* [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
@ 2023-07-13 16:11 Frank Vanbever via buildroot
2023-08-26 20:06 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Frank Vanbever via buildroot @ 2023-07-13 16:11 UTC (permalink / raw)
To: buildroot; +Cc: Frank Vanbever
Fixes the following issue:
- CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
a denial of service (worker crash and unresponsiveness) because some inputs
cause a segfault in the Transaction class for some configurations.
https://security-tracker.debian.org/tracker/CVE-2023-28882
Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
---
...-variable-inits-in-Transaction-class.patch | 48 +++++++++++++++++++
package/libmodsecurity/libmodsecurity.mk | 3 ++
2 files changed, 51 insertions(+)
create mode 100644 package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
diff --git a/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch b/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
new file mode 100644
index 0000000000..5415d74f36
--- /dev/null
+++ b/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
@@ -0,0 +1,48 @@
+From 686612ceca3ec5bf8a64aa4a3dbf24e95f9017a3 Mon Sep 17 00:00:00 2001
+From: Martin Vierula <martin.vierula@trustwave.com>
+Date: Fri, 31 Mar 2023 08:27:35 -0700
+Subject: [PATCH] Add some member varialbe inits in Transaction class
+
+Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
+Upstream: https://github.com/SpiderLabs/ModSecurity/pull/2886
+---
+ src/transaction.cc | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/transaction.cc b/src/transaction.cc
+index bc28abe0..051568ce 100644
+--- a/src/transaction.cc
++++ b/src/transaction.cc
+@@ -101,11 +101,11 @@ namespace modsecurity {
+ */
+ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
+ : m_creationTimeStamp(utils::cpu_seconds()),
+- /* m_clientIpAddress(nullptr), */
++ m_clientIpAddress(std::make_shared<std::string>("")),
+ m_httpVersion(""),
+- /* m_serverIpAddress(""), */
++ m_serverIpAddress(std::make_shared<std::string>("")),
+ m_uri(""),
+- /* m_uri_no_query_string_decoded(""), */
++ m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
+ m_ARGScombinedSizeDouble(0),
+ m_clientPort(0),
+ m_highestSeverityAction(255),
+@@ -175,11 +175,11 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
+
+ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCbData)
+ : m_creationTimeStamp(utils::cpu_seconds()),
+- /* m_clientIpAddress(""), */
++ m_clientIpAddress(std::make_shared<std::string>("")),
+ m_httpVersion(""),
+- /* m_serverIpAddress(""), */
++ m_serverIpAddress(std::make_shared<std::string>("")),
+ m_uri(""),
+- /* m_uri_no_query_string_decoded(""), */
++ m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
+ m_ARGScombinedSizeDouble(0),
+ m_clientPort(0),
+ m_highestSeverityAction(255),
+--
+2.39.2
+
diff --git a/package/libmodsecurity/libmodsecurity.mk b/package/libmodsecurity/libmodsecurity.mk
index e83fda895f..3680840f76 100644
--- a/package/libmodsecurity/libmodsecurity.mk
+++ b/package/libmodsecurity/libmodsecurity.mk
@@ -15,6 +15,9 @@ LIBMODSECURITY_CPE_ID_PRODUCT = modsecurity
# We're patching build/libmaxmind.m4 and build/pcre.m4
LIBMODSECURITY_AUTORECONF = YES
+# 0005-Add-some-member-variable-inits-in-Transaction-class.patch
+LIBMODSECURITY_IGNORE_CVES += CVE-2023-28882
+
LIBMODSECURITY_DEPENDENCIES = pcre2
LIBMODSECURITY_CONF_OPTS = \
--without-pcre \
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-08-30 8:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-13 16:11 [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882 Frank Vanbever via buildroot
2023-08-26 20:06 ` Peter Korsgaard
2023-08-30 7:29 ` Frank Vanbever via buildroot
2023-08-30 8:13 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox