www-servers/puma: backport CVE-2020-11077 fixes

Upstream created releases but did not tag them so we cannot use them for our ebuilds. Backport the patches to address the security issue. Bug: https://bugs.gentoo.org/724800 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Hans de Graaff <graaff@gentoo.org>
author: Hans de Graaff <graaff@gentoo.org> 2020-07-19 11:29:11 +0200
committer: Hans de Graaff <graaff@gentoo.org> 2020-07-19 11:29:27 +0200
commit: 866b1c92b435b1c6d03ed2e4dfb664a073ad089c (patch)
tree: 76c8c8c536be51fc61baa628439e4948ba1f0b7f /www-servers
parent: dev-cpp/glibmm: fix tests with network-sandbox (diff)
download: gentoo-866b1c92b435b1c6d03ed2e4dfb664a073ad089c.tar.gz
gentoo-866b1c92b435b1c6d03ed2e4dfb664a073ad089c.tar.bz2
gentoo-866b1c92b435b1c6d03ed2e4dfb664a073ad089c.zip
4 files changed, 375 insertions, 0 deletions
diff --git a/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch b/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch
new file mode 100644
index 000000000000..4d26da28eee8
--- /dev/null
+++ b/www-servers/puma/files/puma-3.12.5-cve-2020-11077.patch
@@ -0,0 +1,114 @@
+From 089df0727ffab1b3b69f2e6da40597c52e346013 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:20:10 -0700
+Subject: [PATCH] Reduce ambiguity of headers
+
+---
+ ext/puma_http11/http11_parser.c  |  4 +++-
+ ext/puma_http11/http11_parser.rl |  4 +++-
+ lib/puma/server.rb               | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c
+index 453f8cd40..e8844a37e 100644
+--- a/ext/puma_http11/http11_parser.c
++++ b/ext/puma_http11/http11_parser.c
+@@ -14,12 +14,14 @@
+ 
+ /*
+  * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+  */
+ static void snake_upcase_char(char *c)
+ {
+     if (*c >= 'a' && *c <= 'z')
+       *c &= ~0x20;
++    else if (*c == '_')
++      *c = ',';
+     else if (*c == '-')
+       *c = '_';
+ }
+diff --git a/ext/puma_http11/http11_parser.rl b/ext/puma_http11/http11_parser.rl
+index 880c1d40b..62452ba7c 100644
+--- a/ext/puma_http11/http11_parser.rl
++++ b/ext/puma_http11/http11_parser.rl
+@@ -12,12 +12,14 @@
+ 
+ /*
+  * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+  */
+ static void snake_upcase_char(char *c)
+ {
+     if (*c >= 'a' && *c <= 'z')
+       *c &= ~0x20;
++    else if (*c == '_')
++      *c = ',';
+     else if (*c == '-')
+       *c = '_';
+ }
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index d870b383f..5b2cd94df 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -665,6 +665,37 @@ def handle_request(req, lines)
+         }
+       end
+ 
++      # Fixup any headers with , in the name to have _ now. We emit
++      # headers with , in them during the parse phase to avoid ambiguity
++      # with the - to _ conversion for critical headers. But here for
++      # compatibility, we'll convert them back. This code is written to
++      # avoid allocation in the common case (ie there are no headers
++      # with , in their names), that's why it has the extra conditionals.
++
++      to_delete = nil
++      to_add = nil
++
++      env.each do |k,v|
++        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
++          if to_delete
++            to_delete << k
++          else
++            to_delete = [k]
++          end
++
++          unless to_add
++            to_add = {}
++          end
++
++          to_add[k.gsub(",", "_")] = v
++        end
++      end
++
++      if to_delete
++        to_delete.each { |k| env.delete(k) }
++        env.merge! to_add
++      end
++
+       # A rack extension. If the app writes #call'ables to this
+       # array, we will invoke them when the request is done.
+       #
+From 0a3c09a0603857f088571d0eb69e0b9adee0fed1 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:34:06 -0700
+Subject: [PATCH] Adjust test to match real world value
+
+---
+ test/test_puma_server.rb | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
+index 9d40cd5f3..375eca399 100644
+--- a/test/test_puma_server.rb
++++ b/test/test_puma_server.rb
+@@ -137,6 +137,7 @@ def test_default_server_port
+ 
+     req = Net::HTTP::Get.new("/")
+     req['HOST'] = "example.com"
++    req['X-FORWARDED-PROTO'] = "https,http"
+ 
+     res = Net::HTTP.start @host, @server.connected_port do |http|
+       http.request(req)
diff --git a/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch b/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch
new file mode 100644
index 000000000000..673641a91627
--- /dev/null
+++ b/www-servers/puma/files/puma-4.3.4-cve-2020-11077.patch
@@ -0,0 +1,115 @@
+From f3b409c565d67557c04ad37c10a42dd8cad0b655 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:20:10 -0700
+Subject: [PATCH] Reduce ambiguity of headers
+
+---
+ ext/puma_http11/http11_parser.c  |  4 +++-
+ ext/puma_http11/http11_parser.rl |  4 +++-
+ lib/puma/server.rb               | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/ext/puma_http11/http11_parser.c b/ext/puma_http11/http11_parser.c
+index 0b5fdabc3..bf1dd89ab 100644
+--- a/ext/puma_http11/http11_parser.c
++++ b/ext/puma_http11/http11_parser.c
+@@ -14,12 +14,14 @@
+ 
+ /*
+  * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+  */
+ static void snake_upcase_char(char *c)
+ {
+     if (*c >= 'a' && *c <= 'z')
+       *c &= ~0x20;
++    else if (*c == '_')
++      *c = ',';
+     else if (*c == '-')
+       *c = '_';
+ }
+diff --git a/ext/puma_http11/http11_parser.rl b/ext/puma_http11/http11_parser.rl
+index 880c1d40b..62452ba7c 100644
+--- a/ext/puma_http11/http11_parser.rl
++++ b/ext/puma_http11/http11_parser.rl
+@@ -12,12 +12,14 @@
+ 
+ /*
+  * capitalizes all lower-case ASCII characters,
+- * converts dashes to underscores.
++ * converts dashes to underscores, and underscores to commas.
+  */
+ static void snake_upcase_char(char *c)
+ {
+     if (*c >= 'a' && *c <= 'z')
+       *c &= ~0x20;
++    else if (*c == '_')
++      *c = ',';
+     else if (*c == '-')
+       *c = '_';
+ }
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index b8e8a7b48..0e123687c 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -672,6 +672,37 @@ def handle_request(req, lines)
+         }
+       end
+ 
++      # Fixup any headers with , in the name to have _ now. We emit
++      # headers with , in them during the parse phase to avoid ambiguity
++      # with the - to _ conversion for critical headers. But here for
++      # compatibility, we'll convert them back. This code is written to
++      # avoid allocation in the common case (ie there are no headers
++      # with , in their names), that's why it has the extra conditionals.
++
++      to_delete = nil
++      to_add = nil
++
++      env.each do |k,v|
++        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
++          if to_delete
++            to_delete << k
++          else
++            to_delete = [k]
++          end
++
++          unless to_add
++            to_add = {}
++          end
++
++          to_add[k.gsub(",", "_")] = v
++        end
++      end
++
++      if to_delete
++        to_delete.each { |k| env.delete(k) }
++        env.merge! to_add
++      end
++
+       # A rack extension. If the app writes #call'ables to this
+       # array, we will invoke them when the request is done.
+       #
+From 6d87ed2101dab40e6aaa85b0df01433cfb84df53 Mon Sep 17 00:00:00 2001
+From: Evan Phoenix <evan@phx.io>
+Date: Tue, 19 May 2020 15:34:06 -0700
+Subject: [PATCH] Adjust test to match real world value
+
+---
+ test/test_puma_server.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
+index 75fcc22e8..a10490a71 100644
+--- a/test/test_puma_server.rb
++++ b/test/test_puma_server.rb
+@@ -151,7 +151,7 @@ def test_default_server_port_respects_x_forwarded_proto
+ 
+     req = Net::HTTP::Get.new("/")
+     req['HOST'] = "example.com"
+-    req['X_FORWARDED_PROTO'] = "https,http"
++    req['X-FORWARDED-PROTO'] = "https,http"
+ 
+     res = Net::HTTP.start @host, @server.connected_port do |http|
+       http.request(req)
diff --git a/www-servers/puma/puma-3.12.5-r1.ebuild b/www-servers/puma/puma-3.12.5-r1.ebuild
new file mode 100644
index 000000000000..636d825ffc79
--- /dev/null
+++ b/www-servers/puma/puma-3.12.5-r1.ebuild
@@ -0,0 +1,71 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+USE_RUBY="ruby25 ruby26 ruby27"
+
+inherit multilib ruby-fakegem
+
+DESCRIPTION="a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack"
+HOMEPAGE="https://puma.io/"
+SRC_URI="https://github.com/puma/puma/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="3"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~x86"
+IUSE=""
+
+DEPEND+=" dev-libs/openssl:0 test? ( net-misc/curl )"
+RDEPEND+=" dev-libs/openssl:0"
+
+ruby_add_bdepend "virtual/ruby-ssl
+	test? ( dev-ruby/rack >=dev-ruby/minitest-5.9:5 >=dev-ruby/test-unit-3.0:2 )"
+
+all_ruby_prepare() {
+	eapply "${FILESDIR}/${PN}-3.12.1-ruby26-waitpid.patch"
+	eapply "${FILESDIR}/${PN}-3.12.5-cve-2020-11077.patch"
+
+	sed -i -e '/bundler/ s:^:#:' test/helper.rb || die
+
+	# Avoid test failing inconsistently
+	sed -i -e '/phased_restart_via_pumactl/,/^  end/ s:^:#:' test/test_integration.rb || die
+
+	# Fix FORWARDED_PROTO
+	sed -i -e '127 s/443/80/' test/test_puma_server.rb || die
+
+	# Avoid test that trigger a bug in ruby very easily and lead to
+	# failure. This affects all current puma versions in combination
+	# with the latest ruby versions, so we add this new version anyway
+	# while allowing these tests to fail.
+	# https://github.com/puma/puma/pull/1345
+	rm -f test/test_puma_server_ssl.rb || die
+
+	# Use correct ruby version
+	sed -i -e 's/ruby -rrubygems/#{Gem.ruby} -rrubygems/' test/shell/t{1,3}.rb || die
+}
+
+each_ruby_prepare() {
+	sed -i -e 's:ruby -rubygems:'${RUBY}' -rubygems:' \
+		-e 's/localhost/127.0.0.1/' test/shell/* || die
+	sed -i -e '1ilog_requests' test/shell/t{1,2}_conf.rb || die
+}
+
+each_ruby_configure() {
+	${RUBY} -Cext/puma_http11 extconf.rb || die
+}
+
+each_ruby_compile() {
+	emake V=1 -Cext/puma_http11
+	cp ext/puma_http11/puma_http11$(get_modname) lib/puma/ || die
+}
+
+each_ruby_test() {
+	einfo "Running test suite"
+	${RUBY} -Ilib:.:test -e "gem 'minitest', '~>5.9'; gem 'test-unit', '~>3.0'; require 'minitest/autorun'; Dir['test/**/*test_*.rb'].each{|f| require f}" || die
+
+	einfo "Running integration tests"
+	pushd test/shell
+	#sh run.sh || die
+	popd
+}
diff --git a/www-servers/puma/puma-4.3.4-r1.ebuild b/www-servers/puma/puma-4.3.4-r1.ebuild
new file mode 100644
index 000000000000..ec3645ec7477
--- /dev/null
+++ b/www-servers/puma/puma-4.3.4-r1.ebuild
@@ -0,0 +1,75 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+USE_RUBY="ruby25 ruby26 ruby27"
+
+RUBY_FAKEGEM_GEMSPEC="puma.gemspec"
+
+inherit multilib ruby-fakegem
+
+DESCRIPTION="a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack"
+HOMEPAGE="https://puma.io/"
+SRC_URI="https://github.com/puma/puma/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="3"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86"
+IUSE=""
+
+DEPEND+=" dev-libs/openssl:0 test? ( net-misc/curl )"
+RDEPEND+=" dev-libs/openssl:0"
+
+ruby_add_bdepend "virtual/ruby-ssl
+	test? ( dev-ruby/rack >=dev-ruby/minitest-5.9:5 >=dev-ruby/test-unit-3.0:2 )"
+
+ruby_add_rdepend "dev-ruby/nio4r:2"
+
+all_ruby_prepare() {
+	eapply "${FILESDIR}/${P}-cve-2020-11077.patch"
+
+	sed -e '/bundler/ s:^:#:' \
+		-e '/prove/ s:^:#:' \
+		-i test/helper.rb || die
+
+	# Avoid tests failing inconsistently
+	sed -i -e '/phased_restart_via_pumactl/,/^  end/ s:^:#:' test/test_integration_pumactl.rb || die
+	sed -i -e '/test_bad_client/askip "inconsistent results"' test/test_web_server.rb || die
+
+	# Loosen timing on flakey test
+	#sed -i -e '390 s/sleep 2/sleep 4/' test/test_integration.rb || die
+
+	# Use correct ruby version
+	sed -i -e 's/ruby -rrubygems/#{Gem.ruby} -rrubygems/' test/shell/t{1,3}.rb || die
+
+	# Avoid launcher tests since they make assumptions about bundler use
+	rm -f test/test_launcher.rb || die
+
+	sed -i -e 's/git ls-files --/find/' ${RUBY_FAKEGEM_GEMSPEC} || die
+}
+
+each_ruby_prepare() {
+	sed -i -e 's:ruby -rubygems:'${RUBY}' -rubygems:' \
+		-e 's/localhost/127.0.0.1/' test/shell/* || die
+	sed -i -e '1ilog_requests' test/shell/t{1,2}_conf.rb || die
+}
+
+each_ruby_configure() {
+	${RUBY} -Cext/puma_http11 extconf.rb || die
+}
+
+each_ruby_compile() {
+	emake V=1 -Cext/puma_http11
+	cp ext/puma_http11/puma_http11$(get_modname) lib/puma/ || die
+}
+
+each_ruby_test() {
+	einfo "Running test suite"
+	${RUBY} -Ilib:.:test -e "gem 'minitest', '~>5.9'; gem 'test-unit', '~>3.0'; require 'minitest/autorun'; Dir['test/**/*test_*.rb'].each{|f| require f}" || die
+
+	einfo "Running integration tests"
+	pushd test/shell
+	#sh run.sh || die
+	popd
+}
author	Hans de Graaff <graaff@gentoo.org>	2020-07-19 11:29:11 +0200
committer	Hans de Graaff <graaff@gentoo.org>	2020-07-19 11:29:27 +0200
commit	866b1c92b435b1c6d03ed2e4dfb664a073ad089c (patch)
tree	76c8c8c536be51fc61baa628439e4948ba1f0b7f /www-servers
parent	dev-cpp/glibmm: fix tests with network-sandbox (diff)
download	gentoo-866b1c92b435b1c6d03ed2e4dfb664a073ad089c.tar.gz gentoo-866b1c92b435b1c6d03ed2e4dfb664a073ad089c.tar.bz2 gentoo-866b1c92b435b1c6d03ed2e4dfb664a073ad089c.zip