Add patch to fix CVE-2023-27522

2023-08-01 16:09:01 +03:00 · 2023-08-01 16:09:01 +03:00 · e6f9659dfd
commit e6f9659dfd
parent efecfe4386
2 changed files with 117 additions and 1 deletions
--- a/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
@ -0,0 +1,107 @@
 From 45e46db92b5387fdaf6c57e65ac9716c9b8574da Mon Sep 17 00:00:00 2001
 From: Pavel Mayorov <pmayorov@cloudlinux.com>
 Date: Wed, 15 Mar 2023 14:00:11 +0300
 Subject: [PATCH] CVE-2023-27522
 Taken main fix from the following upstream commit:
    commit d753ea76b5972a85349b68c31b59d04c60014f2d
    Author: Eric Covener <covener@apache.org>
    Date:   Sun Mar 5 20:22:52 2023 +0000
    Merge r1907980 from trunk:
    mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation
    Reviewed By: ylavic, covener, gbechis, rpluem
    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908094 13f79535-47bb-0310-9956-ffa450edef68
 Signed-off-by: Pavel Mayorov <pmayorov@cloudlinux.com>
 ---
 modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 14 deletions(-)
 diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
 index 9dcbed1..a1b564d 100644
 --- a/modules/proxy/mod_proxy_uwsgi.c
 +++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
     pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
     len = ap_getline(buffer, sizeof(buffer), rp, 1);
 -
     if (len <= 0) {
 -        /* oops */
 +        /* invalid or empty */
         return HTTP_INTERNAL_SERVER_ERROR;
     }
 -
     backend->worker->s->read += len;
 -
 -    if (len >= sizeof(buffer) - 1) {
 -        /* oops */
 +    if ((apr_size_t)len >= sizeof(buffer)) {
 +        /* too long */
         return HTTP_INTERNAL_SERVER_ERROR;
     }
 +
     /* Position of http status code */
     if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
         status_start = 9;
@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
         status_start = 7;
     }
     else {
 -        /* oops */
 -        return HTTP_INTERNAL_SERVER_ERROR;
 +        /* not HTTP */
 +        return HTTP_BAD_GATEWAY;
     }
     status_end = status_start + 3;
@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
     }
     r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
 -    /* start parsing headers */
 +    /* parse headers */
     while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
 +        if ((apr_size_t)len >= sizeof(buffer)) {
 +            /* too long */
 +            len = -1;
 +            break;
 +        }
         value = strchr(buffer, ':');
 -        /* invalid header skip */
 -        if (!value)
 -            continue;
 -        *value = '\0';
 -        ++value;
 +        if (!value) {
 +            /* invalid header */
 +            len = -1;
 +            break;
 +        }
 +        *value++ = '\0';
 +        if (*ap_scan_http_token(buffer)) {
 +            /* invalid name */
 +            len = -1;
 +            break;
 +        }
         while (apr_isspace(*value))
             ++value;
         for (end = &value[strlen(value) - 1];
              end > value && apr_isspace(*end); --end)
             *end = '\0';
 +        if (*ap_scan_http_field_content(value)) {
 +            /* invalid value */
 +            len = -1;
 +            break;
 +        }
         apr_table_add(r->headers_out, buffer, value);
     }
 +    if (len < 0) {
 +        /* Reset headers, but not to NULL because things below the chain expect
 +         * this to be non NULL e.g. the ap_content_length_filter.
 +         */
 +        r->headers_out = apr_table_make(r->pool, 1);
 +        return HTTP_BAD_GATEWAY;
 +    }
     if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
         ap_set_content_type(r, apr_pstrdup(r->pool, buf));
 -- 
 2.39.2
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.53
-Release: 11%{?dist}.5
+Release: 11%{?dist}.5.alma
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -141,6 +141,9 @@ Patch209: httpd-2.4.53-CVE-2022-36760.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2176209
 Patch210: httpd-2.4.53-CVE-2023-25690.patch
 # AlmaLinux patches
 Patch1000: httpd-2.4.37-CVE-2023-27522.patch
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
 BuildRequires: perl-interpreter, perl-generators, systemd-devel
@ -321,6 +324,9 @@ written in the Lua programming language.
 %patch209 -p1 -b .CVE-2022-36760
 %patch210 -p1 -b .CVE-2023-25690
 %patch1000 -p1 -b .CVE-2023-27522
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 sed -i 's/@RELEASE@/%{release}/' server/core.c
@ -879,6 +885,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Tue Aug 01 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.4.53-11.5.alma
 - Add patch to fix CVE-2023-27522
 * Fri Apr 28 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-11.5
 - Resolves: #2190324 - mod_rewrite regression with CVE-2023-25690