Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32239 https://nvd.nist.gov/vuln/detail/CVE-2026-32240
Backport the patch that is referenced by the NVD advisories. (Same patch for both vulnerabilities) Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../CVE-2026-32239_CVE-2026-32240.patch | 160 ++++++++++++++++++ .../capnproto/capnproto_1.0.2.bb | 4 +- 2 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch diff --git a/meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch b/meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch new file mode 100644 index 0000000000..803a0d55ad --- /dev/null +++ b/meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch @@ -0,0 +1,160 @@ +From 0e77b95c0829c83a31be5e219aee2a4e3f9895a7 Mon Sep 17 00:00:00 2001 +From: Kenton Varda <[email protected]> +Date: Tue, 10 Mar 2026 18:16:14 -0500 +Subject: [PATCH] Fix HTTP body size integer overflow bugs. + +The KJ-HTTP library was discovered to have two bugs related to integer overflows while handling message body sizes: +1. A negative `Content-Length` value was converted to unsigned, treating it as an impossibly large length instead. +2. When using `Transfer-Encoding: chunked`, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. + +In theory, these bugs could enable HTTP request/response smuggling, although it would require integration with a proxy that has bugs of its own. + +For more details, see (in a future commit): security-advisories/2026-03-10-1-http-size-validation.md + +CVE: CVE-2026-32239 CVE-2026-32240 +Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + c++/src/kj/compat/http-test.c++ | 64 +++++++++++++++++++++++++++++++++ + c++/src/kj/compat/http.c++ | 28 +++++++++++---- + 2 files changed, 86 insertions(+), 6 deletions(-) + +diff --git a/c++/src/kj/compat/http-test.c++ b/c++/src/kj/compat/http-test.c++ +index f10ff8d1..daf08992 100644 +--- a/c++/src/kj/compat/http-test.c++ ++++ b/c++/src/kj/compat/http-test.c++ +@@ -4038,6 +4038,70 @@ KJ_TEST("HttpServer invalid method") { + KJ_EXPECT(expectedResponse == response, expectedResponse, response); + } + ++KJ_TEST("HttpServer rejects negative Content-Length") { ++ KJ_HTTP_TEST_SETUP_IO; ++ kj::TimerImpl timer(kj::origin<kj::TimePoint>()); ++ auto pipe = KJ_HTTP_TEST_CREATE_2PIPE; ++ ++ HttpHeaderTable table; ++ BrokenHttpService service; ++ HttpServer server(timer, table, service, { ++ .canceledUploadGraceBytes = 1024 * 1024, ++ }); ++ ++ auto listenTask = server.listenHttp(kj::mv(pipe.ends[0])); ++ ++ auto msg = ++ "POST / HTTP/1.1\r\n" ++ "Content-Length: -1\r\n" ++ "\r\n" ++ "foo"_kj.asBytes(); ++ ++ auto writePromise = pipe.ends[1]->write(msg.begin(), msg.size()); ++ auto response = pipe.ends[1]->readAllText().wait(waitScope); ++ ++ // The server should reject the negative Content-Length. The KJ_FAIL_REQUIRE in getEntityBody() ++ // gets caught by the server loop and turned into a 500 error. ++ KJ_EXPECT(response.startsWith("HTTP/1.1 500 Internal Server Error"), response); ++ ++ KJ_EXPECT(writePromise.poll(waitScope)); ++ writePromise.catch_([](kj::Exception&&) {}).wait(waitScope); ++} ++ ++KJ_TEST("HttpServer rejects chunked body with overflowing chunk size") { ++ KJ_HTTP_TEST_SETUP_IO; ++ kj::TimerImpl timer(kj::origin<kj::TimePoint>()); ++ auto pipe = KJ_HTTP_TEST_CREATE_2PIPE; ++ ++ HttpHeaderTable table; ++ BrokenHttpService service; ++ HttpServer server(timer, table, service, { ++ .canceledUploadGraceBytes = 1024 * 1024, ++ }); ++ ++ auto listenTask = server.listenHttp(kj::mv(pipe.ends[0])); ++ ++ // 17 hex digits: 0x10000000000000000 = 2^64, which overflows uint64_t. ++ auto msg = ++ "POST / HTTP/1.1\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "\r\n" ++ "10000000000000000\r\n" ++ "x\r\n" ++ "0\r\n" ++ "\r\n"_kj.asBytes(); ++ ++ auto writePromise = pipe.ends[1]->write(msg.begin(), msg.size()); ++ auto response = pipe.ends[1]->readAllText().wait(waitScope); ++ ++ // The chunk size overflow causes a KJ_REQUIRE failure during body reading, which the server ++ // catches and turns into a 500 error. ++ KJ_EXPECT(response.startsWith("HTTP/1.1 500 Internal Server Error"), response); ++ ++ KJ_EXPECT(writePromise.poll(waitScope)); ++ writePromise.catch_([](kj::Exception&&) {}).wait(waitScope); ++} ++ + // Ensure that HttpServerSettings can continue to be constexpr. + KJ_UNUSED static constexpr HttpServerSettings STATIC_CONSTEXPR_SETTINGS {}; + +diff --git a/c++/src/kj/compat/http.c++ b/c++/src/kj/compat/http.c++ +index aae47ad1..da705e66 100644 +--- a/c++/src/kj/compat/http.c++ ++++ b/c++/src/kj/compat/http.c++ +@@ -1406,16 +1406,20 @@ public: + + uint64_t value = 0; + for (char c: text) { ++ uint64_t digit; + if ('0' <= c && c <= '9') { +- value = value * 16 + (c - '0'); ++ digit = c - '0'; + } else if ('a' <= c && c <= 'f') { +- value = value * 16 + (c - 'a' + 10); ++ digit = c - 'a' + 10; + } else if ('A' <= c && c <= 'F') { +- value = value * 16 + (c - 'A' + 10); ++ digit = c - 'A' + 10; + } else { + KJ_FAIL_REQUIRE("invalid HTTP chunk size", text, text.asBytes()) { break; } + return value; + } ++ KJ_REQUIRE(value <= (uint64_t(kj::maxValue) >> 4), ++ "HTTP chunk size overflow", text, text.asBytes()) { break; } ++ value = value * 16 + digit; + } + + return value; +@@ -1942,7 +1946,15 @@ kj::Own<kj::AsyncInputStream> HttpInputStreamImpl::getEntityBody( + // Body elided. + kj::Maybe<uint64_t> length; + KJ_IF_MAYBE(cl, headers.get(HttpHeaderId::CONTENT_LENGTH)) { +- length = strtoull(cl->cStr(), nullptr, 10); ++ // Validate that the Content-Length is a non-negative integer. Note that strtoull() accepts ++ // leading '-' signs and silently converts negative values to large unsigned values, so we ++ // must explicitly check for a leading digit. ++ char* end; ++ uint64_t parsedValue = strtoull(cl->cStr(), &end, 10); ++ if ((*cl)[0] >= '0' && (*cl)[0] <= '9' && end > cl->begin() && *end == '\0') { ++ length = parsedValue; ++ } ++ // If invalid, we just leave `length` as nullptr, since the body is elided anyway. + } else if (headers.get(HttpHeaderId::TRANSFER_ENCODING) == nullptr) { + // HACK: Neither Content-Length nor Transfer-Encoding header in response to HEAD + // request. Propagate this fact with a 0 expected body length. +@@ -1991,12 +2003,16 @@ kj::Own<kj::AsyncInputStream> HttpInputStreamImpl::getEntityBody( + // "Content-Length: 5, 5, 5". Hopefully no one actually does that... + char* end; + uint64_t length = strtoull(cl->cStr(), &end, 10); +- if (end > cl->begin() && *end == '\0') { ++ // Note that strtoull() accepts leading '-' signs and silently converts negative values to ++ // large unsigned values, so we must explicitly check for a leading digit. ++ if ((*cl)[0] >= '0' && (*cl)[0] <= '9' && end > cl->begin() && *end == '\0') { + // #5 + return kj::heap<HttpFixedLengthEntityReader>(*this, length); + } else { + // #4 (bad content-length) +- KJ_FAIL_REQUIRE("invalid Content-Length header value", *cl); ++ KJ_FAIL_REQUIRE("invalid Content-Length header value", *cl) { break; } ++ // To pass the -fno-exceptions test (but KJ-HTTP is really not safe to use in that mode). ++ return kj::heap<HttpNullEntityReader>(*this, uint64_t(0)); + } + } + diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb b/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb index 0ea243fd20..22c4b7cd0a 100644 --- a/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb +++ b/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb @@ -6,7 +6,9 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9" SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \ - file://0001-Export-binaries-only-for-native-build.patch" + file://0001-Export-binaries-only-for-native-build.patch \ + file://CVE-2026-32239_CVE-2026-32240.patch;patchdir=.. \ + " SRCREV = "1a0e12c0a3ba1f0dbbad45ddfef555166e0a14fc" S = "${UNPACKDIR}/${BP}/c++"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#125274): https://lists.openembedded.org/g/openembedded-devel/message/125274 Mute This Topic: https://lists.openembedded.org/mt/118343589/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
