From 89640cc30d72faf9a95edc540fc17c2fae241ddc Mon Sep 17 00:00:00 2001
From: wangxp006
Date: Wed, 27 Oct 2021 10:52:58 +0800
Subject: [PATCH] fix CVE CVE-2021-34798 CVE-2021-36160
---
 backport-CVE-2021-34798.patch | 33 +++++++++++++++++++
 backport-CVE-2021-36160.patch | 62 +++++++++++++++++++++++++++++++++++
 httpd.spec | 10 +++++-
 3 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-34798.patch
 create mode 100644 backport-CVE-2021-36160.patch
diff --git a/backport-CVE-2021-34798.patch b/backport-CVE-2021-34798.patch
new file mode 100644
index 0000000..ac979e9
--- /dev/null
+++ b/backport-CVE-2021-34798.patch
@@ -0,0 +1,33 @@
+From fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Tue, 7 Sep 2021 16:05:31 +0000
+Subject: [PATCH] Merge r1878092 from trunk:
+
+Fix a NULL pointer dereference
+
+* server/scoreboard.c (ap_increment_counts): In certain cases like certain
+ invalid requests r->method might be NULL here. r->method_number defaults
+ to M_GET and hence is M_GET in these cases.
+
+Submitted by: rpluem
+Reviewed by: covener, ylavic, jfclere
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893051 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/scoreboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/scoreboard.c b/server/scoreboard.c
+index b40b45df590..12dd56abead 100644
+--- a/server/scoreboard.c
++++ b/server/scoreboard.c
+@@ -388,7 +388,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
+ if (pfn_ap_logio_get_last_bytes != NULL) {
+ bytes = pfn_ap_logio_get_last_bytes(r->connection);
+ }
+- else if (r->method_number == M_GET && r->method[0] == 'H') {
++ else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
+ bytes = 0;
+ }
+ else {
diff --git a/backport-CVE-2021-36160.patch b/backport-CVE-2021-36160.patch
new file mode 100644
index 0000000..921e2fa
--- /dev/null
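Review bot: The added `r->method &&` guard in ap_increment_counts carries no comment explaining why a request that reaches the scoreboard can have a NULL method, so the check reads as redundant and is easy to drop in a later refactor. A one-line comment above the `else if` would keep the reason next to the code: `/* r->method can be NULL for some invalid requests; method_number still defaults to M_GET */`. With the guard, such a request is no longer treated as HEAD and falls through to the final `else`, whose body is outside the hunk, so it is worth confirming that branch does not itself read r->method. The enclosing function starts and ends outside the hunk.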
+++ b/backport-CVE-2021-36160.patch 
@@ -0,0 +1,62 @@
+From b364cad72b48dd40fbc2850e525b845406520f0b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Thu, 2 Sep 2021 09:53:43 +0000
+Subject: [PATCH] mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
+
+When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
+worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
+directly from the given URL.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/uwsgi_path_info.txt | 1 +
+ modules/proxy/mod_proxy_uwsgi.c | 22 +++++-----------------
+ 1 files changed, 5 insertions(+), 17 deletions(-)
+ create mode 100644 changes-entries/uwsgi_path_info.txt
+
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index 7723d7b5c4f..971eaa59dc0 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -456,11 +456,8 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
+ const char *proxyname, apr_port_t proxyport)
+ {
+ int status;
+- int delta = 0;
+- int decode_status;
+ proxy_conn_rec *backend = NULL;
+ apr_pool_t *p = r->pool;
+- size_t w_len;
+ char server_portstr[32];
+ char *u_path_info;
+ apr_uri_t *uri;
+@@ -472,23 +469,14 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
+
+ uri = apr_palloc(r->pool, sizeof(*uri));
+
+- /* ADD PATH_INFO */
+-#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
+- w_len = strlen(worker->s->name);
+-#else
+- w_len = strlen(worker->name);
+-#endif
+- u_path_info = r->filename + 6 + w_len;
+- if (u_path_info[0] != '/') {
+- delta = 1;
+- }
+- decode_status = ap_unescape_url(url + w_len - delta);
+- if (decode_status) {
++ /* ADD PATH_INFO (unescaped) */
++ u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
++ if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
+- "unable to decode uri: %s", url + w_len - delta);
++ "unable to decode uwsgi uri: %s", url);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+- apr_table_add(r->subprocess_env, "PATH_INFO", url + w_len - delta);
++ apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
+
+
+ /* Create space for state information */
diff --git a/httpd.spec b/httpd.spec
index 954aff0..17b26b2 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.46
-Release: 3
+Release: 4
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -71,6 +71,8 @@ Patch17: httpd-2.4.43-r1861793+.patch
 Patch18: httpd-2.4.43-r1828172+.patch
 Patch19: httpd-2.4.46-htcacheclean-dont-break.patch
 Patch20: Pass-key-IDs-with-the-tpm2-prefix-to-the-tpm2-engine.patch
+Patch21: backport-CVE-2021-34798.patch
+Patch22: backport-CVE-2021-36160.patch
 
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -504,6 +506,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Oct 27 2021 wangxp006 - 2.4.46-4
+- Type:CVE
+- ID:CVE-2021-34798 CVE-2021-36160
+- SUG:NA
+- DESC: fix CVE CVE-2021-34798 CVE-2021-36160
+
 * Fri Mar 19 2021 Roberto Sassu - 2.4.46-3
 - Type:enhancement
 - ID:NA
--
Gitee
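Review bot: In the second inner hunk of uwsgi_handler, `url + sizeof(UWSGI_SCHEME) + 2` stays inside the string only if `url` has already been checked to begin with the scheme followed by `://`, and that check is not visible in either hunk. Because this backport fixes a memory-safety problem in the PATH_INFO computation and its header cites a trunk revision, the precondition should be confirmed in the 2.4.46 tree it is applied to. The offset also depends on `sizeof` counting the terminating NUL, which deserves a comment such as `/* sizeof(UWSGI_SCHEME) + 2 == strlen(UWSGI_SCHEME "://") */`. Separately, a client-supplied path that fails ap_unescape_url is logged at APLOG_ERR and answered with HTTP_INTERNAL_SERVER_ERROR, so malformed client input is recorded as a server fault, as it was in the code being replaced. The function continues outside the hunk.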
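Review bot: `Patch21` and `Patch22` are only declared in this hunk; the `%prep` section that applies patches is outside it, and nothing visible shows whether the spec uses `%autosetup`/`%autopatch` or one `%patchN` line per patch. If it is the latter, the two CVE backports would ship in the source package without being applied to the build, so `%prep` would need `%patch21 -p1` and `%patch22 -p1` alongside the existing entries. Inspecting server/scoreboard.c and modules/proxy/mod_proxy_uwsgi.c in the build tree after `%prep` is a cheap way to confirm both fixes are in the binary.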