From 66fa2d318a1e4da3679fa1c5a70cd3972dc0efbf Mon Sep 17 00:00:00 2001 From: Jelle Licht Date: Tue, 16 Feb 2021 23:28:58 +0100 Subject: gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287]. Fixes CVE-2020-8287. * gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee. [source]: Add patch to mitigate CVE. * gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch: New file. * gnu/local.mk [dist_patch_DATA]: New patch. --- gnu/packages/web.scm | 136 ++++++++++++++++++++++++++------------------------- 1 file changed, 70 insertions(+), 66 deletions(-) (limited to 'gnu/packages/web.scm') diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index e4ba0d5bf9..010e01debb 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -6162,78 +6162,82 @@ into your tests. It automatically starts up a HTTP server in a separate thread (license license:expat))) (define-public http-parser - (package - (name "http-parser") - (version "2.9.4") - (home-page "https://github.com/nodejs/http-parser") - (source - (origin - (method git-fetch) - (uri (git-reference (url home-page) - (commit (string-append "v" version)))) - (sha256 - (base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c")) - (file-name (git-file-name name version)) - (patches - (list - (origin - ;; Treat an empty port (e.g. `http://hostname:/`) when parsing - ;; URLs as if no port were specified. This patch is applied - ;; to Fedora's http-parser and to libgit2's bundled version. - (method url-fetch) - (uri (string-append - "https://src.fedoraproject.org/rpms/http-parser/raw/" - "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" - "f/0001-url-treat-empty-port-as-default.patch")) - (sha256 - (base32 - "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))) - (build-system gnu-build-system) - (arguments - `(#:test-target "test" - #:make-flags - (list (string-append "PREFIX=" - (assoc-ref %outputs "out")) - "library" - ,@(if (%current-target-system) - '() - '("CC=gcc"))) - #:phases - (modify-phases %standard-phases - ,@(match (%current-system) + (let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d") + (revision "1")) + (package + (name "http-parser") + (version (git-version "2.9.4" revision commit)) + (home-page "https://github.com/nodejs/http-parser") + (source + (origin + (method git-fetch) + (uri (git-reference (url home-page) + (commit commit))) + (sha256 + (base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i")) + (file-name (git-file-name name version)) + (patches + (append + (search-patches "http-parser-CVE-2020-8287.patch") + (list + (origin + ;; Treat an empty port (e.g. `http://hostname:/`) when parsing + ;; URLs as if no port were specified. This patch is applied + ;; to Fedora's http-parser and to libgit2's bundled version. + (method url-fetch) + (uri (string-append + "https://src.fedoraproject.org/rpms/http-parser/raw/" + "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" + "f/0001-url-treat-empty-port-as-default.patch")) + (sha256 + (base32 + "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))) + (build-system gnu-build-system) + (arguments + `(#:test-target "test" + #:make-flags + (list (string-append "PREFIX=" + (assoc-ref %outputs "out")) + "library" + ,@(if (%current-target-system) + '() + '("CC=gcc"))) + #:phases + (modify-phases %standard-phases + ,@(match (%current-system) + ("armhf-linux" + '((add-before 'check 'apply-assertion.patch + (lambda* (#:key inputs #:allow-other-keys) + (let ((patch (assoc-ref inputs "assertion.patch"))) + (invoke "patch" "-p1" "-i" patch) + #t))))) + (_ '())) + ,@(if (%current-target-system) + '((replace 'configure + (lambda* (#:key target #:allow-other-keys) + (substitute* (find-files "." "Makefile") + (("CC\\?=.*$") + (string-append "CC=" target "-gcc\n")) + (("AR\\?=.*$") + (string-append "AR=" target "-ar\n"))) + #t))) + '((delete 'configure)))))) + (native-inputs + `(,@(match (%current-system) ("armhf-linux" - '((add-before 'check 'apply-assertion.patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "assertion.patch"))) - (invoke "patch" "-p1" "-i" patch) - #t))))) - (_ '())) - ,@(if (%current-target-system) - '((replace 'configure - (lambda* (#:key target #:allow-other-keys) - (substitute* (find-files "." "Makefile") - (("CC\\?=.*$") - (string-append "CC=" target "-gcc\n")) - (("AR\\?=.*$") - (string-append "AR=" target "-ar\n"))) - #t))) - '((delete 'configure)))))) - (native-inputs - `(,@(match (%current-system) - ("armhf-linux" - ;; A fix for which in turn - ;; breaks i686-linux builds. - `(("assertion.patch" - ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) - (_ '())))) - (synopsis "HTTP request/response parser for C") - (description "This is a parser for HTTP messages written in C. It parses + ;; A fix for which in turn + ;; breaks i686-linux builds. + `(("assertion.patch" + ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) + (_ '())))) + (synopsis "HTTP request/response parser for C") + (description "This is a parser for HTTP messages written in C. It parses both requests and responses. The parser is designed to be used in high-performance HTTP applications. It does not make any syscalls nor allocations, it does not buffer data, it can be interrupted at anytime. Depending on your architecture, it only requires about 40 bytes of data per message stream (in a web server that is per connection).") - (license license:expat))) + (license license:expat)))) (define-public python-httpretty (package -- cgit 1.4.1