From f2147f9d24498705026650136db1c8b126dc3edd Mon Sep 17 00:00:00 2001 From: eaglegai Date: Tue, 28 Sep 2021 14:33:59 +0800 Subject: [PATCH] fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438 --- backport-001-CVE-2021-40438.patch | 51 +++++++++++++ backport-002-CVE-2021-40438.patch | 115 ++++++++++++++++++++++++++++++ backport-CVE-2021-34798.patch | 33 +++++++++ backport-CVE-2021-36160.patch | 65 +++++++++++++++++ httpd.spec | 12 +++- 5 files changed, 275 insertions(+), 1 deletion(-) create mode 100644 backport-001-CVE-2021-40438.patch create mode 100644 backport-002-CVE-2021-40438.patch create mode 100644 backport-CVE-2021-34798.patch create mode 100644 backport-CVE-2021-36160.patch diff --git a/backport-001-CVE-2021-40438.patch b/backport-001-CVE-2021-40438.patch new file mode 100644 index 0000000..824addd --- /dev/null +++ b/backport-001-CVE-2021-40438.patch @@ -0,0 +1,51 @@ +From 496c863776c68bd08cdbeb7d8fa5935ba63b76c2 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Fri, 3 Sep 2021 16:52:38 +0000 +Subject: [PATCH] Merge r1892814, r1892853 from trunk: + +mod_proxy: Faster unix socket path parsing in the "proxy:" URL. + +The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to +strstr(,"unix:") since it's at the start of the string. + + +mod_proxy: Follow up to r1892814. + +Save some few cycles in ap_proxy_de_socketfy() too. + + +Submitted by: ylavic +Reviewed by: ylavic, covener, rpluem + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892874 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/mod_proxy.c | 2 +- + modules/proxy/proxy_util.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + create mode 100644 changes-entries/fix_uds_filename.txt + +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -1703,7 +1703,7 @@ PROXY_DECLARE(const char *) ap_proxy_de_ + * the UDS path... ignore it + */ + if (!strncasecmp(url, "unix:", 5) && +- ((ptr = ap_strchr_c(url, '|')) != NULL)) { ++ ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) { + /* move past the 'unix:...|' UDS path info */ + const char *ret, *c; + +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -2094,8 +2094,8 @@ static void fix_uds_filename(request_rec + if (!r || !r->filename) return; + + if (!strncmp(r->filename, "proxy:", 6) && +- (ptr2 = ap_strcasestr(r->filename, "unix:")) && +- (ptr = ap_strchr(ptr2, '|'))) { ++ !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) && ++ (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) { + apr_uri_t urisock; + apr_status_t rv; + *ptr = '\0'; diff --git a/backport-002-CVE-2021-40438.patch b/backport-002-CVE-2021-40438.patch new file mode 100644 index 0000000..9f78ba1 --- /dev/null +++ b/backport-002-CVE-2021-40438.patch @@ -0,0 +1,115 @@ +From d4901cb32133bc0e59ad193a29d1665597080d67 Mon Sep 17 00:00:00 2001 +From: Ruediger Pluem +Date: Wed, 8 Sep 2021 07:00:09 +0000 +Subject: [PATCH] Merge r1892986, r1892987 from trunk: + +mod_proxy: Follow up to r1892814. + +* modules/proxy/proxy_util.c(fix_uds_filename): + Sanity checks on the configured UDS path, fail with 500 if invalid since + continuing through proxy processing wouldn't work as expected. + + + +mod_proxy: Follow up to r1892986: APLOGNO() + +Stefan get out of this body! :) + + +Submitted by: ylavic +Reviewed by: rpluem, ylavic, covener + +Github: closes #265 + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893101 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/proxy_util.c | 55 +++++++++++++++++++++++--------------- + 1 files changed, 34 insertions(+), 21 deletions(-) + +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -2088,33 +2088,42 @@ static int ap_proxy_retry_worker(const c + * were passed a UDS url (eg: from mod_proxy) and adjust uds_path + * as required. + */ +-static void fix_uds_filename(request_rec *r, char **url) ++static int fix_uds_filename(request_rec *r, char **url) + { +- char *ptr, *ptr2; +- if (!r || !r->filename) return; ++ char *uds_url = r->filename + 6, *origin_url; + + if (!strncmp(r->filename, "proxy:", 6) && +- !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) && +- (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) { ++ !ap_cstr_casecmpn(uds_url, "unix:", 5) && ++ (origin_url = ap_strchr(uds_url + 5, '|'))) { ++ char *uds_path = NULL; ++ apr_size_t url_len; + apr_uri_t urisock; + apr_status_t rv; +- *ptr = '\0'; +- rv = apr_uri_parse(r->pool, ptr2, &urisock); +- if (rv == APR_SUCCESS) { +- char *rurl = ptr+1; +- char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path); +- apr_table_setn(r->notes, "uds_path", sockpath); +- *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */ +- /* r->filename starts w/ "proxy:", so add after that */ +- memmove(r->filename+6, rurl, strlen(rurl)+1); +- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, +- "*: rewrite of url due to UDS(%s): %s (%s)", +- sockpath, *url, r->filename); ++ ++ *origin_url = '\0'; ++ rv = apr_uri_parse(r->pool, uds_url, &urisock); ++ *origin_url++ = '|'; ++ ++ if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) { ++ uds_path = ap_runtime_dir_relative(r->pool, urisock.path); + } +- else { +- *ptr = '|'; ++ if (!uds_path) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292) ++ "Invalid proxy UDS filename (%s)", r->filename); ++ return 0; + } ++ apr_table_setn(r->notes, "uds_path", uds_path); ++ ++ /* Remove the UDS path from *url and r->filename */ ++ url_len = strlen(origin_url); ++ *url = apr_pstrmemdup(r->pool, origin_url, url_len); ++ memcpy(uds_url, *url, url_len + 1); ++ ++ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, ++ "*: rewrite of url due to UDS(%s): %s (%s)", ++ uds_path, *url, r->filename); + } ++ return 1; + } + + PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, +@@ -2132,7 +2141,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request( + "%s: found worker %s for %s", + (*worker)->s->scheme, (*worker)->s->name, *url); + *balancer = NULL; +- fix_uds_filename(r, url); ++ if (!fix_uds_filename(r, url)) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + access_status = OK; + } + else if (r->proxyreq == PROXYREQ_PROXY) { +@@ -2163,7 +2174,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request( + * regarding the Connection header in the request. + */ + apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1"); +- fix_uds_filename(r, url); ++ if (!fix_uds_filename(r, url)) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + } + } + } diff --git a/backport-CVE-2021-34798.patch b/backport-CVE-2021-34798.patch new file mode 100644 index 0000000..ac979e9 --- /dev/null +++ b/backport-CVE-2021-34798.patch @@ -0,0 +1,33 @@ +From fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Tue, 7 Sep 2021 16:05:31 +0000 +Subject: [PATCH] Merge r1878092 from trunk: + +Fix a NULL pointer dereference + +* server/scoreboard.c (ap_increment_counts): In certain cases like certain + invalid requests r->method might be NULL here. r->method_number defaults + to M_GET and hence is M_GET in these cases. + +Submitted by: rpluem +Reviewed by: covener, ylavic, jfclere + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893051 13f79535-47bb-0310-9956-ffa450edef68 +--- + server/scoreboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/server/scoreboard.c b/server/scoreboard.c +index b40b45df590..12dd56abead 100644 +--- a/server/scoreboard.c ++++ b/server/scoreboard.c +@@ -388,7 +388,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r) + if (pfn_ap_logio_get_last_bytes != NULL) { + bytes = pfn_ap_logio_get_last_bytes(r->connection); + } +- else if (r->method_number == M_GET && r->method[0] == 'H') { ++ else if (r->method_number == M_GET && r->method && r->method[0] == 'H') { + bytes = 0; + } + else { diff --git a/backport-CVE-2021-36160.patch b/backport-CVE-2021-36160.patch new file mode 100644 index 0000000..c9e36e9 --- /dev/null +++ b/backport-CVE-2021-36160.patch @@ -0,0 +1,65 @@ +From 6d9672bf096592fe16c1840f73fa947fd458ee68 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Fri, 3 Sep 2021 17:00:07 +0000 +Subject: [PATCH] Merge r1892805 from trunk: + +mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. + +When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the +worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO +directly from the given URL. + + +Submitted by: ylavic +Reviewed by: ylavic, covener, rpluem + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892875 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/mod_proxy_uwsgi.c | 22 +++++----------------- + 1 files changed, 5 insertions(+), 17 deletions(-) + create mode 100644 changes-entries/uwsgi_path_info.txt + +--- a/modules/proxy/mod_proxy_uwsgi.c ++++ b/modules/proxy/mod_proxy_uwsgi.c +@@ -453,11 +453,8 @@ static int uwsgi_handler(request_rec *r, + const char *proxyname, apr_port_t proxyport) + { + int status; +- int delta = 0; +- int decode_status; + proxy_conn_rec *backend = NULL; + apr_pool_t *p = r->pool; +- size_t w_len; + char server_portstr[32]; + char *u_path_info; + apr_uri_t *uri; +@@ -469,23 +466,14 @@ static int uwsgi_handler(request_rec *r, + + uri = apr_palloc(r->pool, sizeof(*uri)); + +- /* ADD PATH_INFO */ +-#if AP_MODULE_MAGIC_AT_LEAST(20111130,0) +- w_len = strlen(worker->s->name); +-#else +- w_len = strlen(worker->name); +-#endif +- u_path_info = r->filename + 6 + w_len; +- if (u_path_info[0] != '/') { +- delta = 1; +- } +- decode_status = ap_unescape_url(url + w_len - delta); +- if (decode_status) { ++ /* ADD PATH_INFO (unescaped) */ ++ u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/'); ++ if (!u_path_info || ap_unescape_url(u_path_info) != OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100) +- "unable to decode uri: %s", url + w_len - delta); ++ "unable to decode uwsgi uri: %s", url); + return HTTP_INTERNAL_SERVER_ERROR; + } +- apr_table_add(r->subprocess_env, "PATH_INFO", url + w_len - delta); ++ apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info); + + + /* Create space for state information */ diff --git a/httpd.spec b/httpd.spec index 51b1f98..21edeaa 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.43 -Release: 6 +Release: 7 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -74,6 +74,10 @@ Patch20: CVE-2020-13950.patch Patch21: CVE-2020-35452.patch Patch22: CVE-2021-30641.patch Patch23: CVE-2021-26690.patch +Patch24: backport-CVE-2021-34798.patch +Patch25: backport-CVE-2021-36160.patch +Patch26: backport-001-CVE-2021-40438.patch +Patch27: backport-002-CVE-2021-40438.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -510,6 +514,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue Sep 28 2021 gaihuiying - 2.4.43-7 +- Type:cves +- ID:CVE-2021-34798 CVE-2021-36160 CVE-2021-40438 +- SUG:restart +- DESC:fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438 + * Fri Jul 23 2021 lijingyuan - 2.4.43-6 - Type:cves - ID:CVE-2021-30641 CVE-2021-26690 -- Gitee