main/aria2: security fix (CVE-2019-3500)

Fixes #9900

2 files changed, 56 insertions, 3 deletions

diff --git a/main/aria2/APKBUILD b/main/aria2/APKBUILD
index 67d0ebf4fb..a1838dec76 100644
--- a/main/aria2/APKBUILD
+++ b/main/aria2/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=aria2
 pkgver=1.33.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Download utility for HTTP(S), (S)FTP, Bittorrent, and Metalink"
 url="https://aria2.github.io/"
 arch="all"
@@ -12,9 +12,15 @@ depends="ca-certificates"
 makedepends="gnutls-dev expat-dev sqlite-dev c-ares-dev"
 checkdepends="cppunit-dev"
 subpackages="$pkgname-doc $pkgname-bash-completion:bashcomp:noarch"
-source="https://github.com/aria2/$pkgname/releases/download/release-$pkgver/$pkgname-$pkgver.tar.xz"
+source="https://github.com/aria2/$pkgname/releases/download/release-$pkgver/$pkgname-$pkgver.tar.xz
+	CVE-2019-3500.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+#   1.33.1-r1:
+#     - CVE-2019-3500
+
 build() {
 	cd "$builddir"
 	./configure \
@@ -48,4 +54,5 @@ bashcomp() {
 		"$subpkgdir"/usr/share/bash-completion/completions/_aria2c
 }
 
-sha512sums="5379768a0960e46ed616a2540508d0dda4172c8d1a05021e50243241adb64448f5fa01878868ea206ec6b462fea39fa82284bb0f78ceec299eb289f94815b94a  aria2-1.33.1.tar.xz"
+sha512sums="5379768a0960e46ed616a2540508d0dda4172c8d1a05021e50243241adb64448f5fa01878868ea206ec6b462fea39fa82284bb0f78ceec299eb289f94815b94a  aria2-1.33.1.tar.xz
+e81d6cf69652b4a2adb67a13434d3e37f1c69ce2a99a8d4b12f3e056c6c530218d6593aaeb1ca8b2691e4f28a0d53b29319d067c4f89eb0e4b2e8368f1c38319  CVE-2019-3500.patch"
diff --git a/main/aria2/CVE-2019-3500.patch b/main/aria2/CVE-2019-3500.patch
new file mode 100644
index 0000000000..694681d888
--- /dev/null
+++ b/main/aria2/CVE-2019-3500.patch
@@ -0,0 +1,46 @@
+From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 5 Jan 2019 09:32:40 +0900
+Subject: [PATCH] Mask headers
+
+---
+ src/HttpConnection.cc | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc
+index 77cb9d27a..be5b97723 100644
+--- a/src/HttpConnection.cc
++++ b/src/HttpConnection.cc
+@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request)
+   std::string result;
+   std::string line;
+   while (getline(istr, line)) {
+-    if (util::startsWith(line, "Authorization: Basic")) {
+-      result += "Authorization: Basic ********\n";
++    if (util::istartsWith(line, "Authorization: ")) {
++      result += "Authorization: <snip>\n";
+     }
+-    else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
+-      result += "Proxy-Authorization: Basic ********\n";
++    else if (util::istartsWith(line, "Proxy-Authorization: ")) {
++      result += "Proxy-Authorization: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Cookie: ")) {
++      result += "Cookie: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Set-Cookie: ")) {
++      result += "Set-Cookie: <snip>\n";
+     }
+     else {
+       result += line;
+@@ -154,8 +160,8 @@ std::unique_ptr<HttpResponse> HttpConnection::receiveResponse()
+   const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor();
+   if (proc->parse(socketRecvBuffer_->getBuffer(),
+                   socketRecvBuffer_->getBufferLength())) {
+-    A2_LOG_INFO(
+-        fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
++    A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
++                    eraseConfidentialInfo(proc->getHeaderString()).c_str()));
+     auto result = proc->getResult();
+     if (result->getStatusCode() / 100 == 1) {
+       socketRecvBuffer_->drain(proc->getLastBytesProcessed());