rpms/httpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()

Browse Source
This commit is contained in:
Luboš Uhliarik 2022-07-21 17:19:23 +02:00
parent 3e971cd869
commit e48d1ff2b5
2 changed files with 65 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
httpd-2.4.53-CVE-2022-28614.patch Normal file
View File

@ -0,0 +1,61 @@
From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Wed, 1 Jun 2022 12:34:16 +0000
Subject: [PATCH] Merge r1901500 from trunk:
handle large writes in ap_rputs
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901501 13f79535-47bb-0310-9956-ffa450edef68
---
include/http_protocol.h | 22 +++++++++++++++++++++-
server/protocol.c | 3 +++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/include/http_protocol.h b/include/http_protocol.h
index 20bd2022266..94c481e5f43 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
*/
static APR_INLINE int ap_rputs(const char *str, request_rec *r)
{
- return ap_rwrite(str, (int)strlen(str), r);
+ apr_size_t len;
+
+ len = strlen(str);
+
+ for (;;) {
+ if (len <= INT_MAX) {
+ return ap_rwrite(str, (int)len, r);
+ }
+ else {
+ int rc;
+
+ rc = ap_rwrite(str, INT_MAX, r);
+ if (rc < 0) {
+ return rc;
+ }
+ else {
+ str += INT_MAX;
+ len -= INT_MAX;
+ }
+ }
+ }
}
/**
diff --git a/server/protocol.c b/server/protocol.c
index 298f61e1fb8..7adc7f75c10 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
{
+ if (nbyte < 0)
+ return -1;
+
if (r->connection->aborted)
return -1;

4
httpd.spec
View File

@ -122,6 +122,8 @@ Patch200: httpd-2.4.53-CVE-2022-26377.patch
Patch201: httpd-2.4.53-CVE-2022-28615.patch Patch201: httpd-2.4.53-CVE-2022-28615.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095020 # https://bugzilla.redhat.com/show_bug.cgi?id=2095020
Patch202: httpd-2.4.53-CVE-2022-31813.patch Patch202: httpd-2.4.53-CVE-2022-31813.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095002
Patch203: httpd-2.4.53-CVE-2022-28614.patch
License: ASL 2.0 License: ASL 2.0
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@ -292,6 +294,7 @@ written in the Lua programming language.
%patch200 -p1 -b .CVE-2022-26377 %patch200 -p1 -b .CVE-2022-26377
%patch201 -p1 -b .CVE-2022-28615 %patch201 -p1 -b .CVE-2022-28615
%patch202 -p1 -b .CVE-2022-31813 %patch202 -p1 -b .CVE-2022-31813
%patch203 -p1 -b .CVE-2022-28614
# Patch in the vendor string # Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -858,6 +861,7 @@ exit $rv
ap_strcmp_match() ap_strcmp_match()
- Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped - Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
by hop-by-hop mechanism by hop-by-hop mechanism
- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6 * Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
- Related: #2065677 - httpd minimisation for ubi-micro - Related: #2065677 - httpd minimisation for ubi-micro