Jetty: Add patch for CVE-2021-28165 - Jetty #6072 -

Jetty server high CPU when client send data length > 17408

This affects SSL connections only, which is not part of our default setup.
Adapted from workaround at:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Put the new checks directly in the unwrap() method,
rather than subclassing SslConnection, as that would require config file changes.

apps/jetty/build.xml

@@ -169,7 +169,14 @@
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-continuation-${jetty.ver}.jar" tofile="jettylib/jetty-continuation.jar" />
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-deploy-${jetty.ver}.jar" tofile="jettylib/jetty-deploy.jar" />
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-http-${jetty.ver}.jar" tofile="jettylib/jetty-http.jar" />
+<!--
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" tofile="jettylib/jetty-io.jar" />
+-->
+      <!-- comment out above line and uncomment below and the patches section further down if we need patches -->
+        <jar destfile="jettylib/jetty-io.jar"  manifest="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" filesetmanifest="mergewithoutmain" >
+            <zipfileset excludes="**/SslConnection.class" src="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" />
+            <zipfileset src="build/jetty-io-patch.jar" />
+        </jar>
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-jmx-${jetty.ver}.jar" tofile="jettylib/org.mortbay.jmx.jar" />
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-rewrite-${jetty.ver}.jar" tofile="jettylib/jetty-rewrite-handler.jar" />
         <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-security-${jetty.ver}.jar" tofile="jettylib/jetty-security.jar" />
@@ -486,11 +493,25 @@
             classpath="" >
             <compilerarg line="${javac.compilerargs}" />
         </javac>
+        <mkdir dir="./build/objPatches2" />
+        <javac 
+            srcdir="./patches/jetty-io/src/main/java" 
+            debug="true" deprecation="on" source="${javac.version}" target="${javac.version}" 
+            release="${javac.release}"
+            destdir="./build/objPatches2" 
+            includeAntRuntime="false"
+            encoding="UTF-8" >
+            <compilerarg line="${javac.compilerargs}" />
+            <classpath>
+                <pathelement location="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" />
+                <pathelement location="${jetty.base}/lib/jetty-util-${jetty.ver}.jar" />
+            </classpath>
+        </javac>
     </target>
 
     <target name="jarPatches" depends="compilePatches, jarPatchesUpToDate" unless="jarPatches.uptodate" >
-        <jar destfile="./build/jetty-util-patch.jar" basedir="./build/objPatches" includes="**/*.class" >
-        </jar>
+        <jar destfile="./build/jetty-util-patch.jar" basedir="./build/objPatches" includes="**/*.class" />
+        <jar destfile="./build/jetty-io-patch.jar" basedir="./build/objPatches2" includes="**/*.class" />
     </target>    
 
     <target name="jarPatchesUpToDate" >
@@ -499,6 +520,7 @@
                 <equals arg1="${with-libjetty9-java}" arg2="true" />
                 <uptodate property="jarPatches.uptodate" targetfile="jettylib/jetty-i2p.jar" >
                     <srcfiles dir= "build/objPatches" includes="**/*.class" />
+                    <srcfiles dir= "build/objPatches2" includes="**/*.class" />
                 </uptodate>
             </or>
         </condition>

apps/jetty/patches/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java

@@ -358,7 +358,17 @@ public class SslConnection extends AbstractConnection
 
     protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException
     {
-        return sslEngine.unwrap(input, output);
+        // CVE-2021-28165 - Jetty #6072
+        // https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
+        SSLEngineResult results = sslEngine.unwrap(input, output);
+        if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||
+            results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) &&
+            BufferUtil.space(input) == 0)
+        {
+            BufferUtil.clear(input);
+            throw new SSLHandshakeException("Encrypted buffer max length exceeded");
+        }
+        return results;
     }
 
     @Override

history.txt

@@ -1,5 +1,21 @@
+2021-04-24 zzz
+ * Jetty: Patch for CVE-2021-28165 Jetty #6072 -
+   Jetty server high CPU when client send data length > 17408
+
+2021-04-24 zlatinb
+ * SusiMail: Fix stream closed exception reading new mail
+   (trac ticket #2202, gitlab ticket #17)
+
+2021-04-23 idk
+ * Router: Fix update on Windows from very old versions (gitlab ticket #16)
+
 2021-04-20 zzz
- * SSU: Fix setting addresses from interfaces at startup
+ * NTCP:
+   - Set outbound addresses at startup when force-firewalled
+   - More NTCP1 removal cleanup
+ * SSU:
+   - Fix setting addresses from interfaces at startup
+   - Don't start peer test when shutting down
 
 2021-04-18 zzz
  * Proxy: Decode IDN hostnames in error pages

router/java/src/net/i2p/router/RouterVersion.java

@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Git";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 13;
+    public final static long BUILD = 14;
 
     /** for example "-test" */
     public final static String EXTRA = "";