FreeBSD Bugzilla – Attachment 178297 Details for
Bug 215587
www/h2o: patch CVE-2016-7835 & add security/vuxml entry
v1 patch
file_215587.txt (text/plain), 10.55 KB, created by
Dave Cottlehuber
on 2016-12-26 19:01:09 UTC
Description:
v1 patch
Filename:
MIME Type:
Creator:
Dave Cottlehuber
Created:
2016-12-26 19:01:09 UTC
Size:
10.55 KB
>From 2aa5d1e73e381927f093bae6161c0a6ccf479ee3 Mon Sep 17 00:00:00 2001
>From: Dave Cottlehuber <dch@skunkwerks.at>
>Date: Mon, 26 Dec 2016 14:45:27 +0000
>Subject: [PATCH] www/h2o: patch for CVE-2016-7835
>
>- include https://github.com/h2o/h2o/commit/1b2b6d7.patch
>- 2.0.5 has too many changes to go into a backported security fix
>---
> security/vuxml/vuln.xml | 29 ++++++
> www/h2o/Makefile | 2 +-
> www/h2o/distinfo | 2 +-
> www/h2o/files/patch-lib_core_request.c | 145 +++++++++++++++++++++++++++++
> www/h2o/files/patch-lib_http2_connection.c | 10 ++
> 5 files changed, 186 insertions(+), 2 deletions(-)
> create mode 100644 www/h2o/files/patch-lib_core_request.c
> create mode 100644 www/h2o/files/patch-lib_http2_connection.c
>
>diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
>index 77abe12..3c9a450 100644
>--- a/security/vuxml/vuln.xml
>+++ b/security/vuxml/vuln.xml
>@@ -58,6 +58,35 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+ <vuln vid="d0b12952-cb86-11e6-906f-0cc47a065786">
>+ <topic>www/h2o -- Use-after-free vulnerability</topic>
>+ <affects>
>+ <package>
>+ <name>h2o</name>
>+ <range><lt>2.0.4_2</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+ <p>Kazuho Oku reports:</p>
>+ <blockquote cite="https://github.com/h2o/h2o/issues?q=label%3Avulnerability">
>+ <p>A use-after-free vulnerability exists in H2O up to and including
>+ version 2.0.4 / 2.1.0-beta3 that can be used by a remote attacker to
>+ mount DoS attacks and / or information theft.
>+ </p>
>+ </blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <url>https://github.com/h2o/h2o/releases/tag/v2.0.5</url>
>+ <url>https://github.com/h2o/h2o/issues/1144</url>
>+ </references>
>+ <dates>
>+ <discovery>2016-09-09</discovery>
>+ <entry>2016-12-21</entry>
>+ </dates>
>+ </vuln>
>+
> <vuln vid="c7656d4c-cb60-11e6-a9a5-b499baebfeaf">
> <topic>phpmailer -- Remote Code Execution</topic>
> <affects>
>diff --git a/www/h2o/Makefile b/www/h2o/Makefile
>index 7786227..5d8b422 100644
>--- a/www/h2o/Makefile
>+++ b/www/h2o/Makefile
>@@ -5,7 +5,7 @@ PORTNAME= h2o
> PORTVERSION= 2.0.4
> PORTREVISION= 1
> DISTVERSIONPREFIX= v
>-PORTREVISION= 1
>+PORTREVISION= 2
> CATEGORIES= www
>
> MAINTAINER= dch@skunkwerks.at
>diff --git a/www/h2o/distinfo b/www/h2o/distinfo
>index 272d628..f0e5174 100644
>--- a/www/h2o/distinfo
>+++ b/www/h2o/distinfo
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1473753131
>+TIMESTAMP = 1482767274
> SHA256 (h2o-h2o-v2.0.4_GH0.tar.gz) = c0efa18f0ffb0f68ee4b60a6ed1feb54c770458c59e48baa2d9d0906ef9c68c0
> SIZE (h2o-h2o-v2.0.4_GH0.tar.gz) = 15015392
>diff --git a/www/h2o/files/patch-lib_core_request.c b/www/h2o/files/patch-lib_core_request.c
>new file mode 100644
>index 0000000..789c2cd
>--- /dev/null
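Review bot: The `<references>` block of the new h2o entry in vuln.xml lists two URLs but no CVE identifier, although the commit subject names CVE-2016-7835; adding `<cvename>CVE-2016-7835</cvename>` would let the entry be cross-referenced by CVE id. The `<entry>` date of 2016-12-21 is earlier than the patch's own date of 2016-12-26, so it should probably be set to the day the entry is actually committed. The range `<lt>2.0.4_2</lt>` depends on the Makefile bump in this same patch, and that hunk's context lines show an earlier `PORTREVISION= 1` left in place above the changed one; removing the duplicate would make the effective revision unambiguous.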
>+++ b/www/h2o/files/patch-lib_core_request.c 
>@@ -0,0 +1,145 @@
>+--- lib/core/request.c.orig 2016-09-13 06:57:03 UTC
>++++ lib/core/request.c
>+@@ -31,21 +31,24 @@
>+
>+ #define INITIAL_INBUFSZ 8192
>+
>+-struct st_delegate_request_deferred_t {
>++struct st_deferred_request_action_t {
>++ h2o_timeout_entry_t timeout;
>+ h2o_req_t *req;
>++};
>++
>++struct st_delegate_request_deferred_t {
>++ struct st_deferred_request_action_t super;
>+ h2o_handler_t *current_handler;
>+- h2o_timeout_entry_t _timeout;
>+ };
>+
>+ struct st_reprocess_request_deferred_t {
>+- h2o_req_t *req;
>++ struct st_deferred_request_action_t super;
>+ h2o_iovec_t method;
>+ const h2o_url_scheme_t *scheme;
>+ h2o_iovec_t authority;
>+ h2o_iovec_t path;
>+ h2o_req_overrides_t *overrides;
>+ int is_delegated;
>+- h2o_timeout_entry_t _timeout;
>+ };
>+
>+ struct st_send_error_deferred_t {
>+@@ -57,6 +60,21 @@ struct st_send_error_deferred_t {
>+ h2o_timeout_entry_t _timeout;
>+ };
>+
>++static void on_deferred_action_dispose(void *_action)
>++{
>++ struct st_deferred_request_action_t *action = _action;
>++ if (h2o_timeout_is_linked(&action->timeout))
>++ h2o_timeout_unlink(&action->timeout);
>++}
>++
>++static struct st_deferred_request_action_t *create_deferred_action(h2o_req_t *req, size_t sz, h2o_timeout_cb cb)
>++{
>++ struct st_deferred_request_action_t *action = h2o_mem_alloc_shared(&req->pool, sz, on_deferred_action_dispose);
>++ *action = (struct st_deferred_request_action_t){{0, cb}, req};
>++ h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &action->timeout);
>++ return action;
>++}
>++
>+ static h2o_hostconf_t *find_hostconf(h2o_hostconf_t **hostconfs, h2o_iovec_t authority, uint16_t default_port)
>+ {
>+ h2o_iovec_t hostname;
>+@@ -205,6 +223,7 @@ void h2o_init_request(h2o_req_t *req, h2
>+ req->preferred_chunk_size = SIZE_MAX;
>+
>+ if (src != NULL) {
>++ size_t i;
>+ #define COPY(buf) \
>+ do { \
>+ req->buf.base = h2o_mem_alloc_pool(&req->pool, src->buf.len); \
>+@@ -216,9 +235,6 @@ void h2o_init_request(h2o_req_t *req, h2
>+ COPY(input.path);
>+ req->input.scheme = src->input.scheme;
>+ req->version = src->version;
>+- h2o_vector_reserve(&req->pool, &req->headers, src->headers.size);
>+- memcpy(req->headers.entries, src->headers.entries, sizeof(req->headers.entries[0]) * src->headers.size);
>+- req->headers.size = src->headers.size;
>+ req->entity = src->entity;
>+ req->http1_is_persistent = src->http1_is_persistent;
>+ req->timestamps = src->timestamps;
>+@@ -229,8 +245,19 @@ void h2o_init_request(h2o_req_t *req, h2
>+ req->upgrade.len = 0;
>+ }
>+ #undef COPY
>++ h2o_vector_reserve(&req->pool, &req->headers, src->headers.size);
>++ req->headers.size = src->headers.size;
>++ for (i = 0; i != src->headers.size; ++i) {
>++ h2o_header_t *dst_header = req->headers.entries + i, *src_header = src->headers.entries + i;
>++ if (h2o_iovec_is_token(src_header->name)) {
>++ dst_header->name = src_header->name;
>++ } else {
>++ dst_header->name = h2o_mem_alloc_pool(&req->pool, sizeof(*dst_header->name));
>++ *dst_header->name = h2o_strdup(&req->pool, src_header->name->base, src_header->name->len);
>++ }
>++ dst_header->value = h2o_strdup(&req->pool, src_header->value.base, src_header->value.len);
>++ }
>+ if (src->env.size != 0) {
>+- size_t i;
>+ h2o_vector_reserve(&req->pool, &req->env, src->env.size);
>+ req->env.size = src->env.size;
>+ for (i = 0; i != req->env.size; ++i)
>+@@ -276,16 +303,16 @@ void h2o_delegate_request(h2o_req_t *req
>+
>+ static void on_delegate_request_cb(h2o_timeout_entry_t *entry)
>+ {
>+- struct st_delegate_request_deferred_t *args = H2O_STRUCT_FROM_MEMBER(struct st_delegate_request_deferred_t, _timeout, entry);
>+- h2o_delegate_request(args->req, args->current_handler);
>++ struct st_delegate_request_deferred_t *args =
>++ H2O_STRUCT_FROM_MEMBER(struct st_delegate_request_deferred_t, super.timeout, entry);
>++ h2o_delegate_request(args->super.req, args->current_handler);
>+ }
>+
>+ void h2o_delegate_request_deferred(h2o_req_t *req, h2o_handler_t *current_handler)
>+ {
>+- struct st_delegate_request_deferred_t *args = h2o_mem_alloc_pool(&req->pool, sizeof(*args));
>+- *args = (struct st_delegate_request_deferred_t){req, current_handler};
>+- args->_timeout.cb = on_delegate_request_cb;
>+- h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &args->_timeout);
>++ struct st_delegate_request_deferred_t *args =
>++ (struct st_delegate_request_deferred_t *)create_deferred_action(req, sizeof(*args), on_delegate_request_cb);
>++ args->current_handler = current_handler;
>+ }
>+
>+ void h2o_reprocess_request(h2o_req_t *req, h2o_iovec_t method, const h2o_url_scheme_t *scheme, h2o_iovec_t authority,
>+@@ -335,17 +362,23 @@ void h2o_reprocess_request(h2o_req_t *re
>+
>+ static void on_reprocess_request_cb(h2o_timeout_entry_t *entry)
>+ {
>+- struct st_reprocess_request_deferred_t *args = H2O_STRUCT_FROM_MEMBER(struct st_reprocess_request_deferred_t, _timeout, entry);
>+- h2o_reprocess_request(args->req, args->method, args->scheme, args->authority, args->path, args->overrides, args->is_delegated);
>++ struct st_reprocess_request_deferred_t *args =
>++ H2O_STRUCT_FROM_MEMBER(struct st_reprocess_request_deferred_t, super.timeout, entry);
>++ h2o_reprocess_request(args->super.req, args->method, args->scheme, args->authority, args->path, args->overrides,
>++ args->is_delegated);
>+ }
>+
>+ void h2o_reprocess_request_deferred(h2o_req_t *req, h2o_iovec_t method, const h2o_url_scheme_t *scheme, h2o_iovec_t authority,
>+ h2o_iovec_t path, h2o_req_overrides_t *overrides, int is_delegated)
>+ {
>+- struct st_reprocess_request_deferred_t *args = h2o_mem_alloc_pool(&req->pool, sizeof(*args));
>+- *args = (struct st_reprocess_request_deferred_t){req, method, scheme, authority, path, overrides, is_delegated};
>+- args->_timeout.cb = on_reprocess_request_cb;
>+- h2o_timeout_link(req->conn->ctx->loop, &req->conn->ctx->zero_timeout, &args->_timeout);
>++ struct st_reprocess_request_deferred_t *args =
>++ (struct st_reprocess_request_deferred_t *)create_deferred_action(req, sizeof(*args), on_reprocess_request_cb);
>++ args->method = method;
>++ args->scheme = scheme;
>++ args->authority = authority;
>++ args->path = path;
>++ args->overrides = overrides;
>++ args->is_delegated = is_delegated;
>+ }
>+
>+ void h2o_start_response(h2o_req_t *req, h2o_generator_t *generator)
>diff --git a/www/h2o/files/patch-lib_http2_connection.c b/www/h2o/files/patch-lib_http2_connection.c
>new file mode 100644
>index 0000000..1c8cd28
>--- /dev/null
>+++ b/www/h2o/files/patch-lib_http2_connection.c
>@@ -0,0 +1,10 @@
>+--- lib/http2/connection.c.orig 2016-09-13 06:57:03 UTC
>++++ lib/http2/connection.c
>+@@ -1329,6 +1329,7 @@ int h2o_http2_handle_upgrade(h2o_req_t *
>+
>+ return 0;
>+ Error:
>++ h2o_linklist_unlink(&http2conn->_conns);
>+ free(http2conn);
>+ return -1;
>+ }
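Review bot: `create_deferred_action` in the request.c patch initialises only the embedded `st_deferred_request_action_t` and its callers cast the `sz`-byte allocation to their own struct, so it silently relies on `super` being the first member and on every caller filling in the remaining fields; nothing in the code states this. A comment above it such as `/* sz must cover a struct whose first member is st_deferred_request_action_t; the fields after it are left uninitialised for the caller to set */` would record the invariant, along with a line on `on_deferred_action_dispose` saying it unlinks the timer so the callback cannot fire on a released action. Separately, the context lines show `st_send_error_deferred_t` still carrying its own `_timeout` and not moved onto this helper; its allocation and link code is outside the hunks, so it is worth confirming that path cannot leave a linked timer pointing into released pool memory. Several of the touched functions, `h2o_init_request` among them, begin or end outside the inner hunks.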
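Review bot: The added `h2o_linklist_unlink(&http2conn->_conns);` under `Error:` in the connection.c patch runs unconditionally, and the hunk does not show whether every jump to that label happens after `_conns` has been linked. If an earlier failure path can reach the label first, the unlink would operate on a node that was never linked, just before `free(http2conn)`. Guarding it as `if (h2o_linklist_is_linked(&http2conn->_conns)) h2o_linklist_unlink(&http2conn->_conns);` would mirror the check the request.c patch uses for timers. The body of `h2o_http2_handle_upgrade` starts outside the hunk, so this needs checking against the full function.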