On 07/06/2021 at 17:34, Salvatore Bonaccorso wrote:
> Source: apache2
> Version: 2.4.47-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> The following vulnerability was published for apache2.
>
> CVE-2021-31618[0]:
> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
> [1]
> https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Hi all,
I can't import the whole patch for Bullseye since it is written for
2.4.47. I think the best solution is to import the whole http2 module in
Bullseye. This gives the attached patch.
Cheers,
Yadd
Description: import the whole HTTP/2 module from 2.4.47 to fix CVE-2021-31618
Author: Xavier Guimard
Origin: upstream
Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
Bug-Debian: https://bugs.debian.org/989562
Forwarded: not-needed
Reviewed-By: Yadd
Last-Update: 2021-06-08
--- a/modules/http2/h2.h
+++ b/modules/http2/h2.h
@@ -141,8 +141,19 @@
unsigned int chunked : 1; /* iff request body needs to be forwarded as chunked */
unsigned int serialize : 1; /* iff this request is written in HTTP/1.1 serialization */
apr_off_t raw_bytes;/* RAW network bytes that generated this
request - if known. */
+int http_status;/* Store a possible HTTP status code that gets
+ * defined before creating the dummy HTTP/1.1
+ * request e.g. due to an error already
+ * detected.
+ */
};
+/*
+ * A possible HTTP status code is not defined yet. See the http_status field
+ * in struct h2_request above for further explanation.
+ */
+#define H2_HTTP_STATUS_UNSET (0)
+
typedef struct h2_headers h2_headers;
struct h2_headers {
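Review bot: H2_HTTP_STATUS_UNSET is defined as (0), so the new http_status field only reads as "unset" where struct h2_request is zero-initialised; the allocation sites are not in this hunk, so confirm they zero the struct (or assign http_status explicitly) before the field is consulted, and consider saying so in the comment next to the define.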
--- a/modules/http2/h2_bucket_beam.c
+++ b/modules/http2/h2_bucket_beam.c
@@ -945,7 +945,8 @@
apr_status_t h2_beam_receive(h2_bucket_beam *beam,
apr_bucket_brigade *bb,
apr_read_type_e block,
- apr_off_t readbytes)
+ apr_off_t readbytes,
+ int *pclosed)
{
h2_beam_lock bl;
apr_bucket *bsender, *brecv, *ng;
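Review bot: the signature of h2_beam_receive() gains a fourth parameter (int *pclosed) here; every caller must be updated to match, and none of them appear in the visible hunks, so the import is only complete if the callers in the rest of the module are carried over with it.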
@@ -953,7 +954,7 @@
apr_status_t status = APR_SUCCESS;
apr_off_t remain;
int transferred_buckets = 0;
-
+
/* Called from the receiver thread to take buckets from the beam */
if (enter_yellow(beam, ) == APR_SUCCESS) {
if (readbytes <= 0) {
@@ -1039,6 +1040,7 @@
H2_BLIST_INSERT_TAIL(>hold_list, bsender);
remain -= bsender->length;
+beam->received_bytes += bsender->length;
++transferred;
++transferred_buckets;
continue;
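Review bot: the added line increments beam->received_bytes, but the h2_bucket_beam.h hunk in this patch adds no such field; unless the Bullseye header already declares it, this will not compile, so the field declaration (and its initialisation) needs to be part of the import.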
@@ -1126,7 +1128,8 @@
}
goto transfer;
}
-leave:
+leave:
+if (pclosed) *pclosed = beam->closed? 1 : 0;
leave_yellow(beam, );
}
return status;
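Review bot: *pclosed is only assigned at the leave: label, which sits inside the `if (enter_yellow(beam, ...) == APR_SUCCESS)` block; when the lock is not obtained the output is left untouched, so callers that do not initialise their int before the call would read an indeterminate value. Either assign `*pclosed = 0` before taking the lock or document in the header that the value is only meaningful on APR_SUCCESS. Minor style: `beam->closed? 1 : 0` wants a space before the `?`.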
--- a/modules/http2/h2_bucket_beam.h
+++ b/modules/http2/h2_bucket_beam.h
@@ -258,11 +258,15 @@
* if no data is available.
*
* Call from the receiver side only.
+ * @param pclosed on return != 0 iff the beam has been closed by the sender. It
+ * may still hold untransfered data. Maybe NULL if the caller is
+ * not interested in this.
*/
apr_status_t h2_beam_receive(h2_bucket_beam *beam,
apr_bucket_brigade *green_buckets,
apr_read_type_e block,
- apr_off_t readbytes);
+ apr_off_t readbytes,
+ int *pclosed);
/**
* Determine if beam is empty.
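Review bot: two typos in the new @param text: "untransfered" should be "untransferred" and "Maybe NULL" should be "May be NULL" (as written it reads as "perhaps NULL" rather than "is allowed to be NULL").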
--- a/modules/http2/h2_config.c
+++ b/modules/http2/h2_config.c
@@ -78,6 +78,7 @@
int early_hints; /* support status code 103 */
int padding_bits;
int padding_always;
+int output_buffered;
} h2_config;
typedef struct h2_dir_config {
@@ -115,6 +116,7 @@
0, /* early hints, http status 103 */
0, /* padding bits */
1, /* padding always */
+1, /* strean output buffered */
};
static h2_dir_config defdconf = {
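Review bot: typo in the added initialiser comment, "strean output buffered" should read "stream output buffered"; since the default-value comments in this struct are the only documentation of which positional initialiser belongs to which field, it is worth getting right.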
@@ -159,6 +161,7 @@
conf->early_hints = DEF_VAL;
conf->padding_bits