diff --git a/backport-CVE-2006-20001.patch b/backport-CVE-2006-20001.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fb6688e48588e99df2dc7afd2916eb422c6e4f8b
--- /dev/null
+++ b/backport-CVE-2006-20001.patch
@@ -0,0 +1,35 @@
+From b00b92bb9d1497414abf6ca1b679bcc8ad32a443 Mon Sep 17 00:00:00 2001
+From: notroj
+Date: Mon, 9 Jan 2023 08:07:58 PM GMT+0800
+Subject: [PATCH] modules/dav/main/util(dav_process_if_header):Fix error
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/b00b92bb9d1497414abf6ca1b679bcc8ad32a443
+
+---
+ modules/dav/main/util.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
+index 08ebe27..2a2c7aa 100644
+--- a/modules/dav/main/util.c
++++ b/modules/dav/main/util.c
+@@ -756,8 +756,14 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
+ "for the same state.");
+ }
+ condition = DAV_IF_COND_NOT;
++ list += 2;
++ }
++ else {
++ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
++ DAV_ERR_IF_UNK_CHAR, 0,
++ "Invaild \"If:\" header: "
++ "Unexpected character in List");
+ }
+- list += 2;
+ break;
+
+ case ' ':
+--
+2.23.0
+
diff --git a/backport-CVE-2022-36760.patch b/backport-CVE-2022-36760.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3964d3b66ce6c24d099beff8604cc634dd3c49cd
--- /dev/null
+++ b/backport-CVE-2022-36760.patch
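Review bot: The error string added in the new `else` branch of backport-CVE-2006-20001.patch is misspelled: `"Invaild \"If:\" header: "` should read `"Invalid \"If:\" header: "`. This is the description attached to the HTTP_BAD_REQUEST error, so it is runtime text, and anything that matches on the message (log searches, tests, client handling) would presumably miss this case if the other If-header errors in the function use the correct spelling. The pointer change itself reads correctly: `list += 2` now runs only inside the branch whose condition (above the hunk) has accepted the following characters, and every other `N` is rejected rather than skipped over. dav_process_if_header starts and ends outside the hunk.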
@@ -0,0 +1,28 @@
+From 5efc9507c487c37dfe2a279a4a0335cad701cd5f Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Tue, 10 Jan 2023 09:19:03 PM GMT+0800
+Subject: [PATCH] mod_proxy_ajp:cleanup on error
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/5efc9507c487c37dfe2a279a4a0335cad701cd5f
+
+---
+ modules/proxy/mod_proxy_ajp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index a77a86b..89da918 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -256,6 +256,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
+ "%s Transfer-Encoding is not supported",
+ tenc);
++ /* We had a failure : Close connection to backend */
++ conn->close = 1;
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ } else {
+--
+2.23.0
+
diff --git a/backport-CVE-2022-37436.patch b/backport-CVE-2022-37436.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f73a40d16c3acaa3b414a7c5a1f1620400554b34
--- /dev/null
+++ b/backport-CVE-2022-37436.patch
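Review bot: The comment added in ap_proxy_ajp_request (backport-CVE-2022-36760.patch), `/* We had a failure : Close connection to backend */`, restates the assignment below it but not why this path needs it. Since the request is rejected for an unsupported Transfer-Encoding, the point is presumably that its framing is unknown and the backend connection must not be reused; I would say that, e.g. `/* Unsupported Transfer-Encoding: request framing is unknown, so never reuse this backend connection */`. It is also worth confirming, outside this hunk, that the function's other early error returns set `conn->close` in the same way. The function body starts and ends outside the hunk.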
@@ -0,0 +1,128 @@
+From 2192bd4200083a0d20bf601c2fc9d635e7e4dbfc Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Tue, 10 Jan 2023 09:18:42 PM GMT+0800
+Subject: [PATCH] mod_proxy_http:fail on bad header
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/2192bd4200083a0d20bf601c2fc9d635e7e4dbfc
+
+---
+ modules/proxy/mod_proxy_http.c | 46 ++++++++++++++++++++--------------
+ server/protocol.c | 2 ++
+ 2 files changed, 29 insertions(+), 19 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 3e5c056..2c374e7 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -792,7 +792,7 @@ static void process_proxy_header(request_rec *r, proxy_dir_conf *c,
+ * any sense at all, since we depend on buffer still containing
+ * what was read by ap_getline() upon return.
+ */
+-static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
++static apr_status_t ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ char *buffer, int size,
+ conn_rec *c, int *pread_len)
+ {
+@@ -824,19 +824,26 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ rc = ap_proxygetline(tmp_bb, buffer, size, rr,
+ AP_GETLINE_FOLD | AP_GETLINE_NOSPC_EOL, &len);
+
+- if (len <= 0)
+- break;
+
+- if (APR_STATUS_IS_ENOSPC(rc)) {
+- /* The header could not fit in the provided buffer, warn.
+- * XXX: falls through with the truncated header, 5xx instead?
+- */
+- int trunc = (len > 128 ? 128 : len) / 2;
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
+- "header size is over the limit allowed by "
+- "ResponseFieldSize (%d bytes). "
+- "Bad response header: '%.*s[...]%s'",
+- size, trunc, buffer, buffer + len - trunc);
++ if (rc != APR_SUCCESS) {
++ if (APR_STATUS_IS_ENOSPC(rc)) {
++ int trunc = (len > 128 ? 128 : len) / 2;
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
++ "header size is over the limit allowed by "
++ "ResponseFieldSize (%d bytes). "
++ "Bad response header: '%.*s[...]%s'",
++ size, trunc, buffer, buffer + len - trunc);
++ }
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404)
++ "Error reading headers from backend");
++ }
++ r->headers_out = NULL;
++ return rc;
++ }
++
++ if (len <= 0) {
++ break;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer);
+@@ -859,7 +866,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ if (psc->badopt == bad_error) {
+ /* Nope, it wasn't even an extra HTTP header. Give up. */
+ r->headers_out = NULL;
+- return;
++ return APR_EINVAL;
+ }
+ else if (psc->badopt == bad_body) {
+ /* if we've already started loading headers_out, then
+@@ -873,13 +880,13 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ "in headers returned by %s (%s)",
+ r->uri, r->method);
+ *pread_len = len;
+- return;
++ return APR_SUCCESS;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099)
+ "No HTTP headers returned by %s (%s)",
+ r->uri, r->method);
+- return;
++ return APR_SUCCESS;
+ }
+ }
+ }
+@@ -909,6 +916,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ process_proxy_header(r, dconf, buffer, value);
+ saw_headers = 1;
+ }
++ return APR_SUCCESS;
+ }
+
+
+@@ -1207,10 +1215,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req)
+ "Set-Cookie", NULL);
+
+ /* shove the headers direct into r->headers_out */
+- ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
+- origin, &pread_len);
++ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
++ origin, &pread_len);
+
+- if (r->headers_out == NULL) {
++ if (rc != APR_SUCCESS || r->headers_out == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106)
+ "bad HTTP/%d.%d header returned by %s (%s)",
+ major, minor, r->uri, r->method);
+diff --git a/server/protocol.c b/server/protocol.c
+index 7adc7f7..fa9f3f8 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -508,6 +508,8 @@ cleanup:
+ /* PR#43039: We shouldn't accept NULL bytes within the line */
+ bytes_handled = strlen(*s);
+ if (bytes_handled < *read) {
++ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf,
++ "NULL bytes in headers", *s, *read, 0);
+ *read = bytes_handled;
+ if (rv == APR_SUCCESS) {
+ rv = APR_EINVAL;
+--
+2.23.0
+
diff --git a/httpd.spec b/httpd.spec
index f6083180be03c1da264017f2cffda159015fe64b..dce436f4f828e7cce2027ec72da4e059b2b41cdf 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.51 -Release: 11 +Release: 12 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -94,6 +94,9 @@ Patch40: backport-fix-lua-request-with-cast-first.patch Patch41: backport-Handle-children-killed-pathologically.patch Patch42: backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch Patch43: backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch +Patch44: backport-CVE-2022-36760.patch +Patch45: backport-CVE-2006-20001.patch +Patch46: backport-CVE-2022-37436.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -526,7 +529,13 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Mon Dec 12 2022 chengyehcun - 2.4.51-11 +* Mon Jan 30 2023 chengyechun - 2.4.51-12 +- Type:CVE +- ID:CVE-2022-36760, CVE-2006-20001, CVE-2022-37436 +- SUG:restart +- DESC:fix CVE-2022-36760,CVE-2006-20001,CVE-2022-37436 + +* Mon Dec 12 2022 chengyechun - 2.4.51-11 - Type:bugfix - ID:NA - SUG:restart
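Review bot: In ap_proxy_http_process_response (backport-CVE-2022-37436.patch, inner hunk at -1207) the widened check `rc != APR_SUCCESS || r->headers_out == NULL` still logs APLOGNO(01106) with a status argument of `0`, so the reason now carried in `rc` is dropped from the line operators see first. Passing it through, `ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(01106)`, would let them tell an over-long header (the ENOSPC branch) from the `APR_EINVAL` returned for `bad_error`, or any other read failure. The comment block above ap_proxy_read_headers should also state the new return contract: every non-success return leaves `r->headers_out` NULL, while the two `bad_body` paths still return APR_SUCCESS. Both functions continue outside the hunks shown.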