From 4e955b0b8d5903891b8f39e1f7b22edf3b6e62d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 20 Jul 2022 16:41:33 +0200
Subject: [PATCH] Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp:
 Possible request

  smuggling
---
 httpd-2.4.53-CVE-2022-26377.patch | 26 ++++++++++++++++++++++++++
 httpd.spec                        | 11 +++++++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 httpd-2.4.53-CVE-2022-26377.patch

diff --git a/httpd-2.4.53-CVE-2022-26377.patch b/httpd-2.4.53-CVE-2022-26377.patch
new file mode 100644
index 0000000..0b05fec
--- /dev/null
+++ b/httpd-2.4.53-CVE-2022-26377.patch
@@ -0,0 +1,26 @@
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index e2992fc..46d42bc 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -246,9 +246,18 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+     /* read the first block of data */
+     input_brigade = apr_brigade_create(p, r->connection->bucket_alloc);
+     tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+-    if (tenc && (ap_cstr_casecmp(tenc, "chunked") == 0)) {
+-        /* The AJP protocol does not want body data yet */
+-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) "request is chunked");
++    if (tenc) {
++        if (ap_cstr_casecmp(tenc, "chunked") == 0) {
++            /* The AJP protocol does not want body data yet */
++            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870)
++                          "request is chunked");
++        }
++        else {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
++                          "%s Transfer-Encoding is not supported",
++                          tenc);
++            return HTTP_INTERNAL_SERVER_ERROR;
++        }
+     } else {
+         /* Get client provided Content-Length header */
+         content_length = get_content_length(r);
diff --git a/httpd.spec b/httpd.spec
index 444fe9d..080ee35 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.53
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -116,7 +116,8 @@ Patch67: httpd-2.4.51-r1811831.patch
 Patch68: httpd-2.4.53-r1878890.patch
 
 # Security fixes
-#Patch200: patchname
+# https://bugzilla.redhat.com/show_bug.cgi?id=2094997
+Patch200: httpd-2.4.53-CVE-2022-26377.patch
 
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -284,6 +285,8 @@ written in the Lua programming language.
 %patch67 -p1 -b .r1811831
 %patch68 -p1 -b .r1878890
 
+##patch200 -p1 -b .CVE-2022-26377
+
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 sed -i 's/@RELEASE@/%{release}/' server/core.c
@@ -842,6 +845,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Jul 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-7
+- Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request
+  smuggling
+
 * Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
 - Related: #2065677 - httpd minimisation for ubi-micro