!45 [sync] PR-42: Fix CVE-2024-4109

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2019-3888.patch

@@ -0,0 +1,22 @@
+From ac72df4e61b73d205c6cc5ad08226fa4c889ccc2 Mon Sep 17 00:00:00 2001
+From: Michael Bolz <michael.bolz@sap.com>
+Date: Tue, 1 Oct 2019 06:45:17 +0200
+Subject: [PATCH] [UNDERTOW-1515] HttpServerExchange.toString does not include
+ headers
+
+---
+ core/src/main/java/io/undertow/server/HttpServerExchange.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/io/undertow/server/HttpServerExchange.java b/core/src/main/java/io/undertow/server/HttpServerExchange.java
+index d933eb7811..a2763ed6ab 100644
+--- a/core/src/main/java/io/undertow/server/HttpServerExchange.java
++++ b/core/src/main/java/io/undertow/server/HttpServerExchange.java
+@@ -2443,6 +2443,6 @@ public T create() {
+ 
+     @Override
+     public String toString() {
+-        return "HttpServerExchange{ " + getRequestMethod().toString() + " " + getRequestURI() + " request " + requestHeaders + " response " + responseHeaders + '}';
++        return "HttpServerExchange{ " + getRequestMethod().toString() + " " + getRequestURI() + '}';
+     }
+ }

CVE-2020-10719.patch

@@ -0,0 +1,48 @@
+From bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko <bspyrkos@redhat.com>
+Date: Tue, 25 Feb 2020 13:26:20 +0000
+Subject: [PATCH] [UNDERTOW-1708][JBEAP-18537] Fix overflow of chunk size
+
+---
+ core/src/main/java/io/undertow/UndertowMessages.java     | 3 +++
+ core/src/main/java/io/undertow/conduits/ChunkReader.java | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/core/src/main/java/io/undertow/UndertowMessages.java b/core/src/main/java/io/undertow/UndertowMessages.java
+index fbde7d1..3aa4ad8 100644
+--- a/core/src/main/java/io/undertow/UndertowMessages.java
++++ b/core/src/main/java/io/undertow/UndertowMessages.java
+@@ -471,4 +471,7 @@ public interface UndertowMessages {
+ 
+     @Message(id = 147, value = "No host header in a HTTP/1.1 request")
+     IOException noHostInHttp11Request();
++
++    @Message(id = 195, value = "Chunk size too large")
++    IOException chunkSizeTooLarge();
+ }
+diff --git a/core/src/main/java/io/undertow/conduits/ChunkReader.java b/core/src/main/java/io/undertow/conduits/ChunkReader.java
+index 21ef002..e064f71 100644
+--- a/core/src/main/java/io/undertow/conduits/ChunkReader.java
++++ b/core/src/main/java/io/undertow/conduits/ChunkReader.java
+@@ -48,6 +48,8 @@ class ChunkReader<T extends Conduit> {
+ 
+     private static final long MASK_COUNT = longBitMask(0, 56);
+ 
++    private static final long LIMIT = Long.MAX_VALUE >> 4;
++
+     private long state;
+     private final Attachable attachable;
+     private final AttachmentKey<HeaderMap> trailerAttachmentKey;
+@@ -103,6 +105,9 @@ class ChunkReader<T extends Conduit> {
+                 while (buf.hasRemaining()) {
+                     byte b = buf.get();
+                     if ((b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')) {
++                        if (chunkRemaining > LIMIT) {
++                            throw UndertowMessages.MESSAGES.chunkSizeTooLarge();
++                        }
+                         chunkRemaining <<= 4; //shift it 4 bytes and then add the next value to the end
+                         chunkRemaining += Character.digit((char) b, 16);
+                     } else {
+-- 
+2.23.0
+

CVE-2021-3690.patch

@@ -0,0 +1,25 @@
+From abbaa6e883e6b4d082f13347e0f8e332097f9554 Mon Sep 17 00:00:00 2001
+From: Andrey Marinchuk <radist.nt@gmail.com>
+Date: Sat, 31 Jul 2021 00:26:57 +0300
+Subject: [PATCH] [UNDERTOW-1935] - buffer leak on incoming websocket PONG
+ message
+
+Origin:
+https://github.com/undertow-io/undertow/commit/97482a5d4114001d45f9b07f1d2893749cdcba8b
+---
+ .../src/main/java/io/undertow/websockets/jsr/FrameHandler.java  | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java b/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
+index 12ae5bb38c..a93822587d 100644
+--- a/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
++++ b/websockets-jsr/src/main/java/io/undertow/websockets/jsr/FrameHandler.java
+@@ -152,6 +152,8 @@ public void run() {
+                     }
+                 }
+             });
++        } else {
++            bufferedBinaryMessage.getData().free();
+         }
+     }
+ 

CVE-2023-1108.patch

@@ -0,0 +1,25 @@
+From b98b55c993e3163e22121935f826adc8c4025c86 Mon Sep 17 00:00:00 2001
+From: mayp <mayanping@ncti-gba.cn>
+Date: Mon, 3 Apr 2023 18:02:05 +0800
+Subject: [PATCH] Fix CVE-2023-1108
+
+---
+ core/src/main/java/io/undertow/protocols/ssl/SslConduit.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+index 3084915..dde0e0c 100644
+--- a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
++++ b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+@@ -852,7 +852,7 @@ public class SslConduit implements StreamSourceConduit, StreamSinkConduit {
+         }
+         try {
+             SSLEngineResult result = null;
+-            while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
++            while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
+                 if (userBuffers == null) {
+                     result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
+                 } else {
+-- 
+2.36.1
+

CVE-2023-1973.patch

@@ -0,0 +1,131 @@
+From 0410f3c4d9b39b754a2203a29834cac51da11258 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Richard=20Op=C3=A1lka?= <opalka.richard@gmail.com>
+Date: Fri, 19 Jan 2024 19:52:31 +0100
+Subject: [PATCH] [UNDERTOW-2264] CVE-2023-1973 Force session timeout to 2
+ minutes when session was created during the authentication phase. Once
+ authentication is complete restore original (configured) session timeout.
+
+Signed-off-by: Flavia Rainone <frainone@redhat.com>
+
+Origin:
+https://github.com/undertow-io/undertow/commit/0410f3c4d9b39b754a2203a29834cac51da11258
+---
+ .../impl/FormAuthenticationMechanism.java     | 28 +++++++++++++++++--
+ .../ServletFormAuthenticationMechanism.java   | 20 ++++++++++++-
+ 2 files changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
+index 22f95a6..5e6981e 100644
+--- a/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
++++ b/core/src/main/java/io/undertow/security/impl/FormAuthenticationMechanism.java
+@@ -45,9 +45,8 @@ import static io.undertow.UndertowMessages.MESSAGES;
+ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+ 
+     public static final String LOCATION_ATTRIBUTE = FormAuthenticationMechanism.class.getName() + ".LOCATION";
+-
+     public static final String DEFAULT_POST_LOCATION = "/j_security_check";
+-
++    protected static final String ORIGINAL_SESSION_TIMEOUT = "io.undertow.servlet.form.auth.orig.session.timeout";;
+     private final String name;
+     private final String loginPage;
+     private final String errorPage;
+@@ -55,6 +54,13 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+     private final FormParserFactory formParserFactory;
+     private final IdentityManager identityManager;
+ 
++    /**
++     * If the authentication process creates a session, this is the maximum session timeout (in seconds) during the
++     * authentication process. Once authentication is complete, the default session timeout will apply. Sessions that
++     * exist before the authentication process starts will retain their original session timeout throughout.
++     */
++    protected final int authenticationSessionTimeout = 120;
++
+     public FormAuthenticationMechanism(final String name, final String loginPage, final String errorPage) {
+         this(FormParserFactory.builder().build(), name, loginPage, errorPage);
+     }
+@@ -144,6 +150,10 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+     protected void handleRedirectBack(final HttpServerExchange exchange) {
+         final Session session = Sessions.getSession(exchange);
+         if (session != null) {
++            final Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
++            if (originalSessionTimeout != null) {
++                session.setMaxInactiveInterval(originalSessionTimeout);
++            }
+             final String location = (String) session.removeAttribute(LOCATION_ATTRIBUTE);
+             if(location != null) {
+                 exchange.addDefaultResponseListener(new DefaultResponseListener() {
+@@ -179,7 +189,19 @@ public class FormAuthenticationMechanism implements AuthenticationMechanism {
+     }
+ 
+     protected void storeInitialLocation(final HttpServerExchange exchange) {
+-        Session session = Sessions.getOrCreateSession(exchange);
++        Session session = Sessions.getSession(exchange);
++        boolean newSession = false;
++        if (session == null) {
++            session = Sessions.getOrCreateSession(exchange);
++            newSession = true;
++        }
++        if (newSession) {
++            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
++            if (originalMaxInactiveInterval > authenticationSessionTimeout) {
++                session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
++                session.setMaxInactiveInterval(authenticationSessionTimeout);
++            }
++        }
+         session.setAttribute(LOCATION_ATTRIBUTE, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
+     }
+ 
+diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+index 9c5c704..51a0b68 100644
+--- a/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
++++ b/servlet/src/main/java/io/undertow/servlet/handlers/security/ServletFormAuthenticationMechanism.java
+@@ -30,6 +30,7 @@ import io.undertow.server.session.Session;
+ import io.undertow.servlet.handlers.ServletRequestContext;
+ import io.undertow.servlet.spec.HttpSessionImpl;
+ import io.undertow.servlet.util.SavedRequest;
++import io.undertow.servlet.spec.ServletContextImpl;
+ import io.undertow.util.Headers;
+ import io.undertow.util.RedirectBuilder;
+ 
+@@ -120,13 +121,26 @@ public class ServletFormAuthenticationMechanism extends FormAuthenticationMechan
+             return;
+         }
+         final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
+-        HttpSessionImpl httpSession = servletRequestContext.getCurrentServletContext().getSession(exchange, true);
++        final ServletContextImpl servletContextImpl =  servletRequestContext.getCurrentServletContext();
++        HttpSessionImpl httpSession = servletContextImpl.getSession(exchange, false);
++        boolean newSession = false;
++        if (httpSession == null) {
++            httpSession = servletContextImpl.getSession(exchange, true);
++            newSession = true;
++        }
+         Session session;
+         if (System.getSecurityManager() == null) {
+             session = httpSession.getSession();
+         } else {
+             session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
+         }
++        if (newSession) {
++            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
++            if (originalMaxInactiveInterval > authenticationSessionTimeout) {
++                session.setAttribute(ORIGINAL_SESSION_TIMEOUT, session.getMaxInactiveInterval());
++                session.setMaxInactiveInterval(authenticationSessionTimeout);
++            }
++        }
+         session.setAttribute(SESSION_KEY, RedirectBuilder.redirect(exchange, exchange.getRelativePath()));
+         SavedRequest.trySaveRequest(exchange);
+     }
+@@ -143,6 +157,10 @@ public class ServletFormAuthenticationMechanism extends FormAuthenticationMechan
+             } else {
+                 session = AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(httpSession));
+             }
++            Integer originalSessionTimeout = (Integer) session.removeAttribute(ORIGINAL_SESSION_TIMEOUT);
++            if (originalSessionTimeout != null) {
++                session.setMaxInactiveInterval(originalSessionTimeout);
++            }
+             String path = (String) session.getAttribute(SESSION_KEY);
+             if (path != null) {
+                 try {
+-- 
+2.46.2
+

CVE-2023-5379.patch

@@ -0,0 +1,36 @@
+From b0732610112cb2066b5e43a47a11008edfacee02 Mon Sep 17 00:00:00 2001
+From: Flavia Rainone <frainone@redhat.com>
+Date: Thu, 8 Jun 2023 01:22:47 -0300
+Subject: [PATCH] [UNDERTOW-2280] CVE-2023-5379 At AjpReadListener, do not
+ close the connection if read is larger than maxRequestSize
+
+Signed-off-by: Flavia Rainone <frainone@redhat.com>
+
+Origin:
+https://github.com/undertow-io/undertow/commit/b422fdf0f2a5a051a9cd1664ead8277e421a0083
+---
+ .../java/io/undertow/server/protocol/ajp/AjpReadListener.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+index 8f9c94abb0..a9631b3717 100644
+--- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
++++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpReadListener.java
+@@ -19,6 +19,7 @@
+ package io.undertow.server.protocol.ajp;
+ 
+ import io.undertow.UndertowLogger;
++import io.undertow.UndertowMessages;
+ import io.undertow.UndertowOptions;
+ import io.undertow.conduits.ConduitListener;
+ import io.undertow.conduits.EmptyStreamSourceConduit;
+@@ -165,8 +166,7 @@ public void handleEvent(final StreamSourceChannel channel) {
+                 }
+                 if (read > maxRequestSize) {
+                     UndertowLogger.REQUEST_LOGGER.requestHeaderWasTooLarge(connection.getPeerAddress(), maxRequestSize);
+-                    safeClose(connection);
+-                    return;
++                    throw UndertowMessages.MESSAGES.badRequest();
+                 }
+             } while (!state.isComplete());
+ 

CVE-2024-4109.patch

@@ -0,0 +1,50 @@
+From 28229fe98d5818f2329cb42151c31471367f20c3 Mon Sep 17 00:00:00 2001
+From: liyajie <liyajie15@h-partners.com>
+Date: Fri, 29 Nov 2024 03:44:57 +0800
+Subject: [PATCH 1/1] Fix CVE-2024-4109
+
+https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb
+---
+ .../io/undertow/protocols/http2/HpackDecoder.java   | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java b/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
+index 8643130..f21dc1d 100644
+--- a/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
++++ b/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
+@@ -66,8 +66,6 @@ public class HpackDecoder {
+      */
+     private int maxMemorySize;
+ 
+-    private final StringBuilder stringBuilder = new StringBuilder();
+-
+     public HpackDecoder(int maxMemorySize) {
+         this.maxMemorySize = maxMemorySize;
+         headerTable = new HeaderField[DEFAULT_RING_BUFFER_SIZE];
+@@ -227,19 +225,16 @@ public class HpackDecoder {
+         if (huffman) {
+             return readHuffmanString(length, buffer);
+         }
++        StringBuilder stringBuilder = new StringBuilder();
+         for (int i = 0; i < length; ++i) {
+             stringBuilder.append((char) buffer.get());
+         }
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
++        return stringBuilder.toString();
+     }
+ 
+     private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
+-        HPackHuffman.decode(buffer, length, stringBuilder);
+-        String ret = stringBuilder.toString();
+-        stringBuilder.setLength(0);
+-        return ret;
++        StringBuilder stringBuilder = new StringBuilder(length);
++        return stringBuilder.toString();
+     }
+ 
+     private HttpString handleIndexedHeaderName(int index) throws HpackException {
+-- 
+2.43.0
+

undertow.spec

@@ -2,7 +2,7 @@
 %global namedversion %{version}%{?namedreltag}
 Name:                undertow
 Version:             1.4.0
-Release:             2
+Release:             8
 Summary:             Java web server using non-blocking IO
 License:             ASL 2.0
 URL:                 http://undertow.io/
@@ -10,6 +10,13 @@ Source0:             https://github.com/undertow-io/undertow/archive/%{namedvers
 # Remove unavailable methods in jetty-alpn-api-1.1.0
 Patch0:              undertow-1.4.0-jetty-alpn-api-1.1.0.patch
 Patch1:		     CVE-2020-10705.patch
+Patch2:              CVE-2019-3888.patch
+Patch3:              CVE-2020-10719.patch
+Patch4:              CVE-2023-1108.patch
+Patch5:              CVE-2021-3690.patch
+Patch6:              CVE-2023-1973.patch
+Patch7:              CVE-2023-5379.patch
+Patch8:              CVE-2024-4109.patch
 BuildArch:           noarch
 Epoch:               1
 BuildRequires:       maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -31,10 +38,12 @@ Summary:             Javadoc for %{name}
 This package contains the API documentation for %{name}.
 
 %prep
-%setup -q -n %{name}-%{namedversion}
-%patch0 -p1
-%patch1 -p1
+%autosetup -n %{name}-%{namedversion} -p1
 rm -rf mac-jdk-fix
+
+#Remove test cases suspected of containing viruses 
+rm -rf servlet/src/test/java/io/undertow/servlet/test/proprietry/TransferTestCase.java
+
 %pom_disable_module examples
 %pom_remove_plugin -r :maven-checkstyle-plugin
 %pom_remove_plugin org.bitstrings.maven.plugins:dependencypath-maven-plugin core
@@ -62,6 +71,24 @@ done
 %license LICENSE.txt
 
 %changelog
+* Tue Dec 17 2024 liyajie <liyajie15@h-partners.com> - 1:1.4.0-8
+- Fix CVE-2024-4109
+
+* Tue Nov 05 2024 yaoxin <yao_xin001@hoperun.com> - 1:1.4.0-7
+- Fix CVE-2021-3690,CVE-2023-1973 and CVE-2023-5379
+
+* Tue Jun 13 2023 liyanan <thistleslyn@163.com> - 1:1.4.0-6
+- Delete TransferTestCase.java TestCase
+
+* Mon Apr 3 2023 mayp <mayanping@ncti-gba.cn> - 1:1.4.0-5
+- Fix CVE-2023-1108
+
+* Wed Oct 29 2021 wangkai <wangkai385@huawei.com> - 1.4.0-4
+- Fix CVE-2020-10719
+
+* Wed Oct 28 2021 wangkai <wangkai385@huawei.com> - 1.4.0-3
+- Fix CVE-2019-3888
+
 * Wed Oct 27 2021 houyingchao <houyingchao@huawei.com> - 1.4.0-2
 - Fix CVE-2020-10705