authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-25 04:41:28 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-25 04:41:28 +0000
commit2eeb62e38ae17a3523ad3cd81c3de9f20f9e7742 (patch)
treefe91033d4712f6d836006b998525656b9dd193b8 /debian/patches/0052-CVE-2023-27522-HTTP-Response-Smuggling-mod_proxy_uws.patch
parentMerging upstream version 2.4.59. (diff)
Adding debian version 2.4.59-1~deb10u1.debian/2.4.59-1_deb10u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/0052-CVE-2023-27522-HTTP-Response-Smuggling-mod_proxy_uws.patch')
-rw-r--r--debian/patches/0052-CVE-2023-27522-HTTP-Response-Smuggling-mod_proxy_uws.patch120
1 files changed, 0 insertions, 120 deletions
diff --git a/debian/patches/0052-CVE-2023-27522-HTTP-Response-Smuggling-mod_proxy_uws.patch b/debian/patches/0052-CVE-2023-27522-HTTP-Response-Smuggling-mod_proxy_uws.patch
deleted file mode 100644
index f39fa72..0000000
--- a/debian/patches/0052-CVE-2023-27522-HTTP-Response-Smuggling-mod_proxy_uws.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From: Eric Covener <covener@apache.org>
-Date: Sun, 5 Mar 2023 20:22:52 +0000
-Subject: CVE-2023-27522: HTTP Response Smuggling mod_proxy_uwsgi
-
-HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.
-This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
-Special characters in the origin response header can truncate/split the response forwarded to the client.
-
-mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation
-
-Reviewed By: ylavic, covener, gbechis, rpluem
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908094 13f79535-47bb-0310-9956-ffa450edef68
-origin: https://github.com/apache/httpd/commit/d753ea76b5972a85349b68c31b59d04c60014f2d.patch
-bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
-bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-27522
-bug-cve: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522
----
- .../proxy_uwsgi_response_validation.txt | 2 +
- modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++-------
- 2 files changed, 37 insertions(+), 14 deletions(-)
- create mode 100644 changes-entries/proxy_uwsgi_response_validation.txt
-
-diff --git a/changes-entries/proxy_uwsgi_response_validation.txt b/changes-entries/proxy_uwsgi_response_validation.txt
-new file mode 100644
-index 0000000..2cdb6c6
---- /dev/null
-+++ b/changes-entries/proxy_uwsgi_response_validation.txt
-@@ -0,0 +1,2 @@
-+ *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
-+ [Yann Ylavic]
-diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
-index ebe16e8..9ba10b9 100644
---- a/modules/proxy/mod_proxy_uwsgi.c
-+++ b/modules/proxy/mod_proxy_uwsgi.c
-@@ -303,18 +303,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
- pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
-
- len = ap_getline(buffer, sizeof(buffer), rp, 1);
--
- if (len <= 0) {
-- /* oops */
-+ /* invalid or empty */
- return HTTP_INTERNAL_SERVER_ERROR;
- }
--
- backend->worker->s->read += len;
--
-- if (len >= sizeof(buffer) - 1) {
-- /* oops */
-+ if ((apr_size_t)len >= sizeof(buffer)) {
-+ /* too long */
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-+
- /* Position of http status code */
- if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
- status_start = 9;
-@@ -323,8 +321,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
- status_start = 7;
- }
- else {
-- /* oops */
-- return HTTP_INTERNAL_SERVER_ERROR;
-+ /* not HTTP */
-+ return HTTP_BAD_GATEWAY;
- }
- status_end = status_start + 3;
-
-@@ -344,21 +342,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
- }
- r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
-
-- /* start parsing headers */
-+ /* parse headers */
- while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
-+ if ((apr_size_t)len >= sizeof(buffer)) {
-+ /* too long */
-+ len = -1;
-+ break;
-+ }
- value = strchr(buffer, ':');
-- /* invalid header skip */
-- if (!value)
-- continue;
-- *value = '\0';
-- ++value;
-+ if (!value) {
-+ /* invalid header */
-+ len = -1;
-+ break;
-+ }
-+ *value++ = '\0';
-+ if (*ap_scan_http_token(buffer)) {
-+ /* invalid name */
-+ len = -1;
-+ break;
-+ }
- while (apr_isspace(*value))
- ++value;
- for (end = &value[strlen(value) - 1];
- end > value && apr_isspace(*end); --end)
- *end = '\0';
-+ if (*ap_scan_http_field_content(value)) {
-+ /* invalid value */
-+ len = -1;
-+ break;
-+ }
- apr_table_add(r->headers_out, buffer, value);
- }
-+ if (len < 0) {
-+ /* Reset headers, but not to NULL because things below the chain expect
-+ * this to be non NULL e.g. the ap_content_length_filter.
-+ */
-+ r->headers_out = apr_table_make(r->pool, 1);
-+ return HTTP_BAD_GATEWAY;
-+ }
-
- if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
- ap_set_content_type(r, apr_pstrdup(r->pool, buf));