import httpd-2.4.37-43.module+el8.5.0+14370+51c6d843.2

2022-03-15 05:10:36 -04:00 · 2022-03-15 05:10:36 -04:00 · e774410994
commit e774410994
parent 407b246534
3 changed files with 47 additions and 1 deletions
--- a/SOURCES/httpd-2.4.37-CVE-2021-34798.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2021-34798.patch
@ -0,0 +1,13 @@
+diff --git a/server/scoreboard.c b/server/scoreboard.c
+index 23e3d70..7b01bdf 100644
+--- a/server/scoreboard.c
+++ b/server/scoreboard.c
+@@ -376,7 +376,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
+     if (pfn_ap_logio_get_last_bytes != NULL) {
+         bytes = pfn_ap_logio_get_last_bytes(r->connection);
+     }
+-    else if (r->method_number == M_GET && r->method[0] == 'H') {
+    else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
+         bytes = 0;
+     }
+     else {
--- a/SOURCES/httpd-2.4.37-CVE-2021-39275.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2021-39275.patch
@ -0,0 +1,21 @@
+diff --git a/server/util.c b/server/util.c
+index e0c558c..2a5dd04 100644
+--- a/server/util.c
+++ b/server/util.c
+@@ -2460,13 +2460,12 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
+      * in front of every " that doesn't already have one.
+      */
+     while (*inchr != '\0') {
+-        if ((*inchr == '\\') && (inchr[1] != '\0')) {
+-            *outchr++ = *inchr++;
+-            *outchr++ = *inchr++;
+-        }
+         if (*inchr == '"') {
+             *outchr++ = '\\';
+         }
+        if ((*inchr == '\\') && (inchr[1] != '\0')) {
+            *outchr++ = *inchr++;
+        }
+         if (*inchr != '\0') {
+             *outchr++ = *inchr++;
+         }
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 43%{?dist}.1
+Release: 43%{?dist}.2
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -198,6 +198,10 @@ Patch214: httpd-2.4.37-CVE-2021-40438.patch
 Patch215: httpd-2.4.37-CVE-2021-26691.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2034674
 Patch216: httpd-2.4.37-CVE-2021-44790.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2005128
+Patch217: httpd-2.4.37-CVE-2021-34798.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2005119
+Patch218: httpd-2.4.37-CVE-2021-39275.patch

 License: ASL 2.0
 Group: System Environment/Daemons
@ -394,6 +398,8 @@ interface for storing and accessing per-user session data.
 %patch214 -p1 -b .CVE-2021-40438
 %patch215 -p1 -b .CVE-2021-26691
 %patch216 -p1 -b .CVE-2021-44790
+%patch217 -p1 -b .CVE-2021-34798
+%patch218 -p1 -b .CVE-2021-39275

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -899,6 +905,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Fri Feb 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.2
+- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference
+  via malformed requests
+- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in
+  ap_escape_quotes() via malicious input
+
 * Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.1
 - Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer
  overflow when parsing multipart content