Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()

2022-07-21 17:19:23 +02:00 · 2022-07-21 17:19:23 +02:00 · e48d1ff2b5
parent 3e971cd869
commit e48d1ff2b5
2 changed files with 65 additions and 0 deletions
--- a/httpd-2.4.53-CVE-2022-28614.patch
+++ b/httpd-2.4.53-CVE-2022-28614.patch
@ -0,0 +1,61 @@
+From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:34:16 +0000
+Subject: [PATCH] Merge r1901500 from trunk:
+
+handle large writes in ap_rputs
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901501 13f79535-47bb-0310-9956-ffa450edef68
+---
+ include/http_protocol.h | 22 +++++++++++++++++++++-
+ server/protocol.c       |  3 +++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/include/http_protocol.h b/include/http_protocol.h
+index 20bd2022266..94c481e5f43 100644
+--- a/include/http_protocol.h
+++ b/include/http_protocol.h
+@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
+  */
+ static APR_INLINE int ap_rputs(const char *str, request_rec *r)
+ {
+-    return ap_rwrite(str, (int)strlen(str), r);
+    apr_size_t len;
+
+    len = strlen(str);
+
+    for (;;) {
+        if (len <= INT_MAX) {
+            return ap_rwrite(str, (int)len, r);
+        }
+        else {
+            int rc;
+
+            rc = ap_rwrite(str, INT_MAX, r);
+            if (rc < 0) {
+                return rc;
+            }
+            else {
+                str += INT_MAX;
+                len -= INT_MAX;
+            }
+        }
+    }
+ }
+ 
+ /**
+diff --git a/server/protocol.c b/server/protocol.c
+index 298f61e1fb8..7adc7f75c10 100644
+--- a/server/protocol.c
+++ b/server/protocol.c
+@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
+ 
+ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
+ {
+    if (nbyte < 0)
+        return -1;
+
+     if (r->connection->aborted)
+         return -1;
+ 
--- a/httpd.spec
+++ b/httpd.spec
@ -122,6 +122,8 @@ Patch200: httpd-2.4.53-CVE-2022-26377.patch
 Patch201: httpd-2.4.53-CVE-2022-28615.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2095020
 Patch202: httpd-2.4.53-CVE-2022-31813.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2095002
+Patch203: httpd-2.4.53-CVE-2022-28614.patch

 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@ -292,6 +294,7 @@ written in the Lua programming language.
 %patch200 -p1 -b .CVE-2022-26377
 %patch201 -p1 -b .CVE-2022-28615
 %patch202 -p1 -b .CVE-2022-31813
+%patch203 -p1 -b .CVE-2022-28614

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -858,6 +861,7 @@ exit $rv
  ap_strcmp_match()
 - Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
  by hop-by-hop mechanism
+- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()

 * Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
 - Related: #2065677 - httpd minimisation for ubi-micro