From e3c85bde118491ee649fdc03333471a6fe6dc10e Mon Sep 17 00:00:00 2001
From: fishwheel <1871973578@qq.com>
Date: Thu, 20 Jul 2023 09:34:46 +0800
Subject: [PATCH 1/3] Repair CVE-2023-27522
---
 debian/changelog | 6 ++++++
 modules/proxy/mod_proxy_uwsgi.c | 38 +++++++++++++++++++++++++++------
 2 files changed, 37 insertions(+), 7 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 98b0839..56d7e3b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache2 (2.4.54-ok5) yangtze; urgency=medium
+
+ * Repair CVE-2023-27522
+
+ -- fishwheel <2019302080004@whu.edu.cn> Thu, 20 Jul 2023 09:34:05 +0800
+
 apache2 (2.4.54-ok4) yangtze; urgency=medium
 * budingwang CVE-2022-37436 安全更新
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index e02450e..8c08060 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -315,7 +315,7 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
 backend->worker->s->read += len;
- if (len >= sizeof(buffer) - 1) {
+ if ((apr_size_t)len >= sizeof(buffer)) {
 /* oops */
 return HTTP_INTERNAL_SERVER_ERROR;
 }
@@ -327,8 +327,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
 status_start = 7;
 } else {
- /* oops */
- return HTTP_INTERNAL_SERVER_ERROR;
+ /* not HTTP */
+ return HTTP_BAD_GATEWAY;
 }
 status_end = status_start + 3;
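Review bot: In the `@@ -315,7` hunk a status line that fills the buffer still returns `HTTP_INTERNAL_SERVER_ERROR`, while the `@@ -327,8` hunk and the header loop in `@@ -350,19` now answer `HTTP_BAD_GATEWAY` for the same class of fault, a malformed response from the uwsgi backend. Unless the 500 is kept deliberately, `return HTTP_BAD_GATEWAY;` under the length check would put every backend-caused rejection on one status code, which matters to anyone alerting on 500 (local fault) versus 502 (backend fault). The body of uwsgi_response starts and ends outside these hunks, so other early returns in the status-line path may need the same decision.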
@@ -350,19 +350,43 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
 /* start parsing headers */
 while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+ if ((apr_size_t)len >= sizeof(buffer)) {
+ /* too long */
+ len = -1;
+ break;
+ }
 value = strchr(buffer, ':');
 /* invalid header skip */
- if (!value)
- continue;
- *value = '\0';
- ++value;
+ if (!value) {
+ /* invalid header */
+ len = -1;
+ break;
+ }
+ *value++ = '\0';
+ if (*ap_scan_http_token(buffer)) {
+ /* invalid name */
+ len = -1;
+ break;
+ }
 while (apr_isspace(*value)) ++value;
 for (end = &value[strlen(value) - 1]; end > value && apr_isspace(*end); --end) *end = '\0';
+ if (*ap_scan_http_field_content(value)) {
+ /* invalid value */
+ len = -1;
+ break;
+ }
 apr_table_add(r->headers_out, buffer, value);
 }
+ if (len < 0) {
+ /* Reset headers, but not to NULL because things below the chain expect
+ * this to be non NULL e.g. the ap_content_length_filter.
+ */
+ r->headers_out = apr_table_make(r->pool, 1);
+ return HTTP_BAD_GATEWAY;
+ }
 if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
 ap_set_content_type(r, apr_pstrdup(r->pool, buf));
-- Gitee
From 68e4fd0d33ae1bd369db9be05ccddae1dacbbbe6 Mon Sep 17 00:00:00 2001
From: fishwheel <2019302080004@whu.edu.cn>
Date: Mon, 24 Jul 2023 08:59:30 +0000
Subject: [PATCH 2/3] update debian/changelog.
Signed-off-by: fishwheel <2019302080004@whu.edu.cn>
---
 debian/changelog | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 56d7e3b..98b0839 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,3 @@
-apache2 (2.4.54-ok5) yangtze; urgency=medium
-
- * Repair CVE-2023-27522
-
- -- fishwheel <2019302080004@whu.edu.cn> Thu, 20 Jul 2023 09:34:05 +0800
-
 apache2 (2.4.54-ok4) yangtze; urgency=medium
 * budingwang CVE-2022-37436 安全更新
-- Gitee
From 3a700268e79e33383f4b8b0b5a8fa9f9355e082c Mon Sep 17 00:00:00 2001
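Review bot: The four new rejection paths in the header loop (`len = -1; break;`) and the `if (len < 0)` block that returns `HTTP_BAD_GATEWAY` write nothing to the error log. An operator therefore sees a 502 with no record of whether the backend sent an over-long line, a header without a colon, an invalid name or an invalid value. One line before the return, for example `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "uwsgi: malformed response header from backend");`, would make these events visible to monitoring. Keep the message fixed, or log only the reason, and do not echo the raw header bytes because they are backend-controlled. The `len < 0` test presumably also catches a negative return from `ap_getline` itself, so the wording should not blame the parser alone. The body of uwsgi_response continues outside the hunk.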
From: a-alpha
Date: Thu, 27 Jul 2023 09:51:19 +0000
Subject: [PATCH 3/3] =?UTF-8?q?update=20modules/proxy/mod=5Fproxy=5Fuwsgi.?= =?UTF-8?q?c.=20=E5=85=B3=E9=94=AE=E4=BB=A3=E7=A0=81=E6=B2=A1=E6=9C=89?= =?UTF-8?q?=E9=97=AE=E9=A2=98=EF=BC=8C=E6=88=91=E6=A0=B9=E6=8D=AE=E4=B8=8A?= =?UTF-8?q?=E6=B8=B8=E4=BB=A3=E7=A0=81=E4=BF=AE=E6=94=B9=E5=90=8C=E6=AD=A5?= =?UTF-8?q?=E4=BA=86=E4=B8=80=E4=BA=9B=E6=B3=A8=E9=87=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: a-alpha
---
 modules/proxy/mod_proxy_uwsgi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 8c08060..9cef4b3 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -309,14 +309,14 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
 len = ap_getline(buffer, sizeof(buffer), rp, 1);
 if (len <= 0) {
- /* oops */
+ /* invalid or empty */
 return HTTP_INTERNAL_SERVER_ERROR;
 }
 backend->worker->s->read += len;
 if ((apr_size_t)len >= sizeof(buffer)) {
- /* oops */
+ /* too long */
 return HTTP_INTERNAL_SERVER_ERROR;
 }
 /* Position of http status code */
@@ -348,7 +348,7 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
 }
 r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
- /* start parsing headers */
+ /* parse headers */
 while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
 if ((apr_size_t)len >= sizeof(buffer)) {
 /* too long */
-- Gitee