AlmaLinux changes

2021-11-17 15:47:40 +03:00 · 2021-11-17 15:47:40 +03:00 · eddf0294a3
commit eddf0294a3
parent ccfc9398cd 101cf8a43f
3 changed files with 157 additions and 2 deletions
--- a/SOURCES/httpd-2.4.37-CVE-2021-26691.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2021-26691.patch
@ -0,0 +1,13 @@
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 049255d..af70f6b 100644
+--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
+@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+     int *count = v;
+-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
+    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+     return 1;
+ }
+ 
--- a/SOURCES/httpd-2.4.37-CVE-2021-40438.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2021-40438.patch
@ -0,0 +1,126 @@
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index fb897a9..38dbb24 100644
+--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
+@@ -619,6 +619,13 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs)
+             return 6;
+         }
+         break;
+
+    case 'u':
+    case 'U':
+        if (!ap_cstr_casecmpn(uri, "nix:", 4)) {        /* unix:     */
+            *sqs = 1;
+            return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;
+        }
+     }
+ 
+     return 0;
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index f383996..6a9ef55 100644
+--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
+@@ -1717,7 +1717,8 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
+      * the UDS path... ignore it
+      */
+     if (!strncasecmp(url, "unix:", 5) &&
+-        ((ptr = ap_strchr_c(url, '|')) != NULL)) {
+        ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
+
+         /* move past the 'unix:...|' UDS path info */
+         const char *ret, *c;
+ 
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 7714b6c..3dd570c 100644
+--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
+@@ -2084,33 +2084,45 @@ static int ap_proxy_retry_worker(const char *proxy_function, proxy_worker *worke
+  * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
+  * as required.  
+  */
+-static void fix_uds_filename(request_rec *r, char **url) 
+static int fix_uds_filename(request_rec *r, char **url) 
+ {
+-    char *ptr, *ptr2;
+-    if (!r || !r->filename) return;
+    char *uds_url = r->filename + 6, *origin_url;
+ 
+     if (!strncmp(r->filename, "proxy:", 6) &&
+-            (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
+-            (ptr = ap_strchr(ptr2, '|'))) {
+            !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
+            (origin_url = ap_strchr(uds_url + 5, '|'))) {
+        char *uds_path = NULL;
+        apr_size_t url_len;
+         apr_uri_t urisock;
+         apr_status_t rv;
+-        *ptr = '\0';
+-        rv = apr_uri_parse(r->pool, ptr2, &urisock);
+-        if (rv == APR_SUCCESS) {
+-            char *rurl = ptr+1;
+-            char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path);
+-            apr_table_setn(r->notes, "uds_path", sockpath);
+-            *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */
+-            /* r->filename starts w/ "proxy:", so add after that */
+-            memmove(r->filename+6, rurl, strlen(rurl)+1);
+-            ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+-                    "*: rewrite of url due to UDS(%s): %s (%s)",
+-                    sockpath, *url, r->filename);
+-        }
+-        else {
+-            *ptr = '|';
+-        }
+-    }
+
+        *origin_url = '\0';
+        rv = apr_uri_parse(r->pool, uds_url, &urisock);
+        *origin_url++ = '|';
+
+        if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname
+                                                  || !urisock.hostname[0])) {
+             uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
+        }
+
+        if (!uds_path) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
+                     "Invalid proxy UDS filename (%s)", r->filename);
+             return 0;
+        }
+        apr_table_setn(r->notes, "uds_path", uds_path);
+
+        /* Remove the UDS path from *url and r->filename */
+        url_len = strlen(origin_url);
+        *url = apr_pstrmemdup(r->pool, origin_url, url_len);
+        memcpy(uds_url, *url, url_len + 1);
+
+        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+                 "*: rewrite of url due to UDS(%s): %s (%s)",
+                 uds_path, *url, r->filename);
+     }
+
+     return 1;
+ }
+ 
+ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+@@ -2128,7 +2140,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+                           "%s: found worker %s for %s",
+                           (*worker)->s->scheme, (*worker)->s->name, *url);
+             *balancer = NULL;
+-            fix_uds_filename(r, url);
+            if (!fix_uds_filename(r, url)) {
+                     return HTTP_INTERNAL_SERVER_ERROR;
+            }
+             access_status = OK;
+         }
+         else if (r->proxyreq == PROXYREQ_PROXY) {
+@@ -2159,7 +2173,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+                  * regarding the Connection header in the request.
+                  */
+                 apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
+-                fix_uds_filename(r, url);
+                if (!fix_uds_filename(r, url)) {
+                     return HTTP_INTERNAL_SERVER_ERROR;
+                }
+             }
+         }
+     }
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 41%{?dist}
+Release: 43%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -193,6 +193,10 @@ Patch211: httpd-2.4.37-CVE-2020-11984.patch
 Patch212: httpd-2.4.37-CVE-2021-30641.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1968307
 Patch213: httpd-2.4.37-CVE-2021-26690.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2005117
+Patch214: httpd-2.4.37-CVE-2021-40438.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1966732
+Patch215: httpd-2.4.37-CVE-2021-26691.patch

 License: ASL 2.0
 Group: System Environment/Daemons
@ -386,6 +390,8 @@ interface for storing and accessing per-user session data.
 %patch211 -p1 -b .CVE-2020-11984
 %patch212 -p1 -b .CVE-2021-30641
 %patch213 -p1 -b .CVE-2021-26690
+%patch214 -p1 -b .CVE-2021-40438
+%patch215 -p1 -b .CVE-2021-26691

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -891,9 +897,19 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
-* Sun Oct 10 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-41.alma
+* Wed Oct 27 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-43.alma
 - include AlmaLinux in version string

+* Tue Oct 26 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43
+- Related: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
+  a crafted request uri-path
+
+* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-42
+- Resolves: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
+  a crafted request uri-path
+- Resolves: #2014063 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
+  mod_session
+
 * Fri Jul 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-41
 - Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
 - Resolves: #1905613 - mod_ssl does not like valid certificate chain