From 7c0dc3ccb32ee21000826c2c5038c4a6f0b5e444 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Tue, 7 May 2024 06:32:01 +0200
Subject: Adding debian version 2.4.38-3+deb10u10.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 debian/tests/CVE-2023-25690 | 110 ++++++++++++++++++++++++++++++++++
 debian/tests/control        |   8 +++
 debian/tests/uwsgi          | 142 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 260 insertions(+)
 create mode 100644 debian/tests/CVE-2023-25690
 create mode 100644 debian/tests/uwsgi

(limited to 'debian/tests')

diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690
new file mode 100644
index 0000000..2aa916f
--- /dev/null
+++ b/debian/tests/CVE-2023-25690
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# test CVE-2023-25690
+set -eux
+
+RC=0
+fail () {
+	echo "FAIL: $@" >&2
+	RC=1
+}
+
+
+function exit_handler()
+{
+    # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
+    chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true
+    systemctl status apache2.service || true
+    systemctl stop apache2 || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_http
+a2enmod rewrite
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/ports.conf <<'EOF'
+Listen 80
+Listen 8080
+EOF
+
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:8080>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog ${APACHE_LOG_DIR}/error.8080.log
+	CustomLog ${APACHE_LOG_DIR}/access.8080.log combined
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+</VirtualHost>
+<VirtualHost *:80>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+	LogLevel alert rewrite:trace6
+	LogLevel error proxy:trace6
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+	RewriteEngine on
+	RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
+	ProxyPassReverse "/here/"  "http://localhost:8080/"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"
+wget -S -q --output-document - "$CHOKEURL" || true
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '
+
+cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1
+
+exit 0
+
diff --git a/debian/tests/control b/debian/tests/control
index cb45689..e2d3875 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -27,3 +27,11 @@ Tests: chroot
 Features: no-build-needed
 Restrictions: needs-root allow-stderr breaks-testbed
 Depends: apache2, wget, dpkg-dev
+
+Tests: uwsgi
+Restrictions: allow-stderr, needs-root
+Depends: apache2, libapache2-mod-proxy-uwsgi, uwsgi, wget, uwsgi-plugin-python, rsync, netcat-openbsd | netcat-traditional
+
+Tests: CVE-2023-25690
+Restrictions: allow-stderr, needs-root
+Depends: apache2, rsync, curl, wget
diff --git a/debian/tests/uwsgi b/debian/tests/uwsgi
new file mode 100644
index 0000000..fd51b82
--- /dev/null
+++ b/debian/tests/uwsgi
@@ -0,0 +1,142 @@
+#!/bin/bash
+set -eux
+
+RC=0
+fail () {
+	echo "FAIL: $@" >&2
+	RC=1
+}
+
+
+function exit_handler()
+{
+    systemctl stop apache2 || true
+    if test -f /run/uwsgi/uwsgi.pid; then
+	kill -TERM $(cat /run/uwsgi/uwsgi.pid)
+    fi
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.log || true
+    cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.error.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_uwsgi
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+<VirtualHost *:80>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+	ProxyPass "/uwsgi" "unix:/run/uwsgi/test.socket|uwsgi://localhost"
+</VirtualHost>
+EOF
+
+systemctl restart apache2
+
+test -d /etc/uwsgi/ || mkdir /etc/uwsgi
+
+
+
+tee /etc/systemd/system/uwsgi-app@.socket <<EOF
+[Unit]
+Description=Socket for uWSGI app %i
+
+[Socket]
+ListenStream=/run/uwsgi/%i.socket
+SocketUser=www-%i
+SocketGroup=www-data
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
+EOF
+
+tee /etc/systemd/system/uwsgi-app@.service <<EOF
+[Unit]
+Description=%i uWSGI app
+After=syslog.target
+
+[Service]
+ExecStart=/usr/bin/uwsgi \
+        --ini /etc/uwsgi/apps-available/%i.ini \
+        --socket /run/uwsgi/%i.socket
+User=www-%i
+Group=www-data
+Restart=on-failure
+KillSignal=SIGQUIT
+Type=notify
+StandardError=file:/var/log/apache2/uwsgi.error.log
+StandardOutput=file:/var/log/apache2/uwsgi.log
+NotifyAccess=all
+EOF
+
+systemctl daemon-reload
+
+useradd uwsgi_test
+useradd www-test
+
+tee /etc/uwsgi/apps-available/test.ini <<EOF
+[uwsgi]
+chdir=/tmp
+master=True
+cheap=True
+die-on-idle=True
+manage-script-name=True
+plugin=python
+wsgi-file=/tmp/uwsgi.py
+EOF
+
+
+tee /tmp/uwsgi.py <<'EOF'
+import wsgiref.headers as h
+def application(env, start_response):
+    buggy_header=('buggy','buggy#\r\nbuggy2:buggy2')
+    start_response('200 OK', [('Content-Type','text/html'),buggy_header])
+    ret = b"Hello World Headers {}".format(env)
+    return [ret]
+EOF
+chown www-test.www-test /tmp/uwsgi.py
+chmod +x /tmp/uwsgi.py
+
+systemctl enable uwsgi-app@test.socket
+systemctl enable uwsgi-app@test.service
+systemctl start uwsgi-app@test.socket
+systemctl restart apache2
+
+
+wget -S -q --output-document - http://localhost/uwsgi
+wget -q --output-document - http://localhost/uwsgi | grep "^Hello World"
+
+exit $RC
+-
-- 
cgit v1.2.3