Fix Password leak for HTTP based authentication CVE-2019-3500 (rhbz

aria2.spec

@@ -2,11 +2,12 @@
 
 Name:           aria2
 Version:        1.34.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        High speed download utility with resuming and segmented downloading
 License:        GPLv2+ with exceptions
 URL:            http://aria2.github.io/
 Source0:        https://github.com/tatsuhiro-t/%{name}/releases/download/release-%{version}/%{name}-%{version}.tar.xz
+Patch0:         mask-headers-37368130ca7.patch
 
 BuildRequires:  bison
 BuildRequires:  c-ares-devel
@@ -18,6 +19,7 @@ BuildRequires:  libgcrypt-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  make
 BuildRequires:  sqlite-devel
+BuildRequires:  git-core
 
 %description
 aria2 is a download utility with resuming and segmented downloading.
@@ -40,7 +42,7 @@ Currently it has following features:
 - Limiting download/upload speed
 
 %prep
-%setup -q
+%autosetup -S git
 
 %build
 %configure CXX="g++ -std=c++11" \
@@ -76,6 +78,9 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/%{name}
 %{_mandir}/*/man1/aria2c.1.gz
 
 %changelog
+* Wed Mar 27 2019 Athmane Madjoudj <athmane@fedoraproject.org> - 1.34.0-4
+- Fix Password leak for HTTP based authentication CVE-2019-3500 (rhbz #1663991 #1663992 #1663993)
+
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.34.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 

mask-headers-37368130ca7.patch

@@ -0,0 +1,46 @@
+From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sat, 5 Jan 2019 09:32:40 +0900
+Subject: [PATCH] Mask headers
+
+---
+ src/HttpConnection.cc | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc
+index 77cb9d27a..be5b97723 100644
+--- a/src/HttpConnection.cc
++++ b/src/HttpConnection.cc
+@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request)
+   std::string result;
+   std::string line;
+   while (getline(istr, line)) {
+-    if (util::startsWith(line, "Authorization: Basic")) {
+-      result += "Authorization: Basic ********\n";
++    if (util::istartsWith(line, "Authorization: ")) {
++      result += "Authorization: <snip>\n";
+     }
+-    else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
+-      result += "Proxy-Authorization: Basic ********\n";
++    else if (util::istartsWith(line, "Proxy-Authorization: ")) {
++      result += "Proxy-Authorization: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Cookie: ")) {
++      result += "Cookie: <snip>\n";
++    }
++    else if (util::istartsWith(line, "Set-Cookie: ")) {
++      result += "Set-Cookie: <snip>\n";
+     }
+     else {
+       result += line;
+@@ -154,8 +160,8 @@ std::unique_ptr<HttpResponse> HttpConnection::receiveResponse()
+   const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor();
+   if (proc->parse(socketRecvBuffer_->getBuffer(),
+                   socketRecvBuffer_->getBufferLength())) {
+-    A2_LOG_INFO(
+-        fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
++    A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
++                    eraseConfidentialInfo(proc->getHeaderString()).c_str()));
+     auto result = proc->getResult();
+     if (result->getStatusCode() / 100 == 1) {
+       socketRecvBuffer_->drain(proc->getLastBytesProcessed());