Compare commits
No commits in common. "c8s" and "c8-beta" have entirely different histories.
@ -1 +0,0 @@
|
||||
1
|
||||
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,2 +1 @@
|
||||
SOURCES/HTTP-Daemon-6.01.tar.gz
|
||||
/HTTP-Daemon-6.01.tar.gz
|
||||
|
||||
1
.perl-HTTP-Daemon.metadata
Normal file
1
.perl-HTTP-Daemon.metadata
Normal file
@ -0,0 +1 @@
|
||||
d3b7614d4b3be4b61d26011efe90026c955102a4 SOURCES/HTTP-Daemon-6.01.tar.gz
|
||||
@ -1,113 +0,0 @@
|
||||
From 241989d49b5aedcde4bfd2a5e8257ea2c2fd252b Mon Sep 17 00:00:00 2001
|
||||
From: Olaf Alders <olaf@wundersolutions.com>
|
||||
Date: Thu, 14 May 2026 00:09:58 +0000
|
||||
Subject: [PATCH] Fix CVE-2026-8450: send_file() honoured 2-arg open()
|
||||
shell-magic
|
||||
|
||||
HTTP::Daemon::ClientConn::send_file() used the 2-arg form
|
||||
open(FILE, $file), which interprets shell-magic prefixes in the
|
||||
path argument: '| cmd' (write pipe -- RCE), 'cmd |' (read pipe --
|
||||
RCE plus response-body exfiltration via the sysread / print loop
|
||||
below), '> path' (write-truncate -- arbitrary file write), and
|
||||
'>> path', '+< path', '<&fd', and leading-whitespace variants of
|
||||
the above.
|
||||
|
||||
Any HTTP::Daemon-based application that passed attacker-influenced
|
||||
bytes to send_file($string) -- for example, a download endpoint
|
||||
that derived the filename from a query parameter -- granted command
|
||||
execution and/or arbitrary file write at the daemon's UID.
|
||||
|
||||
Switch to 3-arg open(my $fh, '<', $file): the explicit '<' mode
|
||||
makes the path argument a literal filename, so every magic shape
|
||||
above is opened (and fails, returning undef) as an ordinary file by
|
||||
that exact name. The localized typeglob is no longer needed and is
|
||||
replaced with a lexical filehandle.
|
||||
|
||||
Two collateral hardening changes ride along:
|
||||
|
||||
- binmode() failure now closes the handle and returns undef,
|
||||
rather than streaming the file with a wrong PerlIO layer.
|
||||
|
||||
- send_file() returns '0E0' (true zero) on a successful zero-byte
|
||||
transfer so callers using "send_file or die" can distinguish
|
||||
open failure (undef) from an empty-but-successful copy.
|
||||
|
||||
The POD now documents the new return-value contract and spells
|
||||
out that the fix only neutralises 2-arg open() shell-magic;
|
||||
callers remain responsible for validating attacker-influenced
|
||||
paths against symlinks, character/block devices (e.g. /dev/zero),
|
||||
named pipes, and document-root escapes.
|
||||
|
||||
Reported and patched by Stig Palmquist (stigtsp).
|
||||
|
||||
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
||||
---
|
||||
lib/HTTP/Daemon.pm | 37 +++++++++++++++++++++++++++++++------
|
||||
1 file changed, 31 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
|
||||
index 216c73f..a715159 100644
|
||||
--- a/lib/HTTP/Daemon.pm
|
||||
+++ b/lib/HTTP/Daemon.pm
|
||||
@@ -617,12 +617,11 @@ sub send_file
|
||||
{
|
||||
my($self, $file) = @_;
|
||||
my $opened = 0;
|
||||
- local(*FILE);
|
||||
if (!ref($file)) {
|
||||
- open(FILE, $file) || return undef;
|
||||
- binmode(FILE);
|
||||
- $file = \*FILE;
|
||||
- $opened++;
|
||||
+ open(my $fh, '<', $file) || return undef;
|
||||
+ binmode($fh) || do { close($fh); return undef };
|
||||
+ $file = $fh;
|
||||
+ $opened++;
|
||||
}
|
||||
my $cnt = 0;
|
||||
my $buf = "";
|
||||
@@ -633,7 +632,11 @@ sub send_file
|
||||
print $self $buf;
|
||||
}
|
||||
close($file) if $opened;
|
||||
- $cnt;
|
||||
+
|
||||
+ # Return a "true zero" for empty-but-successful copies so callers
|
||||
+ # using `send_file or die` can distinguish open failure (undef)
|
||||
+ # from a successful zero-byte transfer.
|
||||
+ $cnt || '0E0';
|
||||
}
|
||||
|
||||
|
||||
@@ -917,6 +920,28 @@ Copy the file to the client. The file can be a string (which
|
||||
will be interpreted as a filename) or a reference to an C<IO::Handle>
|
||||
or glob.
|
||||
|
||||
+Returns the number of bytes copied on success, or C<undef> if the
|
||||
+filename form failed to open. An empty file returns the string
|
||||
+C<'0E0'> (zero numerically, true in boolean context) so that callers
|
||||
+using C<< send_file or die >> can distinguish open failure from a
|
||||
+successful zero-byte transfer.
|
||||
+
|
||||
+The filename form uses Perl's 3-argument C<open> with an explicit C<<
|
||||
+< >> mode, so the path is no longer interpreted as a 2-argument
|
||||
+C<open> shell-magic shape such as C<< | cmd >>, C<< cmd | >>, or
|
||||
+C<< > path >>. See
|
||||
+L<CVE-2026-8450|https://www.cve.org/CVERecord?id=CVE-2026-8450> for
|
||||
+the prior 2-argument C<open> behaviour this replaces.
|
||||
+
|
||||
+Note that this fix only neutralises 2-argument C<open> shell-magic.
|
||||
+Callers remain responsible for validating attacker-influenced paths:
|
||||
+C<send_file> will still happily open symlinks, character/block devices
|
||||
+(e.g. C</dev/zero>, C</dev/stdin>), named pipes (which may block the
|
||||
+worker), and files outside an intended document root. If C<$filename>
|
||||
+can be derived from request input, validate it (canonicalise, reject
|
||||
+C<..> segments, require C<-f _> and a vetted prefix) before passing it
|
||||
+in.
|
||||
+
|
||||
=item $c->daemon
|
||||
|
||||
Return a reference to the corresponding C<HTTP::Daemon> object.
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: perl-HTTP-Daemon
|
||||
Version: 6.01
|
||||
Release: 24%{?dist}
|
||||
Release: 23%{?dist}
|
||||
Summary: Simple HTTP server class
|
||||
License: GPL+ or Artistic
|
||||
URL: http://search.cpan.org/dist/HTTP-Daemon/
|
||||
@ -13,8 +13,6 @@ Patch0: HTTP-Daemon-6.01-Add-IPv6-support.patch
|
||||
Patch1: HTTP-Daemon-6.01-Handle-undef-and-empty-LocalAddr.patch
|
||||
# Fix formatting specific non-local addresses, bug #1578026, CPAN RT#125242
|
||||
Patch2: HTTP-Daemon-6.01-Resolve-specific-socket-addresses-correctly.patch
|
||||
# https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995
|
||||
Patch3: HTTP-Daemon-6.01-CVE-2026-8450.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: make
|
||||
BuildRequires: perl-generators
|
||||
@ -64,7 +62,6 @@ IO::Socket::IP, so you can perform socket operations directly on it too.
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1
|
||||
@ -83,10 +80,6 @@ make test
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Wed Jun 17 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 6.01-24
|
||||
- Fix CVE-2026-8450: send_file() shell-magic injection via 2-arg open()
|
||||
- Resolves: RHEL-184825
|
||||
|
||||
* Wed May 23 2018 Petr Pisar <ppisar@redhat.com> - 6.01-23
|
||||
- Fix formatting numerical non-local specific IPv6 addresses (bug #1578026)
|
||||
|
||||
@ -1,7 +0,0 @@
|
||||
# RHEL
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-*
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||
@ -1,12 +0,0 @@
|
||||
summary: Private (RHEL) beakerlib tests
|
||||
enabled: false
|
||||
adjust:
|
||||
- when: distro == rhel
|
||||
enabled: true
|
||||
because: private tests are accesible only within rhel pipeline
|
||||
discover:
|
||||
- name: rhel
|
||||
how: fmf
|
||||
url: https://pkgs.devel.redhat.com/git/tests/perl-HTTP-Daemon
|
||||
execute:
|
||||
how: tmt
|
||||
Loading…
Reference in New Issue
Block a user