Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
This commit is contained in:
parent
e48d1ff2b5
commit
7d7f7cade3
126
httpd-2.4.53-CVE-2022-29404.patch
Normal file
126
httpd-2.4.53-CVE-2022-29404.patch
Normal file
@ -0,0 +1,126 @@
|
||||
diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en
|
||||
index bb6b90a..d14aed4 100644
|
||||
--- a/docs/manual/mod/core.html.en
|
||||
+++ b/docs/manual/mod/core.html.en
|
||||
@@ -2796,16 +2796,16 @@ subrequests</td></tr>
|
||||
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Restricts the total size of the HTTP request body sent
|
||||
from the client</td></tr>
|
||||
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>LimitRequestBody <var>bytes</var></code></td></tr>
|
||||
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LimitRequestBody 0</code></td></tr>
|
||||
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>LimitRequestBody 1073741824</code></td></tr>
|
||||
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
|
||||
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>All</td></tr>
|
||||
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Core</td></tr>
|
||||
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>core</td></tr>
|
||||
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>In Apache HTTP Server 2.4.53 and earlier, the default value
|
||||
+ was 0 (unlimited)</td></tr>
|
||||
</table>
|
||||
- <p>This directive specifies the number of <var>bytes</var> from 0
|
||||
- (meaning unlimited) to 2147483647 (2GB) that are allowed in a
|
||||
- request body. See the note below for the limited applicability
|
||||
- to proxy requests.</p>
|
||||
+ <p>This directive specifies the number of <var>bytes</var>
|
||||
+ that are allowed in a request body. A value of <var>0</var> means unlimited.</p>
|
||||
|
||||
<p>The <code class="directive">LimitRequestBody</code> directive allows
|
||||
the user to set a limit on the allowed size of an HTTP request
|
||||
@@ -2831,12 +2831,6 @@ from the client</td></tr>
|
||||
|
||||
<pre class="prettyprint lang-config">LimitRequestBody 102400</pre>
|
||||
|
||||
-
|
||||
- <div class="note"><p>For a full description of how this directive is interpreted by
|
||||
- proxy requests, see the <code class="module"><a href="../mod/mod_proxy.html">mod_proxy</a></code> documentation.</p>
|
||||
- </div>
|
||||
-
|
||||
-
|
||||
</div>
|
||||
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
|
||||
<div class="directive-section"><h2><a name="LimitRequestFields" id="LimitRequestFields">LimitRequestFields</a> <a name="limitrequestfields" id="limitrequestfields">Directive</a></h2>
|
||||
diff --git a/docs/manual/mod/mod_proxy.html.en b/docs/manual/mod/mod_proxy.html.en
|
||||
index ee7b1e3..233d234 100644
|
||||
--- a/docs/manual/mod/mod_proxy.html.en
|
||||
+++ b/docs/manual/mod/mod_proxy.html.en
|
||||
@@ -463,9 +463,6 @@ ProxyPass "/examples" "http://backend.example.com/examples" timeout=10</pre>
|
||||
Content-Length header, but the server is configured to filter incoming
|
||||
request bodies.</p>
|
||||
|
||||
- <p><code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code> only applies to
|
||||
- request bodies that the server will spool to disk</p>
|
||||
-
|
||||
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
|
||||
<div class="section">
|
||||
<h2><a name="x-headers" id="x-headers">Reverse Proxy Request Headers</a></h2>
|
||||
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
|
||||
index 43e8c6d..33c78f3 100644
|
||||
--- a/modules/http/http_filters.c
|
||||
+++ b/modules/http/http_filters.c
|
||||
@@ -1703,6 +1703,7 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
|
||||
{
|
||||
const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
|
||||
const char *lenp = apr_table_get(r->headers_in, "Content-Length");
|
||||
+ apr_off_t limit_req_body = ap_get_limit_req_body(r);
|
||||
|
||||
r->read_body = read_policy;
|
||||
r->read_chunked = 0;
|
||||
@@ -1738,6 +1739,11 @@ AP_DECLARE(int) ap_setup_client_block(request_rec *r, int read_policy)
|
||||
return HTTP_REQUEST_ENTITY_TOO_LARGE;
|
||||
}
|
||||
|
||||
+ if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
|
||||
+ /* will be logged when the body is discarded */
|
||||
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
|
||||
+ }
|
||||
+
|
||||
#ifdef AP_DEBUG
|
||||
{
|
||||
/* Make sure ap_getline() didn't leave any droppings. */
|
||||
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
|
||||
index bc86253..85f2f9c 100644
|
||||
--- a/modules/proxy/proxy_util.c
|
||||
+++ b/modules/proxy/proxy_util.c
|
||||
@@ -4260,13 +4260,10 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
|
||||
apr_bucket *e;
|
||||
apr_off_t bytes, fsize = 0;
|
||||
apr_file_t *tmpfile = NULL;
|
||||
- apr_off_t limit;
|
||||
|
||||
*bytes_spooled = 0;
|
||||
body_brigade = apr_brigade_create(p, bucket_alloc);
|
||||
|
||||
- limit = ap_get_limit_req_body(r);
|
||||
-
|
||||
do {
|
||||
if (APR_BRIGADE_EMPTY(input_brigade)) {
|
||||
rv = ap_proxy_read_input(r, backend, input_brigade,
|
||||
@@ -4284,17 +4281,6 @@ PROXY_DECLARE(int) ap_proxy_spool_input(request_rec *r,
|
||||
apr_brigade_length(input_brigade, 1, &bytes);
|
||||
|
||||
if (*bytes_spooled + bytes > max_mem_spool) {
|
||||
- /*
|
||||
- * LimitRequestBody does not affect Proxy requests (Should it?).
|
||||
- * Let it take effect if we decide to store the body in a
|
||||
- * temporary file on disk.
|
||||
- */
|
||||
- if (limit && (*bytes_spooled + bytes > limit)) {
|
||||
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088)
|
||||
- "Request body is larger than the configured "
|
||||
- "limit of %" APR_OFF_T_FMT, limit);
|
||||
- return HTTP_REQUEST_ENTITY_TOO_LARGE;
|
||||
- }
|
||||
/* can't spool any more in memory; write latest brigade to disk */
|
||||
if (tmpfile == NULL) {
|
||||
const char *temp_dir;
|
||||
diff --git a/server/core.c b/server/core.c
|
||||
index 3d44e0e..682259f 100644
|
||||
--- a/server/core.c
|
||||
+++ b/server/core.c
|
||||
@@ -71,7 +71,7 @@
|
||||
|
||||
/* LimitRequestBody handling */
|
||||
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
|
||||
-#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
|
||||
+#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
|
||||
|
||||
/* LimitXMLRequestBody handling */
|
||||
#define AP_LIMIT_UNSET ((long) -1)
|
@ -124,6 +124,8 @@ Patch201: httpd-2.4.53-CVE-2022-28615.patch
|
||||
Patch202: httpd-2.4.53-CVE-2022-31813.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2095002
|
||||
Patch203: httpd-2.4.53-CVE-2022-28614.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2095012
|
||||
Patch204: httpd-2.4.53-CVE-2022-29404.patch
|
||||
|
||||
License: ASL 2.0
|
||||
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
|
||||
@ -295,6 +297,7 @@ written in the Lua programming language.
|
||||
%patch201 -p1 -b .CVE-2022-28615
|
||||
%patch202 -p1 -b .CVE-2022-31813
|
||||
%patch203 -p1 -b .CVE-2022-28614
|
||||
%patch204 -p1 -b .CVE-2022-29404
|
||||
|
||||
# Patch in the vendor string
|
||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||
@ -862,6 +865,7 @@ exit $rv
|
||||
- Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
|
||||
by hop-by-hop mechanism
|
||||
- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
|
||||
- Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
|
||||
|
||||
* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
|
||||
- Related: #2065677 - httpd minimisation for ubi-micro
|
||||
|
Loading…
Reference in New Issue
Block a user