From b981a203d95960031f9311ad9113c37e089b7d68 Mon Sep 17 00:00:00 2001 From: chengyechun Date: Wed, 14 Dec 2022 10:54:40 +0800 Subject: [PATCH] change default value of HeartbeatMaxServers fix setting and comparison of IPs fields avoid overflow in case of indecently large session make ap_escape_quotes() work correctly fix lua_request with cast first Handle children killed pathologically --- ...andle-children-killed-pathologically.patch | 108 ++++++++++++++++++ ...-and-avoid-overflow-of-large-session.patch | 49 ++++++++ ...1589986-r1589995-r1633528-from-trunk.patch | 62 ++++++++++ ...or-HeartbeatMaxServers-default-value.patch | 28 +++++ ...port-fix-lua-request-with-cast-first.patch | 28 +++++ ...setting-and-comparison-of-IPs-fields.patch | 47 ++++++++ ...make-ap_escape_quotes-work-correctly.patch | 73 ++++++++++++ ...equests-to-well-known-acme-challenge.patch | 39 +++++++ httpd.spec | 22 +++- 9 files changed, 455 insertions(+), 1 deletion(-) create mode 100644 backport-Handle-children-killed-pathologically.patch create mode 100644 backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch create mode 100644 backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch create mode 100644 backport-fix-error-HeartbeatMaxServers-default-value.patch create mode 100644 backport-fix-lua-request-with-cast-first.patch create mode 100644 backport-fix-setting-and-comparison-of-IPs-fields.patch create mode 100644 backport-make-ap_escape_quotes-work-correctly.patch create mode 100644 backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch diff --git a/backport-Handle-children-killed-pathologically.patch b/backport-Handle-children-killed-pathologically.patch new file mode 100644 index 0000000..2096d4d --- /dev/null +++ b/backport-Handle-children-killed-pathologically.patch
@@ -0,0 +1,108 @@ +From 5f33010a643ac7c67b7733484797d41366e328ecdb Mon Sep 17 00:00:00 2001 +From: icing +Date: Tue, 30 Aug 2022 14:47:19 +0800 +Subject: [PATCH] Handle children killed pathologically + +Conflict:NA +Reference:https://github.com/apache/httpd/commit/5f3010a643ac7c67b733484797d41366e328ecdb + +--- + server/mpm/event/event.c | 26 +++++++++++++++++++++++--- + server/mpm/worker/worker.c | 26 +++++++++++++++++++++++--- + 2 files changed, 46 insertions(+), 6 deletions(-) + +diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c +index dddff35..5969c88 100644 +--- a/server/mpm/event/event.c ++++ b/server/mpm/event/event.c +@@ -2983,6 +2983,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets) + + static void server_main_loop(int remaining_children_to_start, int num_buckets) + { ++ int successive_kills = 0; + int child_slot; + apr_exit_why_e exitwhy; + int status, processed_status; +@@ -3072,11 +3073,30 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets) + /* Don't perform idle maintenance when a child dies, + * only do it when there's a timeout. Remember only a + * finite number of children can die, and it's pretty +- * pathological for a lot to die suddenly. ++ * pathological for a lot to die suddenly. If a child is ++ * killed by a signal (faulting) we want to restart it ASAP ++ * though, up to 3 successive faults or we stop this until ++ * a timeout happens again (to avoid the flood of fork()ed ++ * process that keep being killed early). 
+ */ +- continue; ++ if (child_slot < 0 || !APR_PROC_CHECK_SIGNALED(exitwhy)) { ++ continue; ++ } ++ if (++successive_kills >= 3) { ++ if (successive_kills % 10 == 3) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ++ ap_server_conf, APLOGNO(10392) ++ "children are killed successively!"); ++ } ++ continue; ++ } ++ ++remaining_children_to_start; ++ } ++ else { ++ successive_kills = 0; + } +- else if (remaining_children_to_start) { ++ ++ if (remaining_children_to_start) { + /* we hit a 1 second timeout in which none of the previous + * generation of children needed to be reaped... so assume + * they're all done, and pick up the slack if any is left. +diff --git a/server/mpm/worker/worker.c b/server/mpm/worker/worker.c +index bd56f61..30d5aeb 100644 +--- a/server/mpm/worker/worker.c ++++ b/server/mpm/worker/worker.c +@@ -1569,6 +1569,7 @@ static void perform_idle_server_maintenance(int child_bucket, int num_buckets) + + static void server_main_loop(int remaining_children_to_start, int num_buckets) + { ++ int successive_kills = 0; + ap_generation_t old_gen; + int child_slot; + apr_exit_why_e exitwhy; +@@ -1663,11 +1664,30 @@ static void server_main_loop(int remaining_children_to_start, int num_buckets) + /* Don't perform idle maintenance when a child dies, + * only do it when there's a timeout. Remember only a + * finite number of children can die, and it's pretty +- * pathological for a lot to die suddenly. ++ * pathological for a lot to die suddenly. If a child is ++ * killed by a signal (faulting) we want to restart if ASAP ++ * though, up to 3 successive faults or we stop this until ++ * a timeout happens again (to avoid the flood of fork()ed ++ * processes that keep being killed early). 
+ */ +- continue; ++ if (child_slot < 0 || !APR_PROC_CHECK_SIGNALED(exitwhy)) { ++ continue; ++ } ++ if (++successive_kills >= 3) { ++ if (successive_kills % 10 == 3) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ++ ap_server_conf, APLOGNO(10392) ++ "children are killed successively!"); ++ } ++ continue; ++ } ++ ++remaining_children_to_start; ++ } ++ else { ++ successive_kills = 0; + } +- else if (remaining_children_to_start) { ++ ++ if (remaining_children_to_start) { + /* we hit a 1 second timeout in which none of the previous + * generation of children needed to be reaped... so assume + * they're all done, and pick up the slack if any is left. +-- +2.23.0 + diff --git a/backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch b/backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch new file mode 100644 index 0000000..a08eb83 --- /dev/null +++ b/backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch 
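Review bot: The `From` line of this new patch file carries a commit id that is not a valid SHA-1 (42 hex characters) and does not match the id in the `Reference:` line, so the file's own provenance is self-contradictory; the same mismatch is in backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch (39 characters) and backport-make-ap_escape_quotes-work-correctly.patch (38 characters), and in all three the `From` id should be the one given in `Reference:`. In the worker.c half of the backport the new comment reads `killed by a signal (faulting) we want to restart if ASAP`, which should be `restart it ASAP` as in the event.c copy. The `3` and `% 10 == 3` thresholds appear unnamed in both MPMs; a comment above `if (++successive_kills >= 3)` such as `/* after 3 successive signal deaths stop respawning until the next timeout; warn at the 3rd and every 10th after */` would make the pacing intent readable where it is applied. server_main_loop starts and ends outside the hunk, so the timeout-path reset of `successive_kills` is the only reset visible here.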
@@ -0,0 +1,49 @@ +From 0befd97dfe19e23921b4cc5412d6177f2cab6aac Mon Sep 17 00:00:00 2001 +From: jimjag +Date: Tue May 17 18:14:29 2022 UTC +Subject: [PATCH] mod_session:Harden mod_session and avoid overflow of large session + +Conflict:NA +Reference:https://github.com/apache/httpd/commit/0befd97dfe19e23921b4cc5412d6177f2cab6aac + +--- + modules/session/mod_session.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c +index ec4ac2e..fa8d406 100644 +--- a/modules/session/mod_session.c ++++ b/modules/session/mod_session.c +@@ -317,7 +317,8 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z, + + static int identity_count(void *v, const char *key, const char *val) + { +- int *count = v; ++ apr_size_t *count = v; ++ + *count += strlen(key) * 3 + strlen(val) * 3 + 2; + return 1; + } +@@ -325,7 +326,8 @@ static int identity_count(void *v, const char *key, const char *val) + static int identity_concat(void *v, const char *key, const char *val) + { + char *slider = v; +- int length = strlen(slider); ++ apr_size_t length = strlen(slider); ++ + slider += length; + if (length) { + *slider = '&'; +@@ -355,7 +357,8 @@ static int identity_concat(void *v, const char *key, const char *val) + static apr_status_t session_identity_encode(request_rec * r, session_rec * z) + { + char *buffer = NULL; +- int length = 0; ++ apr_size_t length = 0; ++ + if (z->expiry) { + char *expiry = apr_psprintf(z->pool, "%" APR_INT64_T_FMT, z->expiry); + apr_table_setn(z->entries, SESSION_EXPIRY, expiry); +-- +2.23.0 + diff --git a/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch b/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch new file mode 100644 index 0000000..553a5d4 --- /dev/null +++ b/backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch 
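Review bot: `identity_count` now stores through `v` as an `apr_size_t *`, but `apr_table_do` passes `v` untyped, so any caller that still hands it an `int *` would get a wider store into a narrower object on LP64 targets instead of a compile error. The hunk widens `length` in `session_identity_encode`, which covers that caller if it is the only one; the rest of that function (the `apr_table_do(identity_count, &length, …)` call and the buffer sized from `length`) is outside the hunk, so it is worth confirming that no remaining `int` consumer of `length`, such as a `%d` format or a second local, narrows it again. A short comment on the callback, `/* v must point to an apr_size_t; accumulates 3 bytes per input byte of key and value plus 2 per pair */`, would document the contract the type change now relies on.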
@@ -0,0 +1,62 @@ +From 73ce13be5aa9ae541472bc6a8a2f7de8dd2db34 Mon Sep 17 00:00:00 2001 +From: Christophe Jaillet +Date: Sat, 19 Feb 2022 13:47:02 UTC +Subject: [PATCH] Merge r1589986 r1589985 r1633528 from trunk + + *) Add the ldap function to the expression API, allowing ldap filters + and distinguished names based on expression to be excaped correctly + to guared against LDAP injection. + +Conflict:NA +Reference:https://github.com/apache/httpd/commit/73ce13be5aa9ae5414772bc6a8a2f7de8dd2db34 + +--- + server/util_expr_eval.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/server/util_expr_eval.c b/server/util_expr_eval.c +index 2e031d0..75295ba 100644 +--- a/server/util_expr_eval.c ++++ b/server/util_expr_eval.c +@@ -32,6 +32,10 @@ + #include "apr_fnmatch.h" + #include "apr_base64.h" + #include "apr_sha1.h" ++#include "apr_version.h" ++#if APR_VERSION_AT_LEAST(1,5,0) ++#include "apr_escape.h" ++#endif + + #include /* for INT_MAX */ + +@@ -1087,9 +1091,16 @@ static const char *sha1_func(ap_expr_eval_ctx_t *ctx, const void *data, + static const char *md5_func(ap_expr_eval_ctx_t *ctx, const void *data, + const char *arg) + { +- return ap_md5(ctx->p, (const unsigned char *)arg); ++ return ap_md5(ctx->p, (const unsigned char *)arg); + } + ++#if APR_VERSION_AT_LEAST(1,6,0) ++static const char *ldap_func(ap_expr_eval_ctx_t *ctx, const void *data, ++ const char *arg) ++{ ++ return apr_pescape_ldap(ctx->p, arg, APR_ESCAPE_STRING, APR_ESCAPE_LDAP_ALL); ++} ++#endif + + #define MAX_FILE_SIZE 10*1024*1024 + static const char *file_func(ap_expr_eval_ctx_t *ctx, const void *data, +@@ -1667,6 +1678,9 @@ static const struct expr_provider_single string_func_providers[] = { + { unbase64_func, "unbase64", NULL, 0 }, + { sha1_func, "sha1", NULL, 0 }, + { md5_func, "md5", NULL, 0 }, ++#if APR_VERSION_AT_LEAST(1,6,0) ++ { ldap_func, "ldap", NULL, 0 }, ++#endif + { NULL, NULL, NULL} + }; + +-- +2.23.0 + 
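Review bot: The Subject line says `Merge r1589986 r1589985 r1633528 from trunk` while the file name (which is what httpd.spec references) uses r1589995; one of the two is wrong and the Subject should be made to match the file. The CHANGES text copied into the message has `excaped` and `guared` for `escaped` and `guard`, and neither the top-level commit Subject nor the spec %changelog entry mentions that this backport adds the `ldap` expression function at all, which a packager reading the changelog would want to know. The `apr_escape.h` include is guarded by `APR_VERSION_AT_LEAST(1,5,0)` while `ldap_func` and its provider entry use `APR_VERSION_AT_LEAST(1,6,0)`; if nothing else in the file needs that header, the 1.6.0 test on the include too keeps the three guards visibly tied to `apr_pescape_ldap()`. The context line `#include /* for INT_MAX */` shows no header name, probably lost in rendering, but if the patch file really lacks it the hunk will not apply; the `ap_md5` line appears to change only whitespace.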
diff --git a/backport-fix-error-HeartbeatMaxServers-default-value.patch b/backport-fix-error-HeartbeatMaxServers-default-value.patch
new file mode 100644
index 0000000..eb5b75f
--- /dev/null
+++ b/backport-fix-error-HeartbeatMaxServers-default-value.patch
@@ -0,0 +1,28 @@
+From b64b0488b12dc81df972bff4747d9b9c68fbad3f Mon Sep 17 00:00:00 2001
+From: jimjag
+Date: Mon May 9 2022 17:54:42 UTC
+Subject: [PATCH] mod_heartmonitor:fix error HeartbeatMaxServers default value
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/b64b0488b12dc81df972bff4747d9b9c68fbad3f
+
+---
+ modules/cluster/mod_heartmonitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
+index 2e8d12d..bfda7f8 100644
+--- a/modules/cluster/mod_heartmonitor.c
++++ b/modules/cluster/mod_heartmonitor.c
+@@ -39,7 +39,7 @@
+ 
+ static const ap_slotmem_provider_t *storage = NULL;
+ static ap_slotmem_instance_t *slotmem = NULL;
+-static int maxworkers = 0;
++static int maxworkers = 10;
+ 
+ module AP_MODULE_DECLARE_DATA heartmonitor_module;
+ 
+-- 
+2.23.0
+
diff --git a/backport-fix-lua-request-with-cast-first.patch b/backport-fix-lua-request-with-cast-first.patch
new file mode 100644
index 0000000..69b8c46
--- /dev/null
+++ b/backport-fix-lua-request-with-cast-first.patch
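Review bot: The new default is a bare literal and nothing in the hunk says where `10` comes from; the Subject only states that the previous value was wrong. A trailing comment, `static int maxworkers = 10; /* HeartbeatMaxServers default */`, ties the value to the directive it backs so the next reader does not have to locate the command handler. If the directive's documentation states the default, that is the value to cite; the handler that overrides `maxworkers` is outside the hunk.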
@@ -0,0 +1,28 @@
+From 1a09953b2439f94714feb03358b793ccbae8a2ca Mon Sep 17 00:00:00 2001
+From: covener
+Date: Wed Jun 1 12:31:19 2022 UTC
+Subject: [PATCH] lua_request:fix lua request with cast first
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/1a09953b2439f94714feb03358b793ccbae8a2ca
+
+---
+ modules/lua/lua_request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index a7e501b..1ba6a2f 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -251,7 +251,7 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
+ if (maxsize != 0 && length > maxsize) {
+ return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
+ }
+- *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
++ *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length) + 1);
+ while ((rpos < length)
+ && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
+ length - rpos)) > 0) {
+-- 
+2.23.0
+
diff --git a/backport-fix-setting-and-comparison-of-IPs-fields.patch b/backport-fix-setting-and-comparison-of-IPs-fields.patch
new file mode 100644
index 0000000..f63808e
--- /dev/null
+++ b/backport-fix-setting-and-comparison-of-IPs-fields.patch
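Review bot: Moving the `+ 1` outside the cast only changes where the addition happens; when `maxsize` is 0 the check above it is skipped and `length` (declared outside the hunk, apparently the same `apr_off_t` width as the `size` parameter) reaches `apr_pcalloc` unbounded, so on a target where `apr_size_t` is narrower than `apr_off_t` a value at or above `APR_SIZE_MAX` is truncated by the cast while the read loop below still iterates toward the untruncated `length`. A guard before the allocation such as `if (length < 0 || (apr_uint64_t)length >= APR_SIZE_MAX) { return APR_EINCOMPLETE; }` makes the cast safe on every platform, and a comment on the allocation line, `/* cast before +1 so the increment is done in apr_size_t */`, records why the operand order matters. lua_read_body starts and ends outside the hunk, so where `length` is assigned and whether every caller passes a non-zero `maxsize` cannot be confirmed from here.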
@@ -0,0 +1,47 @@
+From 1fa621fafde4cc73bdc887b94c0a8b7dade2162b Mon Sep 17 00:00:00 2001
+From: icing
+Date: Tue May 17 13:32:43 2022 UTC
+Subject: [PATCH] mod_heartmonitor:fix setting and comparsion of IPs fields
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/1fa621fafde4cc73bdc887b94c0a8b7dade2162b
+
+---
+ modules/cluster/mod_heartmonitor.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/modules/cluster/mod_heartmonitor.c b/modules/cluster/mod_heartmonitor.c
+index bfda7f8..30db11a 100644
+--- a/modules/cluster/mod_heartmonitor.c
++++ b/modules/cluster/mod_heartmonitor.c
+@@ -171,7 +171,7 @@ static apr_status_t hm_update(void* mem, void *data, apr_pool_t *p)
+ hm_slot_server_t *old = (hm_slot_server_t *) mem;
+ hm_slot_server_ctx_t *s = (hm_slot_server_ctx_t *) data;
+ hm_server_t *new = s->s;
+- if (strncmp(old->ip, new->ip, MAXIPSIZE)==0) {
++ if (strcmp(old->ip, new->ip)==0) {
+ s->found = 1;
+ old->busy = new->busy;
+ old->ready = new->ready;
+@@ -185,7 +185,7 @@ static apr_status_t hm_readid(void* mem, void *data, apr_pool_t *p)
+ hm_slot_server_t *old = (hm_slot_server_t *) mem;
+ hm_slot_server_ctx_t *s = (hm_slot_server_ctx_t *) data;
+ hm_server_t *new = s->s;
+- if (strncmp(old->ip, new->ip, MAXIPSIZE)==0) {
++ if (strcmp(old->ip, new->ip)==0) {
+ s->found = 1;
+ s->item_id = old->id;
+ }
+@@ -202,7 +202,8 @@ static apr_status_t hm_slotmem_update_stat(hm_server_t *s, apr_pool_t *pool)
+ if (!ctx.found) {
+ unsigned int i;
+ hm_slot_server_t hmserver;
+- memcpy(hmserver.ip, s->ip, MAXIPSIZE);
++ memset(&hmserver, 0, sizeof(hmserver));
++ apr_cpystrn(hmserver.ip, s->ip, sizeof(hmserver.ip));
+ hmserver.busy = s->busy;
+ hmserver.ready = s->ready;
+ hmserver.seen = s->seen;
+-- 
+2.23.0
+
diff --git a/backport-make-ap_escape_quotes-work-correctly.patch b/backport-make-ap_escape_quotes-work-correctly.patch
new file mode 100644
index 0000000..03eb2d5
--- /dev/null
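Review bot: `apr_cpystrn()` truncates silently when `s->ip` does not fit in `hmserver.ip`, and the new `strcmp()` in `hm_update` and `hm_readid` then never matches the stored, truncated entry, so every later update for that address would land in the `!ctx.found` branch and take another slot; if the address can exceed `sizeof(hmserver.ip) - 1` at all, the truncation should be logged or rejected at the copy. Replacing `strncmp(…, MAXIPSIZE)` with `strcmp()` also assumes every `ip` already in the slotmem is NUL-terminated, which holds once all writers go through the new `apr_cpystrn()` path but not for a slot written by an older build if the slotmem is persisted across restarts; bounding the compare by `sizeof(old->ip)` costs nothing and removes that dependency. A comment on the copy, `/* zero the whole record so the unused tail of ip[] is NUL, then copy with guaranteed termination */`, would state why both the memset and the bounded copy are needed. The Subject has `comparsion` for `comparison`.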
+++ b/backport-make-ap_escape_quotes-work-correctly.patch 
@@ -0,0 +1,73 @@ +From 229dc3a47e0858a0b6772fa878a60f09ee5293 Mon Sep 17 00:00:00 2001 +From: ylavic +Date: Tue May 24 08:55:16 2022 +Subject: [PATCH] core:make ap_escape_quotes work correctly + +Conflict:NA +Reference:https://github.com/apache/httpd/commit/229dc3ac47e0858a0b67227fa878a60f09ee5293 + +--- + server/util.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/server/util.c b/server/util.c +index 09ac0c5..1e006a3 100644 +--- a/server/util.c ++++ b/server/util.c +@@ -2535,7 +2535,7 @@ AP_DECLARE(void) ap_content_type_tolower(char *str) + */ + AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring) + { +- int newlen = 0; ++ apr_size_t size, extra = 0; + const char *inchr = instring; + char *outchr, *outstring; + +@@ -2544,9 +2544,8 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring) + * string up by an extra byte each time we find an unescaped ". + */ + while (*inchr != '\0') { +- newlen++; + if (*inchr == '"') { +- newlen++; ++ extra++; + } + /* + * If we find a slosh, and it's not the last byte in the string, +@@ -2554,11 +2553,31 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring) + */ + if ((*inchr == '\\') && (inchr[1] != '\0')) { + inchr++; +- newlen++; + } + inchr++; + } +- outstring = apr_palloc(p, newlen + 1); ++ if (!extra) { ++ return apr_pstrdup(p, instring); ++ } ++ ++ /* How large will the string become, once we escaped all the quotes? ++ * The tricky cases are ++ * - an `instring` that is already longer than `ptrdiff_t` ++ * can hold (which is an undefined case in C, as C defines ptrdiff_t as ++ * a signed difference between pointers into the same array and one index ++ * beyond). ++ * - an `instring` that, including the `extra` chars we want to add, becomes ++ * even larger than apr_size_t can handle. ++ * Since thsi function was nto designed to ever return NULL for failure, we ++ * can only trigger a hard assertion failure. 
It seems more a programming ++ * mistake (or failure to verify the input causing this) that leads to this ++ * situation. ++ */ ++ ap_assert(inchr - instring > 0); ++ size = ((apr_size_t)(inchr - instring)) + 1; ++ ap_assert(size + extra > size); ++ ++ outstring = apr_palloc(p, size + extra); + inchr = instring; + outchr = outstring; + /* +-- +2.23.0 + diff --git a/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch b/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch new file mode 100644 index 0000000..32ccca0 --- /dev/null +++ b/backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch 
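Review bot: The new comment block has `thsi` and `nto` for `this` and `not` in `Since thsi function was nto designed to ever return NULL for failure`; it is the only explanation of why the function aborts instead of failing, so it should read cleanly in the backport. Both `ap_assert()` calls terminate the process rather than return, which the comment justifies, but the first one, `ap_assert(inchr - instring > 0)`, is only reachable when `extra` is non-zero because the empty-string case already returned through `apr_pstrdup`; a one-line comment such as `/* extra > 0 implies at least one byte was scanned */` saves the reader from re-deriving that. The copy loop that fills `outstring` is outside the hunk, so whether its accounting agrees with `size + extra` cannot be confirmed here. The `From` id of this file is shorter than a SHA-1 and differs from `Reference:`, as noted on backport-Handle-children-killed-pathologically.patch.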
@@ -0,0 +1,39 @@ +From 960d719aa31c35a8aac99b1fa413df7a91085bbd Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Tue, 8 Feb 2022 12:28:37 UTC +Subject: [PATCH] mod_md do not interfere with requests to well known acme challenge +resources if challenge type 'http-01' is not configure for a domain. +Fixex . + +git-svn-id:https://svn.apache.org/repos/afs/httpd/httpd/branches/2.4.x@1897865 + +Conflict:NA +Reference:https://github.com/apache/httpd/commit/960d719aa31c35a8aac99b1fa413df7a91085bbd + +--- + modules/md/mod_md.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c +index 8b379eb..c929168 100644 +--- a/modules/md/mod_md.c ++++ b/modules/md/mod_md.c +@@ -1347,6 +1347,15 @@ static int md_http_challenge_pr(request_rec *r) + md = md_get_by_domain(sc->mc->mds, r->hostname); + name = r->parsed_uri.path + sizeof(ACME_CHALLENGE_PREFIX)-1; + reg = sc && sc->mc? sc->mc->reg : NULL; ++ ++ if (md && md->ca_challenges ++ && md_array_str_index(md->ca_challenges, MD_AUTHZ_CHA_HTTP_01, 0, 1) < 0) { ++ /* The MD this chanllenge is for dose nto allow http-01 challanges, ++ * we have to decline. See #279 for a setup example where this ++ * is necessary. ++ */ ++ return DECLINED; ++ } + + if (strlen(name) && !ap_strchr_c(name, '/') && reg) { + md_store_t *store = md_reg_store_get(reg); +-- +2.23.0 + diff --git a/httpd.spec b/httpd.spec index f4862fb..45d723f 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.51 -Release: 10 +Release: 11 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 
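Review bot: The new comment reads `The MD this chanllenge is for dose nto allow http-01 challanges`, three typos in the only explanation the decline path has (`challenge`, `does not`, `challenges`); since it also points at `#279` as the motivating setup, it should read cleanly. The commit message is damaged as well: `Fixex .` has lost both the verb and the issue reference it introduced, `configure` should be `configured`, and the git-svn-id path `repos/afs/` looks like a transposition of `repos/asf/`. This mod_md change is absent from the top-level commit Subject although the spec %changelog lists it, so the two should be brought into agreement. The context line above the new block dereferences `sc->mc` before the `sc && sc->mc` test on the next line, presumably because md_http_challenge_pr, which starts outside the hunk, already rejected a null `sc`; that is worth confirming rather than assuming.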
@@ -86,6 +86,14 @@ Patch32: backport-CVE-2022-26377.patch Patch33: backport-CVE-2022-30522.patch Patch34: backport-CVE-2022-30556.patch Patch35: backport-CVE-2022-28330.patch +Patch36: backport-fix-error-HeartbeatMaxServers-default-value.patch +Patch37: backport-fix-setting-and-comparison-of-IPs-fields.patch +Patch38: backport-Harden-mod_session-and-avoid-overflow-of-large-session.patch +Patch39: backport-make-ap_escape_quotes-work-correctly.patch +Patch40: backport-fix-lua-request-with-cast-first.patch +Patch41: backport-Handle-children-killed-pathologically.patch +Patch42: backport-Merge-r1589986-r1589995-r1633528-from-trunk.patch +Patch43: backport-mod_md-do-not-interfere-with-requests-to-well-known-acme-challenge.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -518,6 +526,18 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Dec 14 2022 chengyechun - 2.4.51-11 +- Type:bugfix +- ID: +- SUG:restart +- DESC:change default value of HeartbeatMaxServers + fix setting and comparison of IPs fileds + avoid voerflow in case of indecently large session + make ap_escape_quotes() work correctly + fix lua_request with cast first + Handle children killed pathologically + mod_md do not interfere with requests if challenge type http-01 + * Mon Dec 12 2022 chengyechun - 2.4.51-10 - Type:bugfix - ID: