Merge branch '8c-stream-2.4-tmp' with version 2.4.37-56.7 into i8-stream-2.4

i8-stream-2.4 changed/i8-stream-2.4/httpd-2.4.37-56.module+el8.8.0+19808+379766d6.7.inferit
Sergey Cherevko 1 year ago
commit 3827446d2b
Signed by: scherevko
GPG Key ID: D87CBBC16D2E4A72

@ -0,0 +1,89 @@
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 9dcbed1..a1b564d 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
len = ap_getline(buffer, sizeof(buffer), rp, 1);
-
if (len <= 0) {
- /* oops */
+ /* invalid or empty */
return HTTP_INTERNAL_SERVER_ERROR;
}
-
backend->worker->s->read += len;
-
- if (len >= sizeof(buffer) - 1) {
- /* oops */
+ if ((apr_size_t)len >= sizeof(buffer)) {
+ /* too long */
return HTTP_INTERNAL_SERVER_ERROR;
}
+
/* Position of http status code */
if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
status_start = 9;
@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
status_start = 7;
}
else {
- /* oops */
- return HTTP_INTERNAL_SERVER_ERROR;
+ /* not HTTP */
+ return HTTP_BAD_GATEWAY;
}
status_end = status_start + 3;
@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
}
r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
- /* start parsing headers */
+ /* parse headers */
while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+ if ((apr_size_t)len >= sizeof(buffer)) {
+ /* too long */
+ len = -1;
+ break;
+ }
value = strchr(buffer, ':');
- /* invalid header skip */
- if (!value)
- continue;
- *value = '\0';
- ++value;
+ if (!value) {
+ /* invalid header */
+ len = -1;
+ break;
+ }
+ *value++ = '\0';
+ if (*ap_scan_http_token(buffer)) {
+ /* invalid name */
+ len = -1;
+ break;
+ }
while (apr_isspace(*value))
++value;
for (end = &value[strlen(value) - 1];
end > value && apr_isspace(*end); --end)
*end = '\0';
+ if (*ap_scan_http_field_content(value)) {
+ /* invalid value */
+ len = -1;
+ break;
+ }
apr_table_add(r->headers_out, buffer, value);
}
+ if (len < 0) {
+ /* Reset headers, but not to NULL because things below the chain expect
+ * this to be non NULL e.g. the ap_content_length_filter.
+ */
+ r->headers_out = apr_table_make(r->pool, 1);
+ return HTTP_BAD_GATEWAY;
+ }
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(r->pool, buf));

@ -13,7 +13,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.37 Version: 2.4.37
Release: 56%{?dist}.6.inferit Release: 56%{?dist}.7.inferit
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate Source2: httpd.logrotate
@ -248,6 +248,8 @@ Patch236: httpd-2.4.37-CVE-2006-20001.patch
Patch237: httpd-2.4.37-CVE-2022-36760.patch Patch237: httpd-2.4.37-CVE-2022-36760.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209 # https://bugzilla.redhat.com/show_bug.cgi?id=2176209
Patch238: httpd-2.4.37-CVE-2023-25690.patch Patch238: httpd-2.4.37-CVE-2023-25690.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2176211
Patch239: httpd-2.4.37-CVE-2023-27522.patch
License: ASL 2.0 License: ASL 2.0
Group: System Environment/Daemons Group: System Environment/Daemons
@ -469,6 +471,7 @@ interface for storing and accessing per-user session data.
%patch236 -p1 -b .CVE-2006-20001 %patch236 -p1 -b .CVE-2006-20001
%patch237 -p1 -b .CVE-2022-36760 %patch237 -p1 -b .CVE-2022-36760
%patch238 -p1 -b .CVE-2023-25690 %patch238 -p1 -b .CVE-2023-25690
%patch239 -p1 -b .CVE-2023-27522
# Patch in the vendor string # Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -976,6 +979,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Tue Dec 19 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2.4.37-56.7.inferit
- Update to version 2.4.37-56.7
* Tue Dec 19 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2.4.37-56.6.inferit * Tue Dec 19 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2.4.37-56.6.inferit
- Update to version 2.4.37-56.6 - Update to version 2.4.37-56.6
@ -983,6 +989,13 @@ rm -rf $RPM_BUILD_ROOT
- MSVSphere changes, symlinking and creating alias for test-page-background.png (by Alexey Lyubimov <a.lyubimov@msvsphere-os.ru>) - MSVSphere changes, symlinking and creating alias for test-page-background.png (by Alexey Lyubimov <a.lyubimov@msvsphere-os.ru>)
- Rebuilt for MSVSphere 8.8 - Rebuilt for MSVSphere 8.8
* Sun Dec 10 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.4.37-56.6
- Rebuilt for MSVSphere 8.8
* Wed Aug 30 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.7
- Resolves: #2236177 - CVE-2023-27522 httpd:2.4/httpd: mod_proxy_uwsgi HTTP
response splitting
* Thu Apr 27 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.6 * Thu Apr 27 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.6
- Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690 - Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690

Loading…
Cancel
Save