Package: release.debian.org Severity: normal Tags: security X-Debbugs-Cc: [email protected], [email protected], Debian Security Team <[email protected]> Control: affects -1 + src:modsecurity-apache User: [email protected] Usertags: pu
[ Reason ] Fix for CVE-2025-54571. Re: #1110480 [ Impact ] Potential for XSS and arbitrary script source code disclosure [ Tests ] Fixed upstream. [ Risks ] Low risk, simple patch. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Changes in return codes and simplified error handling. Remove unused patch.
diff -Nru modsecurity-apache-2.9.11/debian/changelog modsecurity-apache-2.9.11/debian/changelog --- modsecurity-apache-2.9.11/debian/changelog 2025-07-02 11:23:42.000000000 +0200 +++ modsecurity-apache-2.9.11/debian/changelog 2025-08-07 13:40:00.000000000 +0200 @@ -1,3 +1,10 @@ +modsecurity-apache (2.9.11-1+deb13u1) trixie; urgency=medium + + * Add patch against new CVE; Fixes CVE-2025-54571 (Closes: #1110480) + * Remove d/patches/aclocal.patch, not necessary + + -- Ervin Hegedüs <[email protected]> Thu, 07 Aug 2025 13:40:00 +0200 + modsecurity-apache (2.9.11-1) unstable; urgency=medium [ Ervin Hegedüs ] diff -Nru modsecurity-apache-2.9.11/debian/patches/aclocal.patch modsecurity-apache-2.9.11/debian/patches/aclocal.patch --- modsecurity-apache-2.9.11/debian/patches/aclocal.patch 2025-06-05 10:43:35.000000000 +0200 +++ modsecurity-apache-2.9.11/debian/patches/aclocal.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,18 +0,0 @@ -Description: Fix aclocal-1.16 dependency -Author: Ervin Hegedüs <[email protected]> -Last-Update: 2025-05-22 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ---- a/Makefile.in -+++ b/Makefile.in -@@ -183,8 +183,8 @@ - $(top_srcdir)/tests/regression/misc/60-pmfromfile-external.t.in \ - $(top_srcdir)/tests/regression/server_root/conf/httpd.conf.in \ - README.md build/ar-lib build/compile build/config.guess \ -- build/config.sub build/depcomp build/install-sh \ -- build/ltmain.sh build/missing -+ build/config.sub build/install-sh build/ltmain.sh \ -+ build/missing - DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - distdir = $(PACKAGE)-$(VERSION) - top_distdir = $(distdir) diff -Nru modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff --- modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff 1970-01-01 01:00:00.000000000 +0100 +++ modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff 2025-08-07 13:40:00.000000000 +0200 
@@ -0,0 +1,211 @@ +Description: Fix CVE-2025-54571 +Author: Ervin Hegedüs <[email protected]> +Last-Update: 2025-08-07 +--- a/apache2/apache2_io.c ++++ b/apache2/apache2_io.c +@@ -192,27 +192,29 @@ + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Input filter: This request does not have a body."); + } +- return 0; ++ return APR_SUCCESS; + } + + if (msr->txcfg->reqbody_access != 1) { + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Input filter: Request body access not enabled."); + } +- return 0; ++ return APR_SUCCESS; + } + + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Input filter: Reading request body."); + } + if (modsecurity_request_body_start(msr, error_msg) < 0) { +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + finished_reading = 0; + msr->if_seen_eos = 0; + bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc); +- if (bb_in == NULL) return -1; ++ if (bb_in == NULL) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + do { + apr_status_t rc; + +@@ -222,25 +224,17 @@ + * too large and APR_EGENERAL when the client disconnects. + */ + switch(rc) { +- case APR_INCOMPLETE : +- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -7; +- case APR_EOF : +- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -6; +- case APR_TIMEUP : +- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -4; + case AP_FILTER_ERROR : + *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. 
(Most likely.)"); +- return -3; ++ break; + case APR_EGENERAL : + *error_msg = apr_psprintf(msr->mp, "Error reading request body: Client went away."); +- return -2; ++ break; + default : + *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -1; ++ break; + } ++ return ap_map_http_request_error(rc, HTTP_BAD_REQUEST); + } + + /* Loop through the buckets in the brigade in order +@@ -256,7 +250,7 @@ + rc = apr_bucket_read(bucket, &buf, &buflen, APR_BLOCK_READ); + if (rc != APR_SUCCESS) { + *error_msg = apr_psprintf(msr->mp, "Failed reading input / bucket (%d): %s", rc, get_apr_error(msr->mp, rc)); +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + if (msr->txcfg->debuglog_level >= 9) { +@@ -269,7 +263,7 @@ + if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) { + *error_msg = apr_psprintf(msr->mp, "Request body is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_limit); +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } else if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) { + + *error_msg = apr_psprintf(msr->mp, "Request body is larger than the " +@@ -290,7 +284,7 @@ + *error_msg = apr_psprintf(msr->mp, "Request body is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_limit); + +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } + } + +@@ -300,7 +294,7 @@ + modsecurity_request_body_to_stream(msr, buf, buflen, error_msg); + #else + if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) { +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + #endif + } +@@ -319,7 +313,7 @@ + if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) { + *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the " + "configured limit 
(%ld).", msr->txcfg->reqbody_no_files_limit); +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } else if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) { + *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit); +@@ -329,12 +323,12 @@ + } else { + *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit); +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } + } + + if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + } +@@ -357,7 +351,13 @@ + + msr->if_status = IF_STATUS_WANTS_TO_RUN; + +- return rcbe; ++ if (rcbe == -5) { ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; ++ } ++ if (rcbe < 0) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } ++ return APR_SUCCESS; + } + + +--- a/apache2/mod_security2.c ++++ b/apache2/mod_security2.c +@@ -1032,56 +1032,15 @@ + } + + rc = read_request_body(msr, &my_error_msg); +- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) { +- switch(rc) { +- case -1 : +- if (my_error_msg != NULL) { +- msr_log(msr, 1, "%s", my_error_msg); +- } +- return HTTP_INTERNAL_SERVER_ERROR; +- break; +- case -4 : /* Timeout. */ +- if (my_error_msg != NULL) { +- msr_log(msr, 4, "%s", my_error_msg); +- } +- r->connection->keepalive = AP_CONN_CLOSE; +- return HTTP_REQUEST_TIME_OUT; +- break; +- case -5 : /* Request body limit reached. */ +- msr->inbound_error = 1; +- if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) { +- r->connection->keepalive = AP_CONN_CLOSE; +- if (my_error_msg != NULL) { +- msr_log(msr, 1, "%s. 
Deny with code (%d)", my_error_msg, HTTP_REQUEST_ENTITY_TOO_LARGE); +- } +- return HTTP_REQUEST_ENTITY_TOO_LARGE; +- } else { +- if (my_error_msg != NULL) { +- msr_log(msr, 1, "%s", my_error_msg); +- } +- } +- break; +- case -6 : /* EOF when reading request body. */ +- if (my_error_msg != NULL) { +- msr_log(msr, 4, "%s", my_error_msg); +- } +- r->connection->keepalive = AP_CONN_CLOSE; +- return HTTP_BAD_REQUEST; +- break; +- case -7 : /* Partial recieved */ +- if (my_error_msg != NULL) { +- msr_log(msr, 4, "%s", my_error_msg); +- } +- r->connection->keepalive = AP_CONN_CLOSE; +- return HTTP_BAD_REQUEST; +- break; +- default : +- /* allow through */ +- break; ++ if (rc != OK) { ++ if (my_error_msg != NULL) { ++ msr_log(msr, 1, "%s", my_error_msg); + } +- +- msr->msc_reqbody_error = 1; +- msr->msc_reqbody_error_msg = my_error_msg; ++ if (rc == HTTP_REQUEST_ENTITY_TOO_LARGE) { ++ msr->inbound_error = 1; ++ } ++ r->connection->keepalive = AP_CONN_CLOSE; ++ return rc; + } + + /* Update the request headers. They might have changed after diff -Nru modsecurity-apache-2.9.11/debian/patches/series modsecurity-apache-2.9.11/debian/patches/series --- modsecurity-apache-2.9.11/debian/patches/series 2025-06-05 10:43:35.000000000 +0200 +++ modsecurity-apache-2.9.11/debian/patches/series 2025-08-07 13:40:00.000000000 +0200 @@ -1,3 +1,3 @@ -aclocal.patch debian_log_dir.patch improve_defaults.patch +cve-2025-54571.diff
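Review bot: The new `if (rc != OK) { ... return rc; }` branch after `read_request_body()` in the apache2/mod_security2.c part of the added patch no longer tests `msr->txcfg->is_enabled == MODSEC_ENABLED`, so a body-read failure now ends the request in every engine mode rather than only when blocking is enabled. The apache2/apache2_io.c part widens behaviour in the same way: at the end of what is presumably `read_request_body`, `rcbe == -5` becomes `HTTP_REQUEST_ENTITY_TOO_LARGE` without the `if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT` test that the removed caller code applied. The assignment of `rcbe` is outside the hunk, so whether -5 can occur under the partial-processing action needs confirming. Failing closed looks like the intent of the fix, so it should be recorded where operators will read it: a comment above the branch such as `/* Fail closed in every engine mode: later phases must not run on a body that could not be read. */`, and a d/changelog line saying that non-blocking and partial-processing setups may now return 4xx/5xx for such requests. Every failure is also logged at level 1 where timeouts, EOF and partial reads used level 4, which lets client aborts fill the error log; `msr_log(msr, (rc == HTTP_BAD_REQUEST || rc == HTTP_REQUEST_TIME_OUT) ? 4 : 1, "%s", my_error_msg);` would keep the old split, and both functions begin and end outside the hunks shown.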

