authorHans de Graaff <graaff@gentoo.org>2020-07-19 11:29:11 +0200
committerHans de Graaff <graaff@gentoo.org>2020-07-19 11:29:27 +0200
commit866b1c92b435b1c6d03ed2e4dfb664a073ad089c (patch)
tree76c8c8c536be51fc61baa628439e4948ba1f0b7f
parentdev-cpp/glibmm: fix tests with network-sandbox (diff)
www-servers/puma: backport CVE-2020-11077 fixes
Upstream created releases but did not tag them, so we cannot use them for our ebuilds. Backport the patches to address the security issue. Bug: https://bugs.gentoo.org/724800 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Hans de Graaff <graaff@gentoo.org>
-rw-r--r--www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch114
-rw-r--r--www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch115
-rw-r--r--www-servers/puma/puma-3.12.5-r1.ebuild71
-rw-r--r--www-servers/puma/puma-4.3.4-r1.ebuild75
4 files changed, 375 insertions, 0 deletions
diff --git a/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch b/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch
new file mode 100644
index 00000000000..4d26da28eee
--- /dev/null
+++ b/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch
@@ -0,0 +1,114 @@
+From 089df0727ffab1b3b69f2e6da40597c52e346013 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:20:10 -0700
+Subject: [PATCH] Reduce ambiguity of headers
+
+---
+ ext/puma_http11/http11_parser.c | 4 +++-
+ ext/puma_http11/http11_parser.rl | 4 +++-
+ lib/puma/server.rb | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c
+index 453f8cd40..e8844a37e 100644
+--- a/ext/puma_http11/http11_parser.c
++++ b/ext/puma_http11/http11_parser.c
+@@ -14,12 +14,14 @@
+
+ /*
+ * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+ */
+ static void snake_upcase_char(char *c)
+ {
+ if (*c >= 'a' && *c <= 'z')
+ *c &= ~0x20;
++ else if (*c == '_')
++ *c = ',';
+ else if (*c == '-')
+ *c = '_';
+ }
+diff --git a/ext/puma_http11/http11_parser.rl b/ext/puma_http11/http11_parser.rl
+index 880c1d40b..62452ba7c 100644
+--- a/ext/puma_http11/http11_parser.rl
++++ b/ext/puma_http11/http11_parser.rl
+@@ -12,12 +12,14 @@
+
+ /*
+ * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+ */
+ static void snake_upcase_char(char *c)
+ {
+ if (*c >= 'a' && *c <= 'z')
+ *c &= ~0x20;
++ else if (*c == '_')
++ *c = ',';
+ else if (*c == '-')
+ *c = '_';
+ }
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index d870b383f..5b2cd94df 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -665,6 +665,37 @@ def handle_request(req, lines)
+ }
+ end
+
++ # Fixup any headers with , in the name to have _ now. We emit
++ # headers with , in them during the parse phase to avoid ambiguity
++ # with the - to _ conversion for critical headers. But here for
++ # compatibility, we'll convert them back. This code is written to
++ # avoid allocation in the common case (ie there are no headers
++ # with , in their names), that's why it has the extra conditionals.
++
++ to_delete = nil
++ to_add = nil
++
++ env.each do |k,v|
++ if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
++ if to_delete
++ to_delete << k
++ else
++ to_delete = [k]
++ end
++
++ unless to_add
++ to_add = {}
++ end
++
++ to_add[k.gsub(",", "_")] = v
++ end
++ end
++
++ if to_delete
++ to_delete.each { |k| env.delete(k) }
++ env.merge! to_add
++ end
++
+ # A rack extension. If the app writes #call'ables to this
+ # array, we will invoke them when the request is done.
+ #
+From 0a3c09a0603857f088571d0eb69e0b9adee0fed1 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:34:06 -0700
+Subject: [PATCH] Adjust test to match real world value
+
+---
+ test/test_puma_server.rb | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
+index 9d40cd5f3..375eca399 100644
+--- a/test/test_puma_server.rb
++++ b/test/test_puma_server.rb
+@@ -137,6 +137,7 @@ def test_default_server_port
+
+ req = Net::HTTP::Get.new("/")
+ req['HOST'] = "example.com"
++ req['X-FORWARDED-PROTO'] = "https,http"
+
+ res = Net::HTTP.start @host, @server.connected_port do |http|
+ http.request(req)
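Review bot: The compatibility fixup in server.rb (the `env.each` loop that ends in `env.merge! to_add`) folds every comma-form key except `HTTP_TRANSFER,ENCODING` back onto its underscore-form name, so for every other header the pre-fix ambiguity is preserved, and because `to_add` is merged last, an `X_Forwarded_For`-style spelling silently replaces the value of a legitimate `X-Forwarded-For` sent in the same request. Deployments that rely on a front proxy to strip or set trust headers by their dashed name therefore remain exposed for those headers; only Transfer-Encoding is disambiguated by this patch. That is upstream's choice and not something the backport should alter, but the ebuild or the patch header would benefit from a one-line caveat such as `# Only Transfer-Encoding is disambiguated; other underscore-spelled headers still collapse onto the dashed name (underscore form wins).` The `handle_request` body that this loop lives in starts and ends outside the quoted hunk.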
diff --git a/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch b/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch
new file mode 100644
index 00000000000..673641a9162
--- /dev/null
+++ b/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch
@@ -0,0 +1,115 @@
+From f3b409c565d67557c04ad37c10a42dd8cad0b655 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:20:10 -0700
+Subject: [PATCH] Reduce ambiguity of headers
+
+---
+ ext/puma_http11/http11_parser.c | 4 +++-
+ ext/puma_http11/http11_parser.rl | 4 +++-
+ lib/puma/server.rb | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c
+index 0b5fdabc3..bf1dd89ab 100644
+--- a/ext/puma_http11/http11_parser.c
++++ b/ext/puma_http11/http11_parser.c
+@@ -14,12 +14,14 @@
+
+ /*
+ * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+ */
+ static void snake_upcase_char(char *c)
+ {
+ if (*c >= 'a' && *c <= 'z')
+ *c &= ~0x20;
++ else if (*c == '_')
++ *c = ',';
+ else if (*c == '-')
+ *c = '_';
+ }
+diff --git a/ext/puma_http11/http11_parser.rl b/ext/puma_http11/http11_parser.rl
+index 880c1d40b..62452ba7c 100644
+--- a/ext/puma_http11/http11_parser.rl
++++ b/ext/puma_http11/http11_parser.rl
+@@ -12,12 +12,14 @@
+
+ /*
+ * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+ */
+ static void snake_upcase_char(char *c)
+ {
+ if (*c >= 'a' && *c <= 'z')
+ *c &= ~0x20;
++ else if (*c == '_')
++ *c = ',';
+ else if (*c == '-')
+ *c = '_';
+ }
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index b8e8a7b48..0e123687c 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -672,6 +672,37 @@ def handle_request(req, lines)
+ }
+ end
+
++ # Fixup any headers with , in the name to have _ now. We emit
++ # headers with , in them during the parse phase to avoid ambiguity
++ # with the - to _ conversion for critical headers. But here for
++ # compatibility, we'll convert them back. This code is written to
++ # avoid allocation in the common case (ie there are no headers
++ # with , in their names), that's why it has the extra conditionals.
++
++ to_delete = nil
++ to_add = nil
++
++ env.each do |k,v|
++ if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
++ if to_delete
++ to_delete << k
++ else
++ to_delete = [k]
++ end
++
++ unless to_add
++ to_add = {}
++ end
++
++ to_add[k.gsub(",", "_")] = v
++ end
++ end
++
++ if to_delete
++ to_delete.each { |k| env.delete(k) }
++ env.merge! to_add
++ end
++
+ # A rack extension. If the app writes #call'ables to this
+ # array, we will invoke them when the request is done.
+ #
+From 6d87ed2101dab40e6aaa85b0df01433cfb84df53 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:34:06 -0700
+Subject: [PATCH] Adjust test to match real world value
+
+---
+ test/test_puma_server.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
+index 75fcc22e8..a10490a71 100644
+--- a/test/test_puma_server.rb
++++ b/test/test_puma_server.rb
+@@ -151,7 +151,7 @@ def test_default_server_port_respects_x_forwarded_proto
+
+ req = Net::HTTP::Get.new("/")
+ req['HOST'] = "example.com"
+- req['X_FORWARDED_PROTO'] = "https,http"
++ req['X-FORWARDED-PROTO'] = "https,http"
+
+ res = Net::HTTP.start @host, @server.connected_port do |http|
+ http.request(req)
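Review bot: The test rewrite from `X_FORWARDED_PROTO` to `X-FORWARDED-PROTO` indicates that the underscore spelling no longer reaches whatever derives the default server port, which is consistent with the fixup loop sitting inside `handle_request` after `env` has already been populated: any code that reads `env` before the loop sees `HTTP_X_FORWARDED,PROTO`, not `HTTP_X_FORWARDED_PROTO`, even though the loop's comment promises compatibility. That is presumably intended, but it should be stated in the code rather than left for the test to reveal; the comment block could add `# Anything that inspected env before this point (e.g. the X-Forwarded-Proto port logic) has already seen the comma form.` I cannot see the port-derivation code in this hunk, so the ordering is inferred from the test change alone. `handle_request` begins and ends outside the quoted hunk.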
diff --git a/www-servers/puma/puma-3.12.5-r1.ebuild b/www-servers/puma/puma-3.12.5-r1.ebuild
new file mode 100644
index 00000000000..636d825ffc7
--- /dev/null
+++ b/www-servers/puma/puma-3.12.5-r1.ebuild
@@ -0,0 +1,71 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+USE_RUBY="ruby25 ruby26 ruby27"
+
+inherit multilib ruby-fakegem
+
+DESCRIPTION="a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack"
+HOMEPAGE="https://puma.io/"
+SRC_URI="https://github.com/puma/puma/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="3"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~x86"
+IUSE=""
+
+DEPEND+=" dev-libs/openssl:0 test? ( net-misc/curl )"
+RDEPEND+=" dev-libs/openssl:0"
+
+ruby_add_bdepend "virtual/ruby-ssl
+ test? ( dev-ruby/rack >=dev-ruby/minitest-5.9:5 >=dev-ruby/test-unit-3.0:2 )"
+
+all_ruby_prepare() {
+ eapply "${FILESDIR}/${PN}-3.12.1-ruby26-waitpid.patch"
+ eapply "${FILESDIR}/${PN}-3.12.5-cve-2020-11077.patch"
+
+ sed -i -e '/bundler/ s:^:#:' test/helper.rb || die
+
+ # Avoid test failing inconsistently
+ sed -i -e '/phased_restart_via_pumactl/,/^ end/ s:^:#:' test/test_integration.rb || die
+
+ # Fix FORWARDED_PROTO
+ sed -i -e '127 s/443/80/' test/test_puma_server.rb || die
+
+ # Avoid test that trigger a bug in ruby very easily and lead to
+ # failure. This affects all current puma versions in combination
+ # with the latest ruby versions, so we add this new version anyway
+ # while allowing these tests to fail.
+ # https://github.com/puma/puma/pull/1345
+ rm -f test/test_puma_server_ssl.rb || die
+
+ # Use correct ruby version
+ sed -i -e 's/ruby -rrubygems/#{Gem.ruby} -rrubygems/' test/shell/t{1,3}.rb || die
+}
+
+each_ruby_prepare() {
+ sed -i -e 's:ruby -rubygems:'${RUBY}' -rubygems:' \
+ -e 's/localhost/127.0.0.1/' test/shell/* || die
+ sed -i -e '1ilog_requests' test/shell/t{1,2}_conf.rb || die
+}
+
+each_ruby_configure() {
+ ${RUBY} -Cext/puma_http11 extconf.rb || die
+}
+
+each_ruby_compile() {
+ emake V=1 -Cext/puma_http11
+ cp ext/puma_http11/puma_http11$(get_modname) lib/puma/ || die
+}
+
+each_ruby_test() {
+ einfo "Running test suite"
+ ${RUBY} -Ilib:.:test -e "gem 'minitest', '~>5.9'; gem 'test-unit', '~>3.0'; require 'minitest/autorun'; Dir['test/**/*test_*.rb'].each{|f| require f}" || die
+
+ einfo "Running integration tests"
+ pushd test/shell
+ #sh run.sh || die
+ popd
+}
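Review bot: The `sed -i -e '127 s/443/80/' test/test_puma_server.rb` under "Fix FORWARDED_PROTO" addresses a line by number, and sed exits zero whether or not line 127 contained `443`, so the trailing `|| die` cannot detect drift; this revision applies a new patch to that same file immediately beforehand, so the substitution now runs against content the line number was never checked against. Anchor on the text instead and fail loudly if it is absent, e.g. `grep -q '443' test/test_puma_server.rb || die "FORWARDED_PROTO fixup target missing"` ahead of a pattern-addressed sed; the exact pattern has to be taken from the 3.12.5 test file, which is not visible here. Note also that this ebuild names the patch via `${PN}-3.12.5-...` while the 4.3.4 sibling uses `${P}-...`; either is fine, but picking one keeps future bumps from silently pointing at a stale file.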
diff --git a/www-servers/puma/puma-4.3.4-r1.ebuild b/www-servers/puma/puma-4.3.4-r1.ebuild
new file mode 100644
index 00000000000..ec3645ec747
--- /dev/null
+++ b/www-servers/puma/puma-4.3.4-r1.ebuild
@@ -0,0 +1,75 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+USE_RUBY="ruby25 ruby26 ruby27"
+
+RUBY_FAKEGEM_GEMSPEC="puma.gemspec"
+
+inherit multilib ruby-fakegem
+
+DESCRIPTION="a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack"
+HOMEPAGE="https://puma.io/"
+SRC_URI="https://github.com/puma/puma/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="3"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE=""
+
+DEPEND+=" dev-libs/openssl:0 test? ( net-misc/curl )"
+RDEPEND+=" dev-libs/openssl:0"
+
+ruby_add_bdepend "virtual/ruby-ssl
+ test? ( dev-ruby/rack >=dev-ruby/minitest-5.9:5 >=dev-ruby/test-unit-3.0:2 )"
+
+ruby_add_rdepend "dev-ruby/nio4r:2"
+
+all_ruby_prepare() {
+ eapply "${FILESDIR}/${P}-cve-2020-11077.patch"
+
+ sed -e '/bundler/ s:^:#:' \
+ -e '/prove/ s:^:#:' \
+ -i test/helper.rb || die
+
+ # Avoid tests failing inconsistently
+ sed -i -e '/phased_restart_via_pumactl/,/^ end/ s:^:#:' test/test_integration_pumactl.rb || die
+ sed -i -e '/test_bad_client/askip "inconsistent results"' test/test_web_server.rb || die
+
+ # Loosen timing on flakey test
+ #sed -i -e '390 s/sleep 2/sleep 4/' test/test_integration.rb || die
+
+ # Use correct ruby version
+ sed -i -e 's/ruby -rrubygems/#{Gem.ruby} -rrubygems/' test/shell/t{1,3}.rb || die
+
+ # Avoid launcher tests since they make assumptions about bundler use
+ rm -f test/test_launcher.rb || die
+
+ sed -i -e 's/git ls-files --/find/' ${RUBY_FAKEGEM_GEMSPEC} || die
+}
+
+each_ruby_prepare() {
+ sed -i -e 's:ruby -rubygems:'${RUBY}' -rubygems:' \
+ -e 's/localhost/127.0.0.1/' test/shell/* || die
+ sed -i -e '1ilog_requests' test/shell/t{1,2}_conf.rb || die
+}
+
+each_ruby_configure() {
+ ${RUBY} -Cext/puma_http11 extconf.rb || die
+}
+
+each_ruby_compile() {
+ emake V=1 -Cext/puma_http11
+ cp ext/puma_http11/puma_http11$(get_modname) lib/puma/ || die
+}
+
+each_ruby_test() {
+ einfo "Running test suite"
+ ${RUBY} -Ilib:.:test -e "gem 'minitest', '~>5.9'; gem 'test-unit', '~>3.0'; require 'minitest/autorun'; Dir['test/**/*test_*.rb'].each{|f| require f}" || die
+
+ einfo "Running integration tests"
+ pushd test/shell
+ #sh run.sh || die
+ popd
+}
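Review bot: This revision exists to change how the HTTP parser canonicalises header names, yet `sed -i -e '/test_bad_client/askip "inconsistent results"' test/test_web_server.rb` skips the malformed-client test and `#sh run.sh || die` leaves the shell integration tests disabled, so the build-time suite exercises the new `_` → `,` mapping only through the single `X-FORWARDED-PROTO` assertion carried by the patch. Consider adding a small regression check in `each_ruby_test`, or as a third patch, asserting that a request carrying `Transfer_Encoding` lands in the Rack env as `HTTP_TRANSFER,ENCODING` and not `HTTP_TRANSFER_ENCODING`; I cannot see what `test_bad_client` covers, so whether it touches header parsing is an inference. The skip reason would also be more useful as `# test_bad_client fails intermittently under the test sandbox; see <bug or upstream issue>` with a concrete reference rather than the bare `"inconsistent results"` string.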