Package: release.debian.org Severity: normal Tags: security X-Debbugs-Cc: [email protected], [email protected], Debian Security Team <[email protected]> Control: affects -1 + src:modsecurity User: [email protected] Usertags: pu
[ Reason ] Fixes for CVE-2026-42268 and CVE-2026-30923. [ Impact ] Loop bounds that underflow when the inspected value is shorter than two bytes (including an empty value) can lead to segmentation faults in libmodsecurity, i.e. a denial of service triggered by request data that reaches the hexDecode transformation or the verifyCPF/verifySSN/verifySVNR operators. [ Tests ] Fixed and tested by upstream; both patches also add regression cases to the secrules-language test suite (hexDecode.json, verifycpf.json, verifyssn.json, verifysvnr.json). [ Risks ] Low risk: each patch changes a single loop condition. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Rewrite the iteration loops in hexDecode and in the verifyCPF/verifySSN/verifySVNR operators so that the upper bound cannot underflow on empty or one-byte input.
diff -Nru modsecurity-3.0.9/debian/changelog modsecurity-3.0.9/debian/changelog --- modsecurity-3.0.9/debian/changelog 2023-09-25 14:43:11.000000000 +0200 +++ modsecurity-3.0.9/debian/changelog 2026-04-30 17:13:44.000000000 +0200 @@ -1,3 +1,10 @@ +modsecurity (3.0.9-1+deb12u2) bookworm; urgency=medium + + [ Ervin Hegedus ] + * Add fixes for CVE-2026-30923 and 2026-42268 + + -- Hegedüs Ervin <[email protected]> Thu, 30 Apr 2026 17:13:44 +0200 + modsecurity (3.0.9-1+deb12u1) bookworm; urgency=medium * Applied upstream patch to fix DoS. diff -Nru modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch --- modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch 1970-01-01 01:00:00.000000000 +0100 +++ modsecurity-3.0.9/debian/patches/fix-CVE-2026-30923.patch 2026-04-30 17:13:44.000000000 +0200 
@@ -0,0 +1,39 @@ +From: Ervin Hegedus <[email protected]> +Date: Thu, 30 Apr 2026 16:58:17 +0200 +Subject: fix-CVE-2026-30923 + +--- + src/actions/transformations/hex_decode.cc | 2 +- + .../secrules-language-tests/transformations/hexDecode.json | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/actions/transformations/hex_decode.cc b/src/actions/transformations/hex_decode.cc +index e626bc5..e5df0e8 100644 +--- a/src/actions/transformations/hex_decode.cc ++++ b/src/actions/transformations/hex_decode.cc +@@ -64,7 +64,7 @@ int HexDecode::inplace(unsigned char *data, int len) { + return 0; + } + +- for (i = 0; i <= len - 2; i += 2) { ++ for (std::string::size_type i = 0; i + 1 < len; i += 2) { + *d++ = utils::string::x2c(&data[i]); + count++; + } +diff --git a/test/test-cases/secrules-language-tests/transformations/hexDecode.json b/test/test-cases/secrules-language-tests/transformations/hexDecode.json +index 664fbd8..907a092 100644 +--- a/test/test-cases/secrules-language-tests/transformations/hexDecode.json ++++ b/test/test-cases/secrules-language-tests/transformations/hexDecode.json +@@ -40,5 +40,12 @@ + "input" : "01234567890a0", + "output" : "\\x01#Eg\\x89\\x0a", + "ret" : 1 ++ }, ++ { ++ "type" : "tfn", ++ "name" : "hexDecode", ++ "input" : "a", ++ "output" : "", ++ "ret" : 1 + } + ] diff -Nru modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch --- modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch 1970-01-01 01:00:00.000000000 +0100 +++ modsecurity-3.0.9/debian/patches/fix-CVE-2026-42268.patch 2026-04-30 17:13:44.000000000 +0200 
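Review bot: The new condition `i + 1 < len` compares an unsigned `std::string::size_type` with the signed `int len` shown in the hunk header, so `len` is converted to unsigned and a negative `len` would wrap to a huge bound and reintroduce the read past `data` that this patch is meant to stop. The `return 0` two lines above the loop presumably rejects that case, but its condition is outside the hunk, so the safe form is to make the bound explicit, e.g. `if (len <= 0) return 0;` followed by `const auto n = static_cast<std::string::size_type>(len);` and `for (std::string::size_type i = 0; i + 1 < n; i += 2)`. The loop now declares its own `i`, so the `i` the removed line relied on (declared earlier in `inplace`, outside the hunk) is presumably left unused or shadowed and should be dropped to keep `-Wshadow`/`-Wunused-variable` builds clean. The body of `HexDecode::inplace` starts and ends outside the hunk.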
@@ -0,0 +1,111 @@ +From: Ervin Hegedus <[email protected]> +Date: Thu, 30 Apr 2026 17:03:11 +0200 +Subject: fix-CVE-2026-42268 + +--- + src/operators/verify_cpf.cc | 2 +- + src/operators/verify_ssn.cc | 2 +- + src/operators/verify_svnr.cc | 2 +- + .../secrules-language-tests/operators/verifycpf.json | 10 +++++++--- + .../secrules-language-tests/operators/verifyssn.json | 9 +++++++-- + .../secrules-language-tests/operators/verifysvnr.json | 10 +++++++--- + 6 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/src/operators/verify_cpf.cc b/src/operators/verify_cpf.cc +index 778584d..09d19a4 100644 +--- a/src/operators/verify_cpf.cc ++++ b/src/operators/verify_cpf.cc +@@ -118,7 +118,7 @@ bool VerifyCPF::evaluate(Transaction *t, RuleWithActions *rule, + return false; + } + +- for (i = 0; i < input.size() - 1 && is_cpf == false; i++) { ++ for (size_t i = 0; i + 1 < input.size() && !is_cpf; i++) { + matches = m_re->searchAll(input.substr(i, input.size())); + for (const auto & m : matches) { + is_cpf = verify(m.str().c_str(), m.str().size()); +diff --git a/src/operators/verify_ssn.cc b/src/operators/verify_ssn.cc +index 59a36dd..b634182 100644 +--- a/src/operators/verify_ssn.cc ++++ b/src/operators/verify_ssn.cc +@@ -120,7 +120,7 @@ bool VerifySSN::evaluate(Transaction *t, RuleWithActions *rule, + return false; + } + +- for (i = 0; i < input.size() - 1 && is_ssn == false; i++) { ++ for (size_t i = 0; i + 1 < input.size() && !is_ssn; i++) { + matches = m_re->searchAll(input.substr(i, input.size())); + for (const auto & j : matches) { + is_ssn = verify(j.str().c_str(), j.str().size()); +diff --git a/src/operators/verify_svnr.cc b/src/operators/verify_svnr.cc +index 248e6b4..fc7152a 100644 +--- a/src/operators/verify_svnr.cc ++++ b/src/operators/verify_svnr.cc +@@ -87,7 +87,7 @@ bool VerifySVNR::evaluate(Transaction *t, RuleWithActions *rule, + return is_svnr; + } + +- for (i = 0; i < input.size() - 1 && is_svnr == false; i++) { ++ for (size_t i = 0; i + 1 < 
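Review bot: With the underflow gone, every iteration still does `input.substr(i, input.size())`, copying the remaining input and running `searchAll` over the whole suffix, so a long attacker-controlled value costs O(n²) regex work per transaction — the crash is fixed but the operator stays a CPU-amplification point. If `searchAll` already reports every match in the string (its name suggests so, but its contract is not visible here), one `searchAll(input)` call followed by `verify` on each match may be equivalent and linear; otherwise at least avoid the per-iteration copy by searching from an offset instead of materialising each suffix. The old `i` that the removed loop used is declared before the hunk and is presumably now unused, which an `-Werror=unused-variable` build would reject. `VerifyCPF::evaluate` continues outside the hunk.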
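Review bot: This is the second of three identical copies of the same scanning loop (`VerifyCPF::evaluate` above and `VerifySVNR::evaluate` below), and the same off-by-one had to be fixed in each of them; the duplicated `substr`+`searchAll` suffix scan is the reason the bug existed in three places at once. A shared helper taking the input, the regex and the per-match `verify` callback, with a comment such as `// Scan every suffix so matches that start at any offset are verified; stops at the first valid one`, would make the bound and its reasoning live in one spot. The `is_ssn == false` to `!is_ssn` change is fine as a style cleanup. `VerifySSN::evaluate` continues outside the hunk.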
input.size() && !is_svnr; i++) { + matches = m_re->searchAll(input.substr(i, input.size())); + + for (const auto & j : matches) { +diff --git a/test/test-cases/secrules-language-tests/operators/verifycpf.json b/test/test-cases/secrules-language-tests/operators/verifycpf.json +index fe362a5..642be5f 100644 +--- a/test/test-cases/secrules-language-tests/operators/verifycpf.json ++++ b/test/test-cases/secrules-language-tests/operators/verifycpf.json +@@ -12,8 +12,12 @@ + "ret" : 0, + "type" : "op", + "name" : "verifycpf" ++ }, ++ { ++ "param" : "([0-9]{3}\\.){2}[0-9]{3}-[0-9]{2}", ++ "input" : "", ++ "ret" : 0, ++ "type" : "op", ++ "name" : "verifycpf" + } +- +- +- + ] +diff --git a/test/test-cases/secrules-language-tests/operators/verifyssn.json b/test/test-cases/secrules-language-tests/operators/verifyssn.json +index 9ded1af..2c5b001 100644 +--- a/test/test-cases/secrules-language-tests/operators/verifyssn.json ++++ b/test/test-cases/secrules-language-tests/operators/verifyssn.json +@@ -26,7 +26,12 @@ + "ret" : 0, + "type" : "op", + "name" : "verifyssn" ++ }, ++ { ++ "param" : "\\d{3}-?\\d{2}-?\\d{4}", ++ "input" : "", ++ "ret" : 0, ++ "type" : "op", ++ "name" : "verifyssn" + } +- +- + ] +diff --git a/test/test-cases/secrules-language-tests/operators/verifysvnr.json b/test/test-cases/secrules-language-tests/operators/verifysvnr.json +index 426dd86..52f6cdf 100644 +--- a/test/test-cases/secrules-language-tests/operators/verifysvnr.json ++++ b/test/test-cases/secrules-language-tests/operators/verifysvnr.json +@@ -19,8 +19,12 @@ + "ret" : 0, + "type" : "op", + "name" : "verifysvnr" ++ }, ++ { ++ "param" : "([0-9]{4} ?[0-9]{6})", ++ "input" : "", ++ "ret" : 0, ++ "type" : "op", ++ "name" : "verifysvnr" + } +- +- +- + ] diff -Nru modsecurity-3.0.9/debian/patches/series modsecurity-3.0.9/debian/patches/series --- modsecurity-3.0.9/debian/patches/series 2023-09-25 14:43:11.000000000 +0200 +++ modsecurity-3.0.9/debian/patches/series 2026-04-30 17:13:44.000000000 +0200 
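Review bot: The early exit visible just above the loop returns `is_svnr` whereas the corresponding guards in `VerifyCPF::evaluate` and `VerifySSN::evaluate` return `false`; presumably `is_svnr` is still false at that point, so the behaviour is the same, but `return false;` would state the intent and match its siblings. The new loop bound `i + 1 < input.size()` is correct for empty input (the case the added test pins) and keeps the old behaviour of never starting a search at the last byte, which is worth a one-line comment: `// i + 1 < size(): never start at the last byte; also safe when input is empty`. `VerifySVNR::evaluate` starts and continues outside the hunk.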
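Review bot: The added case only exercises the empty-input path; the new bound `i + 1 < input.size()` has a second boundary at a one-character input, which the previous `input.size() - 1` form also handled differently, so a case with `"input" : "1"` and `"ret" : 0` would pin that edge as well. The same applies to the verifyssn.json and verifysvnr.json hunks that follow.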
@@ -1,3 +1,5 @@ disable-network-dependent-tests.patch ftbfs_1034760.patch cve-2023-38285.diff +fix-CVE-2026-30923.patch +fix-CVE-2026-42268.patch

