!30 [sync] PR-27: fix CVE-2024-36387

From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-CVE-2024-27316.patch

@@ -0,0 +1,57 @@
+From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 23 Feb 2024 15:13:56 +0100
+Subject: [PATCH] RESET stream after 100 failed incoming headers
+
+---
+ mod_http2/h2_session.c | 10 +++++++---
+ mod_http2/h2_stream.c  |  1 +
+ mod_http2/h2_stream.h  |  1 +
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
+index 1e560e47..6d379cc5 100644
+--- a/mod_http2/h2_session.c
++++ b/mod_http2/h2_session.c
+@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
+     
+     status = h2_stream_add_header(stream, (const char *)name, namelen,
+                                   (const char *)value, valuelen);
+-    if (status != APR_SUCCESS
+-        && (!stream->rtmp
+-            || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
++    if (status != APR_SUCCESS &&
++        (!stream->rtmp ||
++         stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
++         /* We accept a certain amount of failures in order to reply
++          * with an informative HTTP error response like 413. But of the
++          * client is too wrong, we fail the request an RESET the stream */
++         stream->request_headers_failed > 100)) {
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+     }
+     return 0;
+diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
+index f6c92024..ee87555f 100644
+--- a/mod_http2/h2_stream.c
++++ b/mod_http2/h2_stream.c
+@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
+     
+ cleanup:
+     if (error) {
++        ++stream->request_headers_failed;
+         set_error_response(stream, error);
+         return APR_EINVAL; 
+     }
+diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
+index d68d4260..405978a4 100644
+--- a/mod_http2/h2_stream.h
++++ b/mod_http2/h2_stream.h
+@@ -91,6 +91,7 @@ struct h2_stream {
+     struct h2_request *rtmp;    /* request being assembled */
+     apr_table_t *trailers_in;   /* optional, incoming trailers */
+     int request_headers_added;  /* number of request headers added */
++    int request_headers_failed; /* number of request headers failed to add */
+ 
+ #if AP_HAS_RESPONSE_BUCKETS
+     ap_bucket_response *response; /* the final, non-interim response or NULL */
+

backport-CVE-2024-36387.patch

@@ -0,0 +1,35 @@
+From 62aa64e5aea21dd969db97aded4443c98c0735ac Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 24 Jun 2024 17:51:42 +0000
+Subject: [PATCH] Merge r1918548 from trunk:
+
+mod_http2: early exit if bb is null
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
+---
+ mod_http2/h2_c2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mod_http2/h2_c2.c b/mod_http2/h2_c2.c
+index a955200..c65a521 100644
+--- a/mod_http2/h2_c2.c
++++ b/mod_http2/h2_c2.c
+@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
+     h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
+     apr_status_t rv;
+ 
++   if (bb == NULL) {
++#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
++        f->c->data_in_output_filters = 0;
++#endif
++        return APR_SUCCESS;
++    }
++
+     ap_assert(conn_ctx);
+ #if AP_HAS_RESPONSE_BUCKETS
+     if (!conn_ctx->has_final_response) {
+-- 
+2.33.0
+

mod_http2.spec

@@ -1,14 +1,17 @@
 %{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}
 
 Name:           mod_http2
-Version:        2.0.3
-Release:        1
+Version:        2.0.25
+Release:        3
 Summary:        Support for the HTTP/2 transport layer
 License:        ASL 2.0
 URL:            https://icing.github.io/mod_h2/
 Source0:        https://github.com/icing/mod_h2/releases/download/v%{version}/%{name}-%{version}.tar.gz
 
-BuildRequires:  gcc pkgconfig httpd-devel libnghttp2-devel openssl-devel autoconf libtool hostname
+Patch0:         backport-CVE-2024-27316.patch
+Patch1:         backport-CVE-2024-36387.patch
+
+BuildRequires:  make gcc pkgconfig httpd-devel >= 2.4.20 libnghttp2-devel >= 1.7.0 openssl-devel >= 1.0.2 autoconf libtool hostname
 Requires:       httpd-mmn = %{_httpd_mmn}
 
 %description
@@ -18,7 +21,7 @@ top of libnghttp2 for httpd 2.4 servers.
 %package_help
 
 %prep
-%autosetup -n %{name}-%{version} -p1
+%autosetup -p1
 
 %build
 autoreconf -i
@@ -48,6 +51,36 @@ make check
 %exclude /etc/httpd/share/doc/*
 
 %changelog
+* Mon Jul 08 2024 zhangxianting <zhangxianting@uniontech.com> - 2.0.25-3
+- Type:cves
+- CVE:CVE-2024-36387
+- SUG:NA
+- DESC:fix CVE-2024-36387
+
+* Sun Apr 07 2024 gaihuiying <eaglegai@163.com> - 2.0.25-2
+- Type:cves
+- CVE:CVE-2024-27316
+- SUG:NA
+- DESC:fix CVE-2024-27316
+
+* Tue Dec 26 2023 gaihuiying <eaglegai@163.com> - 2.0.25-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC: update mod_http2 to 2.0.25
+
+* Fri Jul 21 2023 gaihuiying <eaglegai@163.com> - 2.0.20-1
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC: update mod_http2 to 2.0.20
+
+* Mon Feb 20 2023 li-long315 <lilong@kylinos.cn> - 2.0.11-1
+- Type:Update
+- ID:NA
+- SUG:NA
+- DESC: update mod_http2 to 2.0.11
+
 * Thu Nov 10 2022 gaihuiying <eaglegai@163.com> - 2.0.3-1
 - Type:requirement
 - ID:NA