fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438

backport-001-CVE-2021-40438.patch

@@ -0,0 +1,55 @@
+From 496c863776c68bd08cdbeb7d8fa5935ba63b76c2 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Fri, 3 Sep 2021 16:52:38 +0000
+Subject: [PATCH] Merge r1892814, r1892853 from trunk:
+
+mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
+
+The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to
+strstr(,"unix:") since it's at the start of the string.
+
+
+mod_proxy: Follow up to r1892814.
+
+Save some few cycles in ap_proxy_de_socketfy() too.
+
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, rpluem
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892874 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy.c            | 2 +-
+ modules/proxy/proxy_util.c           | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+ create mode 100644 changes-entries/fix_uds_filename.txt
+
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 60634d344c7..354bb8f660f 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1975,7 +1975,7 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
+      * the UDS path... ignore it
+      */
+     if (!ap_cstr_casecmpn(url, "unix:", 5) &&
+-        ((ptr = ap_strchr_c(url, '|')) != NULL)) {
++        ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
+         /* move past the 'unix:...|' UDS path info */
+         const char *ret, *c;
+ 
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 3c4ea72aba7..812c32f3584 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2281,8 +2281,8 @@ static void fix_uds_filename(request_rec *r, char **url)
+     if (!r || !r->filename) return;
+ 
+     if (!strncmp(r->filename, "proxy:", 6) &&
+-            (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
+-            (ptr = ap_strchr(ptr2, '|'))) {
++            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
++            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
+         apr_uri_t urisock;
+         apr_status_t rv;
+         *ptr = '\0';

backport-002-CVE-2021-40438.patch

@@ -0,0 +1,115 @@
+From d4901cb32133bc0e59ad193a29d1665597080d67 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Wed, 8 Sep 2021 07:00:09 +0000
+Subject: [PATCH] Merge r1892986, r1892987 from trunk:
+
+mod_proxy: Follow up to r1892814.
+
+* modules/proxy/proxy_util.c(fix_uds_filename):
+  Sanity checks on the configured UDS path, fail with 500 if invalid since
+  continuing through proxy processing wouldn't work as expected.
+
+
+
+mod_proxy: Follow up to r1892986: APLOGNO()
+
+Stefan get out of this body! :)
+
+
+Submitted by: ylavic
+Reviewed by: rpluem, ylavic, covener
+
+Github: closes #265
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893101 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/proxy_util.c | 55 +++++++++++++++++++++++---------------
+ 1 files changed, 34 insertions(+), 21 deletions(-)
+
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2088,33 +2088,42 @@ static int ap_proxy_retry_worker(const c
+  * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
+  * as required.  
+  */
+-static void fix_uds_filename(request_rec *r, char **url) 
++static int fix_uds_filename(request_rec *r, char **url) 
+ {
+-    char *ptr, *ptr2;
+-    if (!r || !r->filename) return;
++    char *uds_url = r->filename + 6, *origin_url;
+ 
+     if (!strncmp(r->filename, "proxy:", 6) &&
+-            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
+-            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
++            !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
++            (origin_url = ap_strchr(uds_url + 5, '|'))) {
++        char *uds_path = NULL;
++        apr_size_t url_len;
+         apr_uri_t urisock;
+         apr_status_t rv;
+-        *ptr = '\0';
+-        rv = apr_uri_parse(r->pool, ptr2, &urisock);
+-        if (rv == APR_SUCCESS) {
+-            char *rurl = ptr+1;
+-            char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path);
+-            apr_table_setn(r->notes, "uds_path", sockpath);
+-            *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */
+-            /* r->filename starts w/ "proxy:", so add after that */
+-            memmove(r->filename+6, rurl, strlen(rurl)+1);
+-            ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+-                    "*: rewrite of url due to UDS(%s): %s (%s)",
+-                    sockpath, *url, r->filename);
++
++        *origin_url = '\0';
++        rv = apr_uri_parse(r->pool, uds_url, &urisock);
++        *origin_url++ = '|';
++
++        if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
++            uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
+         }
+-        else {
+-            *ptr = '|';
++        if (!uds_path) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
++                    "Invalid proxy UDS filename (%s)", r->filename);
++            return 0;
+         }
++        apr_table_setn(r->notes, "uds_path", uds_path);
++
++        /* Remove the UDS path from *url and r->filename */
++        url_len = strlen(origin_url);
++        *url = apr_pstrmemdup(r->pool, origin_url, url_len);
++        memcpy(uds_url, *url, url_len + 1);
++
++        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
++                "*: rewrite of url due to UDS(%s): %s (%s)",
++                uds_path, *url, r->filename);
+     }
++    return 1;
+ }
+ 
+ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+@@ -2132,7 +2141,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+                           "%s: found worker %s for %s",
+                           (*worker)->s->scheme, (*worker)->s->name, *url);
+             *balancer = NULL;
+-            fix_uds_filename(r, url);
++            if (!fix_uds_filename(r, url)) {
++                return HTTP_INTERNAL_SERVER_ERROR;
++            }
+             access_status = OK;
+         }
+         else if (r->proxyreq == PROXYREQ_PROXY) {
+@@ -2163,7 +2174,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+                  * regarding the Connection header in the request.
+                  */
+                 apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
+-                fix_uds_filename(r, url);
++                if (!fix_uds_filename(r, url)) {
++                    return HTTP_INTERNAL_SERVER_ERROR;
++                }
+             }
+         }
+     }

backport-CVE-2021-34798.patch

@@ -0,0 +1,33 @@
+From fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Tue, 7 Sep 2021 16:05:31 +0000
+Subject: [PATCH] Merge r1878092 from trunk:
+
+Fix a NULL pointer dereference
+
+* server/scoreboard.c (ap_increment_counts): In certain cases like certain
+  invalid requests r->method might be NULL here. r->method_number defaults
+  to M_GET and hence is M_GET in these cases.
+
+Submitted by: rpluem
+Reviewed by: covener, ylavic, jfclere
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893051 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/scoreboard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/server/scoreboard.c b/server/scoreboard.c
+index b40b45df590..12dd56abead 100644
+--- a/server/scoreboard.c
++++ b/server/scoreboard.c
+@@ -388,7 +388,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
+     if (pfn_ap_logio_get_last_bytes != NULL) {
+         bytes = pfn_ap_logio_get_last_bytes(r->connection);
+     }
+-    else if (r->method_number == M_GET && r->method[0] == 'H') {
++    else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
+         bytes = 0;
+     }
+     else {

backport-CVE-2021-36160.patch

@@ -0,0 +1,62 @@
+From b364cad72b48dd40fbc2850e525b845406520f0b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Thu, 2 Sep 2021 09:53:43 +0000
+Subject: [PATCH] mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
+
+When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
+worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
+directly from the given URL.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/uwsgi_path_info.txt |  1 +
+ modules/proxy/mod_proxy_uwsgi.c     | 22 +++++-----------------
+ 1 files changed, 5 insertions(+), 17 deletions(-)
+ create mode 100644 changes-entries/uwsgi_path_info.txt
+
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index 7723d7b5c4f..971eaa59dc0 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -456,11 +456,8 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
+                          const char *proxyname, apr_port_t proxyport)
+ {
+     int status;
+-    int delta = 0;
+-    int decode_status;
+     proxy_conn_rec *backend = NULL;
+     apr_pool_t *p = r->pool;
+-    size_t w_len;
+     char server_portstr[32];
+     char *u_path_info;
+     apr_uri_t *uri;
+@@ -472,23 +469,14 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
+ 
+     uri = apr_palloc(r->pool, sizeof(*uri));
+ 
+-    /* ADD PATH_INFO */
+-#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
+-    w_len = strlen(worker->s->name);
+-#else
+-    w_len = strlen(worker->name);
+-#endif
+-    u_path_info = r->filename + 6 + w_len;
+-    if (u_path_info[0] != '/') {
+-        delta = 1;
+-    }
+-    decode_status = ap_unescape_url(url + w_len - delta);
+-    if (decode_status) {
++    /* ADD PATH_INFO (unescaped) */
++    u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
++    if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
+-                      "unable to decode uri: %s", url + w_len - delta);
++                      "unable to decode uwsgi uri: %s", url);
+         return HTTP_INTERNAL_SERVER_ERROR;
+     }
+-    apr_table_add(r->subprocess_env, "PATH_INFO", url + w_len - delta);
++    apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
+ 
+ 
+     /* Create space for state information */

httpd.spec

@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.48
-Release:          1
+Release:          2
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -69,6 +69,10 @@ Patch16:          httpd-2.4.43-gettid.patch
 Patch17:          httpd-2.4.43-r1861793+.patch
 Patch18:          httpd-2.4.43-r1828172+.patch 
 Patch19:          httpd-2.4.46-htcacheclean-dont-break.patch 
+Patch20:          backport-CVE-2021-34798.patch
+Patch21:          backport-CVE-2021-36160.patch
+Patch22:          backport-001-CVE-2021-40438.patch
+Patch23:          backport-002-CVE-2021-40438.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -501,6 +505,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Tue Sep 28 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-2
+- Type:cves
+- ID:CVE-2021-34798 CVE-2021-36160 CVE-2021-40438
+- SUG:restart
+- DESC:fix CVE-2021-34798 CVE-2021-36160 CVE-2021-40438
+
 * Tue Jul 13 2021 gaihuiying<gaihuiying1@huawei.com> - 2.4.48-1
 - Type:requirement
 - ID:NA