[2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882

Message ID 20230713161139.182388-1-frank.vanbever@mind.be
State Superseded

Commit Message

Frank Vanbever July 13, 2023, 4:11 p.m. UTC
Fixes the following issue:
- CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
  a denial of service (worker crash and unresponsiveness) because some inputs
  cause a segfault in the Transaction class for some configurations.

  https://security-tracker.debian.org/tracker/CVE-2023-28882

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
---
 ...-variable-inits-in-Transaction-class.patch | 48 +++++++++++++++++++
 package/libmodsecurity/libmodsecurity.mk      |  3 ++
 2 files changed, 51 insertions(+)
 create mode 100644 package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch

Comments

Peter Korsgaard Aug. 26, 2023, 8:06 p.m. UTC | #1
>>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> writes:

 > Fixes the following issue:
 > - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
 >   a denial of service (worker crash and unresponsiveness) because some inputs
 >   cause a segfault in the Transaction class for some configurations.

 >   https://security-tracker.debian.org/tracker/CVE-2023-28882

 > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>

Sorry for the slow response.

We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
big that it makes sense to add this patch rather than just bumping to
3.0.9 - Especially given that 3.0.10 contained another security fix?

Looking at the 3.0.9 release notes, it seems to be almost entirely
fixes:

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

Frank Vanbever Aug. 30, 2023, 7:29 a.m. UTC | #2
Hi Peter,

I believe your assessment is right, at this point it would be best to backport 
the bump to 3.0.10 on master to the stable branches and get rid of multiple 
CVEs at the same time. Do I resubmit that patch or do you take it directly 
from master?

Best regards,
Frank

On zaterdag 26 augustus 2023 22:06:23 CEST Peter Korsgaard wrote:
> >>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> writes:
>  > Fixes the following issue:
>  > - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
>  >   a denial of service (worker crash and unresponsiveness) because some inputs
>  >   cause a segfault in the Transaction class for some configurations.
>  >   
>  >   https://security-tracker.debian.org/tracker/CVE-2023-28882
>  > 
>  > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
> 
> Sorry for the slow response.
> 
> We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
> big that it makes sense to add this patch rather than just bumping to
> 3.0.9 - Especially given that 3.0.10 contained another security fix?
> 
> Looking at the 3.0.9 release notes, it seems to be almost entirely
> fixes:
> 
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

Peter Korsgaard Aug. 30, 2023, 8:13 a.m. UTC | #3
>>>>> "Frank" == Frank Vanbever <frank.vanbever@mind.be> writes:

 > Hi Peter,
 > I believe your assessment is right, at this point it would be best to backport 
 > the bump to 3.0.10 on master to the stable branches and get rid of multiple 
 > CVEs at the same time. Do I resubmit that patch or do you take it directly 
 > from master?

OK, good. I'll backport it when I finish synching 2023.02.x with master
(I'm currently running a few weeks behind because of the holidays).

Patch

diff --git a/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch b/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
new file mode 100644
index 0000000000..5415d74f36
--- /dev/null
+++ b/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
@@ -0,0 +1,48 @@ 
+From 686612ceca3ec5bf8a64aa4a3dbf24e95f9017a3 Mon Sep 17 00:00:00 2001
+From: Martin Vierula <martin.vierula@trustwave.com>
+Date: Fri, 31 Mar 2023 08:27:35 -0700
+Subject: [PATCH] Add some member varialbe inits in Transaction class
+
+Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
+Upstream: https://github.com/SpiderLabs/ModSecurity/pull/2886
+---
+ src/transaction.cc | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/transaction.cc b/src/transaction.cc
+index bc28abe0..051568ce 100644
+--- a/src/transaction.cc
++++ b/src/transaction.cc
+@@ -101,11 +101,11 @@ namespace modsecurity {
+  */
+ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
+     : m_creationTimeStamp(utils::cpu_seconds()),
+-    /* m_clientIpAddress(nullptr), */
++     m_clientIpAddress(std::make_shared<std::string>("")),
+     m_httpVersion(""),
+-    /* m_serverIpAddress(""), */
++    m_serverIpAddress(std::make_shared<std::string>("")),
+     m_uri(""),
+-    /* m_uri_no_query_string_decoded(""), */
++    m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
+     m_ARGScombinedSizeDouble(0),
+     m_clientPort(0),
+     m_highestSeverityAction(255),
+@@ -175,11 +175,11 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
+ 
+ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCbData)
+     : m_creationTimeStamp(utils::cpu_seconds()),
+-    /* m_clientIpAddress(""), */
++    m_clientIpAddress(std::make_shared<std::string>("")),
+     m_httpVersion(""),
+-    /* m_serverIpAddress(""), */
++    m_serverIpAddress(std::make_shared<std::string>("")),
+     m_uri(""),
+-    /* m_uri_no_query_string_decoded(""), */
++    m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
+     m_ARGScombinedSizeDouble(0),
+     m_clientPort(0),
+     m_highestSeverityAction(255),
+-- 
+2.39.2
+
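Review bot: The header of the embedded patch (Subject, Signed-off-by, Upstream) has no description and never mentions CVE-2023-28882, so the patch file on its own does not say which issue it addresses; the only link is the comment in libmodsecurity.mk. Add a short body under the Subject stating that m_clientIpAddress, m_serverIpAddress and m_uri_no_query_string_decoded were previously left out of both constructors' initializer lists (the old entries are commented out) and are now initialised from std::make_shared<std::string>(""), and name the CVE there. Minor style point: the first added initializer, m_clientIpAddress in the first constructor, is indented one space deeper than its neighbours; keep it only if that is how the upstream commit has it.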
diff --git a/package/libmodsecurity/libmodsecurity.mk b/package/libmodsecurity/libmodsecurity.mk
index e83fda895f..3680840f76 100644
--- a/package/libmodsecurity/libmodsecurity.mk
+++ b/package/libmodsecurity/libmodsecurity.mk
@@ -15,6 +15,9 @@  LIBMODSECURITY_CPE_ID_PRODUCT = modsecurity
 # We're patching build/libmaxmind.m4 and build/pcre.m4
 LIBMODSECURITY_AUTORECONF = YES
 
+# 0005-Add-some-member-variable-inits-in-Transaction-class.patch
+LIBMODSECURITY_IGNORE_CVES += CVE-2023-28882
+
 LIBMODSECURITY_DEPENDENCIES = pcre2
 LIBMODSECURITY_CONF_OPTS = \
 	--without-pcre \
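Review bot: LIBMODSECURITY_IGNORE_CVES += CVE-2023-28882 takes the CVE out of the package's CVE reporting, so it is only correct if patch 0005 is the complete upstream fix, and nothing in the commit message or the patch header states that the referenced pull request is the whole change that closed this CVE in 3.0.9. Say so explicitly in the commit message, or extend the comment above the line to something like "0005-...patch fixes CVE-2023-28882", so a later reader can verify the claim. Both the patch file and this line also need to be dropped together when the package moves to a release that already carries the fix.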