[DRE-maint] Bug#950795: buster-pu: package puma/3.12.0-2

Daniel Leidert dleidert at debian.org
Thu Feb 6 16:33:27 GMT 2020


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu


The proposed update will fix CVE-2019-16770 (#946312) for Buster users. The
security team marked the issue no-dsa and asked to schedule the fix via the
next point release. The debdiff is attached. The patch to fix the CVE has been
taken from upstream's Git repository.

The debdiff is attached.

Please let me know how to proceed.

Regards, Daniel


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru puma-3.12.0/debian/changelog puma-3.12.0/debian/changelog
--- puma-3.12.0/debian/changelog	2019-02-10 14:26:47.000000000 +0100
+++ puma-3.12.0/debian/changelog	2020-02-06 13:25:24.000000000 +0100
@@ -1,3 +1,12 @@
+puma (3.12.0-2+deb10u1) buster-security; urgency=medium
+
+  * Team upload.
+  * d/patches/CVE-2019-16770.patch: Add patch.
+    - Backport fix for CVE-2019-16770 from upstream (closes: #946312).
+  * d/patches/series: Add patch.
+
+ -- Daniel Leidert <dleidert at debian.org>  Thu, 06 Feb 2020 13:25:24 +0100
+
 puma (3.12.0-2) unstable; urgency=medium
 
   * Disable tests failing in single cpu (Closes: #921931)
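Review bot: the distribution in the new changelog entry is "buster-security", but this is a buster-pu request routed through the release team after the security team marked the issue no-dsa; a proposed-updates upload to ftp-master should target "buster" (the buster-security suite belongs to the security team's archive), so the entry should read `puma (3.12.0-2+deb10u1) buster; urgency=medium`.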
diff -Nru puma-3.12.0/debian/patches/CVE-2019-16770.patch puma-3.12.0/debian/patches/CVE-2019-16770.patch
--- puma-3.12.0/debian/patches/CVE-2019-16770.patch	1970-01-01 01:00:00.000000000 +0100
+++ puma-3.12.0/debian/patches/CVE-2019-16770.patch	2020-02-06 13:25:24.000000000 +0100
@@ -0,0 +1,69 @@
+From: Nate Berkopec <nate.berkopec at gmail.com>
+Date: Thu, 5 Dec 2019 14:19:32 +0700
+Subject: Merge pull request from GHSA-7xx3-m584-x994
+
+could monopolize a thread. Previously, this could make a DoS attack more
+severe.
+
+Co-authored-by: Evan Phoenix <evan at phx.io>
+
+Debian-Bug: https://bugs.debian.org/946312
+Acked-By: Daniel Leidert <dleidert at debian.org>
+Origin: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e.patch
+---
+ lib/puma/const.rb  |  7 +++++++
+ lib/puma/server.rb | 16 +++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
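Review bot: the description under the Subject line starts mid-sentence ("could monopolize a thread. Previously, this could make a DoS attack more severe."), so the first line of the upstream commit message appears to have been lost when the DEP-3 header was assembled; restore the missing lead sentence or add a short Description: line so the patch explains itself. The bug reference should also use the DEP-3 field name `Bug-Debian: https://bugs.debian.org/946312` rather than `Debian-Bug:`.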
+diff --git a/lib/puma/const.rb b/lib/puma/const.rb
+index f9e0a2a..7fc105c 100644
+--- a/lib/puma/const.rb
++++ b/lib/puma/const.rb
+@@ -116,6 +116,13 @@ module Puma
+     # sending data back
+     WRITE_TIMEOUT = 10
+ 
++    # How many requests to attempt inline before sending a client back to
++    # the reactor to be subject to normal ordering. The idea here is that
++    # we amortize the cost of going back to the reactor for a well behaved
++    # but very "greedy" client across 10 requests. This prevents a not
++    # well behaved client from monopolizing the thread forever.
++    MAX_FAST_INLINE = 10
++
+     # The original URI requested by the client.
+     REQUEST_URI= 'REQUEST_URI'.freeze
+     REQUEST_PATH = 'REQUEST_PATH'.freeze
+diff --git a/lib/puma/server.rb b/lib/puma/server.rb
+index e2e862f..66a982a 100644
+--- a/lib/puma/server.rb
++++ b/lib/puma/server.rb
+@@ -468,6 +468,8 @@ module Puma
+         clean_thread_locals = @options[:clean_thread_locals]
+         close_socket = true
+ 
++        requests = 0
++
+         while true
+           case handle_request(client, buffer)
+           when false
+@@ -481,7 +483,19 @@ module Puma
+ 
+             ThreadPool.clean_thread_locals if clean_thread_locals
+ 
+-            unless client.reset(@status == :run)
++            requests += 1
++
++            check_for_more_data = @status == :run
++
++            if requests >= MAX_FAST_INLINE
++              # This will mean that reset will only try to use the data it already
++              # has buffered and won't try to read more data. What this means is that
++              # every client, independent of their request speed, gets treated like a slow
++              # one once every MAX_FAST_INLINE requests.
++              check_for_more_data = false
++            end
++
++            unless client.reset(check_for_more_data)
+               close_socket = false
+               client.set_timeout @persistent_timeout
+               @reactor.add client
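Review bot: the added comment says a client "gets treated like a slow one once every MAX_FAST_INLINE requests", but `requests` is only ever incremented in the loop and never reset, so after the tenth inline request `check_for_more_data` stays false for every later iteration until the client is handed back to the reactor and the loop is left. That is the behaviour upstream intends (the client is then only served from data already buffered), so the code is fine for a backport, but the comment overstates the cycling; consider adding a sentence noting that the counter is per `process_client` call and is reset only when the client returns from the reactor, so a reader does not look for a missing `requests = 0`.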
diff -Nru puma-3.12.0/debian/patches/series puma-3.12.0/debian/patches/series
--- puma-3.12.0/debian/patches/series	2019-02-10 14:18:23.000000000 +0100
+++ puma-3.12.0/debian/patches/series	2020-02-06 13:25:24.000000000 +0100
@@ -6,3 +6,4 @@
 0007-test-test_cli.rb-disable-test-that-fails-randomly.patch
 0008-fix-ssl-tests.patch
 0009-disable-tests-failing-in-single-cpu.patch
+CVE-2019-16770.patch