fix CVE-2021-40438 fully and correctly

fix CVE-2021-39275
eaglegai 2021-09-29 19:13:30 +08:00
parent 759d0554eb
commit 66db243604
5 changed files with 137 additions and 1 deletions


@ -0,0 +1,23 @@
From d8bce6f575abb29997bba358b31842bf757776c6 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Wed, 4 Aug 2021 11:48:38 +0000
Subject: [PATCH] fix ap_escape_quotes with pre-escaped quotes
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892012 13f79535-47bb-0310-9956-ffa450edef68
---
server/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/util.c b/server/util.c
index 72aa54d31d1..2d7708ae851 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2621,7 +2621,7 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
* in front of every " that doesn't already have one.
*/
while (*inchr != '\0') {
- if ((*inchr == '\\') && (inchr[1] != '\0')) {
+ while ((*inchr == '\\') && (inchr[1] != '\0')) {
*outchr++ = *inchr++;
*outchr++ = *inchr++;
}
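Review bot: The copy loop changed here has to write exactly as many bytes as the length calculation in ap_escape_quotes reserved, and nothing in the hunk records that coupling. That sizing code is outside the hunk, so whether the new `while` over backslash pairs matches it cannot be confirmed from this patch alone. The next patch in this commit (trunk r1892418) rewrites the same loop to follow the length logic, so the two only make sense applied together and in order. I would add a comment above the loop such as `/* must consume input exactly as the length pass does, or outchr overruns the buffer */`. The loop's closing brace and the rest of the function are outside the hunk.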


@ -0,0 +1,32 @@
From e0fec7d48dab1924c5a6b48819ce1cf420733f62 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <rpluem@apache.org>
Date: Wed, 18 Aug 2021 14:35:41 +0000
Subject: [PATCH] * Follow the same logic that is used for calculating the
length
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892418 13f79535-47bb-0310-9956-ffa450edef68
---
server/util.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/server/util.c b/server/util.c
index e44e39afe3e..6bc5063bc39 100644
--- a/server/util.c
+++ b/server/util.c
@@ -2621,13 +2621,12 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
* in front of every " that doesn't already have one.
*/
while (*inchr != '\0') {
- while ((*inchr == '\\') && (inchr[1] != '\0')) {
- *outchr++ = *inchr++;
- *outchr++ = *inchr++;
- }
if (*inchr == '"') {
*outchr++ = '\\';
}
+ if ((*inchr == '\\') && (inchr[1] != '\0')) {
+ *outchr++ = *inchr++;
+ }
if (*inchr != '\0') {
*outchr++ = *inchr++;
}
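Review bot: After this rewrite the context guard `if (*inchr != '\0')` before the final copy can no longer be false: the loop condition rules out a terminator on entry, the quote branch does not advance, and the new backslash branch advances only when `inchr[1] != '\0'`. Leaving it in reads as if a terminator could still be reached mid-iteration, which obscures the one-to-one match with the length calculation that the subject line refers to. Either reduce it to the plain `*outchr++ = *inchr++;` or keep it with a comment saying it is defensive only. The loop continues past the end of the hunk.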


@ -0,0 +1,30 @@
From 6e768a811c59ca6a0769b72681aaef381823339f Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Thu, 23 Sep 2021 12:29:03 +0000
Subject: [PATCH] Merge of r1893516 from trunk:
*) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893556 13f79535-47bb-0310-9956-ffa450edef68
---
modules/mappers/mod_rewrite.c | 7 +++++++
1 files changed, 7 insertions(+)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -617,6 +617,13 @@ static unsigned is_absolute_uri(char *ur
return 6;
}
break;
+
+ case 'u':
+ case 'U':
+ if (!ap_cstr_casecmpn(uri, "nix:", 4)) { /* unix: */
+ *sqs = 1;
+ return 5;
+ }
}
return 0;
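Review bot: The new `case 'u': case 'U':` arm ends without a `break;`, unlike the arm just above it in the hunk. Today it is the last arm, so a non-matching URI drops out of the switch to `return 0;`, but a case added after it later would be entered by fallthrough. Add `break;` after the closing brace of the `if`. It would also help to note on `return 5;` that the value is the length of `unix:` counted from the start of the URI, while the comparison against `"nix:"` presumably runs on a pointer already advanced past the first letter; the switch header is outside the hunk.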


@ -0,0 +1,40 @@
From 81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Thu, 23 Sep 2021 12:31:53 +0000
Subject: [PATCH] backport of 1893519,1893532 from trunk:
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
had no hostname ("unix:/..."), also in mod_rewrite's is_absolulte_uri().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893559 13f79535-47bb-0310-9956-ffa450edef68
---
modules/mappers/mod_rewrite.c | 2 +-
modules/proxy/proxy_util.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
create mode 100644 changes-entries/uds_empty_hostname.txt
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -622,7 +622,7 @@ static unsigned is_absolute_uri(char *ur
case 'U':
if (!ap_cstr_casecmpn(uri, "nix:", 4)) { /* unix: */
*sqs = 1;
- return 5;
+ return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;
}
}
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -2217,7 +2217,8 @@ static int fix_uds_filename(request_rec
rv = apr_uri_parse(r->pool, uds_url, &urisock);
*origin_url++ = '|';
- if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
+ if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname
+ || !urisock.hostname[0])) {
uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
}
if (!uds_path) {
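Review bot: In the mod_rewrite.c hunk, `return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;` mixes two index bases without saying so. The subscripts appear to count from a pointer already advanced past the leading `u` (the comparison is against `"nix:"`), while 7 and 5 are the lengths of `unix://` and `unix:` from the start of the URI. It also relies on `&&` short-circuiting so that `uri[5]` is not read when `uri[4]` is the terminator. A comment such as `/* uri is past the 'u': "unix://" (empty host) skips 7, "unix:" skips 5 */` would make that checkable. is_absolute_uri and fix_uds_filename both start and end outside their hunks.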


@ -8,7 +8,7 @@
Name: httpd
Summary: Apache HTTP Server
Version: 2.4.48
Release: 2
Release: 3
License: ASL 2.0
URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -73,6 +73,10 @@ Patch20: backport-CVE-2021-34798.patch
Patch21: backport-CVE-2021-36160.patch
Patch22: backport-001-CVE-2021-40438.patch
Patch23: backport-002-CVE-2021-40438.patch
Patch24: backport-003-CVE-2021-40438.patch
Patch25: backport-004-CVE-2021-40438.patch
Patch26: backport-001-CVE-2021-39275.patch
Patch27: backport-002-CVE-2021-39275.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -505,6 +509,13 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Sep 29 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-3
- Type:cves
- ID:CVE-2021-40438 CVE-2021-39275
- SUG:restart
- DESC:fix CVE-2021-40438 fully and correctly
fix CVE-2021-39275
* Tue Sep 28 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-2
- Type:cves
- ID:CVE-2021-34798 CVE-2021-36160 CVE-2021-40438