Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: modsecur...@packages.debian.org, car...@debian.org, 
airw...@gmail.com
Control: affects -1 + src:modsecurity


[ Reason ]
Fix for CVE-2023-38285; there is no DSA for it.


[ Impact ]
Possible DoS.

[ Tests ]
Manually tested by package maintainers.

[ Risks ]
Low risk, small patch from upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Changes in transformations functions.
https://github.com/SpiderLabs/ModSecurity/pull/2934/files
diff -Nru modsecurity-3.0.9/debian/changelog modsecurity-3.0.9/debian/changelog
--- modsecurity-3.0.9/debian/changelog  2023-04-25 11:49:24.000000000 +0200
+++ modsecurity-3.0.9/debian/changelog  2023-09-25 14:43:11.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity (3.0.9-1+deb12u1) bookworm; urgency=medium
+
+  * Applied upstream patch to fix DoS.
+    CVE-2023-38285 (Closes: #1042475)
+
+ -- Ervin Hegedüs <airw...@gmail.com>  Mon, 25 Sep 2023 14:43:11 +0200
+
 modsecurity (3.0.9-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru modsecurity-3.0.9/debian/patches/cve-2023-38285.diff 
modsecurity-3.0.9/debian/patches/cve-2023-38285.diff
--- modsecurity-3.0.9/debian/patches/cve-2023-38285.diff        1970-01-01 
01:00:00.000000000 +0100
+++ modsecurity-3.0.9/debian/patches/cve-2023-38285.diff        2023-09-25 
14:43:11.000000000 +0200
@@ -0,0 +1,258 @@
+Description: Added fixes against CVE-2023-38285
+ These modifications fix CVE-2023-38295.
+Author: Ervin Hegedüs <airw...@gmail.com>
+Origin: upstream
+Bug: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10
+Last-Update: 2023-09-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: modsecurity/src/actions/transformations/remove_comments_char.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_comments_char.cc
++++ modsecurity/src/actions/transformations/remove_comments_char.cc
+@@ -1,6 +1,6 @@
+ /*
+  * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
+  *
+  * You may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+ 
+ #include "src/actions/transformations/remove_comments_char.h"
+ 
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+ 
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -37,39 +32,40 @@ RemoveCommentsChar::RemoveCommentsChar(const std::string 
&action)
+ 
+ std::string RemoveCommentsChar::evaluate(const std::string &val,
+     Transaction *transaction) {
+-    int64_t i;
+-    std::string value(val);
++    size_t i = 0;
++    std::string transformed_value;
++    transformed_value.reserve(val.size());
+ 
+-    i = 0;
+-    while (i < value.size()) {
+-        if (value.at(i) == '/'
+-            && (i+1 < value.size()) && value.at(i+1) == '*') {
+-            value.erase(i, 2);
+-        } else if (value.at(i) == '*'
+-            && (i+1 < value.size()) && value.at(i+1) == '/') {
+-            value.erase(i, 2);
+-        } else if (value.at(i) == '<'
+-            && (i+1 < value.size())
+-            && value.at(i+1) == '!'
+-            && (i+2 < value.size())
+-            && value.at(i+2) == '-'
+-            && (i+3 < value.size())
+-            && value.at(i+3) == '-') {
+-            value.erase(i, 4);
+-        } else if (value.at(i) == '-'
+-            && (i+1 < value.size()) && value.at(i+1) == '-'
+-            && (i+2 < value.size()) && value.at(i+2) == '>') {
+-            value.erase(i, 3);
+-        } else if (value.at(i) == '-'
+-            && (i+1 < value.size()) && value.at(i+1) == '-') {
+-            value.erase(i, 2);
+-        } else if (value.at(i) == '#') {
+-            value.erase(i, 1);
++    while (i < val.size()) {
++        if (val.at(i) == '/'
++            && (i+1 < val.size()) && val.at(i+1) == '*') {
++            i += 2;
++        } else if (val.at(i) == '*'
++            && (i+1 < val.size()) && val.at(i+1) == '/') {
++            i += 2;
++        } else if (val.at(i) == '<'
++            && (i+1 < val.size())
++            && val.at(i+1) == '!'
++            && (i+2 < val.size())
++            && val.at(i+2) == '-'
++            && (i+3 < val.size())
++            && val.at(i+3) == '-') {
++            i += 4;
++        } else if (val.at(i) == '-'
++            && (i+1 < val.size()) && val.at(i+1) == '-'
++            && (i+2 < val.size()) && val.at(i+2) == '>') {
++            i += 3;
++        } else if (val.at(i) == '-'
++            && (i+1 < val.size()) && val.at(i+1) == '-') {
++            i += 2;
++        } else if (val.at(i) == '#') {
++            i += 1;
+         } else {
++            transformed_value += val.at(i);
+             i++;
+         }
+     }
+-    return value;
++    return transformed_value;
+ }
+ 
+ }  // namespace transformations
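Review bot: The rewritten loop in RemoveCommentsChar::evaluate has no comment saying why the result is now built in a separate string, and the same is true of RemoveNulls::evaluate and RemoveWhitespace::evaluate later in this patch. The removed code called `value.erase(i, n)` for every match, which shifts the remaining tail each time, so the cost grows quadratically on input dense in matched characters; that is presumably the DoS the changelog refers to. A line such as `// Append kept bytes to a pre-reserved buffer; erasing in place costs O(n) per match.` above the `while` would keep a later cleanup from reintroducing erase(). The explicit `i+1 < val.size()` style guards also make the bounds-checked `val.at()` calls redundant, so `val[i]` would do.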
+
+Index: modsecurity/src/actions/transformations/remove_nulls.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_nulls.cc
++++ modsecurity/src/actions/transformations/remove_nulls.cc
+@@ -1,6 +1,6 @@
+ /*
+  * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
+  *
+  * You may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+@@ -17,12 +17,7 @@
+ 
+ #include <string.h>
+ 
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+ 
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -35,19 +30,20 @@ namespace transformations {
+ 
+ std::string RemoveNulls::evaluate(const std::string &val,
+     Transaction *transaction) {
+-    int64_t i;
+-    std::string value(val);
+-
+-    i = 0;
+-    while (i < value.size()) {
+-        if (value.at(i) == '\0') {
+-            value.erase(i, 1);
++    size_t i = 0;
++    std::string transformed_value;
++    transformed_value.reserve(val.size());
++
++    while (i < val.size()) {
++        if (val.at(i) == '\0') {
++            // do nothing; continue on to next char in original val
+         } else {
+-            i++;
++            transformed_value += val.at(i);
+         }
++        i++;
+     }
+ 
+-    return value;
++    return transformed_value;
+ }
+ 
+ 
+Index: modsecurity/src/actions/transformations/remove_whitespace.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_whitespace.cc
++++ modsecurity/src/actions/transformations/remove_whitespace.cc
+@@ -1,6 +1,6 @@
+ /*
+  * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
+  *
+  * You may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+ 
+ #include "src/actions/transformations/remove_whitespace.h"
+ 
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+ 
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
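Review bot: Dropping `#include <cctype>` from remove_whitespace.cc leaves the `std::isspace` call in RemoveWhitespace::evaluate (next hunk) without the header that declares it. It will probably still compile through a transitive include on common standard libraries, but nothing guarantees that. Keep `#include <cctype>` in this file; as far as the visible hunks show, the other four removed headers are unused.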
+@@ -37,28 +32,27 @@ RemoveWhitespace::RemoveWhitespace(const
+ 
+ std::string RemoveWhitespace::evaluate(const std::string &val,
+     Transaction *transaction) {
+-    std::string value(val);
++    std::string transformed_value;
++    transformed_value.reserve(val.size());
+ 
+-    int64_t i = 0;
++    size_t i = 0;
+     const char nonBreakingSpaces = 0xa0;
+     const char nonBreakingSpaces2 = 0xc2;
+ 
+     // loop through all the chars
+-    while (i < value.size()) {
++    while (i < val.size()) {
+         // remove whitespaces and non breaking spaces (NBSP)
+-        if (std::isspace(static_cast<unsigned char>(value[i]))
+-            || (value[i] == nonBreakingSpaces)
+-            || value[i] == nonBreakingSpaces2) {
+-            value.erase(i, 1);
++        if (std::isspace(static_cast<unsigned char>(val[i]))
++            || (val[i] == nonBreakingSpaces)
++            || val[i] == nonBreakingSpaces2) {
++            // don't copy; continue on to next char in original val
+         } else {
+-          /* if the space is not a whitespace char, increment counter
+-           counter should not be incremented if a character is erased because
+-           the index erased will be replaced by the following character */
+-          i++;
++            transformed_value += val.at(i);
+         }
++        i++;
+     }
+ 
+-    return value;
++    return transformed_value;
+ }
+ 
+ }  // namespace transformations
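Review bot: The copy line `transformed_value += val.at(i);` uses the bounds-checked accessor while the three tests just above it read `val[i]`. The loop condition already guarantees `i < val.size()`, so `transformed_value += val[i];` is equivalent and keeps the function consistent. The `if` branch that holds only a comment could also be avoided by negating the condition and appending inside the `if`, though that is a matter of taste.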
+Index: modsecurity/src/actions/transformations/replace_nulls.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/replace_nulls.cc
++++ modsecurity/src/actions/transformations/replace_nulls.cc
+@@ -1,6 +1,6 @@
+ /*
+  * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. 
(http://www.trustwave.com/)
+  *
+  * You may not use this file except in compliance with
+  * the License.  You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+ 
+ #include "src/actions/transformations/replace_nulls.h"
+ 
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+ 
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -43,8 +38,7 @@ std::string ReplaceNulls::evaluate(const
+     i = 0;
+     while (i < value.size()) {
+         if (value.at(i) == '\0') {
+-            value.erase(i, 1);
+-            value.insert(i, " ", 1);
++            value[i] = ' ';
+         } else {
+             i++;
+         }
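Review bot: The DEP-3 header of the new patch file names two different identifiers: `Description:` says CVE-2023-38285, but the long description on the following line says CVE-2023-38295. The changelog entry and the patch file name both use CVE-2023-38285, so the second looks like a typo; the line should read ` These modifications fix CVE-2023-38285.`. The `Bug:` field also points at a release tag rather than an issue or pull request, and the upstream pull request linked in the request body would be the more precise reference.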
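Review bot: After `value[i] = ' ';` the index is not advanced, so the loop reads the byte it just wrote once more before the `else` branch moves on. It terminates, but every NUL costs two iterations and the intent is harder to see. Advancing unconditionally is simpler: `if (value[i] == '\0') { value[i] = ' '; }` followed by `i++;`. The declarations of `i` and `value` lie above this hunk, so it is not visible whether `i` was switched from `int64_t` to `size_t` as in the other three files; if it was not, `i < value.size()` remains a signed/unsigned comparison. ReplaceNulls::evaluate starts and ends outside the hunk.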
diff -Nru modsecurity-3.0.9/debian/patches/series 
modsecurity-3.0.9/debian/patches/series
--- modsecurity-3.0.9/debian/patches/series     2023-04-25 11:49:24.000000000 
+0200
+++ modsecurity-3.0.9/debian/patches/series     2023-09-25 14:43:11.000000000 
+0200
@@ -1,2 +1,3 @@
 disable-network-dependent-tests.patch
 ftbfs_1034760.patch
+cve-2023-38285.diff
