import mod_http2-1.15.7-5.module+el8.6.0+13996+01710940

2022-05-10 03:10:44 -04:00 · 2022-05-10 03:10:44 -04:00 · 0bfa611d9f
commit 0bfa611d9f
parent 59cc14eac5
3 changed files with 107 additions and 1 deletions
--- a/SOURCES/mod_http2-1.15.7-CVE-2021-33193.patch
+++ b/SOURCES/mod_http2-1.15.7-CVE-2021-33193.patch
@ -0,0 +1,81 @@
+diff --git a/mod_http2/h2_request.c b/mod_http2/h2_request.c
+index 5893c8b..1131440 100644
+--- a/mod_http2/h2_request.c
+++ b/mod_http2/h2_request.c
+@@ -206,75 +206,13 @@ h2_request *h2_request_clone(apr_pool_t *p, const h2_request *src)
+     return dst;
+ }
+ 
+-#if !AP_MODULE_MAGIC_AT_LEAST(20150222, 13)
+-static request_rec *my_ap_create_request(conn_rec *c)
+-{
+-    apr_pool_t *p;
+-    request_rec *r;
+-
+-    apr_pool_create(&p, c->pool);
+-    apr_pool_tag(p, "request");
+-    r = apr_pcalloc(p, sizeof(request_rec));
+-    AP_READ_REQUEST_ENTRY((intptr_t)r, (uintptr_t)c);
+-    r->pool            = p;
+-    r->connection      = c;
+-    r->server          = c->base_server;
+-    
+-    r->user            = NULL;
+-    r->ap_auth_type    = NULL;
+-    
+-    r->allowed_methods = ap_make_method_list(p, 2);
+-
+-    r->headers_in      = apr_table_make(r->pool, 5);
+-    r->trailers_in     = apr_table_make(r->pool, 5);
+-    r->subprocess_env  = apr_table_make(r->pool, 25);
+-    r->headers_out     = apr_table_make(r->pool, 12);
+-    r->err_headers_out = apr_table_make(r->pool, 5);
+-    r->trailers_out    = apr_table_make(r->pool, 5);
+-    r->notes           = apr_table_make(r->pool, 5);
+-    
+-    r->request_config  = ap_create_request_config(r->pool);
+-    /* Must be set before we run create request hook */
+-    
+-    r->proto_output_filters = c->output_filters;
+-    r->output_filters  = r->proto_output_filters;
+-    r->proto_input_filters = c->input_filters;
+-    r->input_filters   = r->proto_input_filters;
+-    ap_run_create_request(r);
+-    r->per_dir_config  = r->server->lookup_defaults;
+-    
+-    r->sent_bodyct     = 0;                      /* bytect isn't for body */
+-    
+-    r->read_length     = 0;
+-    r->read_body       = REQUEST_NO_BODY;
+-    
+-    r->status          = HTTP_OK;  /* Until further notice */
+-    r->header_only     = 0;
+-    r->the_request     = NULL;
+-    
+-    /* Begin by presuming any module can make its own path_info assumptions,
+-     * until some module interjects and changes the value.
+-     */
+-    r->used_path_info = AP_REQ_DEFAULT_PATH_INFO;
+-    
+-    r->useragent_addr = c->client_addr;
+-    r->useragent_ip = c->client_ip;
+-    
+-    return r;
+-}
+-#endif
+-
+ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
+ {
+-    int access_status = HTTP_OK;    
+    int access_status = HTTP_OK;
+     const char *rpath;
+     const char *s;
+ 
+-#if AP_MODULE_MAGIC_AT_LEAST(20150222, 13)
+     request_rec *r = ap_create_request(c);
+-#else
+-    request_rec *r = my_ap_create_request(c);
+-#endif
+ 
+     r->headers_in = apr_table_clone(r->pool, req->headers);
+ 
--- a/SOURCES/mod_http2-1.15.7-CVE-2021-44224.patch
+++ b/SOURCES/mod_http2-1.15.7-CVE-2021-44224.patch
@ -0,0 +1,13 @@
+diff --git a/mod_http2/h2_request.c b/mod_http2/h2_request.c
+index 1131440..89a0b47 100644
+--- a/mod_http2/h2_request.c
+++ b/mod_http2/h2_request.c
+@@ -267,7 +267,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
+                                NULL, r, r->connection);
+     
+     if (access_status != HTTP_OK
+-        || (access_status = ap_run_post_read_request(r))) {
+        || (access_status = ap_post_read_request(r))) {
+         /* Request check post hooks failed. An example of this would be a
+          * request for a vhost where h2 is disabled --> 421.
+          */
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	1.15.7
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	module implementing HTTP/2 for Apache 2
 Group:		System Environment/Daemons
 License:	ASL 2.0
@ -11,6 +11,8 @@ URL:		https://icing.github.io/mod_h2/
 Source0:	https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2-%{version}.tar.gz
 Patch1:		mod_http2-1.15.7-CVE-2020-9490.patch
 Patch2:		mod_http2-1.15.7-CVE-2020-11993.patch
+Patch3:		mod_http2-1.15.7-CVE-2021-33193.patch
+Patch4:		mod_http2-1.15.7-CVE-2021-44224.patch
 BuildRequires:	pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
 Requires:	httpd-mmn = %{_httpd_mmn}
 Conflicts:      httpd < 2.4.25-8
@ -24,6 +26,8 @@ top of libnghttp2 for httpd 2.4 servers.
 %setup -q
 %patch1 -p1 -b .CVE-2020-9490
 %patch2 -p1 -b .CVE-2020-11993
+%patch3 -p1 -b .CVE-2021-33193
+%patch4 -p1 -b .CVE-2021-44224

 %build
 %configure
@ -50,6 +54,14 @@ make check
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Mon Jan 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-5
+- Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference
+  or SSRF in forward proxy configurations
+
+* Thu Jan 06 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-4
+- Resolves: #1966728 - CVE-2021-33193 httpd:2.4/mod_http2: httpd:
+  Request splitting via HTTP/2 method injection and mod_proxy
+
 * Fri Oct 30 2020 Lubos Uhliarik <luhliari@redhat.com> - 1.15.7-3
 - Resolves: #1869077 - CVE-2020-11993 httpd:2.4/mod_http2: httpd:
  mod_http2 concurrent pool usage