Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads

in AJP getter functions (CVE-2026-33857)
Luboš Uhliarik 2026-05-13 15:58:31 +02:00
parent 8bb28bf05d
commit 82acd1a876
2 changed files with 54 additions and 0 deletions


@ -0,0 +1,49 @@
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index a1c009f..6443b36 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
{
apr_uint32_t value;
- if ((msg->pos + 3) > msg->len) {
+ if ((msg->pos + 3) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint32");
}
@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
{
apr_uint16_t value;
- if ((msg->pos + 1) > msg->len) {
+ if ((msg->pos + 1) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint16");
}
@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
{
apr_uint16_t value;
- if ((msg->pos + 1) > msg->len) {
+ if ((msg->pos + 1) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
}
@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
*/
apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
{
- if (msg->pos > msg->len) {
+ if (msg->pos >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
}
@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
{
- if (msg->pos > msg->len) {
+ if (msg->pos >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint8");
}
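Review bot: The five corrected guards (`ajp_msg_get_uint32`, `ajp_msg_get_uint16`, `ajp_msg_peek_uint16`, `ajp_msg_peek_uint8`, `ajp_msg_get_uint8`) all rely on `msg->len` being one past the last readable byte, but nothing in the hunks states that invariant, which is presumably how the `>` comparison survived in five places. I would add a short comment above each check, for example `/* reads bytes pos..pos+3; the last index must stay below len */`, or write the test once in a small static helper that takes the number of bytes needed. The sums `msg->pos + 3` and `msg->pos + 1` are not guarded against wrap-around; that is harmless only if `pos` is always bounded by the buffer size, which these hunks do not show. The function bodies continue outside each hunk, and any other getters in ajp_msg.c that read from the message buffer are not visible here, so it is worth confirming they apply the same exclusive bound and that a regression test covers a read attempted at `pos == len`.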


@ -303,6 +303,8 @@ Patch254: httpd-2.4.37-CVE-2025-58098.patch
Patch255: httpd-2.4.37-CVE-2026-28780.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2465299
Patch256: httpd-2.4.37-CVE-2026-33007.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2464953
Patch257: httpd-2.4.37-CVE-2026-33857.patch
License: ASL 2.0
Group: System Environment/Daemons
@ -549,6 +551,7 @@ interface for storing and accessing per-user session data.
%patch254 -p1 -b .CVE-2025-58098
%patch255 -p1 -b .CVE-2026-28780
%patch256 -p1 -b .CVE-2026-33007
%patch257 -p1 -b .CVE-2026-33857
%patch96 -p1 -b .r1922080
@ -1065,6 +1068,8 @@ rm -rf $RPM_BUILD_ROOT
Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
- Resolves: RHEL-175074 - httpd:2.4/httpd: NULL pointer dereference can
cause a child process crash (CVE-2026-33007)
- Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads
in AJP getter functions (CVE-2026-33857)
* Fri Dec 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.7
- Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass