fix CVE-2020-13950 CVE-2020-35452

2021-06-21 11:40:26 +08:00 · 2021-06-21 11:40:26 +08:00 · 45919d5b37
commit 45919d5b37
parent 0eba6ba58f
3 changed files with 83 additions and 1 deletions
--- a/CVE-2020-13950.patch
+++ b/CVE-2020-13950.patch
@ -0,0 +1,36 @@
+From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 11 May 2015 15:48:58 +0000
+Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
+ may be NULL during prefetch, don't try to dereference it! Still
+ origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 044bfcd..4a5b851 100644
+--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
+@@ -577,7 +577,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+     apr_off_t bytes;
+     int force10, rv;
+     apr_read_type_e block;
+-    conn_rec *origin = p_conn->connection;
+ 
+     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+         if (req->expecting_100) {
+@@ -637,7 +636,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+                       "chunked body with Content-Length (C-L ignored)",
+                       c->client_ip, c->remote_host ? c->remote_host: "");
+         req->old_cl_val = NULL;
+-        origin->keepalive = AP_CONN_CLOSE;
+         p_conn->close = 1;
+     }
+ 
+-- 
+2.23.0
+
--- a/CVE-2020-35452.patch
+++ b/CVE-2020-35452.patch
@ -0,0 +1,38 @@
+From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 18 Jan 2021 17:39:12 +0000
+Subject: [PATCH] Merge r1885659 from trunk:
+
+mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+                 the format can't match anyway.
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, jailletc36
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/aaa/mod_auth_digest.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
+index 1b5a204278f..d126387cc7f 100644
+--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
+@@ -1426,9 +1426,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
+     time_rec nonce_time;
+     char tmp, hash[NONCE_HASH_LEN+1];
+ 
+-    if (strlen(resp->nonce) != NONCE_LEN) {
+    /* Since the time part of the nonce is a base64 encoding of an
+     * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
+     */
+    if (strlen(resp->nonce) != NONCE_LEN
+            || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+-                      "invalid nonce %s received - length is not %d",
+                      "invalid nonce '%s' received - length is not %d "
+                      "or time encoding is incorrect",
+                       resp->nonce, NONCE_LEN);
+         note_digest_auth_failure(r, conf, resp, 1);
+         return HTTP_UNAUTHORIZED;
--- a/httpd.spec
+++ b/httpd.spec
@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.46
-Release:          2
+Release:          3
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -71,6 +71,8 @@ Patch17:          httpd-2.4.43-r1861793+.patch
 Patch18:          httpd-2.4.43-r1828172+.patch 
 Patch19:          httpd-2.4.46-htcacheclean-dont-break.patch 
 Patch20:          CVE-2021-26691.patch 
+Patch21:          CVE-2020-13950.patch 
+Patch22:          CVE-2020-35452.patch 

 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@ -503,6 +505,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Mon Jun 21 2021 yanglu <yanglu72@huawei.com> - 2.4.46-3
+- Type:cves
+- ID:CVE-2020-13950 CVE-2020-35452
+- SUG:NA
+- DESC:fix CVE-2020-13950 CVE-2020-35452
+
 * Wed Jun 16 2021 yanglu <yanglu72@huawei.com> - 2.4.46-2
 - Type:cves
 - ID:CVE-2021-26691