cherokee: patch CVE-2020-12845

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-12845 Pick the merge commit that mentions the vulnerability. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-18 14:46:57 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-22 20:56:31 +0100
commit: 756cea50655726a0cb355309d04eb3f0a13dc326 (patch)
tree: 3b3a2bc634fdd84ef9d35804958e9784a0804a98
parent: 51a73766cc31136af8c1be32d7035deb2cc364cb (diff)
download: meta-openembedded-756cea50655726a0cb355309d04eb3f0a13dc326.tar.gz
2 files changed, 196 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch b/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch
new file mode 100644
index 0000000000..864cfd0a87
--- /dev/null
+++ b/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch
@@ -0,0 +1,195 @@
+From dab30272a2fc72f69542a6ae2d6d63de875574cb Mon Sep 17 00:00:00 2001
+From: Stefan de Konink <stefan@konink.de>
+Date: Sat, 25 Jul 2020 22:17:13 +0200
+Subject: [PATCH] Fix CVE-2020-12845 (#1243)
+* Implement tests for CVE-2020-12845
+Can be manually reproduced by:
+curl -H "Authorization: Basic " -X GET url
+curl -H "Authorization: Digest " -X GET url
+* Don't process empty input for cherokee_buffer_decode_base64
+* Don't process empty input for cherokee_validator_parse_basic and cherokee_validator_parse_digest
+* Guard empty input in get_authorization to resolve CVE-2020-12845
+Thanks Patrik Lantz from F-Secure for reporting this issue!
+CVE: CVE-2020-12845
+Upstream-Status: Backport [https://github.com/cherokee/webserver/commit/51f13b9535e652421c128ef541371854637ac32e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ cherokee/buffer.c             |  3 +++
+ cherokee/connection.c         |  5 +++++
+ cherokee/validator.c          | 14 ++++++++++++++
+ qa/310-Authorization-empty.py | 35 +++++++++++++++++++++++++++++++++++
+ qa/311-Authorization-empty.py | 33 +++++++++++++++++++++++++++++++++
+ qa/Makefile.am                |  4 +++-
+ 6 files changed, 93 insertions(+), 1 deletion(-)
+ create mode 100644 qa/310-Authorization-empty.py
+ create mode 100644 qa/311-Authorization-empty.py
+diff --git a/cherokee/buffer.c b/cherokee/buffer.c
+index d93c1638..2b07ceb3 100644
+--- a/cherokee/buffer.c
+++ b/cherokee/buffer.c
+@@ -1643,6 +1643,9 @@ cherokee_buffer_decode_base64 (cherokee_buffer_t *buf)
+                        -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1   /* F0-FF */
+                };
+ 
+       if (unlikely(buf == NULL || buf->len == 0))
+               return ret_ok;
+
+        for (i=0; i < buf->len; i++) {
+                d = b64_decode_tab[(int) buf->buf[i]];
+                if (d != -1) {
+diff --git a/cherokee/connection.c b/cherokee/connection.c
+index 0b790282..e11c01c3 100644
+--- a/cherokee/connection.c
+++ b/cherokee/connection.c
+@@ -1895,6 +1895,11 @@ get_authorization (cherokee_connection_t *conn,
+        ptr += pre_len;
+        ptr_len -= pre_len;
+ 
+       /* Guard authentication string
+        */
+       if (ptr_len == 0)
+               return ret_error;
+
+        /* Parse the request
+         */
+        switch (conn->req_auth_type) {
+diff --git a/cherokee/validator.c b/cherokee/validator.c
+index 8b02b698..f227a813 100644
+--- a/cherokee/validator.c
+++ b/cherokee/validator.c
+@@ -125,6 +125,11 @@ cherokee_validator_parse_basic (cherokee_validator_t *validator, char *str, cuin
+        char              *colon;
+        cherokee_buffer_t  auth = CHEROKEE_BUF_INIT;
+ 
+       /* Guard empty input
+        */
+       if (unlikely(str == NULL || str_len == 0))
+               goto error;
+
+        /* Decode base64
+         */
+        cherokee_buffer_add (&auth, str, str_len);
+@@ -166,6 +171,11 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator,
+        cherokee_buffer_t   auth = CHEROKEE_BUF_INIT;
+        cherokee_buffer_t  *entry_buf;
+ 
+       /* Guard empty input
+        */
+       if (unlikely(str == NULL || str_len == 0))
+               goto error;
+
+        /* Copy authentication string
+         */
+        cherokee_buffer_add (&auth, str, str_len);
+@@ -260,6 +270,10 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator,
+         */
+        cherokee_buffer_mrproper (&auth);
+        return ret_ok;
+
+error:
+       cherokee_buffer_mrproper (&auth);
+       return ret_error;
+ }
+ 
+ 
+diff --git a/qa/310-Authorization-empty.py b/qa/310-Authorization-empty.py
+new file mode 100644
+index 00000000..ef2f8d24
+--- /dev/null
+++ b/qa/310-Authorization-empty.py
+@@ -0,0 +1,35 @@
+import base64
+
+from conf import *
+from base import *
+
+MAGIC        = "Cherokee supports old crypt password hashes"
+REALM        = "realm"
+USER         = "username"
+PASSWD       = "alo"
+
+CONF = """
+vserver!1!rule!3100!match = directory
+vserver!1!rule!3100!match!directory = /htpasswd_plain_empty
+vserver!1!rule!3100!match!final = 0
+vserver!1!rule!3100!auth = htpasswd
+vserver!1!rule!3100!auth!methods = basic
+vserver!1!rule!3100!auth!realm = %s
+vserver!1!rule!3100!auth!passwdfile = %s
+"""
+
+class Test (TestBase):
+    def __init__ (self):
+        TestBase.__init__ (self, __file__)
+
+        self.name             = "Authorization: Basic empty"
+        self.expected_error   = 401
+        self.request          = "GET /htpasswd_plain_empty/file HTTP/1.0\r\n" + \
+                                "Authorization: Basic \r\n"
+
+    def Prepare (self, www):
+        tdir  = self.Mkdir (www, "htpasswd_plain_empty")
+        passf = self.WriteFile (tdir, "passwd", 0444, '%s:%s\n' %(USER, PASSWD))
+        self.WriteFile (tdir, "file", 0444, MAGIC)
+
+        self.conf = CONF % (REALM, passf)
+diff --git a/qa/311-Authorization-empty.py b/qa/311-Authorization-empty.py
+new file mode 100644
+index 00000000..017fe036
+--- /dev/null
+++ b/qa/311-Authorization-empty.py
+@@ -0,0 +1,33 @@
+import base64
+
+from base import *
+
+MAGIC  = "Don't show this"
+
+CONF = """
+vserver!1!rule!3110!match = directory
+vserver!1!rule!3110!match!directory = /digest_empty_1
+vserver!1!rule!3110!match!final = 0
+vserver!1!rule!3110!auth = plain
+vserver!1!rule!3110!auth!methods = digest
+vserver!1!rule!3110!auth!realm = Test is the realm
+vserver!1!rule!3110!auth!passwdfile = %s
+"""
+
+class Test (TestBase):
+    def __init__ (self):
+        TestBase.__init__ (self, __file__)
+        self.name = "Authorization: Digest empty"
+
+        self.request          = "GET /digest_empty_1/file HTTP/1.0\r\n" + \
+                                "Authorization: Digest \r\n"
+        self.expected_error   = 401
+        self.expected_content = [ "WWW-Authenticate: Digest", "qop=", "algorithm=" ]
+        self.forbiden_content = MAGIC
+
+    def Prepare (self, www):
+        tdir = self.Mkdir (www, "digest_empty_1")
+        self.WriteFile (tdir, "file", 0444, MAGIC)
+        passfile = self.WriteFile (tdir, ".passwd", 0444, "user:password\n")
+
+        self.conf = CONF % (passfile)
+diff --git a/qa/Makefile.am b/qa/Makefile.am
+index 5cdaf4d6..e5bd42ce 100644
+--- a/qa/Makefile.am
+++ b/qa/Makefile.am
+@@ -326,7 +326,9 @@ run-tests.py \
+ 302-DirIndex3.py \
+ 304-Dirlist-TransferEncoding.py \
+ 305-Error-ContentLength.py \
+-306-NoContent-keepalive.py
+306-NoContent-keepalive.py \
+310-Authorization-empty.py \
+311-Authorization-empty.py
+ 
+ if USE_OPENSSL
+ ssl-keys/set-1.pem: ssl-keys/set-1.key openssl.cnf
diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb
index 7100ef4341..a3d871555f 100644
--- a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb
+++ b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \
           file://0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch \
           file://0001-make-Do-not-build-po-files.patch \
           file://0001-common-internal.h-Define-LLONG_MAX-if-undefined.patch \
+           file://CVE-2020-12845.patch \
 "
 S = "${WORKDIR}/git"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-18 14:46:57 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-22 20:56:31 +0100
commit	756cea50655726a0cb355309d04eb3f0a13dc326 (patch)
tree	3b3a2bc634fdd84ef9d35804958e9784a0804a98
parent	51a73766cc31136af8c1be32d7035deb2cc364cb (diff)
download	meta-openembedded-756cea50655726a0cb355309d04eb3f0a13dc326.tar.gz

diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch b/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch new file mode 100644 index 0000000000..864cfd0a87 --- /dev/null +++ b/meta-webserver/recipes-httpd/cherokee/cherokee/CVE-2020-12845.patch
@@ -0,0 +1,195 @@
		1	From dab30272a2fc72f69542a6ae2d6d63de875574cb Mon Sep 17 00:00:00 2001
		2	From: Stefan de Konink <stefan@konink.de>
		3	Date: Sat, 25 Jul 2020 22:17:13 +0200
		4	Subject: [PATCH] Fix CVE-2020-12845 (#1243)
		5
		6	* Implement tests for CVE-2020-12845
		7
		8	Can be manually reproduced by:
		9	curl -H "Authorization: Basic " -X GET url
		10	curl -H "Authorization: Digest " -X GET url
		11
		12	* Don't process empty input for cherokee_buffer_decode_base64
		13	* Don't process empty input for cherokee_validator_parse_basic and cherokee_validator_parse_digest
		14	* Guard empty input in get_authorization to resolve CVE-2020-12845
		15
		16	Thanks Patrik Lantz from F-Secure for reporting this issue!
		17
		18	CVE: CVE-2020-12845
		19	Upstream-Status: Backport [https://github.com/cherokee/webserver/commit/51f13b9535e652421c128ef541371854637ac32e]
		20	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		21	---
		22	cherokee/buffer.c \| 3 +++
		23	cherokee/connection.c \| 5 +++++
		24	cherokee/validator.c \| 14 ++++++++++++++
		25	qa/310-Authorization-empty.py \| 35 +++++++++++++++++++++++++++++++++++
		26	qa/311-Authorization-empty.py \| 33 +++++++++++++++++++++++++++++++++
		27	qa/Makefile.am \| 4 +++-
		28	6 files changed, 93 insertions(+), 1 deletion(-)
		29	create mode 100644 qa/310-Authorization-empty.py
		30	create mode 100644 qa/311-Authorization-empty.py
		31
		32	diff --git a/cherokee/buffer.c b/cherokee/buffer.c
		33	index d93c1638..2b07ceb3 100644
		34	--- a/cherokee/buffer.c
		35	+++ b/cherokee/buffer.c
		36	@@ -1643,6 +1643,9 @@ cherokee_buffer_decode_base64 (cherokee_buffer_t *buf)
		37	-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1 /* F0-FF */
		38	};
		39
		40	+ if (unlikely(buf == NULL \|\| buf->len == 0))
		41	+ return ret_ok;
		42	+
		43	for (i=0; i < buf->len; i++) {
		44	d = b64_decode_tab[(int) buf->buf[i]];
		45	if (d != -1) {
		46	diff --git a/cherokee/connection.c b/cherokee/connection.c
		47	index 0b790282..e11c01c3 100644
		48	--- a/cherokee/connection.c
		49	+++ b/cherokee/connection.c
		50	@@ -1895,6 +1895,11 @@ get_authorization (cherokee_connection_t *conn,
		51	ptr += pre_len;
		52	ptr_len -= pre_len;
		53
		54	+ /* Guard authentication string
		55	+ */
		56	+ if (ptr_len == 0)
		57	+ return ret_error;
		58	+
		59	/* Parse the request
		60	*/
		61	switch (conn->req_auth_type) {
		62	diff --git a/cherokee/validator.c b/cherokee/validator.c
		63	index 8b02b698..f227a813 100644
		64	--- a/cherokee/validator.c
		65	+++ b/cherokee/validator.c
		66	@@ -125,6 +125,11 @@ cherokee_validator_parse_basic (cherokee_validator_t validator, char str, cuin
		67	char *colon;
		68	cherokee_buffer_t auth = CHEROKEE_BUF_INIT;
		69
		70	+ /* Guard empty input
		71	+ */
		72	+ if (unlikely(str == NULL \|\| str_len == 0))
		73	+ goto error;
		74	+
		75	/* Decode base64
		76	*/
		77	cherokee_buffer_add (&auth, str, str_len);
		78	@@ -166,6 +171,11 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator,
		79	cherokee_buffer_t auth = CHEROKEE_BUF_INIT;
		80	cherokee_buffer_t *entry_buf;
		81
		82	+ /* Guard empty input
		83	+ */
		84	+ if (unlikely(str == NULL \|\| str_len == 0))
		85	+ goto error;
		86	+
		87	/* Copy authentication string
		88	*/
		89	cherokee_buffer_add (&auth, str, str_len);
		90	@@ -260,6 +270,10 @@ cherokee_validator_parse_digest (cherokee_validator_t *validator,
		91	*/
		92	cherokee_buffer_mrproper (&auth);
		93	return ret_ok;
		94	+
		95	+error:
		96	+ cherokee_buffer_mrproper (&auth);
		97	+ return ret_error;
		98	}
		99
		100
		101	diff --git a/qa/310-Authorization-empty.py b/qa/310-Authorization-empty.py
		102	new file mode 100644
		103	index 00000000..ef2f8d24
		104	--- /dev/null
		105	+++ b/qa/310-Authorization-empty.py
		106	@@ -0,0 +1,35 @@
		107	+import base64
		108	+
		109	+from conf import *
		110	+from base import *
		111	+
		112	+MAGIC = "Cherokee supports old crypt password hashes"
		113	+REALM = "realm"
		114	+USER = "username"
		115	+PASSWD = "alo"
		116	+
		117	+CONF = """
		118	+vserver!1!rule!3100!match = directory
		119	+vserver!1!rule!3100!match!directory = /htpasswd_plain_empty
		120	+vserver!1!rule!3100!match!final = 0
		121	+vserver!1!rule!3100!auth = htpasswd
		122	+vserver!1!rule!3100!auth!methods = basic
		123	+vserver!1!rule!3100!auth!realm = %s
		124	+vserver!1!rule!3100!auth!passwdfile = %s
		125	+"""
		126	+
		127	+class Test (TestBase):
		128	+ def __init__ (self):
		129	+ TestBase.__init__ (self, __file__)
		130	+
		131	+ self.name = "Authorization: Basic empty"
		132	+ self.expected_error = 401
		133	+ self.request = "GET /htpasswd_plain_empty/file HTTP/1.0\r\n" + \
		134	+ "Authorization: Basic \r\n"
		135	+
		136	+ def Prepare (self, www):
		137	+ tdir = self.Mkdir (www, "htpasswd_plain_empty")
		138	+ passf = self.WriteFile (tdir, "passwd", 0444, '%s:%s\n' %(USER, PASSWD))
		139	+ self.WriteFile (tdir, "file", 0444, MAGIC)
		140	+
		141	+ self.conf = CONF % (REALM, passf)
		142	diff --git a/qa/311-Authorization-empty.py b/qa/311-Authorization-empty.py
		143	new file mode 100644
		144	index 00000000..017fe036
		145	--- /dev/null
		146	+++ b/qa/311-Authorization-empty.py
		147	@@ -0,0 +1,33 @@
		148	+import base64
		149	+
		150	+from base import *
		151	+
		152	+MAGIC = "Don't show this"
		153	+
		154	+CONF = """
		155	+vserver!1!rule!3110!match = directory
		156	+vserver!1!rule!3110!match!directory = /digest_empty_1
		157	+vserver!1!rule!3110!match!final = 0
		158	+vserver!1!rule!3110!auth = plain
		159	+vserver!1!rule!3110!auth!methods = digest
		160	+vserver!1!rule!3110!auth!realm = Test is the realm
		161	+vserver!1!rule!3110!auth!passwdfile = %s
		162	+"""
		163	+
		164	+class Test (TestBase):
		165	+ def __init__ (self):
		166	+ TestBase.__init__ (self, __file__)
		167	+ self.name = "Authorization: Digest empty"
		168	+
		169	+ self.request = "GET /digest_empty_1/file HTTP/1.0\r\n" + \
		170	+ "Authorization: Digest \r\n"
		171	+ self.expected_error = 401
		172	+ self.expected_content = [ "WWW-Authenticate: Digest", "qop=", "algorithm=" ]
		173	+ self.forbiden_content = MAGIC
		174	+
		175	+ def Prepare (self, www):
		176	+ tdir = self.Mkdir (www, "digest_empty_1")
		177	+ self.WriteFile (tdir, "file", 0444, MAGIC)
		178	+ passfile = self.WriteFile (tdir, ".passwd", 0444, "user:password\n")
		179	+
		180	+ self.conf = CONF % (passfile)
		181	diff --git a/qa/Makefile.am b/qa/Makefile.am
		182	index 5cdaf4d6..e5bd42ce 100644
		183	--- a/qa/Makefile.am
		184	+++ b/qa/Makefile.am
		185	@@ -326,7 +326,9 @@ run-tests.py \
		186	302-DirIndex3.py \
		187	304-Dirlist-TransferEncoding.py \
		188	305-Error-ContentLength.py \
		189	-306-NoContent-keepalive.py
		190	+306-NoContent-keepalive.py \
		191	+310-Authorization-empty.py \
		192	+311-Authorization-empty.py
		193
		194	if USE_OPENSSL
		195	ssl-keys/set-1.pem: ssl-keys/set-1.key openssl.cnf


diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb index 7100ef4341..a3d871555f 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \
16	file://0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch \	16	file://0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch \
17	file://0001-make-Do-not-build-po-files.patch \	17	file://0001-make-Do-not-build-po-files.patch \
18	file://0001-common-internal.h-Define-LLONG_MAX-if-undefined.patch \	18	file://0001-common-internal.h-Define-LLONG_MAX-if-undefined.patch \
		19	file://CVE-2020-12845.patch \
19	"	20	"
20		21
21	S = "${WORKDIR}/git"	22	S = "${WORKDIR}/git"