From 7bec448cb8b29185ff91c04332fc9c32e6ccb3cc Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date: Tue, 2 Jul 2024 03:00:50 +0300
Subject: [PATCH] import httpd-2.4.37-65.module+el8.10.0+21982+14717793

---
 SOURCES/httpd-2.4.37-CVE-2023-31122.patch | 11 ++++
 SOURCES/httpd-2.4.37-CVE-2023-38709.patch | 74 +++++++++++++++++++++++
 SOURCES/httpd-2.4.57-r1884505+.patch      | 39 ++++++++++++
 SPECS/httpd.spec                          | 23 ++++++-
 4 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/httpd-2.4.37-CVE-2023-31122.patch
 create mode 100644 SOURCES/httpd-2.4.37-CVE-2023-38709.patch
 create mode 100644 SOURCES/httpd-2.4.57-r1884505+.patch

diff --git a/SOURCES/httpd-2.4.37-CVE-2023-31122.patch b/SOURCES/httpd-2.4.37-CVE-2023-31122.patch
new file mode 100644
index 0000000..c2aa207
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2023-31122.patch
@@ -0,0 +1,11 @@
+--- a/modules/core/mod_macro.c	2023/10/16 06:19:16	1912992
++++ b/modules/core/mod_macro.c	2023/10/16 06:38:32	1912993
+@@ -483,7 +483,7 @@
+     for (i = 0; i < contents->nelts; i++) {
+         const char *errmsg;
+         /* copy the line and substitute macro parameters */
+-        strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1);
++        apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);
+         errmsg = substitute_macro_args(line, MAX_STRING_LEN,
+                                        macro, replacements, used);
+         if (errmsg) {
diff --git a/SOURCES/httpd-2.4.37-CVE-2023-38709.patch b/SOURCES/httpd-2.4.37-CVE-2023-38709.patch
new file mode 100644
index 0000000..53bbbd4
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2023-38709.patch
@@ -0,0 +1,74 @@
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 393343a..16cb23c 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1348,6 +1348,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+          */
+         apr_table_clear(r->headers_out);
+         apr_table_clear(r->err_headers_out);
++        r->content_type = r->content_encoding = NULL;
++        r->content_languages = NULL;
++        r->clength = r->chunked = 0;
+         apr_brigade_cleanup(b);
+ 
+         /* Don't recall ap_die() if we come back here (from its own internal
+@@ -1364,8 +1367,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+         APR_BRIGADE_INSERT_TAIL(b, e);
+         e = apr_bucket_eos_create(c->bucket_alloc);
+         APR_BRIGADE_INSERT_TAIL(b, e);
+-        r->content_type = r->content_encoding = NULL;
+-        r->content_languages = NULL;
+         ap_set_content_length(r, 0);
+         recursive_error = 1;
+     }
+@@ -1392,6 +1393,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+     if (!apr_is_empty_table(r->err_headers_out)) {
+         r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
+                                            r->headers_out);
++        apr_table_clear(r->err_headers_out);
+     }
+ 
+     /*
+@@ -1411,6 +1413,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+         fixup_vary(r);
+     }
+ 
++
++    /*
++     * Control cachability for non-cacheable responses if not already set by
++     * some other part of the server configuration.
++     */
++    if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
++        char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
++        ap_recent_rfc822_date(date, r->request_time);
++        apr_table_addn(r->headers_out, "Expires", date);
++    }
++
+     /*
+      * Now remove any ETag response header field if earlier processing
+      * says so (such as a 'FileETag None' directive).
+@@ -1423,6 +1436,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+     basic_http_header_check(r, &protocol);
+     ap_set_keepalive(r);
+ 
++    /* 204/304 responses don't have content related headers */
+     if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
+         apr_table_unset(r->headers_out, "Transfer-Encoding");
+         apr_table_unset(r->headers_out, "Content-Length");
+@@ -1465,16 +1479,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+         apr_table_setn(r->headers_out, "Content-Language", field);
+     }
+ 
+-    /*
+-     * Control cachability for non-cacheable responses if not already set by
+-     * some other part of the server configuration.
+-     */
+-    if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+-        char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+-        ap_recent_rfc822_date(date, r->request_time);
+-        apr_table_addn(r->headers_out, "Expires", date);
+-    }
+-
+     /* This is a hack, but I can't find anyway around it.  The idea is that
+      * we don't want to send out 0 Content-Lengths if it is a head request.
+      * This happens when modules try to outsmart the server, and return
diff --git a/SOURCES/httpd-2.4.57-r1884505+.patch b/SOURCES/httpd-2.4.57-r1884505+.patch
new file mode 100644
index 0000000..97bc6a8
--- /dev/null
+++ b/SOURCES/httpd-2.4.57-r1884505+.patch
@@ -0,0 +1,39 @@
+# ./pullrev.sh 1884505 1915625
+http://svn.apache.org/viewvc?view=revision&revision=1884505
+http://svn.apache.org/viewvc?view=revision&revision=1915625
+
+--- httpd-2.4.57/modules/filters/mod_xml2enc.c
++++ httpd-2.4.57/modules/filters/mod_xml2enc.c
+@@ -329,7 +329,7 @@
+     apr_bucket* bstart;
+     apr_size_t insz = 0;
+     int pending_meta = 0;
+-    char *ctype;
++    char *mtype;
+     char *p;
+ 
+     if (!ctx || !f->r->content_type) {
+@@ -338,13 +338,17 @@
+         return ap_pass_brigade(f->next, bb) ;
+     }
+ 
+-    ctype = apr_pstrdup(f->r->pool, f->r->content_type);
+-    for (p = ctype; *p; ++p)
+-        if (isupper(*p))
+-            *p = tolower(*p);
++    /* Extract the media type, ignoring parameters in content-type. */
++    mtype = apr_pstrdup(f->r->pool, f->r->content_type);
++    if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
++    ap_str_tolower(mtype);
+ 
+-    /* only act if starts-with "text/" or contains "xml" */
+-    if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml"))  {
++    /* Accept text/ types, plus any XML media type per RFC 7303. */
++    if (!(strncmp(mtype, "text/", 5) == 0
++          || strcmp(mtype, "application/xml") == 0
++          || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
++              && (p = strstr(mtype, "+xml")) != NULL
++              && strlen(p) == 4 /* ensures +xml is a suffix */))) {
+         ap_remove_output_filter(f);
+         return ap_pass_brigade(f->next, bb) ;
+     }
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index a3ce992..2b2e7a0 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 62%{?dist}
+Release: 65%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@@ -169,6 +169,8 @@ Patch91: httpd-2.4.37-add-SNI-support.patch
 Patch92: httpd-2.4.37-mod_status-duplicate-key.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2221083
 Patch93: httpd-2.4.37-r1885607.patch
+# https://issues.redhat.com/browse/RHEL-14321
+Patch94: httpd-2.4.57-r1884505+.patch
 
 # Security fixes
 Patch200: httpd-2.4.37-r1851471.patch
@@ -254,6 +256,10 @@ Patch237: httpd-2.4.37-CVE-2022-36760.patch
 Patch238: httpd-2.4.37-CVE-2023-25690.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2176211
 Patch239: httpd-2.4.37-CVE-2023-27522.patch
+# https://issues.redhat.com/browse/RHEL-14448
+Patch240: httpd-2.4.37-CVE-2023-31122.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2273491
+Patch241: httpd-2.4.37-CVE-2023-38709.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -437,6 +443,7 @@ interface for storing and accessing per-user session data.
 %patch91 -p1 -b .SNI
 %patch92 -p1 -b .mod_status-dupl
 %patch93 -p1 -b .r1885607
+%patch94 -p1 -b .r1884505+
 
 %patch200 -p1 -b .r1851471
 %patch201 -p1 -b .CVE-2019-0211
@@ -478,6 +485,8 @@ interface for storing and accessing per-user session data.
 %patch237 -p1 -b .CVE-2022-36760
 %patch238 -p1 -b .CVE-2023-25690
 %patch239 -p1 -b .CVE-2023-27522
+%patch240 -p1 -b .CVE-2023-31122
+%patch241 -p1 -b .CVE-2023-38709
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -983,6 +992,18 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Jun 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65
+- Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response
+  splitting (CVE-2023-38709)
+
+* Fri Feb 16 2024 Joe Orton <jorton@redhat.com> - 2.4.37-64
+- Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read
+  vulnerability (CVE-2023-31122)
+
+* Wed Feb 14 2024 Joe Orton <jorton@redhat.com> - 2.4.37-63
+- mod_xml2enc: fix media type handling
+  Resolves: RHEL-14321
+
 * Thu Aug 17 2023 Johnny Hughes <jhughes@redhat.com> - 2.4.37-62
 - change for CentOS Stream Branding