Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi,

This [1] security bug was found in modsecurity-crs. After contacting the security team, they said a DSA was not necessary and that I should proceed through p-u. So here's the debdiff. Hope it's all OK. I'll wait for your instructions before uploading.

Cheers,

Alberto

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943773

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru modsecurity-crs-3.1.0/debian/changelog modsecurity-crs-3.1.0/debian/changelog --- modsecurity-crs-3.1.0/debian/changelog 2019-11-03 14:34:05.000000000 +0100 +++ modsecurity-crs-3.1.0/debian/changelog 2018-11-27 09:12:54.000000000 +0100 @@ -1,10 +1,3 @@ -modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium - - * Add upstream patch to fix php script upload rules. - CVE-2019-13464 (Closes: #943773) - - -- Alberto Gonzalez Iniesta <[email protected]> Sun, 03 Nov 2019 14:34:05 +0100 - modsecurity-crs (3.1.0-1) unstable; urgency=medium * New upstream release. diff -Nru modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch --- modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 2019-11-03 14:30:47.000000000 +0100 +++ modsecurity-crs-3.1.0/debian/patches/CVE-2019-13464.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,102 +0,0 @@ -From 6090d6b0a90417f1a60aa68a01eb777cef2e1184 Mon Sep 17 00:00:00 2001 -From: "Federico G. Schwindt" <[email protected]> -Date: Sat, 4 May 2019 11:03:52 +0100 -Subject: [PATCH] Also handle dot variant of X_Filename - -PHP will transform dots to underscore in variable names since dot is -invalid. ---- - rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 +- - .../933110.yaml | 60 +++++++++++++++++++ - 2 files changed, 62 insertions(+), 2 deletions(-) - -Index: modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf -=================================================================== ---- modsecurity-crs.orig/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 2019-11-03 14:30:34.410293645 +0100 -+++ modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf 2019-11-03 14:30:34.406293506 +0100 -@@ -86,7 +86,7 @@ - # X_Filename, or X-File-Name to transmit the file name to the server; - # scan these request headers as well as multipart/form-data file names. - # --SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ -+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \ - "id:933110,\ - phase:2,\ - block,\ -@@ -601,7 +601,7 @@ - # - # This rule is a stricter sibling of rule 933110. 
- # --SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ -+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \ - "id:933111,\ - phase:2,\ - block,\ -Index: modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml -=================================================================== ---- modsecurity-crs.orig/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml 2019-11-03 14:30:34.410293645 +0100 -+++ modsecurity-crs/util/regression-tests/tests/REQUEST-933-APPLICATION-ATTACK-PHP/933110.yaml 2019-11-03 14:30:34.406293506 +0100 -@@ -288,3 +288,63 @@ - uri: / - output: - no_log_contains: id "933110" -+ - -+ test_title: 933110-20 -+ desc: PHP script uploads -+ stages: -+ - stage: -+ input: -+ dest_addr: 127.0.0.1 -+ headers: -+ Host: localhost -+ User-Agent: ModSecurity CRS 3 Tests -+ X.Filename: a.php -+ port: 80 -+ uri: /upload2 -+ output: -+ log_contains: id "933110" -+ - -+ test_title: 933110-21 -+ desc: PHP script uploads -+ stages: -+ - stage: -+ input: -+ dest_addr: 127.0.0.1 -+ headers: -+ Host: localhost -+ User-Agent: ModSecurity CRS 3 Tests -+ X.Filename: fda.php5... -+ port: 80 -+ uri: /upload6 -+ output: -+ log_contains: id "933110" -+ - -+ test_title: 933110-22 -+ desc: PHP script uploads -+ stages: -+ - stage: -+ input: -+ dest_addr: 127.0.0.1 -+ headers: -+ Host: localhost -+ User-Agent: ModSecurity CRS 3 Tests -+ X.Filename: fthisfewfda.php. -+ port: 80 -+ uri: /upload7 -+ output: -+ log_contains: id "933110" -+ - -+ test_title: 933110-23 -+ desc: PHP script uploads -+ stages: -+ - stage: -+ input: -+ dest_addr: 127.0.0.1 -+ headers: -+ Host: localhost -+ User-Agent: ModSecurity CRS 3 Tests -+ X.Filename: fthi/sfewfda.phtml987... 
-+ port: 80 -+ uri: / -+ output: -+ no_log_contains: id "933110" diff -Nru modsecurity-crs-3.1.0/debian/patches/series modsecurity-crs-3.1.0/debian/patches/series --- modsecurity-crs-3.1.0/debian/patches/series 2019-11-03 14:30:28.000000000 +0100 +++ modsecurity-crs-3.1.0/debian/patches/series 2016-11-14 19:38:28.000000000 +0100 @@ -1,2 +1 @@ fix_paths -CVE-2019-13464.patch
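Review bot: the debdiff is reversed, so as posted it removes the fix instead of adding it. In the changelog hunk the new `modsecurity-crs (3.1.0-1+deb10u1) buster; urgency=medium` entry carries `-` markers and the `+++` header points at the 2018 file, the patch file hunk reads `@@ -1,102 +0,0 @@`, and the series hunk ends with `-CVE-2019-13464.patch`. Regenerate with the old source as the first argument (`debdiff old.dsc new.dsc`, or `diff -Nru old new`) so the changelog entry, the patch and the series line all appear as additions before this goes to the release team.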
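Review bot: the patch file carries only the git-format-patch `From:`/`Date:`/`Subject:` headers. Add DEP-3 metadata at the top, at least `Origin:` naming upstream commit 6090d6b0a90417f1a60aa68a01eb777cef2e1184 and `Bug-Debian: https://bugs.debian.org/943773`, so the CVE-2019-13464 provenance is recorded in the patch itself and not only in the changelog entry.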
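Review bot: the 933111 hunk adds `REQUEST_HEADERS:X.Filename` exactly as the 933110 hunk does, but the regression tests added in this patch (933110-20 to 933110-23) only exercise rule 933110. Add at least one `X.Filename` case to the 933111 tests (the stricter sibling rejects names such as `a.php.jpg`, per its `\..*$` tail), otherwise the second half of the change ships untested.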

