On 10/06/2021 at 14:07, Moritz Muehlenhoff wrote:
> On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote:
>> On 10/06/2021 at 12:16, Yadd wrote:
>>> On 10/06/2021 at 11:51, Yadd wrote:
>>>> Hi,
>>>> Hopefully there is an available-and-simple fix for #989562
>>>> (CVE-2021-31618)!
>>>> Cheers,
>>>> Yadd
>>>
>>> Here is the debdiff
>>
>> Updated with all CVE fixes. Thanks to security-tracker and its
>> maintainers ;-)
>>
>> Cheers,
>> Yadd
>
>> diff --git a/debian/changelog b/debian/changelog
>> index b6096f7d..41cb8b28 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,12 @@
>> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium
>> +
>> + * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
>> +(Closes: #989562, CVE-2021-31618)
>> + * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
>> +CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
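Review bot: the quoted changelog hunk is incomplete as shown: its header `@@ -1,3 +1,12 @@` announces nine added lines, but only six follow and the entry's maintainer trailer (`-- Name <email>  date`) is not visible, so the end of the entry cannot be checked from this copy. On wording, "Fix various low security issues" reads better as "Fix various low-severity security issues". The continuation lines `+(Closes: #989562, CVE-2021-31618)` and `+CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)` also appear unindented; changelog body lines must start with whitespace or dpkg-parsechangelog rejects them, so if this is not just indentation collapsed in the mail, indent them under their bullet.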
>
> There's also https://security-tracker.debian.org/tracker/CVE-2019-17567
> https://www.openwall.com/lists/oss-security/2021/06/10/2
>
> The CVE ID is from 2019, but it became public yesterday with the other fixes.
>
> Cheers,
> Moritz
Hi,
This adds a non-trivial patch (the attached debdiff shows the difference
with 2.4.46-6, which is already proposed in unblock issue #989683). I
had to modify the upstream patch significantly. As proposed earlier, I think
it should be safer to upload Apache 2.4.48 to Bullseye instead of
this increasingly deviant hybrid (already 7 CVE patches!).
@release-team: please consider this new debdiff as a pre-approval for
2.4.46-7.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index fa775057..25650ac5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.4.46-7) UNRELEASED; urgency=medium
+
+ * Fix mod_proxy_wstunnel to avoid HTTP validation bypass
+(Closes: CVE-2019-17567)
+
+ -- Yadd Thu, 10 Jun 2021 17:19:55 +0200
+
apache2 (2.4.46-6) unstable; urgency=medium
* Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
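Review bot: the trailer `+ -- Yadd Thu, 10 Jun 2021 17:19:55 +0200` has no maintainer e-mail address; the changelog format requires `-- Name <email>  date` (two spaces before the date) and dpkg-parsechangelog will not accept the entry without it. `Closes:` only acts on Debian bug numbers, so `(Closes: CVE-2019-17567)` is informational only; if a BTS bug exists for this CVE, list its number there as well. The distribution is `UNRELEASED`, which is fine for a pre-approval debdiff but must become `unstable` before upload, and the `(Closes: ...)` continuation line should be indented under its bullet unless that indentation was merely lost in the mail.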
diff --git a/debian/patches/CVE-2019-17567.patch
b/debian/patches/CVE-2019-17567.patch
new file mode 100644
index ..0d9e3d51
--- /dev/null
+++ b/debian/patches/CVE-2019-17567.patch
@@ -0,0 +1,1854 @@
+Description: mod_proxy_wstunnel tunneling of non Upgraded connections
+ mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded
+ by the origin server was tunneling the whole connection regardless, thus
+ allowing for subsequent requests on the same connection to pass through
+ with no HTTP validation, authentication or authorization possibly
+ configured.
+Author: Apache authors
+Origin: upstream,
http://people.apache.org/~ylavic/patches/2.4.x-mod_proxy_http-upgrade-4on5-v2.patch
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-17567
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2021-06-10
+
+--- a/modules/proxy/mod_proxy.c
b/modules/proxy/mod_proxy.c
+@@ -314,7 +314,8 @@
+ }
+ }
+ else if (!strcasecmp(key, "upgrade")) {
+-if (PROXY_STRNCPY(worker->s->upgrade, val) != APR_SUCCESS) {
++if (PROXY_STRNCPY(worker->s->upgrade,
++ strcasecmp(val, "ANY") ? val : "*") != APR_SUCCESS)
{
+ return apr_psprintf(p, "upgrade protocol length must be < %d
characters",
+ (int)sizeof(worker->s->upgrade));
+ }
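Review bot: the new `ANY` alias for the worker `upgrade` parameter, silently rewritten to `*` by `strcasecmp(val, "ANY") ? val : "*"`, is not documented in this hunk; the mod_proxy documentation of the `upgrade=` parameter should state that `ANY` and `*` are equivalent so administrators are not surprised by the stored value. Also confirm the debdiff applies as attached: in this mailed copy the opening brace of the `if` has wrapped onto its own line and the `"upgrade protocol length must be < %d characters"` literal is split across two lines.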
+--- a/modules/proxy/mod_proxy.h
b/modules/proxy/mod_proxy.h
+@@ -725,6 +725,19 @@
+proxy_worker *worker);
+
+ /**
++ * Return whether a worker upgrade configuration matches Upgrade header
++ * @param p memory pool used for displaying worker name
++ * @param worker the worker
++ * @param upgrade the Upgrade header to match
++ * @param dfltdefault protocol (NULL for none)
++ * @return1 (true) or 0 (false)
++ */
++PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p,
++ const proxy_worker *worker,
++ const char *upgrade,
++ const char *dflt);
++
++/**
+ * Get the worker from proxy configuration
+ * @param pmemory pool used for finding worker
+ * @param balancer the balancer that the worker belongs to
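Review bot: `ap_proxy_worker_can_upgrade()` is a new `PROXY_DECLARE`d function in a public header; upstream httpd records such an API addition with a minor MMN bump in `include/ap_mmn.h`, which this excerpt does not show, so decide explicitly whether the Debian backport carries that bump or deliberately omits it to avoid forcing third-party module rebuilds, and say so in the patch header. In the doxygen block, `@param dfltdefault protocol` and `@return1 (true) or 0 (false)` have lost the space after the name and tag; the existing context line `@param pmemory pool` shows the same collapse, so this is probably whitespace lost in the mail rather than in the patch, but worth a glance at the file itself.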
+@@ -1181,6 +1194,40 @@
+ conn_rec *origin, apr_bucket_brigade
*bb,
+ int flush);
+
++struct proxy_tunnel_conn; /* opaque */
++typedef struct {
++request_rec *r;
++const char *scheme;
++apr_pollset_t *pollset;
++apr_array_header_t *pfds;
++apr_interval_time_t timeout;
++struct proxy_tunnel_conn *client,
++ *origin;
++apr_size_t read_buf_size;
++int replied;
++} proxy_tunnel_rec;
++
++/**
++ * Create a tunnel, to be activated by
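Review bot: the excerpt stops in the middle of the doc comment (`Create a tunnel, to be activated by`), and only a fraction of the 1854 added lines announced by `@@ -0,0 +1,1854 @@` is visible, so the tunnel API (`proxy_tunnel_rec` and the functions that operate on it) cannot be reviewed from the mail alone. Since the cover note says the upstream patch had to be modified significantly, the full debdiff should be compared against the patch named in `Origin:` to see exactly what changed for 2.4.46; one thing to verify there is that `proxy_tunnel_rec`, now a public typedef in `mod_proxy.h`, keeps upstream's field layout so later upstream fixes to the tunnel code still apply cleanly.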