diff --git a/backport-001-CVE-2021-40438.patch b/backport-001-CVE-2021-40438.patch
new file mode 100644
index 0000000000000000000000000000000000000000..36140d81ec58e6cfef907a7889d68be84eee1caa
--- /dev/null
+++ b/backport-001-CVE-2021-40438.patch
@@ -0,0 +1,55 @@
+From 496c863776c68bd08cdbeb7d8fa5935ba63b76c2 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Fri, 3 Sep 2021 16:52:38 +0000
+Subject: [PATCH] Merge r1892814, r1892853 from trunk:
+
+mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
+
+The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to
+strstr(,"unix:") since it's at the start of the string.
+
+
+mod_proxy: Follow up to r1892814.
+
+Save some few cycles in ap_proxy_de_socketfy() too.
+
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, rpluem
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892874 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy.c | 2 +-
+ modules/proxy/proxy_util.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+ create mode 100644 changes-entries/fix_uds_filename.txt
+
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 60634d344c7..354bb8f660f 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1975,7 +1975,7 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
+ * the UDS path... ignore it
+ */
+ if (!ap_cstr_casecmpn(url, "unix:", 5) &&
+- ((ptr = ap_strchr_c(url, '|')) != NULL)) {
++ ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
+ /* move past the 'unix:...|' UDS path info */
+ const char *ret, *c;
+
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 3c4ea72aba7..812c32f3584 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2281,8 +2281,8 @@ static void fix_uds_filename(request_rec *r, char **url)
+ if (!r || !r->filename) return;
+
+ if (!strncmp(r->filename, "proxy:", 6) &&
+- (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
+- (ptr = ap_strchr(ptr2, '|'))) {
++ !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
++ (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
+ apr_uri_t urisock;
+ apr_status_t rv;
+ *ptr = '\0';
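Review bot: In the `fix_uds_filename` hunk, `ptr2` now points past the `unix:` prefix (`r->filename + 6 + 5`) instead of at it, so the `apr_uri_parse(r->pool, ptr2, &urisock)` call that follows (outside this hunk, visible as a removed line in backport-002) receives a scheme-less string; this patch should only ship together with backport-002, which parses from the `unix:` prefix again and validates the result. The commit message presents the change as a speed-up, but anchoring the `unix:` match at offset 6 also stops the marker from being matched further along `r->filename`, which presumably can carry request-derived text. A comment such as `/* "unix:" must directly follow "proxy:"; never search the rest of r->filename for it */` would keep a later refactor from going back to a substring search. The comma expression inside the condition is easy to misread and would be clearer as a separate assignment; the function body continues outside the hunk.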
diff --git a/backport-002-CVE-2021-40438.patch b/backport-002-CVE-2021-40438.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f78ba144adc4a4f386b7a27e61f94d9cb6d9f1b
--- /dev/null
+++ b/backport-002-CVE-2021-40438.patch
@@ -0,0 +1,115 @@
+From d4901cb32133bc0e59ad193a29d1665597080d67 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem
+Date: Wed, 8 Sep 2021 07:00:09 +0000
+Subject: [PATCH] Merge r1892986, r1892987 from trunk:
+
+mod_proxy: Follow up to r1892814.
+
+* modules/proxy/proxy_util.c(fix_uds_filename):
+ Sanity checks on the configured UDS path, fail with 500 if invalid since
+ continuing through proxy processing wouldn't work as expected.
+
+
+
+mod_proxy: Follow up to r1892986: APLOGNO()
+
+Stefan get out of this body! :)
+
+
+Submitted by: ylavic
+Reviewed by: rpluem, ylavic, covener
+
+Github: closes #265
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893101 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/proxy_util.c | 55 +++++++++++++++++++++++---------------
+ 1 files changed, 34 insertions(+), 21 deletions(-)
+
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2088,33 +2088,42 @@ static int ap_proxy_retry_worker(const c
+ * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
+ * as required.
+ */
+-static void fix_uds_filename(request_rec *r, char **url)
++static int fix_uds_filename(request_rec *r, char **url)
+ {
+- char *ptr, *ptr2;
+- if (!r || !r->filename) return;
++ char *uds_url = r->filename + 6, *origin_url;
+
+ if (!strncmp(r->filename, "proxy:", 6) &&
+- !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
+- (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
++ !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
++ (origin_url = ap_strchr(uds_url + 5, '|'))) {
++ char *uds_path = NULL;
++ apr_size_t url_len;
+ apr_uri_t urisock;
+ apr_status_t rv;
+- *ptr = '\0';
+- rv = apr_uri_parse(r->pool, ptr2, &urisock);
+- if (rv == APR_SUCCESS) {
+- char *rurl = ptr+1;
+- char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path);
+- apr_table_setn(r->notes, "uds_path", sockpath);
+- *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */
+- /* r->filename starts w/ "proxy:", so add after that */
+- memmove(r->filename+6, rurl, strlen(rurl)+1);
+- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+- "*: rewrite of url due to UDS(%s): %s (%s)",
+- sockpath, *url, r->filename);
++
++ *origin_url = '\0';
++ rv = apr_uri_parse(r->pool, uds_url, &urisock);
++ *origin_url++ = '|';
++
++ if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
++ uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
+ }
+- else {
+- *ptr = '|';
++ if (!uds_path) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
++ "Invalid proxy UDS filename (%s)", r->filename);
++ return 0;
+ }
++ apr_table_setn(r->notes, "uds_path", uds_path);
++
++ /* Remove the UDS path from *url and r->filename */
++ url_len = strlen(origin_url);
++ *url = apr_pstrmemdup(r->pool, origin_url, url_len);
++ memcpy(uds_url, *url, url_len + 1);
++
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
++ "*: rewrite of url due to UDS(%s): %s (%s)",
++ uds_path, *url, r->filename);
+ }
++ return 1;
+ }
+
+ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+@@ -2132,7 +2141,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+ "%s: found worker %s for %s",
+ (*worker)->s->scheme, (*worker)->s->name, *url);
+ *balancer = NULL;
+- fix_uds_filename(r, url);
++ if (!fix_uds_filename(r, url)) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+ access_status = OK;
+ }
+ else if (r->proxyreq == PROXYREQ_PROXY) {
+@@ -2163,7 +2174,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+ * regarding the Connection header in the request.
+ */
+ apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
+- fix_uds_filename(r, url);
++ if (!fix_uds_filename(r, url)) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+ }
+ }
+ }
diff --git a/backport-CVE-2021-34798.patch b/backport-CVE-2021-34798.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ac979e98eafe17af31287ce1e999487e5f569b3b
--- /dev/null
+++ b/backport-CVE-2021-34798.patch
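Review bot: The rewritten `fix_uds_filename` drops the old `if (!r || !r->filename) return;` guard and forms `r->filename + 6` in the declaration, before the `strncmp(r->filename, "proxy:", 6)` test has shown that the string is that long. Both callers in `ap_proxy_pre_request` may guarantee a `proxy:` filename, but that is not visible in these hunks; if it is not guaranteed, keep `if (!r || !r->filename) return 1;` and assign `uds_url` only after the prefix test. The new return value is also undocumented: the header comment (partly outside the hunk) should say that 0 means an invalid UDS filename, which the callers turn into a 500, and that 1 means the request may proceed, including when no UDS prefix is present.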
@@ -0,0 +1,33 @@
+From fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Tue, 7 Sep 2021 16:05:31 +0000
+Subject: [PATCH] Merge r1878092 from trunk:
+
+Fix a NULL pointer dereference
+
+* server/scoreboard.c (ap_increment_counts): In certain cases like certain
+ invalid requests r->method might be NULL here. r->method_number defaults
+ to M_GET and hence is M_GET in these cases.
+
+Submitted by: rpluem
+Reviewed by: covener, ylavic, jfclere
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893051 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/scoreboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/scoreboard.c b/server/scoreboard.c
+index b40b45df590..12dd56abead 100644
+--- a/server/scoreboard.c
++++ b/server/scoreboard.c
+@@ -388,7 +388,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
+ if (pfn_ap_logio_get_last_bytes != NULL) {
+ bytes = pfn_ap_logio_get_last_bytes(r->connection);
+ }
+- else if (r->method_number == M_GET && r->method[0] == 'H') {
++ else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
+ bytes = 0;
+ }
+ else {
diff --git a/backport-CVE-2021-36160.patch b/backport-CVE-2021-36160.patch
new file mode 100644
index 0000000000000000000000000000000000000000..921e2faba4a74f1768a39cb1c85b767b00f08367
--- /dev/null
+++ b/backport-CVE-2021-36160.patch
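Review bot: The added `r->method &&` test in `ap_increment_counts` carries no comment saying when `r->method` can be NULL, so a later reader may take the check for redundant; the reason is recorded only in the commit message. Add something like `/* r->method may be NULL for some invalid requests; method_number still defaults to M_GET */` above the `else if`. Since this function evidently runs for such requests, any other use of `r->method` on the same path, none of which is visible in this hunk, deserves the same check. The function starts and ends outside the hunk.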
@@ -0,0 +1,62 @@
+From b364cad72b48dd40fbc2850e525b845406520f0b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Thu, 2 Sep 2021 09:53:43 +0000
+Subject: [PATCH] mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
+
+When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
+worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
+directly from the given URL.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/uwsgi_path_info.txt | 1 +
+ modules/proxy/mod_proxy_uwsgi.c | 22 +++++-----------------
+ 1 files changed, 5 insertions(+), 17 deletions(-)
+ create mode 100644 changes-entries/uwsgi_path_info.txt
+
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index 7723d7b5c4f..971eaa59dc0 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -456,11 +456,8 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
+ const char *proxyname, apr_port_t proxyport)
+ {
+ int status;
+- int delta = 0;
+- int decode_status;
+ proxy_conn_rec *backend = NULL;
+ apr_pool_t *p = r->pool;
+- size_t w_len;
+ char server_portstr[32];
+ char *u_path_info;
+ apr_uri_t *uri;
+@@ -472,23 +469,14 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
+
+ uri = apr_palloc(r->pool, sizeof(*uri));
+
+- /* ADD PATH_INFO */
+-#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
+- w_len = strlen(worker->s->name);
+-#else
+- w_len = strlen(worker->name);
+-#endif
+- u_path_info = r->filename + 6 + w_len;
+- if (u_path_info[0] != '/') {
+- delta = 1;
+- }
+- decode_status = ap_unescape_url(url + w_len - delta);
+- if (decode_status) {
++ /* ADD PATH_INFO (unescaped) */
++ u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
++ if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
+- "unable to decode uri: %s", url + w_len - delta);
++ "unable to decode uwsgi uri: %s", url);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+- apr_table_add(r->subprocess_env, "PATH_INFO", url + w_len - delta);
++ apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
+
+
+ /* Create space for state information */
diff --git a/httpd.spec b/httpd.spec index 7e4d824f56c654b6f4f6566a5a191197257b2fca..b999ae026afae5b24a67a9d5010b08c68e5f4249 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.48 -Release: 1 +Release: 2 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -69,6 +69,10 @@ Patch16: httpd-2.4.43-gettid.patch Patch17: httpd-2.4.43-r1861793+.patch Patch18: httpd-2.4.43-r1828172+.patch Patch19: httpd-2.4.46-htcacheclean-dont-break.patch +Patch20: backport-CVE-2021-34798.patch +Patch21: backport-CVE-2021-36160.patch +Patch22: backport-001-CVE-2021-40438.patch +Patch23: backport-002-CVE-2021-40438.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -501,6 +505,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue Sep 28 2021 gaihuiying - 2.4.48-2 +- Type:cves +- ID:CVE-2021-34798 CVE-2021-36160 CVE-2021-40438 +- SUG:restart +- DESC:fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438 + * Tue Jul 13 2021 gaihuiying - 2.4.48-1 - Type:requirement - ID:NA
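Review bot: `url + sizeof(UWSGI_SCHEME) + 2` in `uwsgi_handler` is formed with no visible check that `url` is at least that long, so the `ap_strchr` call relies on the scheme prefix having been verified earlier in the function, outside this hunk; confirm that such a check precedes this line. The arithmetic is also non-obvious, because `sizeof` counts the terminating NUL and `+ 2` therefore skips `://` only if `UWSGI_SCHEME` is a string-literal macro (its definition is not shown here); a comment such as `/* skip "<scheme>://": sizeof() includes the NUL, hence + 2 */` would make that explicit. `ap_unescape_url` decodes in place, so on failure the new error message logs a `url` that may be partly decoded. The function body continues outside the hunk.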