Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: python-torn...@packages.debian.org Control: affects -1 + src:python-tornado User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Reason ] This upload intends to fix the vulnerabilities CVE-2024-52804 and CVE-2023-28370. CVE-2023-28370 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL. CVE-2024-52804 can lead to excessive CPU consumption when parsing maliciously-crafted cookie headers. [ Impact ] Users of Debian Bookworm will continue to be vulnerable to the mentioned issues if the update is not approved. [ Tests ] For both issues, tests have been added or adjusted. The tests are run during build and via autopkgtest and ran successfully. [ Risks ] The changes are quite simple. However, regressions are always possible. The fact that the tests are successful reduce the risk of regressions. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] For CVE-2023-28370, the fix simply leads to a refusal of attempts to redirect to URLs that could be misinterpreted. For CVE-2024-52804, a quadratic algorithm, originally copied from Python 3.5, is replaced with the implementation copied from the Python 3.13 standard library. [ Other info ] All patches contain links to the original reports and commits. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmdzRCwACgkQS80FZ8KW 0F2UPhAAsIbmA/9NykDhNg0Pu7ZFkRZK3gIhX58B4vsjMQp6oRAUgYYaINQPsrIj YtEkjIkkil2be8oBip8zIzAI/FdB5BZ8cUz/BHCUC7wIjznsdMbsL/yHhWvZ6KXe THXypEr1qPueCWIhcJE7LKuoYekmlRsHS8DzlN/Q9IeqObmHz0OQudPruylBd+Y8 uvqNZ1MLiXNTQGBK6FrjiL2CXxOwt52nSVd1xLHzJgPFPHL6Yytu6rp2iq0HKvnV T0IoRtOMk2CA2uMx2Wh4fUIbgDRJPZ34TdbJW8Kuq4Rqwq1+v5tmOkRNGGyVpcUg GMp6FH9JPPgk4nit/zC8l5ZH5vs9WU93G8//B3kfFty2XbbKTK8mGaRnbQe9Fss/ rr5JtGVxLc7ozdnlCcf6rmQhbo+ZkeBNKKgkSR34iHKK4SNgTIE5Juh1Tvd6K0ZU 5HmxEbSX8mATYflyupnFvtLaHJ0piSObsWkRL5jlTwf0BSntjdhBWTWIo9IuWQcY U2WW/xXnYRr2BPMIAYrVctd6jnjYzpE4zn7cMUaEpUmEqTATAvUo932KMT7ueraj Ymy7f6nJcpqq6LiQ9FJ8NV3700OwFUKA94juxaq13OW3lkEwpFnEjlRyDV7BrFdL SiyEQolqoyZvUMl0JTyruDJEPjT1LZx2/xSkqKzfOR7IpVdy1jo= =qDcm -----END PGP SIGNATURE-----
diff -Nru python-tornado-6.2.0/debian/changelog python-tornado-6.2.0/debian/changelog --- python-tornado-6.2.0/debian/changelog 2022-11-20 13:24:11.000000000 +0100 +++ python-tornado-6.2.0/debian/changelog 2024-12-31 01:53:59.000000000 +0100 @@ -1,3 +1,21 @@ +python-tornado (6.2.0-3+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload by the Debian LTS team. + * d/patches/CVE-2024-52804.patch: Fix CVE-2024-52804 (closes: #1088112). + - The algorithm used for parsing HTTP cookies in Tornado versions prior to + 6.4.2 sometimes has quadratic complexity, leading to excessive CPU + consumption when parsing maliciously-crafted cookie headers. This + parsing occurs in the event loop thread and may block the processing of + other requests. + * d/patches/CVE-2023-28370-1.patch, + d/patches/CVE-2023-28370-2.patch: Fix CVE-2023-28370 (closes: #1036875). + - Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows + a remote unauthenticated attacker to redirect a user to an arbitrary web + site and conduct a phishing attack by having user access a specially + crafted URL. + + -- Daniel Leidert <dleid...@debian.org> Tue, 31 Dec 2024 01:53:59 +0100 + python-tornado (6.2.0-3) unstable; urgency=medium [ Debian Janitor ] diff -Nru python-tornado-6.2.0/debian/gbp.conf python-tornado-6.2.0/debian/gbp.conf --- python-tornado-6.2.0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ python-tornado-6.2.0/debian/gbp.conf 2024-12-31 01:53:59.000000000 +0100 @@ -0,0 +1,4 @@ +[DEFAULT] +upstream-branch = upstream +debian-branch = debian/bookworm +pristine-tar = True diff -Nru python-tornado-6.2.0/debian/patches/CVE-2023-28370-1.patch python-tornado-6.2.0/debian/patches/CVE-2023-28370-1.patch --- python-tornado-6.2.0/debian/patches/CVE-2023-28370-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-tornado-6.2.0/debian/patches/CVE-2023-28370-1.patch 2024-12-31 01:53:59.000000000 +0100 @@ -0,0 +1,41 @@ +From: Ben Darnell <b...@bendarnell.com> +Date: Sat, 13 May 2023 20:58:52 -0400 +Subject: web: Fix an open redirect in StaticFileHandler + +Under some configurations the default_filename redirect could be exploited +to redirect to an attacker-controlled site. This change refuses to redirect +to URLs that could be misinterpreted. + +A test case for the specific vulnerable configuration will follow after the +patch has been available. + +Reviewed-By: Daniel Leidert <dleid...@debian.org> +Origin: https://github.com/tornadoweb/tornado/pull/3266 +Bug: https://github.com/advisories/GHSA-hj3f-6gcp-jg8j +Bug-Debian: https://bugs.debian.org/1036875 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28370 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2023-28370 +--- + tornado/web.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tornado/web.py b/tornado/web.py +index cd6a81b..05b571e 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -2806,6 +2806,15 @@ class StaticFileHandler(RequestHandler): + # but there is some prefix to the path that was already + # trimmed by the routing + if not self.request.path.endswith("/"): ++ if self.request.path.startswith("//"): ++ # A redirect with two initial slashes is a "protocol-relative" URL. ++ # This means the next path segment is treated as a hostname instead ++ # of a part of the path, making this effectively an open redirect. ++ # Reject paths starting with two slashes to prevent this. ++ # This is only reachable under certain configurations. ++ raise HTTPError( ++ 403, "cannot redirect path with two initial slashes" ++ ) + self.redirect(self.request.path + "/", permanent=True) + return None + absolute_path = os.path.join(absolute_path, self.default_filename) diff -Nru python-tornado-6.2.0/debian/patches/CVE-2023-28370-2.patch python-tornado-6.2.0/debian/patches/CVE-2023-28370-2.patch --- python-tornado-6.2.0/debian/patches/CVE-2023-28370-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-tornado-6.2.0/debian/patches/CVE-2023-28370-2.patch 2024-12-31 01:53:59.000000000 +0100 @@ -0,0 +1,63 @@ +From: Ben Darnell <b...@bendarnell.com> +Date: Tue, 6 Jun 2023 22:48:05 -0400 +Subject: test: Add test for open redirect fixed in 6.3.2 + +Reviewed-By: Daniel Leidert <dleid...@debian.org> +Origin: https://github.com/tornadoweb/tornado/pull/3276 +Bug: https://github.com/advisories/GHSA-hj3f-6gcp-jg8j +Bug-Debian: https://bugs.debian.org/1036875 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-28370 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2023-28370 +--- + tornado/test/web_test.py | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py +index 396ba6d..7e33033 100644 +--- a/tornado/test/web_test.py ++++ b/tornado/test/web_test.py +@@ -1426,6 +1426,35 @@ class StaticDefaultFilenameTest(WebTestCase): + self.assertTrue(response.headers["Location"].endswith("/static/dir/")) + + ++class StaticDefaultFilenameRootTest(WebTestCase): ++ def get_app_kwargs(self): ++ return dict( ++ static_path=os.path.abspath(relpath("static")), ++ static_handler_args=dict(default_filename="index.html"), ++ static_url_prefix="/", ++ ) ++ ++ def get_handlers(self): ++ return [] ++ ++ def get_http_client(self): ++ # simple_httpclient only: curl doesn't let you send a request starting ++ # with two slashes. ++ return SimpleAsyncHTTPClient() ++ ++ def test_no_open_redirect(self): ++ # This test verifies that the open redirect that affected some configurations ++ # prior to Tornado 6.3.2 is no longer possible. The vulnerability required ++ # a static_url_prefix of "/" and a default_filename (any value) to be set. ++ # The absolute server-side path to the static directory must also be known. ++ with ExpectLog(gen_log, ".*cannot redirect path with two initial slashes"): ++ response = self.fetch( ++ f"//evil.com/../{os.path.dirname(__file__)}/static/dir", ++ follow_redirects=False, ++ ) ++ self.assertEqual(response.code, 403) ++ ++ + class StaticFileWithPathTest(WebTestCase): + def get_app_kwargs(self): + return dict( +@@ -2837,7 +2866,7 @@ class XSRFTest(SimpleHandlerTestCase): + body=b"", + headers=dict( + {"X-Xsrftoken": self.xsrf_token}, # type: ignore +- **self.cookie_headers() ++ **self.cookie_headers(), + ), + ) + self.assertEqual(response.code, 200) diff -Nru python-tornado-6.2.0/debian/patches/CVE-2024-52804.patch python-tornado-6.2.0/debian/patches/CVE-2024-52804.patch --- python-tornado-6.2.0/debian/patches/CVE-2024-52804.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-tornado-6.2.0/debian/patches/CVE-2024-52804.patch 2024-12-31 01:53:59.000000000 +0100 @@ -0,0 +1,144 @@ +From: Ben Darnell <b...@bendarnell.com> +Date: Thu, 21 Nov 2024 14:48:05 -0500 +Subject: httputil: Fix quadratic performance of cookie parsing + +Maliciously-crafted cookies can cause Tornado to +spend an unreasonable amount of CPU time and block +the event loop. + +This change replaces the quadratic algorithm with +a more efficient one. The implementation is copied +from the Python 3.13 standard library (the +previous one was from Python 3.5). + +Fixes CVE-2024-52804 +See CVE-2024-7592 for a similar vulnerability in cpython. + +Thanks to github.com/kexinoh for the report. + +Reviewed-By: Daniel Leidert <dleid...@debian.org> +Origin: https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533.patch +Bug: https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c +Bug-Debian: https://bugs.debian.org/1088112 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-52804 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-52804 +--- + tornado/httputil.py | 38 ++++++++++------------------------- + tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+), 28 deletions(-) + +diff --git a/tornado/httputil.py b/tornado/httputil.py +index 9c341d4..f74eced 100644 +--- a/tornado/httputil.py ++++ b/tornado/httputil.py +@@ -1053,15 +1053,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]: + yield (k, v) + + +-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") +-_QuotePatt = re.compile(r"[\\].") +-_nulljoin = "".join ++_unquote_sub = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub ++ ++ ++def _unquote_replace(m: re.Match) -> str: ++ if m[1]: ++ return chr(int(m[1], 8)) ++ else: ++ return m[2] + + + def _unquote_cookie(s: str) -> str: + """Handle double quotes and escaping in cookie values. + +- This method is copied verbatim from the Python 3.5 standard ++ This method is copied verbatim from the Python 3.13 standard + library (http.cookies._unquote) so we don't have to depend on + non-public interfaces. + """ +@@ -1082,30 +1087,7 @@ def _unquote_cookie(s: str) -> str: + # \012 --> \n + # \" --> " + # +- i = 0 +- n = len(s) +- res = [] +- while 0 <= i < n: +- o_match = _OctalPatt.search(s, i) +- q_match = _QuotePatt.search(s, i) +- if not o_match and not q_match: # Neither matched +- res.append(s[i:]) +- break +- # else: +- j = k = -1 +- if o_match: +- j = o_match.start(0) +- if q_match: +- k = q_match.start(0) +- if q_match and (not o_match or k < j): # QuotePatt matched +- res.append(s[i:k]) +- res.append(s[k + 1]) +- i = k + 2 +- else: # OctalPatt matched +- res.append(s[i:j]) +- res.append(chr(int(s[j + 1 : j + 4], 8))) +- i = j + 4 +- return _nulljoin(res) ++ return _unquote_sub(_unquote_replace, s) + + + def parse_cookie(cookie: str) -> Dict[str, str]: +diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py +index 0fad403..25faf66 100644 +--- a/tornado/test/httputil_test.py ++++ b/tornado/test/httputil_test.py +@@ -519,3 +519,49 @@ class ParseCookieTest(unittest.TestCase): + self.assertEqual( + parse_cookie(" = b ; ; = ; c = ; "), {"": "b", "c": ""} + ) ++ ++ def test_unquote(self): ++ # Copied from ++ # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L62 ++ cases = [ ++ (r'a="b=\""', 'b="'), ++ (r'a="b=\\"', "b=\\"), ++ (r'a="b=\="', "b=="), ++ (r'a="b=\n"', "b=n"), ++ (r'a="b=\042"', 'b="'), ++ (r'a="b=\134"', "b=\\"), ++ (r'a="b=\377"', "b=\xff"), ++ (r'a="b=\400"', "b=400"), ++ (r'a="b=\42"', "b=42"), ++ (r'a="b=\\042"', "b=\\042"), ++ (r'a="b=\\134"', "b=\\134"), ++ (r'a="b=\\\""', 'b=\\"'), ++ (r'a="b=\\\042"', 'b=\\"'), ++ (r'a="b=\134\""', 'b=\\"'), ++ (r'a="b=\134\042"', 'b=\\"'), ++ ] ++ for encoded, decoded in cases: ++ with self.subTest(encoded): ++ c = parse_cookie(encoded) ++ self.assertEqual(c["a"], decoded) ++ ++ def test_unquote_large(self): ++ # Adapted from ++ # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L87 ++ # Modified from that test because we handle semicolons differently from the stdlib. ++ # ++ # This is a performance regression test: prior to improvements in Tornado 6.4.2, this test ++ # would take over a minute with n= 100k. Now it runs in tens of milliseconds. ++ n = 100000 ++ for encoded in r"\\", r"\134": ++ with self.subTest(encoded): ++ start = time.time() ++ data = 'a="b=' + encoded * n + '"' ++ value = parse_cookie(data)["a"] ++ end = time.time() ++ self.assertEqual(value[:3], "b=\\") ++ self.assertEqual(value[-3:], "\\\\\\") ++ self.assertEqual(len(value), n + 2) ++ ++ # Very loose performance check to avoid false positives ++ self.assertLess(end - start, 1, "Test took too long") diff -Nru python-tornado-6.2.0/debian/patches/series python-tornado-6.2.0/debian/patches/series --- python-tornado-6.2.0/debian/patches/series 2022-11-20 13:24:11.000000000 +0100 +++ python-tornado-6.2.0/debian/patches/series 2024-12-31 01:53:59.000000000 +0100 @@ -4,3 +4,6 @@ 0006-Use-local-objects.inv-for-intersphinx-mapping.patch 0007-Higher-test_gc-timeout.patch ignore-py310-deprecation-warnings.patch +CVE-2024-52804.patch +CVE-2023-28370-1.patch +CVE-2023-28370-2.patch
