Merge branch '8c-stream-2.4-tmp' with version 2.4.37-56.7 into i8-stream-2.4

1 year ago · 3827446d2b
parent 03d3e52bb0 afa426fd2b
commit 3827446d2b
2 changed files with 103 additions and 1 deletions
--- a/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
@ -0,0 +1,89 @@
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index 9dcbed1..a1b564d 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+     pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
+ 
+     len = ap_getline(buffer, sizeof(buffer), rp, 1);
+-
+     if (len <= 0) {
+-        /* oops */
+        /* invalid or empty */
+         return HTTP_INTERNAL_SERVER_ERROR;
+     }
+-
+     backend->worker->s->read += len;
+-
+-    if (len >= sizeof(buffer) - 1) {
+-        /* oops */
+    if ((apr_size_t)len >= sizeof(buffer)) {
+        /* too long */
+         return HTTP_INTERNAL_SERVER_ERROR;
+     }
+
+     /* Position of http status code */
+     if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
+         status_start = 9;
+@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+         status_start = 7;
+     }
+     else {
+-        /* oops */
+-        return HTTP_INTERNAL_SERVER_ERROR;
+        /* not HTTP */
+        return HTTP_BAD_GATEWAY;
+     }
+     status_end = status_start + 3;
+ 
+@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+     }
+     r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
+ 
+-    /* start parsing headers */
+    /* parse headers */
+     while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+        if ((apr_size_t)len >= sizeof(buffer)) {
+            /* too long */
+            len = -1;
+            break;
+        }
+         value = strchr(buffer, ':');
+-        /* invalid header skip */
+-        if (!value)
+-            continue;
+-        *value = '\0';
+-        ++value;
+        if (!value) {
+            /* invalid header */
+            len = -1;
+            break;
+        }
+        *value++ = '\0';
+        if (*ap_scan_http_token(buffer)) {
+            /* invalid name */
+            len = -1;
+            break;
+        }
+         while (apr_isspace(*value))
+             ++value;
+         for (end = &value[strlen(value) - 1];
+              end > value && apr_isspace(*end); --end)
+             *end = '\0';
+        if (*ap_scan_http_field_content(value)) {
+            /* invalid value */
+            len = -1;
+            break;
+        }
+         apr_table_add(r->headers_out, buffer, value);
+     }
+    if (len < 0) {
+        /* Reset headers, but not to NULL because things below the chain expect
+         * this to be non NULL e.g. the ap_content_length_filter.
+         */
+        r->headers_out = apr_table_make(r->pool, 1);
+        return HTTP_BAD_GATEWAY;
+    }
+ 
+     if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+         ap_set_content_type(r, apr_pstrdup(r->pool, buf));
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 56%{?dist}.6.inferit
+Release: 56%{?dist}.7.inferit
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -248,6 +248,8 @@ Patch236: httpd-2.4.37-CVE-2006-20001.patch
 Patch237: httpd-2.4.37-CVE-2022-36760.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2176209
 Patch238: httpd-2.4.37-CVE-2023-25690.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2176211
+Patch239: httpd-2.4.37-CVE-2023-27522.patch

 License: ASL 2.0
 Group: System Environment/Daemons
@ -469,6 +471,7 @@ interface for storing and accessing per-user session data.
 %patch236 -p1 -b .CVE-2006-20001
 %patch237 -p1 -b .CVE-2022-36760
 %patch238 -p1 -b .CVE-2023-25690
+%patch239 -p1 -b .CVE-2023-27522

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -976,6 +979,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue Dec 19 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2.4.37-56.7.inferit
+- Update to version 2.4.37-56.7
+
 * Tue Dec 19 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2.4.37-56.6.inferit
 - Update to version 2.4.37-56.6

@ -983,6 +989,13 @@ rm -rf $RPM_BUILD_ROOT
 - MSVSphere changes, symlinking and creating alias for test-page-background.png (by Alexey Lyubimov <a.lyubimov@msvsphere-os.ru>)
 - Rebuilt for MSVSphere 8.8

+* Sun Dec 10 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.4.37-56.6
+- Rebuilt for MSVSphere 8.8
+
+* Wed Aug 30 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.7
+- Resolves: #2236177 - CVE-2023-27522 httpd:2.4/httpd: mod_proxy_uwsgi HTTP
+  response splitting
+
 * Thu Apr 27 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.6
 - Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690