* [Buildroot] [git commit] package/shellinabox: fix CVE-2018-16789
@ 2020-03-01  7:36 Yann E. MORIN
  0 siblings, 0 replies; only message in thread
From: Yann E. MORIN @ 2020-03-01  7:36 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=5553223297a5ef07220ab5b45bf48973f7166950
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 ...-16789-fix-for-broken-multipart-form-data.patch | 26 ++++++++++++++++++++++
 package/shellinabox/shellinabox.mk                 |  3 +++
 2 files changed, 29 insertions(+)

diff --git a/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
new file mode 100644
index 0000000000..4b15f419e3
--- /dev/null
+++ b/package/shellinabox/0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
@@ -0,0 +1,26 @@
+From 7f47efe1717c381f86566fabe0b1ced8cb98fe8f Mon Sep 17 00:00:00 2001
+From: irsl <irsl@users.noreply.github.com>
+Date: Fri, 26 Oct 2018 11:51:15 +0200
+Subject: [PATCH] fix for broken multipart/form-data
+
+Malformed multipart/form-data payload results in infinite loop and thus denial of service
+[Upstream status: https://github.com/shellinabox/shellinabox/pull/446]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ libhttp/url.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libhttp/url.c b/libhttp/url.c
+index ed29475..4177871 100644
+--- a/libhttp/url.c
++++ b/libhttp/url.c
+@@ -312,6 +312,9 @@ static void urlParsePostBody(struct URL *url,
+               }
+             }
+           }
++        } else {
++           warn("[http] broken multipart/form-data!");
++           break;
+         }
+       }
+       if (lastPart) {
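Review bot: in the added else branch of urlParsePostBody(), the warn() call is unconditional on a path that the commit message says a crafted multipart/form-data request can reach, so each such request adds a log line; it is worth considering whether this message should be rate limited or logged less prominently. The two added statements (warn and break) are also indented 11 columns, where the surrounding two-space nesting implies 10. Because this file imports upstream pull request 446 as is, both points are better raised on that pull request than fixed in the local copy.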
diff --git a/package/shellinabox/shellinabox.mk b/package/shellinabox/shellinabox.mk
index be36804cb7..4c93fdccef 100644
--- a/package/shellinabox/shellinabox.mk
+++ b/package/shellinabox/shellinabox.mk
@@ -9,6 +9,9 @@ SHELLINABOX_SITE = $(call github,shellinabox,shellinabox,v$(SHELLINABOX_VERSION)
 SHELLINABOX_LICENSE = GPL-2.0 with OpenSSL exception
 SHELLINABOX_LICENSE_FILES = COPYING GPL-2
 
+# 0002-CVE-2018-16789-fix-for-broken-multipart-form-data.patch
+SHELLINABOX_IGNORE_CVES += CVE-2018-16789
+
 # Fetching from Github, and patching Makefile.am, so we need to autoreconf
 SHELLINABOX_AUTORECONF = YES
 
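Review bot: the comment above SHELLINABOX_IGNORE_CVES names the patch file but says nothing about when the entry can go away, and the patch header lists only pull request 446 as its upstream status. A short note that the CVE-2018-16789 entry and patch 0002 must be dropped together once SHELLINABOX_VERSION moves to a release containing the fix would keep the ignore list from outliving the patch it depends on.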
