* [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
From: Frank Vanbever via buildroot @ 2023-07-13 16:11 UTC (permalink / raw)
To: buildroot; +Cc: Frank Vanbever
Fixes the following issue:
- CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
a denial of service (worker crash and unresponsiveness) because some inputs
cause a segfault in the Transaction class for some configurations.
https://security-tracker.debian.org/tracker/CVE-2023-28882
Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
---
...-variable-inits-in-Transaction-class.patch | 48 +++++++++++++++++++
package/libmodsecurity/libmodsecurity.mk | 3 ++
2 files changed, 51 insertions(+)
create mode 100644 package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
diff --git a/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch b/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
new file mode 100644
index 0000000000..5415d74f36
--- /dev/null
+++ b/package/libmodsecurity/0005-Add-some-member-variable-inits-in-Transaction-class.patch
@@ -0,0 +1,48 @@
+From 686612ceca3ec5bf8a64aa4a3dbf24e95f9017a3 Mon Sep 17 00:00:00 2001
+From: Martin Vierula <martin.vierula@trustwave.com>
+Date: Fri, 31 Mar 2023 08:27:35 -0700
+Subject: [PATCH] Add some member varialbe inits in Transaction class
+
+Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
+Upstream: https://github.com/SpiderLabs/ModSecurity/pull/2886
+---
+ src/transaction.cc | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/transaction.cc b/src/transaction.cc
+index bc28abe0..051568ce 100644
+--- a/src/transaction.cc
++++ b/src/transaction.cc
+@@ -101,11 +101,11 @@ namespace modsecurity {
+ */
+ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
+ : m_creationTimeStamp(utils::cpu_seconds()),
+- /* m_clientIpAddress(nullptr), */
++ m_clientIpAddress(std::make_shared<std::string>("")),
+ m_httpVersion(""),
+- /* m_serverIpAddress(""), */
++ m_serverIpAddress(std::make_shared<std::string>("")),
+ m_uri(""),
+- /* m_uri_no_query_string_decoded(""), */
++ m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
+ m_ARGScombinedSizeDouble(0),
+ m_clientPort(0),
+ m_highestSeverityAction(255),
+@@ -175,11 +175,11 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
+
+ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCbData)
+ : m_creationTimeStamp(utils::cpu_seconds()),
+- /* m_clientIpAddress(""), */
++ m_clientIpAddress(std::make_shared<std::string>("")),
+ m_httpVersion(""),
+- /* m_serverIpAddress(""), */
++ m_serverIpAddress(std::make_shared<std::string>("")),
+ m_uri(""),
+- /* m_uri_no_query_string_decoded(""), */
++ m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
+ m_ARGScombinedSizeDouble(0),
+ m_clientPort(0),
+ m_highestSeverityAction(255),
+--
+2.39.2
+
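Review bot: the fix replaces default-constructed (null) shared_ptr members with pointers to empty strings (`++ m_clientIpAddress(std::make_shared<std::string>("")),` and likewise for m_serverIpAddress and m_uri_no_query_string_decoded in both constructors), so any caller that previously compared these members against nullptr to mean "not yet set" will now see a set-but-empty value; since this is a backport of an upstream commit onto 3.0.8, it is worth confirming that no code path in the 3.0.8 tree depends on that distinction. The commented-out initialisers also differ between the two constructors (`/* m_clientIpAddress(nullptr), */` vs `/* m_clientIpAddress(""), */`), which is cosmetic but confirms the member was left uninitialised in both.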
diff --git a/package/libmodsecurity/libmodsecurity.mk b/package/libmodsecurity/libmodsecurity.mk
index e83fda895f..3680840f76 100644
--- a/package/libmodsecurity/libmodsecurity.mk
+++ b/package/libmodsecurity/libmodsecurity.mk
@@ -15,6 +15,9 @@ LIBMODSECURITY_CPE_ID_PRODUCT = modsecurity
# We're patching build/libmaxmind.m4 and build/pcre.m4
LIBMODSECURITY_AUTORECONF = YES
+# 0005-Add-some-member-variable-inits-in-Transaction-class.patch
+LIBMODSECURITY_IGNORE_CVES += CVE-2023-28882
+
LIBMODSECURITY_DEPENDENCIES = pcre2
LIBMODSECURITY_CONF_OPTS = \
--without-pcre \
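Review bot: `+LIBMODSECURITY_IGNORE_CVES += CVE-2023-28882` is only valid while the package stays at 3.0.8 with 0005-Add-some-member-variable-inits-in-Transaction-class.patch applied; if the branch is instead bumped to 3.0.9 or 3.0.10, both this line and the patch file need to be dropped in the same change, otherwise a stale ignore entry remains that no longer corresponds to a local patch. The comment naming the patch file above the ignore line follows the usual Buildroot convention and makes that cleanup easy to spot.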
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
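As an added illustration (not ModSecurity's code; the class and member names are hypothetical reductions of the patch above), the pre-fix and post-fix constructor shapes side by side, plus a null-checking accessor that a consumer of such members can use on builds that do not carry the fix:

```cpp
#include <cstddef>
#include <memory>
#include <string>

// Reduced model of the bug class behind CVE-2023-28882: shared_ptr<string>
// members that the constructor leaves default-constructed, i.e. null.
// Names below are hypothetical, not ModSecurity's real Transaction class.
class TransactionBefore {
public:
    // Mirrors the pre-fix initialiser list: m_clientIpAddress is not in it.
    TransactionBefore() : m_httpVersion("") {}

    bool clientIpIsNull() const { return m_clientIpAddress == nullptr; }

    // With a null pointer this dereference is undefined behaviour and in
    // practice a segfault: the worker crash the CVE describes.
    std::size_t clientIpLength() const { return m_clientIpAddress->size(); }

    std::shared_ptr<std::string> m_clientIpAddress;  // null until set
    std::string m_httpVersion;
};

// Same class with the fix from the backported patch: every shared_ptr member
// is initialised to an empty string, so dereferencing is always valid.
class TransactionAfter {
public:
    TransactionAfter()
        : m_clientIpAddress(std::make_shared<std::string>("")),
          m_httpVersion("") {}

    bool clientIpIsNull() const { return m_clientIpAddress == nullptr; }
    std::size_t clientIpLength() const { return m_clientIpAddress->size(); }

    std::shared_ptr<std::string> m_clientIpAddress;
    std::string m_httpVersion;
};

// Defensive accessor for code that may still meet a null member (e.g. on an
// unpatched build): returns an empty string instead of dereferencing null.
std::string safeValue(const std::shared_ptr<std::string>& p) {
    return p ? *p : std::string();
}
```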
* Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
From: Peter Korsgaard @ 2023-08-26 20:06 UTC (permalink / raw)
To: Frank Vanbever via buildroot; +Cc: Frank Vanbever
>>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> writes:
> Fixes the following issue:
> - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
> a denial of service (worker crash and unresponsiveness) because some inputs
> cause a segfault in the Transaction class for some configurations.
> https://security-tracker.debian.org/tracker/CVE-2023-28882
> Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Sorry for the slow response.
We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
big that it makes sense to add this patch rather than just bumping to
3.0.9 - especially given that 3.0.10 contained another security fix?
Looking at the 3.0.9 release notes, it seems to be almost entirely
fixes:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
From: Frank Vanbever via buildroot @ 2023-08-30 7:29 UTC (permalink / raw)
To: Frank Vanbever via buildroot, Peter Korsgaard
Hi Peter,
I believe your assessment is right; at this point it would be best to backport
the bump to 3.0.10 on master to the stable branches and get rid of multiple
CVEs at the same time. Do I resubmit that patch or do you take it directly
from master?
Best regards,
Frank
On Saturday 26 August 2023 22:06:23 CEST Peter Korsgaard wrote:
> >>>>> "Frank" == Frank Vanbever via buildroot <buildroot@buildroot.org> writes:
> > Fixes the following issue:
> > - CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
> > a denial of service (worker crash and unresponsiveness) because some inputs
> > cause a segfault in the Transaction class for some configurations.
> > https://security-tracker.debian.org/tracker/CVE-2023-28882
> > Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
>
> Sorry for the slow response.
>
> We are using 3.0.8 on 2023.02.x. Is the delta between 3.0.8 and 3.0.9 so
> big that it makes sense to add this patch rather than just bumping to
> 3.0.9 - Especially given that 3.0.10 contained another security fix?
>
> Looking at the 3.0.9 release notes, it seems to be almost entirely
> fixes:
>
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9
* Re: [Buildroot] [PATCH 2023.02.x] package/libmodsecurity: backport security fix for CVE-2023-28882
From: Peter Korsgaard @ 2023-08-30 8:13 UTC (permalink / raw)
To: Frank Vanbever; +Cc: Frank Vanbever via buildroot
>>>>> "Frank" == Frank Vanbever <frank.vanbever@mind.be> writes:
> Hi Peter,
> I believe your assessment is right; at this point it would be best to backport
> the bump to 3.0.10 on master to the stable branches and get rid of multiple
> CVEs at the same time. Do I resubmit that patch or do you take it directly
> from master?
OK, good. I'll backport it when I finish synching 2023.02.x with master
(I'm currently running a few weeks behind because of the holidays).
--
Bye, Peter Korsgaard