From 6e1a380098d4fe9cd4846b1563e70792d36dda69 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 15 Sep 2025 12:23:51 +0000
Subject: [PATCH] import CS mod_security-2.9.6-3.el9
---
 .../mod_security-2.9.6-CVE-2025-47947.patch | 48 +++++++++++++++++++
 .../mod_security-2.9.6-CVE-2025-48866.patch | 25 ++++++++++
 SPECS/mod_security.spec | 14 +++++-
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/mod_security-2.9.6-CVE-2025-47947.patch
 create mode 100644 SOURCES/mod_security-2.9.6-CVE-2025-48866.patch
diff --git a/SOURCES/mod_security-2.9.6-CVE-2025-47947.patch b/SOURCES/mod_security-2.9.6-CVE-2025-47947.patch
new file mode 100644
index 0000000..18a81c3
--- /dev/null
+++ b/SOURCES/mod_security-2.9.6-CVE-2025-47947.patch
@@ -0,0 +1,48 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-47947
+https://github.com/owasp-modsecurity/ModSecurity/commit/26161b907e792e53d01c7293e630240db13e28b3
+
+--- modsecurity-2.9.6/apache2/modsecurity.h.cve47947
++++ modsecurity-2.9.6/apache2/modsecurity.h
+@@ -693,6 +693,7 @@
+ unsigned int value_origin_offset;
+ unsigned int value_origin_len;
+ const char *origin;
++ unsigned int marked_for_sanitization;
+ };
+
+ struct msc_string {
+--- modsecurity-2.9.6/apache2/msc_json.c.cve47947
++++ modsecurity-2.9.6/apache2/msc_json.c
+@@ -58,6 +58,7 @@
+ arg->name, arg->value);
+ }
+
++ arg->marked_for_sanitization = 0;
+ apr_table_addn(msr->arguments,
+ log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
+
+--- modsecurity-2.9.6/apache2/msc_parsers.c.cve47947
++++ modsecurity-2.9.6/apache2/msc_parsers.c
+@@ -340,6 +340,7 @@
+ */
+ void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
+ {
++ arg->marked_for_sanitization = 0;
+ if (msr->txcfg->debuglog_level >= 5) {
+ msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
+ arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
+--- modsecurity-2.9.6/apache2/re_actions.c.cve47947
++++ modsecurity-2.9.6/apache2/re_actions.c
+@@ -1413,8 +1413,9 @@
+ telts = (const apr_table_entry_t*)tarr->elts;
+ for (i = 0; i < tarr->nelts; i++) {
+ msc_arg *arg = (msc_arg *)telts[i].val;
+- if (strcasecmp(sargname, arg->name) == 0) {
++ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
+ apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
++ arg->marked_for_sanitization = 1;
+ }
+ }
+ break;
diff --git a/SOURCES/mod_security-2.9.6-CVE-2025-48866.patch b/SOURCES/mod_security-2.9.6-CVE-2025-48866.patch
new file mode 100644
index 0000000..b4e4f08
--- /dev/null
+++ b/SOURCES/mod_security-2.9.6-CVE-2025-48866.patch
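Review bot: In SOURCES/mod_security-2.9.6-CVE-2025-47947.patch the new guard in re_actions.c reads `arg->marked_for_sanitization` for every entry of `msr->arguments`, yet the patch resets the flag only in `add_argument()` and in the msc_json.c hunk. Any `msc_arg` that reaches that table by another path depends on its allocator having zeroed the struct; if the field held a non-zero value the argument would be skipped and never queued in `msr->arguments_to_sanitize`, presumably leaving a value that should be masked visible in the logs. It is worth confirming that every `msc_arg` allocation zero-fills the struct (the allocation sites are not visible here) and recording the invariant on the field in modsecurity.h, for example `/* 1 once queued in arguments_to_sanitize; must be 0 when the arg is created */`. The re_actions.c hunk at line 1413 carries no function name, and the loop it changes starts outside the hunk.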
@@ -0,0 +1,25 @@
+From 614c6e18a734bd31a483abc2fa2faf217dcb81c3 Mon Sep 17 00:00:00 2001
+From: Ervin Hegedus
+Date: Sat, 24 May 2025 12:04:39 +0200
+Subject: [PATCH] fix: add ARGS to sanitize list only if it's not added yet in
+ case of sanitizeArg
+
+---
+ apache2/re_actions.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apache2/re_actions.c b/apache2/re_actions.c
+index 4a922d27f..febc4759e 100644
+--- a/apache2/re_actions.c
++++ b/apache2/re_actions.c
+@@ -1455,8 +1455,9 @@ static apr_status_t msre_action_sanitizeArg_execute(modsec_rec *msr, apr_pool_t
+ for (i = 0; i < tarr->nelts; i++) {
+ msc_arg *arg = (msc_arg *)telts[i].val;
+
+- if (strcasecmp(sargname, arg->name) == 0) {
++ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
+ apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
++ arg->marked_for_sanitization = 1;
+ }
+ }
+
diff --git a/SPECS/mod_security.spec b/SPECS/mod_security.spec
index 65638cf..8b578ae 100644
--- a/SPECS/mod_security.spec
+++ b/SPECS/mod_security.spec
@@ -10,7 +10,7 @@
 Summary: Security module for the Apache HTTP Server
 Name: mod_security
 Version: 2.9.6
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz
@@ -21,6 +21,10 @@ Patch0: modsecurity-2.9.3-lua-54.patch
 Patch1: modsecurity-2.9.3-apulibs.patch
 Patch2: mod_security-2.9.3-remote-rules-timeout.patch
+# Security patches
+Patch100: mod_security-2.9.6-CVE-2025-47947.patch
+Patch101: mod_security-2.9.6-CVE-2025-48866.patch
+
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 %if 0%{?fedora} || 0%{?rhel} > 7
 # Ensure apache user exists for file ownership
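Review bot: SOURCES/mod_security-2.9.6-CVE-2025-48866.patch cannot be applied or built on its own, because its re_actions.c hunk uses `arg->marked_for_sanitization`, a field that only the CVE-2025-47947 patch adds to modsecurity.h and initialises. The spec lists Patch100 before Patch101, which gives the right order, but nothing records the dependency; a comment above the two entries such as `# Patch101 depends on Patch100 (marked_for_sanitization field); keep both, in this order` would stop a later rebase from dropping or reordering one of them. The upstream hunk is positioned at line 1455 of a tree identified by index 4a922d27f, which may not match the 2.9.6 tarball, so it is worth checking in the build log that it lands in `msre_action_sanitizeArg_execute` without fuzz; only part of that function is inside the hunk.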
@@ -143,6 +147,14 @@ install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
 %endif
 %changelog
+* Tue Aug 19 2025 Luboš Uhliarik - 2.9.6-3
+- Resolves: RHEL-100098 - mod_security: ModSecurity Denial of Service
+ Vulnerability (CVE-2025-48866)
+
+* Mon Aug 18 2025 Luboš Uhliarik - 2.9.6-2
+- Resolves: RHEL-93014 - mod_security: ModSecurity Has Possible DoS
+ Vulnerability (CVE-2025-47947)
+
 * Wed Nov 16 2022 Luboš Uhliarik - 2.9.6-1
 - new version 2.9.6
 - Resolves: #2143211 - [RFE] upgrade mod_security to 2.9.6