From 4e955b0b8d5903891b8f39e1f7b22edf3b6e62d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 20 Jul 2022 16:41:33 +0200
Subject: [PATCH] Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling
---
httpd-2.4.53-CVE-2022-26377.patch | 26 ++++++++++++++++++++++++++
httpd.spec | 11 +++++++++--
2 files changed, 35 insertions(+), 2 deletions(-)
create mode 100644 httpd-2.4.53-CVE-2022-26377.patch
diff --git a/httpd-2.4.53-CVE-2022-26377.patch b/httpd-2.4.53-CVE-2022-26377.patch
new file mode 100644
index 0000000..0b05fec
--- /dev/null
+++ b/httpd-2.4.53-CVE-2022-26377.patch
@@ -0,0 +1,26 @@
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index e2992fc..46d42bc 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -246,9 +246,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ /* read the first block of data */
+ input_brigade = apr_brigade_create(p, r->connection->bucket_alloc);
+ tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+- if (tenc && (ap_cstr_casecmp(tenc, "chunked") == 0)) {
+- /* The AJP protocol does not want body data yet */
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) "request is chunked");
++ if (tenc) {
++ if (ap_cstr_casecmp(tenc, "chunked") == 0) {
++ /* The AJP protocol does not want body data yet */
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870)
++ "request is chunked");
++ }
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
++ "%s Transfer-Encoding is not supported",
++ tenc);
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+ } else {
+ /* Get client provided Content-Length header */
+ content_length = get_content_length(r);
diff --git a/httpd.spec b/httpd.spec
index 444fe9d..080ee35 100644
--- a/httpd.spec
+++ b/httpd.spec
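Review bot: In the new `else` branch of the embedded mod_proxy_ajp.c hunk, a header value the client fully controls now yields `HTTP_INTERNAL_SERVER_ERROR` plus an `APLOG_ERR` entry, so a request with an unsupported Transfer-Encoding is reported as a server fault and can add error-log noise and 5xx alerts at will. Rejecting instead of forwarding to the AJP backend is the right behaviour for the smuggling case; the status would describe it more accurately as `return HTTP_NOT_IMPLEMENTED;` (or `HTTP_BAD_REQUEST`), and the log level could drop below error. If the backport is meant to stay byte-identical to upstream, a comment above the return would record that, for example `/* kept as upstream: unsupported TE is refused, never passed to the AJP backend */`. ap_proxy_ajp_request starts and ends outside the hunk, so what the early return skips later in the function cannot be checked from here.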
@@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.53 -Release: 6%{?dist} +Release: 7%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -116,7 +116,8 @@ Patch67: httpd-2.4.51-r1811831.patch Patch68: httpd-2.4.53-r1878890.patch # Security fixes -#Patch200: patchname +# https://bugzilla.redhat.com/show_bug.cgi?id=2094997 +Patch200: httpd-2.4.53-CVE-2022-26377.patch License: ASL 2.0 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto @@ -284,6 +285,8 @@ written in the Lua programming language. %patch67 -p1 -b .r1811831 %patch68 -p1 -b .r1878890 +##patch200 -p1 -b .CVE-2022-26377 + # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i 's/@RELEASE@/%{release}/' server/core.c @@ -842,6 +845,10 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Jul 20 2022 Luboš Uhliarik - 2.4.53-7 +- Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request + smuggling + * Mon Jun 27 2022 Luboš Uhliarik - 2.4.53-6 - Related: #2065677 - httpd minimisation for ubi-micro
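Review bot: The line added in the %prep hunk (`@@ -284,6 +285,8 @@`) reads `##patch200 -p1 -b .CVE-2022-26377`, which rpm treats as a comment, unlike the `%patch67` and `%patch68` lines directly above it, so as shown Patch200 is declared but never applied. The release bump and the changelog entry would then advertise CVE-2022-26377 as resolved in a build whose mod_proxy_ajp.c is unchanged. Unless the doubled `#` is an artifact of how this page was captured, the line should be `%patch200 -p1 -b .CVE-2022-26377`. A simple check after `%prep` is that the source tree contains the `.CVE-2022-26377` backup of mod_proxy_ajp.c that the `-b` suffix produces.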