Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: modsecur...@packages.debian.org, car...@debian.org, airw...@gmail.com Control: affects -1 + src:modsecurity
[ Reason ] Fix for CVE-2023-38285; no DSA for it. [ Impact ] Possible DoS. [ Tests ] Manually tested by package maintainers. [ Risks ] Low risk, small patch from upstream. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Changes in the transformation functions. https://github.com/SpiderLabs/ModSecurity/pull/2934/files
diff -Nru modsecurity-3.0.9/debian/changelog modsecurity-3.0.9/debian/changelog
--- modsecurity-3.0.9/debian/changelog 2023-04-25 11:49:24.000000000 +0200
+++ modsecurity-3.0.9/debian/changelog 2023-09-25 14:43:11.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity (3.0.9-1+deb12u1) bookworm; urgency=medium
+
+ * Applied upstream patch to fix DoS.
+ CVE-2023-38285 (Closes: #1042475)
+
+ -- Ervin Hegedüs <airw...@gmail.com> Mon, 25 Sep 2023 14:43:11 +0200
+
 modsecurity (3.0.9-1) unstable; urgency=medium
 
 * New upstream version.
diff -Nru modsecurity-3.0.9/debian/patches/cve-2023-38285.diff modsecurity-3.0.9/debian/patches/cve-2023-38285.diff
--- modsecurity-3.0.9/debian/patches/cve-2023-38285.diff 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-3.0.9/debian/patches/cve-2023-38285.diff 2023-09-25 14:43:11.000000000 +0200
@@ -0,0 +1,258 @@
+Description: Added fixes against CVE-2023-38285
+ These modifications fix CVE-2023-38295.
+Author: Ervin Hegedüs <airw...@gmail.com>
+Origin: upstream
+Bug: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10
+Last-Update: 2023-09-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: modsecurity/src/actions/transformations/remove_comments_char.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_comments_char.cc
++++ modsecurity/src/actions/transformations/remove_comments_char.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+
+ #include "src/actions/transformations/remove_comments_char.h"
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -37,39 +32,40 @@ RemoveCommentsChar::RemoveCommentsChar(const std::string &action)
+
+ std::string RemoveCommentsChar::evaluate(const std::string &val,
+ Transaction *transaction) {
+- int64_t i;
+- std::string value(val);
++ size_t i = 0;
++ std::string transformed_value;
++ transformed_value.reserve(val.size());
+
+- i = 0;
+- while (i < value.size()) {
+- if (value.at(i) == '/'
+- && (i+1 < value.size()) && value.at(i+1) == '*') {
+- value.erase(i, 2);
+- } else if (value.at(i) == '*'
+- && (i+1 < value.size()) && value.at(i+1) == '/') {
+- value.erase(i, 2);
+- } else if (value.at(i) == '<'
+- && (i+1 < value.size())
+- && value.at(i+1) == '!' 
+- && (i+2 < value.size())
+- && value.at(i+2) == '-'
+- && (i+3 < value.size())
+- && value.at(i+3) == '-') {
+- value.erase(i, 4);
+- } else if (value.at(i) == '-'
+- && (i+1 < value.size()) && value.at(i+1) == '-'
+- && (i+2 < value.size()) && value.at(i+2) == '>') {
+- value.erase(i, 3);
+- } else if (value.at(i) == '-'
+- && (i+1 < value.size()) && value.at(i+1) == '-') {
+- value.erase(i, 2);
+- } else if (value.at(i) == '#') {
+- value.erase(i, 1);
++ while (i < val.size()) {
++ if (val.at(i) == '/'
++ && (i+1 < val.size()) && val.at(i+1) == '*') {
++ i += 2;
++ } else if (val.at(i) == '*'
++ && (i+1 < val.size()) && val.at(i+1) == '/') {
++ i += 2;
++ } else if (val.at(i) == '<'
++ && (i+1 < val.size())
++ && val.at(i+1) == '!'
++ && (i+2 < val.size())
++ && val.at(i+2) == '-'
++ && (i+3 < val.size())
++ && val.at(i+3) == '-') {
++ i += 4;
++ } else if (val.at(i) == '-'
++ && (i+1 < val.size()) && val.at(i+1) == '-'
++ && (i+2 < val.size()) && val.at(i+2) == '>') {
++ i += 3;
++ } else if (val.at(i) == '-'
++ && (i+1 < val.size()) && val.at(i+1) == '-') {
++ i += 2;
++ } else if (val.at(i) == '#') {
++ i += 1;
+ } else {
++ transformed_value += val.at(i);
+ i++;
+ }
+ }
+- return value;
++ return transformed_value;
+ }
+
+ } // namespace transformations
+
+Index: modsecurity/src/actions/transformations/remove_nulls.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_nulls.cc
++++ modsecurity/src/actions/transformations/remove_nulls.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. 
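Review bot: Nothing in the new `RemoveCommentsChar::evaluate` loop records why the result is now built in a separate buffer, so a later cleanup could reintroduce the in-place `erase()` calls. Each `erase()` shifted the rest of the string, which made the old loop quadratic in the length of the value being transformed; that is presumably the DoS tracked as CVE-2023-38285. I would add above the `while`: `// Single pass into a pre-reserved buffer: erase() in the loop is O(n) per call, O(n^2) on hostile input.` The same comment applies to the `RemoveNulls::evaluate` and `RemoveWhitespace::evaluate` hunks. Since the request lists only manual testing, a regression test that feeds each transformation a large value made entirely of removable characters would keep the bound in place.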
You may obtain a copy of the License at
+@@ -17,12 +17,7 @@
+
+ #include <string.h>
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -35,19 +30,20 @@ namespace transformations {
+
+ std::string RemoveNulls::evaluate(const std::string &val,
+ Transaction *transaction) {
+- int64_t i;
+- std::string value(val);
+-
+- i = 0;
+- while (i < value.size()) {
+- if (value.at(i) == '\0') {
+- value.erase(i, 1);
++ size_t i = 0;
++ std::string transformed_value;
++ transformed_value.reserve(val.size());
++
++ while (i < val.size()) {
++ if (val.at(i) == '\0') {
++ // do nothing; continue on to next char in original val
+ } else {
+- i++;
++ transformed_value += val.at(i);
+ }
++ i++;
+ }
+
+- return value;
++ return transformed_value;
+ }
+
+
+Index: modsecurity/src/actions/transformations/remove_whitespace.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_whitespace.cc
++++ modsecurity/src/actions/transformations/remove_whitespace.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. 
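Review bot: The empty `if (val.at(i) == '\0')` branch in `RemoveNulls::evaluate` exists only to hold a comment; inverting the test removes both the empty branch and the manual index. `for (const char c : val) { if (c != '\0') transformed_value += c; }` performs the same copy without a bounds-checked `at()` call on every byte. The `#include <string.h>` kept as context in the include hunk does not appear to be used by the lines shown here, though the rest of the file is outside the hunk.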
You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+
+ #include "src/actions/transformations/remove_whitespace.h"
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -37,28 +32,27 @@ RemoveWhitespace::RemoveWhitespace(const
+
+ std::string RemoveWhitespace::evaluate(const std::string &val,
+ Transaction *transaction) {
+- std::string value(val);
++ std::string transformed_value;
++ transformed_value.reserve(val.size());
+
+- int64_t i = 0;
++ size_t i = 0;
+ const char nonBreakingSpaces = 0xa0;
+ const char nonBreakingSpaces2 = 0xc2;
+
+ // loop through all the chars
+- while (i < value.size()) {
++ while (i < val.size()) {
+ // remove whitespaces and non breaking spaces (NBSP)
+- if (std::isspace(static_cast<unsigned char>(value[i]))
+- || (value[i] == nonBreakingSpaces)
+- || value[i] == nonBreakingSpaces2) {
+- value.erase(i, 1);
++ if (std::isspace(static_cast<unsigned char>(val[i]))
++ || (val[i] == nonBreakingSpaces)
++ || val[i] == nonBreakingSpaces2) {
++ // don't copy; continue on to next char in original val
+ } else {
+- /* if the space is not a whitespace char, increment counter
+- counter should not be incremented if a character is erased because
+- the index erased will be replaced by the following character */
+- i++;
++ transformed_value += val.at(i);
+ }
++ i++;
+ }
+
+- return value;
++ return transformed_value;
+ }
+
+ } // namespace transformations
+Index: modsecurity/src/actions/transformations/replace_nulls.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/replace_nulls.cc
++++ modsecurity/src/actions/transformations/replace_nulls.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. 
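Review bot: The include hunk for remove_whitespace.cc drops `#include <cctype>`, but the new loop still calls `std::isspace`, so the file now relies on some other header pulling that declaration in. Keep `#include <cctype>` next to `#include <string>`; the other removed headers are not used by the lines visible here. Separately, the loop reads `val[i]` in the condition and `val.at(i)` in the copy, and using one accessor throughout would read better.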
(http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+
+ #include "src/actions/transformations/replace_nulls.h"
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -43,8 +38,7 @@ std::string ReplaceNulls::evaluate(const
+ i = 0;
+ while (i < value.size()) {
+ if (value.at(i) == '\0') {
+- value.erase(i, 1);
+- value.insert(i, " ", 1);
++ value[i] = ' ';
+ } else {
+ i++;
+ }
diff -Nru modsecurity-3.0.9/debian/patches/series modsecurity-3.0.9/debian/patches/series
--- modsecurity-3.0.9/debian/patches/series 2023-04-25 11:49:24.000000000 +0200
+++ modsecurity-3.0.9/debian/patches/series 2023-09-25 14:43:11.000000000 +0200
@@ -1,2 +1,3 @@
 disable-network-dependent-tests.patch
 ftbfs_1034760.patch
+cve-2023-38285.diff
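Review bot: The DEP-3 header added in debian/patches/cve-2023-38285.diff names two different identifiers: the `Description:` line says CVE-2023-38285, while its continuation line says `These modifications fix CVE-2023-38295.` The changelog entry, the patch file name and the request all use CVE-2023-38285, so the continuation line looks like a typo and should read `These modifications fix CVE-2023-38285.`, which keeps searches of the patch metadata for the CVE consistent. The `Bug:` field points at the upstream v3.0.10 release tag rather than a bug report; putting the upstream pull-request URL from the request on the `Origin: upstream, <URL>` line would record the source of the patch more precisely.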
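Review bot: In the `ReplaceNulls::evaluate` hunk the `if` branch still does not advance `i` after `value[i] = ' ';`, so every NUL byte is visited twice: once to overwrite it and once more to fall into the `else`. The shape is inherited from the old erase/insert pair and serves no purpose now; `if (value.at(i) == '\0') { value[i] = ' '; }` followed by an unconditional `i++;` is enough. The declaration of `i` is outside the hunk; if it is still `int64_t`, as it was in the other three files before this patch, it should become `size_t` to match them and to avoid the signed/unsigned comparison with `value.size()`. The function body starts and ends outside the hunk.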