode 100644 CVE-2018-1320.patch

diff --git a/CVE-2018-11798.patch b/CVE-2018-11798.patch
new file mode 100644
index 0000000..65d7fdf
--- /dev/null
+++ b/CVE-2018-11798.patch
@@ -0,0 +1,63 @@
+From 54356a41474cccb0e2e2a7fc4b646812acadb7ec Mon Sep 17 00:00:00 2001
+From: jfarrell
+Date: Thu, 4 Oct 2018 23:00:28 -0400
+Subject: [PATCH] Thrift-4647: Node.js Filesever webroot fixed path
+
+Updates the node.js fileserver to have a fixed based webroot which can
+not be escaped by end users.
+---
+ lib/js/test/server_http.js | 2 +-
+ lib/js/test/server_https.js | 2 +-
+ lib/nodejs/lib/thrift/web_server.js | 10 +++++++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js
+index e195e80..c516409 100644
+--- a/lib/js/test/server_http.js
++++ b/lib/js/test/server_http.js
+@@ -36,7 +36,7 @@ var ThriftTestSvcOpt = {
+ };
+ 
+ var ThriftWebServerOptions = {
+- files: ".",
++ files: __dirname,
+ services: {
+ "/service": ThriftTestSvcOpt
+ }
+diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js
+index af1745b..9499b09 100644
+--- a/lib/js/test/server_https.js
++++ b/lib/js/test/server_https.js
+@@ -40,7 +40,7 @@ var ThriftTestSvcOpt = {
+ };
+ 
+ var ThriftWebServerOptions = {
+- files: ".",
++ files: __dirname,
+ tls: {
+ key: fs.readFileSync("../../../test/keys/server.key"),
+ cert: fs.readFileSync("../../../test/keys/server.crt")
+diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js
+index 37159ea..47e8a9f 100644
+--- a/lib/nodejs/lib/thrift/web_server.js
++++ b/lib/nodejs/lib/thrift/web_server.js
+@@ -414,7 +414,15 @@ exports.createWebServer = function(options) {
+ 
+ //Locate the file requested and send it
+ var uri = url.parse(request.url).pathname;
+- var filename = path.join(baseDir, uri);
++ var filename = path.resolve(path.join(baseDir, uri));
++
++ //Ensure the basedir path is not able to be escaped
++ if (filename.indexOf(baseDir) != 0) {
++ response.writeHead(400, "Invalid request path", {});
++ response.end();
++ return;
++ }
++
+ fs.exists(filename, function(exists) {
+ if(!exists) {
+ response.writeHead(404);
+-- 
+2.23.0
+
diff --git a/CVE-2018-1320.patch b/CVE-2018-1320.patch
new file mode 100644
index 0000000..5021496
--- /dev/null
+++ b/CVE-2018-1320.patch
@@ -0,0 +1,32 @@
+From d973409661f820d80d72c0034d06a12348c8705e Mon Sep 17 00:00:00 2001
+From: "James E. King III"
+Date: Mon, 5 Mar 2018 11:34:21 -0500
+Subject: [PATCH] THRIFT-4506: fix use of assert for correctness in Java SASL
+negotiation Client: java
+
+---
+ lib/java/src/org/apache/thrift/transport/TSaslTransport.java | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/lib/java/src/org/apache/thrift/transport/TSaslTransport.java b/lib/java/src/org/apache/thrift/transport/TSaslTransport.java
+index a94d9a7760..bbd3f9a34a 100644
+--- a/lib/java/src/org/apache/thrift/transport/TSaslTransport.java
++++ b/lib/java/src/org/apache/thrift/transport/TSaslTransport.java
+@@ -287,7 +287,7 @@ public void open() throws TTransportException {
+ if (message.status == NegotiationStatus.COMPLETE &&
+ getRole() == SaslRole.CLIENT) {
+ LOGGER.debug("{}: All done!", getRole());
+- break;
++ continue;
+ }
+ 
+ sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
+@@ -295,8 +295,6 @@ public void open() throws TTransportException {
+ }
+ LOGGER.debug("{}: Main negotiation loop complete", getRole());
+ 
+- assert sasl.isComplete();
+-
+ // If we're the client, and we're complete, but the server isn't
+ // complete yet, we need to wait for its response. This will occur
+ // with ANONYMOUS auth, for example, where we send an initial response
diff --git a/thrift.spec b/thrift.spec
index 30acae9..1cde6b9 100644
--- a/thrift.spec
+++ b/thrift.spec
@@ -30,7 +30,7 @@
 %global golang_configure --without-go
 Name: thrift
 Version: 0.10.0
-Release: 1
+Release: 2
 Summary: Software framework for cross-language services development
 License: ASL 2.0 and BSD and zlib
 URL: https://thrift.apache.org/
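Review bot: The new guard `if (filename.indexOf(baseDir) != 0)` in web_server.js is a bare string-prefix test, so a sibling directory whose name merely starts with the webroot (a webroot of `/srv/www` still admits `/srv/www-private/secret`) passes it, and because `filename` goes through `path.resolve` while `baseDir` does not, a relative `files` option (the `"."` the two test servers used before this backport) makes every request fail with 400 instead of being served. Resolving the root once and comparing on a separator boundary closes both gaps: compute `var root = path.resolve(baseDir);` where `baseDir` is set, then `var filename = path.resolve(path.join(root, uri));` and `if (filename !== root && filename.indexOf(root + path.sep) !== 0) {`. The request handler inside `exports.createWebServer` starts and ends outside this hunk and the assignment of `baseDir` is not visible, so where `root` is computed has to be checked against the surrounding code.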
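Review bot: Turning `break` into `continue` in TSaslTransport.open() stops the client from trusting a server COMPLETE by itself, but when the client mechanism has not finished the next iteration presumably goes back into `receiveSaslMessage()` and waits for a message a server that already declared itself done will never send, so a broken or malicious server now causes a hang rather than an error, and the removed `assert sasl.isComplete()` was the only explicit check with nothing put in its place. An explicit check inside the COMPLETE-and-client branch gives a clean failure instead: `if (!sasl.isComplete()) { throw new TTransportException("Server sent SASL COMPLETE before client negotiation finished"); }` immediately before `LOGGER.debug("{}: All done!", getRole());`, on the assumption that `sasl.evaluateChallengeOrResponse` has already consumed the server's final payload above this branch, which the hunk does not show. The enclosing `open()` and its negotiation loop begin and end outside both hunks, so the loop condition is inferred here rather than seen.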
@@ -44,6 +44,9 @@ Patch2: configure-java-prefix.patch
 Patch3: fix-ppc64le-builds.patch
 Patch4: THRIFT-4177.patch
 Patch5: python3.patch
+Patch6: CVE-2018-11798.patch
+Patch7: CVE-2018-1320.patch
+
 BuildRequires: ant >= 1.7 autoconf automake bison boost-devel flex flex-devel gcc-c++
 BuildRequires: glib2-devel libevent-devel libstdc++-devel libtool openssl-devel qt-devel
 BuildRequires: texlive zlib-devel
@@ -361,5 +364,8 @@ find %{buildroot} -name \*.py -exec grep -q /usr/bin/env {} \; -print | xargs -r
 %doc LICENSE NOTICE
 
 %changelog
+* Thu Nov 05 2020 wangyue - 0.10.0-2
+- Fix CVE-2018-11798 and CVE-2018-1320.
+
 * Tue Aug 18 2020 yaokai - 0.10.0-1
 - package init
-- Gitee
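Review bot: Patch6 and Patch7 are declared here but the diff adds no matching `%patch6 -p1` / `%patch7 -p1` lines, so unless the `%prep` section (outside this hunk) uses `%autosetup` or `%autopatch`, neither CVE patch is ever applied and 0.10.0-2 ships the same code as 0.10.0-1 while the changelog claims the fixes. If `%prep` applies the existing patches with explicit `%patchN` lines, add `%patch6 -p1` and `%patch7 -p1` after the `%patch5` line; both embedded patches use `a/`- and `b/`-prefixed paths, so `-p1` is the right strip level. Confirming with `rpm -qp --changelog` is not enough here; a build log showing both patches being applied, or a grep of the unpacked tree for `Invalid request path`, is what proves it.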