From f1661f1b0fb81bec5cc04891e8e8ebc4bdb99fd4 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Fri, 29 Oct 2021 15:27:52 +0800
Subject: [PATCH] fix CVE-2020-10719

(cherry picked from commit f13e276bba8a3d3c582835af1a8a8240447cc5cb)
---
 CVE-2020-10719.patch | 48 ++++++++++++++++++++++++++++++++++++++++++++
 undertow.spec | 7 ++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-10719.patch

diff --git a/CVE-2020-10719.patch b/CVE-2020-10719.patch
new file mode 100644
index 0000000..bce0b29
--- /dev/null
+++ b/CVE-2020-10719.patch
@@ -0,0 +1,48 @@
+From bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko
+Date: Tue, 25 Feb 2020 13:26:20 +0000
+Subject: [PATCH] [UNDERTOW-1708][JBEAP-18537] Fix overflow of chunk size
+
+---
+ core/src/main/java/io/undertow/UndertowMessages.java | 3 +++
+ core/src/main/java/io/undertow/conduits/ChunkReader.java | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/core/src/main/java/io/undertow/UndertowMessages.java b/core/src/main/java/io/undertow/UndertowMessages.java
+index fbde7d1..3aa4ad8 100644
+--- a/core/src/main/java/io/undertow/UndertowMessages.java
++++ b/core/src/main/java/io/undertow/UndertowMessages.java
+@@ -471,4 +471,7 @@ public interface UndertowMessages {
+
+ @Message(id = 147, value = "No host header in a HTTP/1.1 request")
+ IOException noHostInHttp11Request();
++
++ @Message(id = 195, value = "Chunk size too large")
++ IOException chunkSizeTooLarge();
+ }
+diff --git a/core/src/main/java/io/undertow/conduits/ChunkReader.java b/core/src/main/java/io/undertow/conduits/ChunkReader.java
+index 21ef002..e064f71 100644
+--- a/core/src/main/java/io/undertow/conduits/ChunkReader.java
++++ b/core/src/main/java/io/undertow/conduits/ChunkReader.java
+@@ -48,6 +48,8 @@ class ChunkReader {
+
+ private static final long MASK_COUNT = longBitMask(0, 56);
+
++ private static final long LIMIT = Long.MAX_VALUE >> 4;
++
+ private long state;
+ private final Attachable attachable;
+ private final AttachmentKey trailerAttachmentKey;
+@@ -103,6 +105,9 @@ class ChunkReader {
+ while (buf.hasRemaining()) {
+ byte b = buf.get();
+ if ((b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')) {
++ if (chunkRemaining > LIMIT) {
++ throw UndertowMessages.MESSAGES.chunkSizeTooLarge();
++ }
+ chunkRemaining <<= 4; //shift it 4 bytes and then add the next value to the end
+ chunkRemaining += Character.digit((char) b, 16);
+ } else {
+--
+2.23.0
+
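Review bot: In the embedded ChunkReader.java change, `LIMIT = Long.MAX_VALUE >> 4` only keeps `chunkRemaining` from overflowing a signed long, so the parsed chunk size can still grow to the full positive range of a long. The context line `MASK_COUNT = longBitMask(0, 56)` next to `private long state;` suggests the count is packed into the low bits of `state` alongside other bits; if so (the store is outside the hunk, so this needs confirming), a value wider than that mask would not fit the field. Bounding by the field width, `private static final long LIMIT = MASK_COUNT >> 4;`, closes that gap, and a regression test that feeds an over-long hex chunk-size line and expects `chunkSizeTooLarge()` would pin it. The enclosing read loop starts and ends outside the hunk.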
diff --git a/undertow.spec b/undertow.spec index daa0fe6..e370e2e 100644 --- a/undertow.spec +++ b/undertow.spec @@ -2,7 +2,7 @@ %global namedversion %{version}%{?namedreltag} Name: undertow Version: 1.4.0 -Release: 3 +Release: 4 Summary: Java web server using non-blocking IO License: ASL 2.0 URL: http://undertow.io/ @@ -11,6 +11,7 @@ Source0: https://github.com/undertow-io/undertow/archive/%{namedvers Patch0: undertow-1.4.0-jetty-alpn-api-1.1.0.patch Patch1: CVE-2020-10705.patch Patch2: CVE-2019-3888.patch +Patch3: CVE-2020-10719.patch BuildArch: noarch Epoch: 1 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api) @@ -36,6 +37,7 @@ This package contains the API documentation for %{name}. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 rm -rf mac-jdk-fix %pom_disable_module examples %pom_remove_plugin -r :maven-checkstyle-plugin @@ -64,6 +66,9 @@ done %license LICENSE.txt %changelog +* Wed Oct 29 2021 wangkai - 1.4.0-4 +- Fix CVE-2020-10719 + * Wed Oct 28 2021 wangkai - 1.4.0-3 - Fix CVE-2019-3888 -- Gitee