Jetty: Add patch for CVE-2021-28165 - Jetty #6072 -

Jetty server high CPU when client send data length > 17408 This affects SSL connections only, which is not part of our default setup. Adapted from workaround at: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w Put the new checks directly in the unwrap() method, rather than subclassing SslConnection, as that would require config file changes.

Jetty: Add patch for CVE-2021-28165 - Jetty #6072 -
78168be8 · zzz · 41e46448 · 78168be8 · 78168be8 · 78168be8
Verified Commit 78168be8 authored 3 years ago by zzz
--- a/apps/jetty/build.xml
+++ b/apps/jetty/build.xml
@@ -169,7 +169,14 @@
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-continuation-${jetty.ver}.jar" tofile="jettylib/jetty-continuation.jar" />
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-deploy-${jetty.ver}.jar" tofile="jettylib/jetty-deploy.jar" />
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-http-${jetty.ver}.jar" tofile="jettylib/jetty-http.jar" />
+<!--
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" tofile="jettylib/jetty-io.jar" />
+-->
+      <!-- comment out above line and uncomment below and the patches section further down if we need patches -->
+        <jar destfile="jettylib/jetty-io.jar"  manifest="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" filesetmanifest="mergewithoutmain" >
+            <zipfileset excludes="**/SslConnection.class" src="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" />
+            <zipfileset src="build/jetty-io-patch.jar" />
+        </jar>
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-jmx-${jetty.ver}.jar" tofile="jettylib/org.mortbay.jmx.jar" />
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-rewrite-${jetty.ver}.jar" tofile="jettylib/jetty-rewrite-handler.jar" />
        <copy preservelastmodified="true" file="${jetty.base}/lib/jetty-security-${jetty.ver}.jar" tofile="jettylib/jetty-security.jar" />
@@ -486,11 +493,25 @@
            classpath="" >
            <compilerarg line="${javac.compilerargs}" />
        </javac>
+        <mkdir dir="./build/objPatches2" />
+        <javac 
+            srcdir="./patches/jetty-io/src/main/java" 
+            debug="true" deprecation="on" source="${javac.version}" target="${javac.version}" 
+            release="${javac.release}"
+            destdir="./build/objPatches2" 
+            includeAntRuntime="false"
+            encoding="UTF-8" >
+            <compilerarg line="${javac.compilerargs}" />
+            <classpath>
+                <pathelement location="${jetty.base}/lib/jetty-io-${jetty.ver}.jar" />
+                <pathelement location="${jetty.base}/lib/jetty-util-${jetty.ver}.jar" />
+            </classpath>
+        </javac>
    </target>

    <target name="jarPatches" depends="compilePatches, jarPatchesUpToDate" unless="jarPatches.uptodate" >
-        <jar destfile="./build/jetty-util-patch.jar" basedir="./build/objPatches" includes="**/*.class" >
-        </jar>
+        <jar destfile="./build/jetty-util-patch.jar" basedir="./build/objPatches" includes="**/*.class" />
+        <jar destfile="./build/jetty-io-patch.jar" basedir="./build/objPatches2" includes="**/*.class" />
    </target>    

    <target name="jarPatchesUpToDate" >
@@ -499,6 +520,7 @@
                <equals arg1="${with-libjetty9-java}" arg2="true" />
                <uptodate property="jarPatches.uptodate" targetfile="jettylib/jetty-i2p.jar" >
                    <srcfiles dir= "build/objPatches" includes="**/*.class" />
+                    <srcfiles dir= "build/objPatches2" includes="**/*.class" />
                </uptodate>
            </or>
        </condition>

--- a/apps/jetty/patches/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
+++ b/apps/jetty/patches/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
@@ -358,7 +358,17 @@ public class SslConnection extends AbstractConnection

    protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException
    {
-        return sslEngine.unwrap(input, output);
+        // CVE-2021-28165 - Jetty #6072
+        // https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
+        SSLEngineResult results = sslEngine.unwrap(input, output);
+        if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||
+            results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) &&
+            BufferUtil.space(input) == 0)
+        {
+            BufferUtil.clear(input);
+            throw new SSLHandshakeException("Encrypted buffer max length exceeded");
+        }
+        return results;
    }

    @Override

--- a/history.txt
+++ b/history.txt
+2021-04-24 zzz
+ * Jetty: Patch for CVE-2021-28165 Jetty #6072 -
+   Jetty server high CPU when client send data length > 17408
+
+2021-04-24 zlatinb
+ * SusiMail: Fix stream closed exception reading new mail
+   (trac ticket #2202, gitlab ticket #17)
+
+2021-04-23 idk
+ * Router: Fix update on Windows from very old versions (gitlab ticket #16)
+
 2021-04-20 zzz
- * SSU: Fix setting addresses from interfaces at startup
+ * NTCP:
+   - Set outbound addresses at startup when force-firewalled
+   - More NTCP1 removal cleanup
+ * SSU:
+   - Fix setting addresses from interfaces at startup
+   - Don't start peer test when shutting down
  
 2021-04-18 zzz
 * Proxy: Decode IDN hostnames in error pages

--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
    /** deprecated */
    public final static String ID = "Git";
    public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 13;
+    public final static long BUILD = 14;

    /** for example "-test" */
    public final static String EXTRA = "";