packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!136 fix CVE-2022-36760 CVE-2006-2001 CVE-2022-37436

Browse Source 
From: @seuzw 
Reviewed-by: @kircher 
Signed-off-by: @kircher
This commit is contained in:
openeuler-ci-bot 2023-02-02 06:38:40 +00:00 committed by Gitee
commit b470434654
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 201 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-CVE-2006-20001.patch Normal file
View File

@ -0,0 +1,35 @@
From b00b92bb9d1497414abf6ca1b679bcc8ad32a443 Mon Sep 17 00:00:00 2001
From: notroj <notroj@redhat.com>
Date: Mon, 9 Jan 2023 08:07:58 PM GMT+0800
Subject: [PATCH] modules/dav/main/util(dav_process_if_header):Fix error
Conflict:NA
Reference:https://github.com/apache/httpd/commit/b00b92bb9d1497414abf6ca1b679bcc8ad32a443
---
modules/dav/main/util.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
index 08ebe27..2a2c7aa 100644
--- a/modules/dav/main/util.c
+++ b/modules/dav/main/util.c
@@ -756,8 +756,14 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
"for the same state.");
}
condition = DAV_IF_COND_NOT;
+ list += 2;
+ }
+ else {
+ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
+ DAV_ERR_IF_UNK_CHAR, 0,
+ "Invaild \"If:\" header: "
+ "Unexpected character in List");
}
- list += 2;
break;
case ' ':
--
2.23.0

28
backport-CVE-2022-36760.patch Normal file
View File

@ -0,0 +1,28 @@
From 5efc9507c487c37dfe2a279a4a0335cad701cd5f Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Tue, 10 Jan 2023 09:19:03 PM GMT+0800
Subject: [PATCH] mod_proxy_ajp:cleanup on error
Conflict:NA
Reference:https://github.com/apache/httpd/commit/5efc9507c487c37dfe2a279a4a0335cad701cd5f
---
modules/proxy/mod_proxy_ajp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
index a77a86b..89da918 100644
--- a/modules/proxy/mod_proxy_ajp.c
+++ b/modules/proxy/mod_proxy_ajp.c
@@ -256,6 +256,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
"%s Transfer-Encoding is not supported",
tenc);
+ /* We had a failure : Close connection to backend */
+ conn->close = 1;
return HTTP_INTERNAL_SERVER_ERROR;
}
} else {
--
2.23.0

128
backport-CVE-2022-37436.patch Normal file
View File

@ -0,0 +1,128 @@
From 2192bd4200083a0d20bf601c2fc9d635e7e4dbfc Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.com>
Date: Tue, 10 Jan 2023 09:18:42 PM GMT+0800
Subject: [PATCH] mod_proxy_http:fail on bad header
Conflict:NA
Reference:https://github.com/apache/httpd/commit/2192bd4200083a0d20bf601c2fc9d635e7e4dbfc
---
modules/proxy/mod_proxy_http.c | 46 ++++++++++++++++++++--------------
server/protocol.c | 2 ++
2 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 3e5c056..2c374e7 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -792,7 +792,7 @@ static void process_proxy_header(request_rec *r, proxy_dir_conf *c,
* any sense at all, since we depend on buffer still containing
* what was read by ap_getline() upon return.
*/
-static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+static apr_status_t ap_proxy_read_headers(request_rec *r, request_rec *rr,
char *buffer, int size,
conn_rec *c, int *pread_len)
{
@@ -824,19 +824,26 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
rc = ap_proxygetline(tmp_bb, buffer, size, rr,
AP_GETLINE_FOLD | AP_GETLINE_NOSPC_EOL, &len);
- if (len <= 0)
- break;
- if (APR_STATUS_IS_ENOSPC(rc)) {
- /* The header could not fit in the provided buffer, warn.
- * XXX: falls through with the truncated header, 5xx instead?
- */
- int trunc = (len > 128 ? 128 : len) / 2;
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
- "header size is over the limit allowed by "
- "ResponseFieldSize (%d bytes). "
- "Bad response header: '%.*s[...]%s'",
- size, trunc, buffer, buffer + len - trunc);
+ if (rc != APR_SUCCESS) {
+ if (APR_STATUS_IS_ENOSPC(rc)) {
+ int trunc = (len > 128 ? 128 : len) / 2;
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
+ "header size is over the limit allowed by "
+ "ResponseFieldSize (%d bytes). "
+ "Bad response header: '%.*s[...]%s'",
+ size, trunc, buffer, buffer + len - trunc);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404)
+ "Error reading headers from backend");
+ }
+ r->headers_out = NULL;
+ return rc;
+ }
+
+ if (len <= 0) {
+ break;
}
else {
ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer);
@@ -859,7 +866,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
if (psc->badopt == bad_error) {
/* Nope, it wasn't even an extra HTTP header. Give up. */
r->headers_out = NULL;
- return;
+ return APR_EINVAL;
}
else if (psc->badopt == bad_body) {
/* if we've already started loading headers_out, then
@@ -873,13 +880,13 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
"in headers returned by %s (%s)",
r->uri, r->method);
*pread_len = len;
- return;
+ return APR_SUCCESS;
}
else {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099)
"No HTTP headers returned by %s (%s)",
r->uri, r->method);
- return;
+ return APR_SUCCESS;
}
}
}
@@ -909,6 +916,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
process_proxy_header(r, dconf, buffer, value);
saw_headers = 1;
}
+ return APR_SUCCESS;
}
@@ -1207,10 +1215,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req)
"Set-Cookie", NULL);
/* shove the headers direct into r->headers_out */
- ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
- origin, &pread_len);
+ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
+ origin, &pread_len);
- if (r->headers_out == NULL) {
+ if (rc != APR_SUCCESS || r->headers_out == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106)
"bad HTTP/%d.%d header returned by %s (%s)",
major, minor, r->uri, r->method);
diff --git a/server/protocol.c b/server/protocol.c
index 7adc7f7..fa9f3f8 100644
--- a/server/protocol.c
+++ b/server/protocol.c
@@ -508,6 +508,8 @@ cleanup:
/* PR#43039: We shouldn't accept NULL bytes within the line */
bytes_handled = strlen(*s);
if (bytes_handled < *read) {
+ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf,
+ "NULL bytes in headers", *s, *read, 0);
*read = bytes_handled;
if (rv == APR_SUCCESS) {
rv = APR_EINVAL;
--
2.23.0

11
httpd.spec
View File

@ -8,7 +8,7 @@
Name: httpd
Summary: Apache HTTP Server
Version: 2.4.51
Release: 12
Release: 13
License: ASL 2.0
URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -94,6 +94,9 @@ Patch40: backport-fix-lua-request-with-cast-first.patch
Patch41: backport-Handle-children-killed-pathologically.patch
Patch42: backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch
Patch43: backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch
Patch44: backport-CVE-2022-36760.patch
Patch45: backport-CVE-2006-20001.patch
Patch46: backport-CVE-2022-37436.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -526,6 +529,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Thu Feb 2 2023 seuzw <930zhaowei@163.com> - 2.4.51-13
- Type:cves
- ID:CVE-2022-36760,CVE-2006-20001,CVE-2022-37436
- SUG:restart
- DESC:fix CVE-2022-36760,CVE-2006-20001,CVE-2022-37436
* Thu Dec 22 2022 chengyechun <chengyechun1@huawei.com> - 2.4.51-12
- Type:bugfix
- ID: