Add patch to fix CVE-2023-27522
parent
d4da8c8e59
commit
74b0a567f5
|
@ -0,0 +1,107 @@
|
||||||
|
From 45e46db92b5387fdaf6c57e65ac9716c9b8574da Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Mayorov <pmayorov@cloudlinux.com>
|
||||||
|
Date: Wed, 15 Mar 2023 14:00:11 +0300
|
||||||
|
Subject: [PATCH] CVE-2023-27522
|
||||||
|
Taken main fix from the following upstream commit:
|
||||||
|
commit d753ea76b5972a85349b68c31b59d04c60014f2d
|
||||||
|
Author: Eric Covener <covener@apache.org>
|
||||||
|
Date: Sun Mar 5 20:22:52 2023 +0000
|
||||||
|
Merge r1907980 from trunk:
|
||||||
|
mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation
|
||||||
|
Reviewed By: ylavic, covener, gbechis, rpluem
|
||||||
|
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908094 13f79535-47bb-0310-9956-ffa450edef68
|
||||||
|
Signed-off-by: Pavel Mayorov <pmayorov@cloudlinux.com>
|
||||||
|
---
|
||||||
|
modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++++++++++----------
|
||||||
|
1 file changed, 35 insertions(+), 14 deletions(-)
|
||||||
|
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
|
||||||
|
index 9dcbed1..a1b564d 100644
|
||||||
|
--- a/modules/proxy/mod_proxy_uwsgi.c
|
||||||
|
+++ b/modules/proxy/mod_proxy_uwsgi.c
|
||||||
|
@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
|
||||||
|
pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
|
||||||
|
|
||||||
|
len = ap_getline(buffer, sizeof(buffer), rp, 1);
|
||||||
|
-
|
||||||
|
if (len <= 0) {
|
||||||
|
- /* oops */
|
||||||
|
+ /* invalid or empty */
|
||||||
|
return HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
backend->worker->s->read += len;
|
||||||
|
-
|
||||||
|
- if (len >= sizeof(buffer) - 1) {
|
||||||
|
- /* oops */
|
||||||
|
+ if ((apr_size_t)len >= sizeof(buffer)) {
|
||||||
|
+ /* too long */
|
||||||
|
return HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
/* Position of http status code */
|
||||||
|
if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
|
||||||
|
status_start = 9;
|
||||||
|
@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
|
||||||
|
status_start = 7;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- /* oops */
|
||||||
|
- return HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
+ /* not HTTP */
|
||||||
|
+ return HTTP_BAD_GATEWAY;
|
||||||
|
}
|
||||||
|
status_end = status_start + 3;
|
||||||
|
|
||||||
|
@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
|
||||||
|
}
|
||||||
|
r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
|
||||||
|
|
||||||
|
- /* start parsing headers */
|
||||||
|
+ /* parse headers */
|
||||||
|
while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
|
||||||
|
+ if ((apr_size_t)len >= sizeof(buffer)) {
|
||||||
|
+ /* too long */
|
||||||
|
+ len = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
value = strchr(buffer, ':');
|
||||||
|
- /* invalid header skip */
|
||||||
|
- if (!value)
|
||||||
|
- continue;
|
||||||
|
- *value = '\0';
|
||||||
|
- ++value;
|
||||||
|
+ if (!value) {
|
||||||
|
+ /* invalid header */
|
||||||
|
+ len = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ *value++ = '\0';
|
||||||
|
+ if (*ap_scan_http_token(buffer)) {
|
||||||
|
+ /* invalid name */
|
||||||
|
+ len = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
while (apr_isspace(*value))
|
||||||
|
++value;
|
||||||
|
for (end = &value[strlen(value) - 1];
|
||||||
|
end > value && apr_isspace(*end); --end)
|
||||||
|
*end = '\0';
|
||||||
|
+ if (*ap_scan_http_field_content(value)) {
|
||||||
|
+ /* invalid value */
|
||||||
|
+ len = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
apr_table_add(r->headers_out, buffer, value);
|
||||||
|
}
|
||||||
|
+ if (len < 0) {
|
||||||
|
+ /* Reset headers, but not to NULL because things below the chain expect
|
||||||
|
+ * this to be non NULL e.g. the ap_content_length_filter.
|
||||||
|
+ */
|
||||||
|
+ r->headers_out = apr_table_make(r->pool, 1);
|
||||||
|
+ return HTTP_BAD_GATEWAY;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
|
||||||
|
ap_set_content_type(r, apr_pstrdup(r->pool, buf));
|
||||||
|
--
|
||||||
|
2.39.2
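Review bot: In the header loop, a backend line that begins with `:` leaves `buffer` empty after `*value++ = '\0';`, and the name check `if (*ap_scan_http_token(buffer))` then appears to pass, because scanning an empty string stops immediately on the terminator, so the empty name would go on to `apr_table_add`. Rejecting it alongside the other malformed cases keeps the 502 handling in one place: `if (!*buffer || *ap_scan_http_token(buffer)) {`. Separately, none of the added rejection branches logs which check failed, so an `ap_log_rerror` call at `APLOG_ERR` before `return HTTP_BAD_GATEWAY;` would let operators tell a malformed backend response apart from other gateway errors. uwsgi_response starts and ends outside these hunks, so a later output filter may already catch the empty name; that should be confirmed against the 2.4.37 tree.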
|
|
@ -13,7 +13,7 @@
|
||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.37
|
Version: 2.4.37
|
||||||
Release: 47%{?dist}.2.alma
|
Release: 47%{?dist}.2.alma.1
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source2: httpd.logrotate
|
Source2: httpd.logrotate
|
||||||
|
@ -219,6 +219,9 @@ Patch223: httpd-2.4.37-CVE-2022-22720.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1966738
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1966738
|
||||||
Patch224: httpd-2.4.37-CVE-2020-13950.patch
|
Patch224: httpd-2.4.37-CVE-2020-13950.patch
|
||||||
|
|
||||||
|
# AlmaLinux patches
|
||||||
|
Patch1000: httpd-2.4.37-CVE-2023-27522.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||||
|
@ -425,6 +428,9 @@ interface for storing and accessing per-user session data.
|
||||||
%patch223 -p1 -b .CVE-2022-22720
|
%patch223 -p1 -b .CVE-2022-22720
|
||||||
%patch224 -p1 -b .CVE-2020-13950
|
%patch224 -p1 -b .CVE-2020-13950
|
||||||
|
|
||||||
|
# AlmaLinux patches
|
||||||
|
%patch1000 -p1 -b .CVE-2023-27522
|
||||||
|
|
||||||
# Patch in the vendor string
|
# Patch in the vendor string
|
||||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||||
sed -i 's/@RELEASE@/%{release}/' server/core.c
|
sed -i 's/@RELEASE@/%{release}/' server/core.c
|
||||||
|
@ -929,6 +935,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 01 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.4.37-47.2.alma.1
|
||||||
|
- Add patch to fix CVE-2023-27522
|
||||||
|
|
||||||
* Wed Jun 22 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-47.2.alma
|
* Wed Jun 22 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-47.2.alma
|
||||||
- include AlmaLinux in version string
|
- include AlmaLinux in version string
|
||||||
|
|
||||||
|
|