mod_xml2enc: fix media type handling

Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)
2024-02-10 02:08:34 +00:00 · 2024-02-05 16:06:21 +01:00
4 changed files with 70 additions and 3 deletions
--- a/.httpd.metadata
+++ b/.httpd.metadata
@ -0,0 +1,3 @@
+01044512374941fad939ec4b1537428cc7edc769 httpd-2.4.57.tar.bz2
+5cac6152cf2f175cc35ca0cf9d00b797c949b273 httpd-2.4.57.tar.bz2.asc
+b2457e3ce46a7634bf9272a92b4214974b9bc9e0 KEYS
--- a/httpd-2.4.57-CVE-2023-31122.patch
+++ b/httpd-2.4.57-CVE-2023-31122.patch
@ -0,0 +1,11 @@
+--- a/modules/core/mod_macro.c	2023/10/16 06:19:16	1912992
+++ b/modules/core/mod_macro.c	2023/10/16 06:38:32	1912993
+@@ -483,7 +483,7 @@
+     for (i = 0; i < contents->nelts; i++) {
+         const char *errmsg;
+         /* copy the line and substitute macro parameters */
+-        strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1);
+        apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);
+         errmsg = substitute_macro_args(line, MAX_STRING_LEN,
+                                        macro, replacements, used);
+         if (errmsg) {
--- a/httpd-2.4.57-r1884505+.patch
+++ b/httpd-2.4.57-r1884505+.patch
@ -0,0 +1,39 @@
+# ./pullrev.sh 1884505 1915625
+http://svn.apache.org/viewvc?view=revision&revision=1884505
+http://svn.apache.org/viewvc?view=revision&revision=1915625
+
+--- httpd-2.4.57/modules/filters/mod_xml2enc.c
+++ httpd-2.4.57/modules/filters/mod_xml2enc.c
+@@ -329,7 +329,7 @@
+     apr_bucket* bstart;
+     apr_size_t insz = 0;
+     int pending_meta = 0;
+-    char *ctype;
+    char *mtype;
+     char *p;
+ 
+     if (!ctx || !f->r->content_type) {
+@@ -338,13 +338,17 @@
+         return ap_pass_brigade(f->next, bb) ;
+     }
+ 
+-    ctype = apr_pstrdup(f->r->pool, f->r->content_type);
+-    for (p = ctype; *p; ++p)
+-        if (isupper(*p))
+-            *p = tolower(*p);
+    /* Extract the media type, ignoring parameters in content-type. */
+    mtype = apr_pstrdup(f->r->pool, f->r->content_type);
+    if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
+    ap_str_tolower(mtype);
+ 
+-    /* only act if starts-with "text/" or contains "xml" */
+-    if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml"))  {
+    /* Accept text/ types, plus any XML media type per RFC 7303. */
+    if (!(strncmp(mtype, "text/", 5) == 0
+          || strcmp(mtype, "application/xml") == 0
+          || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
+              && (p = strstr(mtype, "+xml")) != NULL
+              && strlen(p) == 4 /* ensures +xml is a suffix */))) {
+         ap_remove_output_filter(f);
+         return ap_pass_brigade(f->next, bb) ;
+     }
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.57
-Release: 6%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -118,11 +118,15 @@ Patch69: httpd-2.4.57-covscan.patch
 Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2217726
 Patch71: httpd-2.4.57-davenoent.patch
-
+# https://issues.redhat.com/browse/RHEL-17686
+Patch72: httpd-2.4.57-r1884505+.patch

 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=...
-# Patch200: ...
+#
+# https://bugzilla.redhat.com/show_bug.cgi?id=2245332
+Patch200: httpd-2.4.57-CVE-2023-31122.patch
+

 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@ -292,7 +296,9 @@ written in the Lua programming language.
 %patch69 -p1 -b .covstan
 %patch70 -p1 -b .duplicate-key
 %patch71 -p1 -b .davenoent
+%patch72 -p1 -b .r1884505+

+%patch200 -p1 -b .CVE-2023-31122

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -853,6 +859,14 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Wed Feb  7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
+- mod_xml2enc: fix media type handling
+  Resolves: RHEL-17686
+
+* Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
+- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
+  vulnerability (CVE-2023-31122)
+
 * Wed Oct  4 2023 Joe Orton <jorton@redhat.com> - 2.4.57-6
 - Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
 - mod_dav_fs: add global mutex around lockdb interaction
Author	SHA1	Message	Date
Joe Orton	ff4c2c66c0	mod_xml2enc: fix media type handling	2024-02-10 02:08:34 +00:00
Luboš Uhliarik	df3e6a5147	Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)	2024-02-05 16:06:21 +01:00