Add patch to fix CVE-2023-27522

Merge branch 'c8-stream-2.4' into a8-stream-2.4
Fix changelog
2023-08-01 16:05:13 +03:00 · 2022-06-22 09:25:21 +00:00 · 2022-05-10 11:09:07 +00:00 · 2022-05-10 07:28:16 +00:00 · 2022-03-24 17:41:46 +00:00 · 2022-03-24 13:56:15 +00:00
2 changed files with 127 additions and 2 deletions
--- a/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
@ -0,0 +1,107 @@
+From 45e46db92b5387fdaf6c57e65ac9716c9b8574da Mon Sep 17 00:00:00 2001
+From: Pavel Mayorov <pmayorov@cloudlinux.com>
+Date: Wed, 15 Mar 2023 14:00:11 +0300
+Subject: [PATCH] CVE-2023-27522
+Taken main fix from the following upstream commit:
+    commit d753ea76b5972a85349b68c31b59d04c60014f2d
+    Author: Eric Covener <covener@apache.org>
+    Date:   Sun Mar 5 20:22:52 2023 +0000
+    Merge r1907980 from trunk:
+    mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation
+    Reviewed By: ylavic, covener, gbechis, rpluem
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908094 13f79535-47bb-0310-9956-ffa450edef68
+Signed-off-by: Pavel Mayorov <pmayorov@cloudlinux.com>
+---
+ modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index 9dcbed1..a1b564d 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+     pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
+ 
+     len = ap_getline(buffer, sizeof(buffer), rp, 1);
+-
+     if (len <= 0) {
+-        /* oops */
+        /* invalid or empty */
+         return HTTP_INTERNAL_SERVER_ERROR;
+     }
+-
+     backend->worker->s->read += len;
+-
+-    if (len >= sizeof(buffer) - 1) {
+-        /* oops */
+    if ((apr_size_t)len >= sizeof(buffer)) {
+        /* too long */
+         return HTTP_INTERNAL_SERVER_ERROR;
+     }
+
+     /* Position of http status code */
+     if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
+         status_start = 9;
+@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+         status_start = 7;
+     }
+     else {
+-        /* oops */
+-        return HTTP_INTERNAL_SERVER_ERROR;
+        /* not HTTP */
+        return HTTP_BAD_GATEWAY;
+     }
+     status_end = status_start + 3;
+ 
+@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+     }
+     r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
+ 
+-    /* start parsing headers */
+    /* parse headers */
+     while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+        if ((apr_size_t)len >= sizeof(buffer)) {
+            /* too long */
+            len = -1;
+            break;
+        }
+         value = strchr(buffer, ':');
+-        /* invalid header skip */
+-        if (!value)
+-            continue;
+-        *value = '\0';
+-        ++value;
+        if (!value) {
+            /* invalid header */
+            len = -1;
+            break;
+        }
+        *value++ = '\0';
+        if (*ap_scan_http_token(buffer)) {
+            /* invalid name */
+            len = -1;
+            break;
+        }
+         while (apr_isspace(*value))
+             ++value;
+         for (end = &value[strlen(value) - 1];
+              end > value && apr_isspace(*end); --end)
+             *end = '\0';
+        if (*ap_scan_http_field_content(value)) {
+            /* invalid value */
+            len = -1;
+            break;
+        }
+         apr_table_add(r->headers_out, buffer, value);
+     }
+    if (len < 0) {
+        /* Reset headers, but not to NULL because things below the chain expect
+         * this to be non NULL e.g. the ap_content_length_filter.
+         */
+        r->headers_out = apr_table_make(r->pool, 1);
+        return HTTP_BAD_GATEWAY;
+    }
+ 
+     if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+         ap_set_content_type(r, apr_pstrdup(r->pool, buf));
+-- 
+2.39.2
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -3,7 +3,7 @@
 %define suexec_caller apache
 %define mmn 20120211
 %define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
-%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})
+%define vstring %(source /etc/os-release; echo ${NAME})
 %if 0%{?fedora} > 26 || 0%{?rhel} > 7
 %global mpm event
 %else
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 47%{?dist}.2
+Release: 47%{?dist}.2.alma.1
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -219,6 +219,9 @@ Patch223: httpd-2.4.37-CVE-2022-22720.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1966738
 Patch224: httpd-2.4.37-CVE-2020-13950.patch

+# AlmaLinux patches
+Patch1000: httpd-2.4.37-CVE-2023-27522.patch
+
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -425,6 +428,9 @@ interface for storing and accessing per-user session data.
 %patch223 -p1 -b .CVE-2022-22720
 %patch224 -p1 -b .CVE-2020-13950

+# AlmaLinux patches
+%patch1000 -p1 -b .CVE-2023-27522
+
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 sed -i 's/@RELEASE@/%{release}/' server/core.c
@ -929,6 +935,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue Aug 01 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.4.37-47.2.alma.1
+- Add patch to fix CVE-2023-27522
+
+* Wed Jun 22 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-47.2.alma
+- include AlmaLinux in version string
+
 * Wed Jun 15 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-47.2
 - Resolves: #2097247 - CVE-2020-13950 httpd:2.4/httpd: mod_proxy NULL pointer
  dereference
@ -937,6 +949,12 @@ rm -rf $RPM_BUILD_ROOT
 - Resolves: #2065248 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling
  vulnerability in Apache HTTP Server 2.4.52 and earlier

+* Fri Feb 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.2
+- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference
+  via malformed requests
+- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in
+  ap_escape_quotes() via malicious input
+
 * Thu Jan 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-47
 - Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference
  or SSRF in forward proxy configurations
Author	SHA1	Message	Date
eabdullin	74b0a567f5	Add patch to fix CVE-2023-27522	2023-08-01 16:05:13 +03:00
eabdullin	d4da8c8e59	Merge branch 'c8-stream-2.4' into a8-stream-2.4	2022-06-22 09:25:21 +00:00
Andrew Lukoshko	daf51ad347	Fix changelog	2022-05-10 11:09:07 +00:00
eabdullin	44948b4e5a	Merge branch 'c8-stream-2.4' into a8-stream-2.4	2022-05-10 07:28:16 +00:00
Andrew Lukoshko	77afbda43c	Fix alma dist	2022-03-24 17:41:46 +00:00
eabdullin	0afc2f5f9f	Merge branch 'c8-stream-2.4' into a8-stream-2.4	2022-03-24 13:56:15 +00:00
eabdullin	5897347d31	Merge branch 'c8-stream-2.4' into a8-stream-2.4	2022-01-25 12:52:09 +00:00
eabdullin	eddf0294a3	AlmaLinux changes	2021-11-17 15:47:40 +03:00
eabdullin	ccfc9398cd	AlmaLinux changes	2021-11-17 15:44:48 +03:00
Andrew Lukoshko	9b0dd37f86	Merge branch 'c8-stream-2.4' into a8-stream-2.4	2021-10-14 17:10:26 +00:00
Andrew Lukoshko	28d7b6fc3a	AlmaLinux changes	2021-09-15 09:34:40 +00:00