[DRE-maint] Bug#1043432: ruby-protocol-http1: CVE-2023-38697

Salvatore Bonaccorso carnil at debian.org
Thu Aug 10 22:17:42 BST 2023


Source: ruby-protocol-http1
Version: 0.14.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/socketry/protocol-http1/pull/20
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for ruby-protocol-http1.

CVE-2023-38697[0]:
| protocol-http1 provides a low-level implementation of the HTTP/1
| protocol. RFC 9112 Section 7.1 defines the format of chunk size,
| chunk data and chunk extension. The value of the Content-Length header
| should be a string of 0-9 digits, the chunk size should be a string
| of hex digits and should be split from chunk data using CRLF, and the
| chunk extension shouldn't contain any invisible character. However,
| Falcon has the following behaviors that disobey the corresponding RFCs:
| accepting Content-Length header values that have a `+` prefix,
| accepting Content-Length header values that are written in hexadecimal
| with a `0x` prefix, accepting `0x` and `+` prefixed chunk sizes, and
| accepting LF in chunk extensions. This behavior can lead to desync
| when forwarding through multiple HTTP parsers, potentially resulting
| in HTTP request smuggling and firewall bypassing. This issue is
| fixed in `protocol-http1` v0.15.1. There are no known workarounds.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38697
    https://www.cve.org/CVERecord?id=CVE-2023-38697
[1] https://github.com/socketry/protocol-http1/pull/20
[2] https://github.com/socketry/protocol-http1/security/advisories/GHSA-6jwc-qr2q-7xwj
[3] https://github.com/socketry/protocol-http1/commit/e11fc164fd2b36f7b7e785e69fa8859eb06bcedd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
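Added example (not code from protocol-http1, Falcon or the fix in PR #20): strict validation of the two framing fields the advisory names, beside the lenient conversion that accepts the `+` and `0x` forms. The function names and regexes are this example's own assumptions.

```ruby
# Strict RFC 9112 checks for Content-Length and chunk-size lines.
# Hypothetical helpers written for this bug report; not the library's parser.
# A lenient conversion such as Kernel#Integer accepts "+42" and "0x2a", so a
# front-end that uses it and a back-end that rejects them disagree on where
# the body ends, which is the desync the CVE text describes.

# Content-Length: one or more decimal digits and nothing else.
CONTENT_LENGTH = /\A[0-9]+\z/

# chunk-size line: hex digits, optional ";extension", then CRLF. The extension
# may not contain control characters (a bare LF included) or DEL.
CHUNK_LINE = /\A([0-9a-fA-F]+)(;[^\x00-\x1F\x7F]*)?\r\n\z/

# Returns the body length as an Integer, or nil if the value is malformed.
def parse_content_length(value)
  return nil unless CONTENT_LENGTH.match?(value)
  value.to_i
end

# Returns the chunk size as an Integer, or nil if the line is malformed.
def parse_chunk_size(line)
  m = CHUNK_LINE.match(line)
  return nil unless m
  m[1].to_i(16)
end

# Shows the disagreement for the exact prefixes listed in the advisory.
# Returns [input, lenient_result, strict_result] for each constructed value.
def compare_lenient_and_strict
  ["42", "+42", "0x2a"].map do |v|
    [v, Integer(v, exception: false), parse_content_length(v)]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_lenient_and_strict.each do |input, lenient, strict|
    puts "#{input.inspect}: lenient=#{lenient.inspect} strict=#{strict.inspect}"
  end
end
```

Rejecting the malformed forms outright (rather than normalising them) is the behaviour that keeps every parser in the chain computing the same message boundary.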
