PR#1: Add upstream patch for CVE-2018-16789 - rpms/shellinabox

rpms / shellinabox

#1 Add upstream patch for CVE-2018-16789

Opened 4 years ago by tibbs. Modified 4 years ago

rpms/ tibbs/shellinabox CVE-2018-16789 into rawhide

Add upstream patch for CVE-2018-16789

Jason Tibbitts • 4 years ago

2620c9c

4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361.patch

file added

+50

		`@@ -0,0 +1,50 @@`
		`+ From 4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361 Mon Sep 17 00:00:00 2001`
		`+ From: Marc Singer <elf@buici.com>`
		`+ Date: Sun, 27 Jan 2019 20:18:48 -0800`
		`+ Subject: [PATCH] Rolling code for version 2.21`
		`+`
		`+ ---`
		`+ debian/changelog \| 6 ++++++`
		`+ libhttp/url.c \| 15 +++++++++++++++`
		`+ 2 files changed, 21 insertions(+)`
		`+`
		`+ diff --git a/debian/changelog b/debian/changelog`
		`+ index 4d2f7cd..52e8aa4 100644`
		`+ --- a/debian/changelog`
		`+ +++ b/debian/changelog`
		`+ @@ -1,3 +1,9 @@`
		`+ +shellinabox (2.21) unstable; urgency=medium`
		`+ +`
		`+ + * Patched DoS vulnerability reported by Imre Rad.`
		`+ +`
		`+ + -- Marc Singer <elf@debian.org> Sun, 09 Sep 2018 12:10:40 -0700`
		`+ +`
		`+ shellinabox (2.20) unstable; urgency=medium`
		`+`
		`+ * Fixed issue #222, LOGIN service`
		`+ diff --git a/libhttp/url.c b/libhttp/url.c`
		`+ index ed29475..a73cde9 100644`
		`+ --- a/libhttp/url.c`
		`+ +++ b/libhttp/url.c`
		`+ @@ -313,6 +313,21 @@ static void urlParsePostBody(struct URL *url,`
		`+ }`
		`+ }`
		`+ }`
		`+ + /* elf-2018.09.09: Detection of broken multipart/form-data`
		`+ + fixes DoS vulnerability.`
		`+ +`
		`+ + On 9/9/18 10:43 AM, Imre Rad wrote:`
		`+ + Hi Markus, Marc!`
		`+ +`
		`+ + I identified a vulnerability today in Shellinabox, it is`
		`+ + remote a denial of service, shellinaboxd eating up 100% cpu`
		`+ + and not processing subsequent requests after the attack was`
		`+ + mounted.`
		`+ + */`
		`+ + else {`
		`+ + warn ("[http] Ignorning broken multipart/form-data");`
		`+ + break;`
		`+ + }`
		`+ }`
		`+ if (lastPart) {`
		`+ warn("[http] Missing final \"boundary\" for \"multipart/form-data\"!");`

shellinabox.spec

file modified

+6 -3

		`@@ -2,7 +2,7 @@`

		`Name: shellinabox`
		`Version: 2.20`
		`- Release: 8%{?dist}`
		`+ Release: 9%{?dist}`
		`Summary: Web based AJAX terminal emulator`
		`License: GPLv2`
		`URL: https://github.com/%{name}/%{name}`
		`@@ -13,6 +13,7 @@`
		`Source3: shellinaboxd.init`

		`Patch0: %{name}-ssh-options.patch`
		`+ Patch1: https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361.patch`

		`BuildRequires: autoconf`
		`BuildRequires: automake`
		`@@ -44,8 +45,7 @@`
		`browser plugins.`

		`%prep`
		`- %setup -q`
		`- %patch0 -p1`
		`+ %autosetup -p1`

		`%build`
		`autoreconf -vif`
		`@@ -130,6 +130,9 @@`
		`%attr(750,%{username},%{username}) %{_sharedstatedir}/%{name}`

		`%changelog`
		`+ * Tue Jul 23 2019 Jason L Tibbitts III <tibbs@math.uh.edu> - 2.20-9`
		`+ - Add upstream patch for CVE-2018-16789.`
		`+`
		`* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.20-8`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild`

tibbs commented 4 years ago

This just pulls the upstream patch for CVE-2018-16789. I switched to %autosetup to avoid having to manually apply both patches. Also bumps Release: and adds a changelog entry.