gnu: aria2: Fix CVE-2019-3500.

* gnu/packages/patches/aria2-CVE-2019-3500.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/bittorrent.scm (aria2)[source]: Use it.
2025-01-12 06:06:53 -05:00 · 2019-01-09 15:37:44 -05:00 · 2019-01-09 15:37:44 -05:00 · e82c98abe9
commit e82c98abe9
parent 45ee3fde87
3 changed files with 57 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -586,6 +586,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/antlr3-3_3-fix-java8-compilation.patch	\
  %D%/packages/patches/ao-cad-aarch64-support.patch		\
  %D%/packages/patches/apr-skip-getservbyname-test.patch	\
  %D%/packages/patches/aria2-CVE-2019-3500.patch		\
  %D%/packages/patches/aspell-default-dict-dir.patch		\
  %D%/packages/patches/ath9k-htc-firmware-binutils.patch	\
  %D%/packages/patches/ath9k-htc-firmware-gcc.patch		\
--- a/gnu/packages/bittorrent.scm
+++ b/gnu/packages/bittorrent.scm
@ -264,6 +264,7 @@ (define-public aria2
              (uri (string-append "https://github.com/tatsuhiro-t/aria2/"
                                  "releases/download/release-" version "/"
                                  name "-" version ".tar.xz"))
              (patches (search-patches "aria2-CVE-2019-3500.patch"))
              (sha256
               (base32
                "18vpgr430vxlwbcc3598rr1srfmwypls6wp1m4wf21hncc1ahi1s"))))
--- a/gnu/packages/patches/aria2-CVE-2019-3500.patch
+++ b/gnu/packages/patches/aria2-CVE-2019-3500.patch
@ -0,0 +1,55 @@
 Fix CVE-2019-3500:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3500
 https://github.com/aria2/aria2/issues/1329
 Patch copied from upstream source repository:
 https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a
 From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sat, 5 Jan 2019 09:32:40 +0900
 Subject: [PATCH] Mask headers
 ---
 src/HttpConnection.cc | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
 diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc
 index 77cb9d27a..be5b97723 100644
 --- a/src/HttpConnection.cc
 +++ b/src/HttpConnection.cc
@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request)
   std::string result;
   std::string line;
   while (getline(istr, line)) {
 -    if (util::startsWith(line, "Authorization: Basic")) {
 -      result += "Authorization: Basic ********\n";
 +    if (util::istartsWith(line, "Authorization: ")) {
 +      result += "Authorization: <snip>\n";
     }
 -    else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
 -      result += "Proxy-Authorization: Basic ********\n";
 +    else if (util::istartsWith(line, "Proxy-Authorization: ")) {
 +      result += "Proxy-Authorization: <snip>\n";
 +    }
 +    else if (util::istartsWith(line, "Cookie: ")) {
 +      result += "Cookie: <snip>\n";
 +    }
 +    else if (util::istartsWith(line, "Set-Cookie: ")) {
 +      result += "Set-Cookie: <snip>\n";
     }
     else {
       result += line;
@@ -154,8 +160,8 @@ std::unique_ptr<HttpResponse> HttpConnection::receiveResponse()
   const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor();
   if (proc->parse(socketRecvBuffer_->getBuffer(),
                   socketRecvBuffer_->getBufferLength())) {
 -    A2_LOG_INFO(
 -        fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
 +    A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
 +                    eraseConfidentialInfo(proc->getHeaderString()).c_str()));
     auto result = proc->getResult();
     if (result->getStatusCode() / 100 == 1) {
       socketRecvBuffer_->drain(proc->getLastBytesProcessed());