Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305

(cherry picked from commit 4fc2a49a6bfa63e6cf9966dbb019c143fd74e3bd)
2024-11-15 11:07:37 +08:00 · 2024-11-15 11:07:37 +08:00 · 36a2d68845
commit 36a2d68845
parent 6ce75dc39d
4 changed files with 248 additions and 2 deletions
--- a/CVE-2024-38479.patch
+++ b/CVE-2024-38479.patch
@ -0,0 +1,129 @@
+From b8861231702ac5df7d5de401e82440c1cf20b633 Mon Sep 17 00:00:00 2001
+From: Bryan Call <bcall@apache.org>
+Date: Tue, 12 Nov 2024 09:51:49 -0800
+Subject: [PATCH] Add matrix params to the cachekey in the cachekey plugin
+ (#11856)
+
+Origin: https://github.com/apache/trafficserver/commit/b8861231702ac5df7d5de401e82440c1cf20b633
+
+---
+ plugins/cachekey/cachekey.cc | 21 +++++++++++++++++++++
+ plugins/cachekey/cachekey.h  |  1 +
+ plugins/cachekey/configs.cc  | 14 ++++++++++++++
+ plugins/cachekey/configs.h   | 11 +++++++++++
+ plugins/cachekey/plugin.cc   |  4 ++++
+ 5 files changed, 51 insertions(+)
+
+diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
+index babc78cc999..38286e7eb28 100644
+--- a/plugins/cachekey/cachekey.cc
+++ b/plugins/cachekey/cachekey.cc
+@@ -673,6 +673,27 @@ CacheKey::appendQuery(const ConfigQuery &config)
+   }
+ }
+ 
+void
+CacheKey::appendMatrix(const ConfigMatrix &config)
+{
+  if (config.toBeRemoved()) {
+    return;
+  }
+
+  const char *matrix;
+  int length;
+
+  matrix = TSUrlHttpParamsGet(_buf, _url, &length);
+  if (matrix == nullptr || length == 0) {
+    return;
+  }
+
+  if (matrix && length) {
+    _key.append(";");
+    _key.append(matrix, length);
+  }
+}
+
+ /**
+  * @brief Append User-Agent header captures specified in the Pattern configuration object.
+  *
+diff --git a/plugins/cachekey/cachekey.h b/plugins/cachekey/cachekey.h
+index 0b47e85984d..dc208f93bb4 100644
+--- a/plugins/cachekey/cachekey.h
+++ b/plugins/cachekey/cachekey.h
+@@ -63,6 +63,7 @@ class CacheKey
+   void appendPath(Pattern &pathCapture, Pattern &pathCaptureUri);
+   void appendHeaders(const ConfigHeaders &config);
+   void appendQuery(const ConfigQuery &config);
+  void appendMatrix(const ConfigMatrix &config);
+   void appendCookies(const ConfigCookies &config);
+   void appendUaCaptures(Pattern &config);
+   bool appendUaClass(Classifier &classifier);
+diff --git a/plugins/cachekey/configs.cc b/plugins/cachekey/configs.cc
+index b2bc42d5e70..d6ef13aea68 100644
+--- a/plugins/cachekey/configs.cc
+++ b/plugins/cachekey/configs.cc
+@@ -208,6 +208,20 @@ ConfigQuery::name() const
+   return _NAME;
+ }
+ 
+bool
+ConfigMatrix::finalize()
+{
+  _remove = noIncludeExcludeRules();
+  return true;
+}
+
+const String ConfigMatrix::_NAME = "matrix parameter";
+inline const String &
+ConfigMatrix::name() const
+{
+  return _NAME;
+}
+
+ /**
+  * @briefs finalizes the headers related configuration.
+  *
+diff --git a/plugins/cachekey/configs.h b/plugins/cachekey/configs.h
+index e98b69afd48..f5d24bdbe3c 100644
+--- a/plugins/cachekey/configs.h
+++ b/plugins/cachekey/configs.h
+@@ -112,6 +112,16 @@ class ConfigQuery : public ConfigElements
+   static const String _NAME;
+ };
+ 
+class ConfigMatrix : public ConfigElements
+{
+public:
+  bool finalize() override;
+
+private:
+  const String &name() const override;
+  static const String _NAME;
+};
+
+ /**
+  * @brief Headers configuration class.
+  */
+@@ -210,6 +220,7 @@ class Configs
+   /* Make the following members public to avoid unnecessary accessors */
+   ConfigQuery _query;        /**< @brief query parameter related configuration */
+   ConfigHeaders _headers;    /**< @brief headers related configuration */
+  ConfigMatrix _matrix;      /**< @brief matrix parameter related configuration */
+   ConfigCookies _cookies;    /**< @brief cookies related configuration */
+   Pattern _uaCapture;        /**< @brief the capture groups and the replacement string used for the User-Agent header capture */
+   String _prefix;            /**< @brief cache key prefix string */
+diff --git a/plugins/cachekey/plugin.cc b/plugins/cachekey/plugin.cc
+index d92c079271a..b863b94a0d5 100644
+--- a/plugins/cachekey/plugin.cc
+++ b/plugins/cachekey/plugin.cc
+@@ -64,6 +64,10 @@ setCacheKey(TSHttpTxn txn, Configs *config, TSRemapRequestInfo *rri = nullptr)
+     if (!config->pathToBeRemoved()) {
+       cachekey.appendPath(config->_pathCapture, config->_pathCaptureUri);
+     }
+
+    /* Append the matrix parameters to the cache key. */
+    cachekey.appendMatrix(config->_matrix);
+
+     /* Append query parameters to the cache key. */
+     cachekey.appendQuery(config->_query);
+ 
--- a/CVE-2024-50305.patch
+++ b/CVE-2024-50305.patch
@ -0,0 +1,72 @@
+From 5e39658f7c0bc91613468c9513ba22ede1739d7e Mon Sep 17 00:00:00 2001
+From: "Alan M. Carroll" <amc@apache.org>
+Date: Tue, 2 Nov 2021 11:47:09 -0500
+Subject: [PATCH] Tweak MimeHdr::get_host_port_values to not run over the end
+ of the TextView. (#8468)
+
+Origin: https://github.com/apache/trafficserver/commit/5e39658f7c0bc91613468c9513ba22ede1739d7e
+
+Fix for #8461
+
+(cherry picked from commit 055ca11c2842a64bf7df8d547515670e1a04afc1)
+---
+ proxy/hdrs/MIME.cc                         | 11 +++--------
+ src/tscpp/util/unit_tests/test_TextView.cc | 11 +++--------
+ 2 files changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/proxy/hdrs/MIME.cc b/proxy/hdrs/MIME.cc
+index 45c16c386dd..0a55dd06b4d 100644
+--- a/proxy/hdrs/MIME.cc
+++ b/proxy/hdrs/MIME.cc
+@@ -2284,20 +2284,15 @@ MIMEHdr::get_host_port_values(const char **host_ptr, ///< Pointer to host.
+     if (b) {
+       if ('[' == *b) {
+         auto idx = b.find(']');
+-        if (idx <= b.size() && b[idx + 1] == ':') {
+        if (idx < b.size() - 1 && b[idx + 1] == ':') {
+           host = b.take_prefix_at(idx + 1);
+           port = b;
+         } else {
+           host = b;
+         }
+       } else {
+-        auto x = b.split_prefix_at(':');
+-        if (x) {
+-          host = x;
+-          port = b;
+-        } else {
+-          host = b;
+-        }
+        host = b.take_prefix_at(':');
+        port = b;
+       }
+ 
+       if (host) {
+diff --git a/src/tscpp/util/unit_tests/test_TextView.cc b/src/tscpp/util/unit_tests/test_TextView.cc
+index 8f71e0aa39d..7f365369082 100644
+--- a/src/tscpp/util/unit_tests/test_TextView.cc
+++ b/src/tscpp/util/unit_tests/test_TextView.cc
+@@ -275,20 +275,15 @@ TEST_CASE("TextView Affixes", "[libts][TextView]")
+   auto f_host = [](TextView b, TextView &host, TextView &port) -> void {
+     if ('[' == *b) {
+       auto idx = b.find(']');
+-      if (idx <= b.size() && b[idx + 1] == ':') {
+      if (idx < b.size() - 1 && b[idx + 1] == ':') {
+         host = b.take_prefix_at(idx + 1);
+         port = b;
+       } else {
+         host = b;
+       }
+     } else {
+-      auto x = b.split_prefix_at(':');
+-      if (x) {
+-        host = x;
+-        port = b;
+-      } else {
+-        host = b;
+-      }
+      host = b.take_prefix_at(':');
+      port = b;
+     }
+   };
+ 
--- a/CVE-2024-50306.patch
+++ b/CVE-2024-50306.patch
@ -0,0 +1,37 @@
+From 27f504883547502b1f5e4e389edd7f26e3ab246f Mon Sep 17 00:00:00 2001
+From: Masakazu Kitajo <maskit@apache.org>
+Date: Tue, 12 Nov 2024 11:13:59 -0700
+Subject: [PATCH] Fix unchecked return value of initgroups() (#11855)
+
+Origin: https://github.com/apache/trafficserver/commit/27f504883547502b1f5e4e389edd7f26e3ab246f
+
+* Fix unchecked return value of initgroups()
+
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+
+* clang-format
+
+---------
+
+Signed-off-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+Co-authored-by: Jeffrey Bencteux <jeffbencteux@gmail.com>
+(cherry picked from commit ae638096e259121d92d46a9f57026a5ff5bc328b)
+---
+ src/tscore/ink_cap.cc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
+index b4f0ecace5d..8a95d4b1329 100644
+--- a/src/tscore/ink_cap.cc
+++ b/src/tscore/ink_cap.cc
+@@ -160,7 +160,9 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
+ #endif
+ 
+   // Always repopulate the supplementary group list for the new user.
+-  initgroups(pwd->pw_name, pwd->pw_gid);
+  if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+    Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+  }
+ 
+   switch (level) {
+   case IMPERSONATE_PERMANENT:
--- a/trafficserver.spec
+++ b/trafficserver.spec
@ -1,7 +1,8 @@
 %define _hardened_build 1
+%global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 Name:                trafficserver
 Version:             9.2.5
-Release:             1
+Release:             2
 Summary:             Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License:             Apache-2.0
 URL:                 https://trafficserver.apache.org/
@ -13,6 +14,9 @@ Patch0003:           config-layout-openEuler.patch
 Patch0004:           Modify-storage.config-for-traffic_cache_tool.patch
 Patch0005:           add-riscv-support.patch
 Patch0006:           add-loong64-support.patch
+Patch0007:           CVE-2024-38479.patch
+Patch0008:           CVE-2024-50305.patch
+Patch0009:           CVE-2024-50306.patch
 BuildRequires:       expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires:       libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires:       libcap-devel cmake libunwind-devel automake chrpath
@ -41,7 +45,7 @@ This package contains some Perl APIs for talking to the ATS management port.
 %build
 autoreconf
 ./configure \
-  --enable-layout=openEuler \
+  --enable-layout=%{vendor} \
  --libdir=%{_libdir}/trafficserver \
  --libexecdir=%{_libdir}/trafficserver/plugins \
  --enable-experimental-plugins \
@ -133,6 +137,10 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc

 %changelog
+* Fri Nov 15 2024 wangkai <13474090681@163.com> - 9.2.5-2
+- Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305
+- Replace openEuler with vendor
+
 * Mon Jul 29 2024 wangkai <13474090681@163.com> - 9.2.5-1
 - Update to 9.2.5 for fix CVE-2023-38522, CVE-2024-35161, CVE-2024-35296