From c2ebe1555324f650f85693ef533c727c8bbaa590 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Wed, 29 Sep 2021 17:30:22 +0800
Subject: [PATCH] fix CVE-2021-40438 fully and correctly fix CVE-2021-39275
---
 backport-001-CVE-2021-39275.patch | 23 ++++++++++++++++++
 backport-002-CVE-2021-39275.patch | 32 +++++++++++++++++++++++++
 backport-003-CVE-2021-40438.patch | 30 +++++++++++++++++++++++
 backport-004-CVE-2021-40438.patch | 40 +++++++++++++++++++++++++++++++
 httpd.spec | 13 +++++++++-
 5 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 backport-001-CVE-2021-39275.patch
 create mode 100644 backport-002-CVE-2021-39275.patch
 create mode 100644 backport-003-CVE-2021-40438.patch
 create mode 100644 backport-004-CVE-2021-40438.patch
diff --git a/backport-001-CVE-2021-39275.patch b/backport-001-CVE-2021-39275.patch
new file mode 100644
index 0000000..38545a8
--- /dev/null
+++ b/backport-001-CVE-2021-39275.patch
@@ -0,0 +1,23 @@
+From d8bce6f575abb29997bba358b31842bf757776c6 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Wed, 4 Aug 2021 11:48:38 +0000
+Subject: [PATCH] fix ap_escape_quotes with pre-escaped quotes
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892012 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/util.c b/server/util.c
+index 72aa54d31d1..2d7708ae851 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2621,7 +2621,7 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
+ * in front of every " that doesn't already have one.
+ */
+ while (*inchr != '\0') {
+- if ((*inchr == '\\') && (inchr[1] != '\0')) {
++ while ((*inchr == '\\') && (inchr[1] != '\0')) {
+ *outchr++ = *inchr++;
+ *outchr++ = *inchr++;
+ }
diff --git a/backport-002-CVE-2021-39275.patch b/backport-002-CVE-2021-39275.patch
new file mode 100644
index 0000000..9a2bf76
--- /dev/null
+++ b/backport-002-CVE-2021-39275.patch
@@ -0,0 +1,32 @@
+From e0fec7d48dab1924c5a6b48819ce1cf420733f62 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem
+Date: Wed, 18 Aug 2021 14:35:41 +0000
+Subject: [PATCH] * Follow the same logic that is used for calculating the
+ length
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892418 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/server/util.c b/server/util.c
+index e44e39afe3e..6bc5063bc39 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2621,13 +2621,12 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
+ * in front of every " that doesn't already have one.
+ */
+ while (*inchr != '\0') {
+- while ((*inchr == '\\') && (inchr[1] != '\0')) {
+- *outchr++ = *inchr++;
+- *outchr++ = *inchr++;
+- }
+ if (*inchr == '"') {
+ *outchr++ = '\\';
+ }
++ if ((*inchr == '\\') && (inchr[1] != '\0')) {
++ *outchr++ = *inchr++;
++ }
+ if (*inchr != '\0') {
+ *outchr++ = *inchr++;
+ }
diff --git a/backport-003-CVE-2021-40438.patch b/backport-003-CVE-2021-40438.patch
new file mode 100644
index 0000000..64abdad
--- /dev/null
+++ b/backport-003-CVE-2021-40438.patch
@@ -0,0 +1,30 @@
+From 6e768a811c59ca6a0769b72681aaef381823339f Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Thu, 23 Sep 2021 12:29:03 +0000
+Subject: [PATCH] Merge of r1893516 from trunk:
+
+ *) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893556 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/mappers/mod_rewrite.c | 7 +++++++
+ 1 files changed, 7 insertions(+)
+
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -617,6 +617,13 @@ static unsigned is_absolute_uri(char *ur
+ return 6;
+ }
+ break;
++
++ case 'u':
++ case 'U':
++ if (!ap_cstr_casecmpn(uri, "nix:", 4)) { /* unix: */
++ *sqs = 1;
++ return 5;
++ }
+ }
+
+ return 0;
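Review bot: The final guard `if (*inchr != '\0')` in the rewritten copy loop of ap_escape_quotes can never be false, because the outer `while` already excludes NUL and the backslash branch only advances when `inchr[1] != '\0'`. Keeping it obscures the invariant that matters here: judging by the patch subject, this loop has to write exactly as many bytes as the earlier length pass counted, and that pass and the allocation sit outside the hunk. I would state that above the loop, e.g. `/* Must mirror the length pass: 2 bytes per '"', 2 per backslash pair, 1 otherwise. */`, and write the second test as `else if ((*inchr == '\\') && (inchr[1] != '\0')) {` so the two branches read as mutually exclusive. The same comment would make clear that backport-001 is an intermediate state this patch replaces.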
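Review bot: The new `case 'u': case 'U':` arm in is_absolute_uri ends without a `break;`, unlike the arm directly above it (`} break;`), and only works because it is the last case before the switch closes. Add `break;` after its closing brace so that a case appended later cannot be reached by fall-through. The arm classifies a substitution as absolute on the `unix:` prefix alone; the socket path is parsed later in mod_proxy (fix_uds_filename, touched by backport-004), so widening the existing comment to `/* unix: (prefix match only; path is checked in mod_proxy) */` would help anyone auditing [P] rules. The start of the switch is outside the hunk.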
diff --git a/backport-004-CVE-2021-40438.patch b/backport-004-CVE-2021-40438.patch
new file mode 100644
index 0000000..d886b77
--- /dev/null
+++ b/backport-004-CVE-2021-40438.patch
@@ -0,0 +1,40 @@
+From 81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Thu, 23 Sep 2021 12:31:53 +0000
+Subject: [PATCH] backport of 1893519,1893532 from trunk:
+
+ *) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
+ had no hostname ("unix:/..."), also in mod_rewrite's is_absolulte_uri().
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893559 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/mappers/mod_rewrite.c | 2 +-
+ modules/proxy/proxy_util.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 changes-entries/uds_empty_hostname.txt
+
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -622,7 +622,7 @@ static unsigned is_absolute_uri(char *ur
+ case 'U':
+ if (!ap_cstr_casecmpn(uri, "nix:", 4)) { /* unix: */
+ *sqs = 1;
+- return 5;
++ return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;
+ }
+ }
+
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2217,7 +2217,8 @@ static int fix_uds_filename(request_rec
+ rv = apr_uri_parse(r->pool, uds_url, &urisock);
+ *origin_url++ = '|';
+
+- if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
++ if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname
++ || !urisock.hostname[0])) {
+ uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
+ }
+ if (!uds_path) {
diff --git a/httpd.spec b/httpd.spec
index e81d398..27239ef 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.43
-Release: 9
+Release: 10
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
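Review bot: The new return `(uri[4] == '/' && uri[5] == '/') ? 7 : 5` in is_absolute_uri has no comment on its offsets, and it is looser than the proxy_util.c half of the same patch. It yields 7 for any `unix://` prefix, including one followed by a non-empty host, while fix_uds_filename only sets `uds_path` when the hostname is absent or empty, so such a URI is treated as absolute by mod_rewrite and then lands in the `if (!uds_path)` branch, whose body is outside the hunk. That is the safe direction provided that branch refuses the request; please confirm it does and record it next to the return, e.g. `/* "unix://" -> 7, "unix:" -> 5; a non-empty host is refused later in fix_uds_filename() */`. The read of `uri[5]` is bounded because `uri[4] == '/'` is tested first, assuming `uri` has already been advanced past the leading `u`, as the `"nix:"` comparison suggests.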
@@ -78,6 +78,10 @@ Patch24: backport-CVE-2021-34798.patch Patch25: backport-CVE-2021-36160.patch Patch26: backport-001-CVE-2021-40438.patch Patch27: backport-002-CVE-2021-40438.patch +Patch28: backport-003-CVE-2021-40438.patch +Patch29: backport-004-CVE-2021-40438.patch +Patch30: backport-001-CVE-2021-39275.patch +Patch31: backport-002-CVE-2021-39275.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -514,6 +518,13 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Sep 29 2021 gaihuiying - 2.4.43-10 +- Type:cves +- ID:CVE-2021-40438 CVE-2021-39275 +- SUG:restart +- DESC:fix CVE-2021-40438 fully and correctly + fix CVE-2021-39275 + * Tue Sep 28 2021 gaihuiying - 2.4.43-9 - Type:cves - ID:CVE-2021-34798 CVE-2021-36160 CVE-2021-40438 -- Gitee