Bug 835492 (CVE-2022-24761) - <dev-python/waitress-2.1.1: multiple "HTTP desync/HTTP request smuggling" vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-24761
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 835493
Blocks:
Reported: 2022-03-17 09:05 UTC by Michał Górny
Modified: 2022-03-19 05:30 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-03-17 09:05:58 UTC
+2.1.1
+-----
+
+Security Bugfix
+~~~~~~~~~~~~~~~
+
+- Waitress now validates that chunked encoding extensions are valid, and don't
+  contain invalid characters that are not allowed. They are still skipped/not
+  processed, but if they contain invalid data we no longer continue in and
+  return a 400 Bad Request. This stops potential HTTP desync/HTTP request
+  smuggling. Thanks to Zhang Zeyu for reporting this issue. See
+  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the chunk length is only valid hex digits when
+  parsing chunked encoding, and values such as ``0x01`` and ``+01`` are no
+  longer supported. This stops potential HTTP desync/HTTP request smuggling.
+  Thanks to Zhang Zeyu for reporting this issue. See
+  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
+
+- Waitress now validates that the Content-Length sent by a remote contains only
+  digits in accordance with RFC7230 and will return a 400 Bad Request when the
+  Content-Length header contains invalid data, such as ``+10`` which would
+  previously get parsed as ``10`` and accepted. This stops potential HTTP
+  desync/HTTP request smuggling. Thanks to Zhang Zeyu for reporting this issue. See
+  https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
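The three validation rules in the changelog quoted above (hex-only chunk-size, well-formed chunk extensions, digit-only Content-Length), as an added illustration that is not waitress's own code. The regular expressions, the function names and the sample bodies are my own; the "lenient" helpers only stand in for what Python's `int()` tolerates (`+10`, `0x01`, `+01`, surrounding whitespace), not for waitress's actual pre-2.1.1 parser. The grammar followed is the RFC 7230 one the changelog cites.

```python
"""Strict request-body length validation per RFC 7230 (added example, not
waitress code). Lenient variants show what int() accepts on its own."""
import re

# RFC 7230 grammar fragments as regular expressions over raw header bytes.
HEXDIG = re.compile(rb"^[0-9A-Fa-f]+$")                  # chunk-size = 1*HEXDIG
DIGITS = re.compile(rb"^[0-9]+$")                        # Content-Length = 1*DIGIT
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # token = 1*tchar
QUOTED = re.compile(rb'^"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]'
                    rb'|\\[\t \x21-\x7e\x80-\xff])*"$')   # quoted-string


class BadRequest(ValueError):
    """Raised where a server should answer 400 instead of guessing."""


def lenient_content_length(value: bytes) -> int:
    """int() alone tolerates a sign, surrounding whitespace and underscores."""
    return int(value)


def strict_content_length(value: bytes) -> int:
    """Accept only 1*DIGIT; anything else is a 400 Bad Request."""
    if not DIGITS.match(value):
        raise BadRequest(f"invalid Content-Length {value!r}")
    return int(value)


def lenient_chunk_size(line: bytes) -> int:
    """int(x, 16) alone tolerates a '0x' prefix, a sign and whitespace."""
    return int(line.split(b";", 1)[0].strip(), 16)


def _validate_chunk_ext(ext: bytes) -> None:
    """chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] ).
    `ext` is the text after the first ';'. Extensions are checked, not used."""
    for item in ext.split(b";"):
        name, eq, val = item.partition(b"=")
        if not TOKEN.match(name):
            raise BadRequest(f"invalid chunk-ext-name {name!r}")
        if eq and not (TOKEN.match(val) or QUOTED.match(val)):
            raise BadRequest(f"invalid chunk-ext-val {val!r}")


def strict_chunk_size(line: bytes) -> int:
    """chunk-size must be 1*HEXDIG; any chunk-ext must be well-formed."""
    size, sep, ext = line.partition(b";")
    if not HEXDIG.match(size):
        raise BadRequest(f"invalid chunk-size {size!r}")
    if sep:
        _validate_chunk_ext(ext)
    return int(size, 16)


def decode_chunked(body: bytes, parse_size=strict_chunk_size) -> bytes:
    """Decode a chunked body with the given chunk-size parser. Trailers are
    not supported: the last-chunk must be followed by a bare CRLF and nothing
    else. Any other deviation is a 400 rather than a guess."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise BadRequest("truncated chunk-size line")
        size = parse_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n" or len(body) != pos + 2:
                raise BadRequest("unexpected data after last-chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequest("chunk shorter than declared or missing CRLF")
        out += chunk
        pos += size + 2


def rejects(parser, value: bytes) -> bool:
    """True if `parser` raises BadRequest (or any ValueError) on `value`."""
    try:
        parser(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the lenient helpers accept them, the strict ones refuse.
    for v in (b"10", b"+10", b" 10"):
        print(v, "int():", lenient_content_length(v),
              "strict rejects:", rejects(strict_content_length, v))
    for line in (b"5", b"0x05", b"+05", b"5;ext=val", b"5;bad ext"):
        print(line, "strict rejects:", rejects(strict_chunk_size, line))
```

The point of the two parsers side by side is the desync itself: a body framed with `+5` or `0x05` is read as five bytes by a parser that falls back on `int()`, while a parser that applies the RFC grammar refuses the request outright. Two hops that disagree on where a body ends are what request smuggling exploits, so the defender's choice is to reject, as 2.1.1 does, not to normalise.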
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-03-18 11:31:04 UTC
cleanup done.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 05:30:47 UTC
Thanks!