From 735b19cf5d6f383cfaa95e42abd5e116bea59c27 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Thu, 2 Nov 2023 10:20:55 +0800 Subject: [PATCH 1/2] fix CVE-2023-31122 --- ...ort-CVE-2023-31122-out-of-bound-Read.patch | 28 +++++++++++++++++++ httpd.spec | 9 +++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-31122-out-of-bound-Read.patch diff --git a/backport-CVE-2023-31122-out-of-bound-Read.patch b/backport-CVE-2023-31122-out-of-bound-Read.patch new file mode 100644 index 0000000..aebeaeb --- /dev/null +++ b/backport-CVE-2023-31122-out-of-bound-Read.patch @@ -0,0 +1,28 @@ +From c41eb3b14a3d1eb2e3c42c4728cc52a22748851a Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 16 Oct 2023 06:39:44 +0000 +Subject: [PATCH] mod_macro: out of bounds Read + +Conflict:NA +Reference:https://github.com/apache/httpd/commit/c41eb3b14a3d1eb2e3c42c4728cc52a22748851a + +--- + modules/core/mod_macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/core/mod_macro.c b/modules/core/mod_macro.c +index 04af43b..cc42d0b 100644 +--- a/modules/core/mod_macro.c ++++ b/modules/core/mod_macro.c +@@ -465,7 +465,7 @@ static const char *process_content(apr_pool_t * pool, + for (i = 0; i < contents->nelts; i++) { + const char *errmsg; + /* copy the line and substitute macro parameters */ +- strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1); ++ apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN); + errmsg = substitute_macro_args(line, MAX_STRING_LEN, + macro, replacements, used); + if (errmsg) { +-- +2.23.0 + diff --git a/httpd.spec b/httpd.spec index 36121a8..020a373 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.51 -Release: 18 +Release: 19 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -108,6 +108,7 @@ Patch54: backport-Fix-double-encoding-of-the-uri-path-of-the-request.pa Patch55: backport-do-not-match-the-extention-against-possible-query-string.patch Patch56: backport-Do-not-double-encode-encoded-slashes.patch Patch57: backport-Check-before-forwarding-that-a-nocanon-path-has-not-been-rewritten.patch +Patch58: backport-CVE-2023-31122-out-of-bound-Read.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -544,6 +545,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Thu Nov 02 2023 chengyechun - 2.4.51-19 +- Type:CVE +- ID:CVE-2023-31122 +- SUG:NA +- DESC:fix CVE-2023-31122 + * Wed Aug 09 2023 panchenbo - 2.4.51-18 - Type:bugfix - ID: -- Gitee From 582813ecea11765123a41bcbf8c15d88f68f66b3 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Thu, 2 Nov 2023 15:15:56 +0800 Subject: [PATCH 2/2] fix CVE-2023-45802 --- ...02-improved-early-cleanup-of-streams.patch | 141 ++++++++++++++++++ httpd.spec | 9 +- 2 files changed, 149 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch diff --git a/backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch b/backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch new file mode 100644 index 0000000..c36c830 --- /dev/null +++ b/backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch @@ -0,0 +1,141 @@ +From decce82a706abd78dfc32821a03ad93841d7758a Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 16 Oct 2023 09:05:00 +0000 +Subject: [PATCH] mod_http2: improved early cleanup of streams + +Conflict:Some features of mod_http2 are added and most code of mod_http2 +is reconstructed in the pre-patch(9767274b884). Therefore, the pre-patch +is not integrated. As a result, We need context adaptation. +Reference:https://github.com/apache/httpd/commit/decce82a706abd78dfc32821a03ad93841d7758a + +--- + changes-entries/h2_cleanup.txt. | 2 ++ + modules/http2/h2_mplx.c | 26 ++++++++++++++++++++++---- + modules/http2/h2_mplx.h | 3 ++- + modules/http2/h2_session.c | 18 +++++++++++++++++- + modules/http2/h2_stream.c | 2 +- + 5 files changed, 44 insertions(+), 7 deletions(-) + create mode 100644 changes-entries/h2_cleanup.txt. + +diff --git a/changes-entries/h2_cleanup.txt. b/changes-entries/h2_cleanup.txt. +new file mode 100644 +index 0000000..d330b6a +--- /dev/null ++++ b/changes-entries/h2_cleanup.txt. +@@ -0,0 +1,2 @@ ++* mod_http2: import early cleanup of streams ++ [Stefan Eissing] +diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c +index e02ad4e..db8db8a 100644 +--- a/modules/http2/h2_mplx.c ++++ b/modules/http2/h2_mplx.c +@@ -1158,14 +1158,32 @@ static int reset_is_acceptable(h2_stream *stream) + return 1; /* otherwise, be forgiving */ + } + +-apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id) ++apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id, h2_stream *stream) + { +- h2_stream *stream; + apr_status_t status = APR_SUCCESS; ++ int registered; + + H2_MPLX_ENTER_ALWAYS(m); +- stream = h2_ihash_get(m->streams, stream_id); +- if (stream && !reset_is_acceptable(stream)) { ++ registered = (h2_ihash_get(m->streams, stream_id) != Null); ++ if (!stream) { ++ /* a RST might arrive so late, we have already forgotten ++ * about it. Seems ok. */ ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1, ++ H2_MPLX_MSG(m, "RST on unknown stream %d"), stream_id); ++ AP_DEBUG_ASSERT(!registered); ++ } ++ else if (!registered) { ++ /* a RST on a stream that mplx has not been told about, but ++ * which the session knows. Very early and annoying. */ ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1, ++ H2_STRM_MSG(stream, "very earyly RST, drop")); ++ h2_stream_set_monior(stream, NULL); ++ h2_stream_rst(stream, H2_ERR_STREAM_CLOSED); ++ h2_stream_dispatch(stream, H2_SEV_EOS_SENT); ++ m_stream_cleanup(m, stream); ++ m_be_annoyed(m); ++ } ++ else if (!reset_is_acceptable(stream)) { + status = m_be_annoyed(m); + } + H2_MPLX_LEAVE(m); +diff --git a/modules/http2/h2_mplx.h b/modules/http2/h2_mplx.h +index c61629d..4a05de2 100644 +--- a/modules/http2/h2_mplx.h ++++ b/modules/http2/h2_mplx.h +@@ -187,7 +187,8 @@ typedef int h2_mplx_stream_cb(struct h2_stream *s, void *ctx); + + apr_status_t h2_mplx_m_stream_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx); + +-apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id); ++apr_status_t h2_mplx_m_client_rst(h2_mplx *m, int stream_id, ++ struct h2_stream *stream); + + /** + * Master connection has entered idle mode. +diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c +index dc883b5..afd9edb 100644 +--- a/modules/http2/h2_session.c ++++ b/modules/http2/h2_session.c +@@ -391,6 +391,10 @@ static int on_frame_recv_cb(nghttp2_session *ng2s, + session->id, (int)frame->hd.stream_id, + (int)frame->rst_stream.error_code); + stream = get_stream(session, frame->hd.stream_id); ++ if (stream) { ++ rv = h2_stream_recv_frame(stream, NGHTTP2_RST_STREAM, frame->hd.flags, ++ frame->hd.length + H2_FRAME_HDR_LEN); ++ } + if (stream && stream->initiated_on) { + /* A stream reset on a request we sent it. Normal, when the + * client does not want it. */ +@@ -399,7 +403,8 @@ static int on_frame_recv_cb(nghttp2_session *ng2s, + else { + /* A stream reset on a request it sent us. Could happen in a browser + * when the user navigates away or cancels loading - maybe. */ +- h2_mplx_m_client_rst(session->mplx, frame->hd.stream_id); ++ h2_mplx_m_client_rst(session->mplx, frame->hd.stream_id, ++ stream); + ++session->streams_reset; + } + break; +@@ -780,6 +785,17 @@ static apr_status_t session_cleanup(h2_session *session, const char *trigger) + "goodbye, clients will be confused, should not happen")); + } + ++ if (!h2_iq_empty(seesion->ready_to_process)) { ++ int sid; ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ H2_SSSN_LOG(APLOG(), session, ++ "cleanup, resetting %d streams in ready-to-process"), ++ h2_iq_count(session->ready_to_process)); ++ while ((sid = h2_iq_shift(session->ready_to_process)) > 0) { ++ h2_mplx_m_client_rst(session->mplx, sid, get_stream(session, sid)); ++ } ++ } ++ + transit(session, trigger, H2_SESSION_ST_CLEANUP); + h2_mplx_m_release_and_join(session->mplx, session->iowait); + session->mplx = NULL; +diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c +index 4fec537..49d89cb 100644 +--- a/modules/http2/h2_stream.c ++++ b/modules/http2/h2_stream.c +@@ -120,7 +120,7 @@ static int trans_on_event[][H2_SS_MAX] = { + { S_XXX, S_ERR, S_ERR, S_CL_L, S_CLS, S_XXX, S_XXX, S_XXX, },/* EV_CLOSED_L*/ + { S_ERR, S_ERR, S_ERR, S_CL_R, S_ERR, S_CLS, S_NOP, S_NOP, },/* EV_CLOSED_R*/ + { S_CLS, S_CLS, S_CLS, S_CLS, S_CLS, S_CLS, S_NOP, S_NOP, },/* EV_CANCELLED*/ +-{ S_NOP, S_XXX, S_XXX, S_XXX, S_XXX, S_CLS, S_CLN, S_XXX, },/* EV_EOS_SENT*/ ++{ S_NOP, S_XXX, S_XXX, S_XXX, S_XXX, S_CLS, S_CLN, S_NOP, },/* EV_EOS_SENT*/ + }; + + static int on_map(h2_stream_state_t state, int map[H2_SS_MAX]) +-- +2.23.0 + diff --git a/httpd.spec b/httpd.spec index 020a373..73fbdd8 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.51 -Release: 19 +Release: 20 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -109,6 +109,7 @@ Patch55: backport-do-not-match-the-extention-against-possible-query-str Patch56: backport-Do-not-double-encode-encoded-slashes.patch Patch57: backport-Check-before-forwarding-that-a-nocanon-path-has-not-been-rewritten.patch Patch58: backport-CVE-2023-31122-out-of-bound-Read.patch +Patch59: backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -545,6 +546,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Thu Nov 02 2023 chengyechun - 2.4.51-20 +- Type:CVE +- ID:CVE-2023-45802 +- SUG:NA +- DESC:fix CVE-2023-45802 + * Thu Nov 02 2023 chengyechun - 2.4.51-19 - Type:CVE - ID:CVE-2023-31122 -- Gitee