From 1b8263cf253aafe45043538a42f0336c9cdda9b6 Mon Sep 17 00:00:00 2001
From: Rohit Rawat
Date: Wed, 9 Oct 2024 20:02:15 +0530
Subject: [PATCH] Patch CVE-2024-45590 in reaper (#10557)
---
 SPECS/reaper/CVE-2024-45590.patch | 87 +++++++++++++++++++++++++++++++
 SPECS/reaper/reaper.spec | 6 ++-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/reaper/CVE-2024-45590.patch
diff --git a/SPECS/reaper/CVE-2024-45590.patch b/SPECS/reaper/CVE-2024-45590.patch
new file mode 100644
index 00000000000..52aa5bd83e7
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-45590.patch
@@ -0,0 +1,87 @@
+From 58b0b02d2501825235a1c1c2598171513621df45 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat
+Date: Wed, 25 Sep 2024 12:35:30 +0000
+Subject: [PATCH] CVE-2024-45590: Set default depth limit to 32
+
+---
+ .../body-parser/lib/types/urlencoded.js | 37 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/src/ui/node_modules/body-parser/lib/types/urlencoded.js b/src/ui/node_modules/body-parser/lib/types/urlencoded.js
+index b2ca8f16..886a3ce2 100644
+--- a/src/ui/node_modules/body-parser/lib/types/urlencoded.js
++++ b/src/ui/node_modules/body-parser/lib/types/urlencoded.js
+@@ -55,6 +55,9 @@ function urlencoded (options) {
+ : opts.limit
+ var type = opts.type || 'application/x-www-form-urlencoded'
+ var verify = opts.verify || false
++ var depth = typeof opts.depth !== 'number'
++ ? Number(opts.depth || 32)
++ : opts.depth
+
+ if (verify !== false && typeof verify !== 'function') {
+ throw new TypeError('option verify must be function')
+@@ -118,7 +121,8 @@ function urlencoded (options) {
+ encoding: charset,
+ inflate: inflate,
+ limit: limit,
+- verify: verify
++ verify: verify,
++ depth: depth
+ })
+ }
+ }
+@@ -133,12 +137,20 @@ function extendedparser (options) {
+ var parameterLimit = options.parameterLimit !== undefined
+ ? options.parameterLimit
+ : 1000
++
++ var depth = typeof options.depth !== 'number'
++ ? Number(options.depth || 32)
++ : options.depth
+ var parse = parser('qs')
+
+ if (isNaN(parameterLimit) || parameterLimit < 1) {
+ throw new TypeError('option parameterLimit must be a positive number')
+ }
+
++ if(isNaN(depth) || depth < 0) {
++ throw new TypeError('option depth must be a zero or a positive number')
++ }
++
+ if (isFinite(parameterLimit)) {
+ parameterLimit = parameterLimit | 0
+ }
+@@ -156,12 +168,23 @@ function extendedparser (options) {
+ var arrayLimit = Math.max(100, paramCount)
+
+ debug('parse extended urlencoding')
+- return parse(body, {
+- allowPrototypes: true,
+- arrayLimit: arrayLimit,
+- depth: Infinity,
+- parameterLimit: parameterLimit
+- })
++ try {
++ return parse(body, {
++ allowPrototypes: true,
++ arrayLimit: arrayLimit,
++ depth: depth,
++ strictDepth: true,
++ parameterLimit: parameterLimit
++ })
++ } catch (err) {
++ if (err instanceof RangeError) {
++ throw createError(400, 'The input exceeded the depth', {
++ type: 'querystring.parse.rangeError'
++ })
++ } else {
++ throw err
++ }
++ }
+ }
+ }
+
+--
+2.39.4
+
diff --git a/SPECS/reaper/reaper.spec b/SPECS/reaper/reaper.spec
index 021a9b5b716..18b82ec0eef 100755
--- a/SPECS/reaper/reaper.spec
+++ b/SPECS/reaper/reaper.spec
@@ -6,7 +6,7 @@
 Summary: Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name: reaper
 Version: 3.1.1
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -37,6 +37,7 @@ Patch1: CVE-2023-42282.patch
 Patch2: CVE-2017-18214.patch
 Patch3: CVE-2024-42459.patch
 Patch4: CVE-2024-43796.patch
+Patch5: CVE-2024-45590.patch
 BuildRequires: git
 BuildRequires: javapackages-tools
 BuildRequires: maven
@@ -173,6 +174,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 %changelog
+* Thu Sep 26 2024 Rohit Rawat - 3.1.1-13
+- Patch CVE-2024-45590 in body-parser module
+
 * Wed Sep 25 2024 Rohit Rawat - 3.1.1-12
 - Patch CVE-2024-43796 in express module
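Review bot: In the last hunk of the embedded urlencoded.js patch (`extendedparser`), the new `strictDepth: true` option and the `RangeError` to 400 path only take effect if the `qs` module bundled next to body-parser implements `strictDepth`. The inner diffstat shows the patch touches only `urlencoded.js`, so that is not established here. With an older `qs` the option is presumably ignored: nesting would still stop at the new default of 32, but over-deep bodies would be accepted instead of rejected and the `catch` branch would never run. Confirm the vendored `qs` version during the build and record the dependency beside the call, e.g. `// strictDepth requires a qs release that implements it; otherwise over-deep input is not rejected`. Separately, `err instanceof RangeError` also matches range errors unrelated to nesting depth, so the fixed message 'The input exceeded the depth' may mislabel them.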