Bug#949728: buster-pu: package modsecurity/3.0.3-1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
A security issue (CVE-2019-19886) was found in Modsecurity 3.0.3. [1]
A fixed package is already in unstable. This upload only applies the
upstream patch to fix that. Please consider 3.0.3-1+deb10u1 for the next
buster update.
Waiting for your OK to the upload.
Thanks,
Alberto
[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.4.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru modsecurity-3.0.3/debian/changelog modsecurity-3.0.3/debian/changelog
--- modsecurity-3.0.3/debian/changelog 2018-12-12 08:17:40.000000000 +0100
+++ modsecurity-3.0.3/debian/changelog 2020-01-21 22:52:59.000000000 +0100
@@ -1,3 +1,9 @@
+modsecurity (3.0.3-1+deb10u1) buster; urgency=medium
+
+ * Fixes CVE-2019-19886 (Closes: #949682)
+
+ -- Ervin Hegedus <airween@gmail.com> Tue, 21 Jan 2020 21:52:59 +0000
+
modsecurity (3.0.3-1) unstable; urgency=medium
[ Ervin Hegedüs ]
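Review bot: the new changelog entry says only `* Fixes CVE-2019-19886 (Closes: #949682)` and does not name the patch it adds or what that patch changes. Naming debian/patches/cookieparse_fix.patch and the Cookie header parsing crash in the entry would make it self-explanatory to anyone reading the stable update. The trailer also spells the name `Ervin Hegedus` while the previous entry has `Ervin Hegedüs`; one spelling should be used throughout.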
diff -Nru modsecurity-3.0.3/debian/patches/cookieparse_fix.patch modsecurity-3.0.3/debian/patches/cookieparse_fix.patch
--- modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 2020-01-21 22:52:59.000000000 +0100
@@ -0,0 +1,92 @@
+Description: Fix cookie header parsing bug
+ There was a bug in the transaction.cc, if the Cookie header contains a field (cookie)
+ without '=', the engine doesn't evaulate it as cookie. If the cookie started with
+ '=', then the engine crashed.
+Author: Ervin Hegedus <airween@gmail.com>
+
+---
+Origin: upstream, https://github.com/SpiderLabs/Misc/blob/master/ModSecurity_cookie_parsing_fix_303.patch
+Bug: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/
+Last-Update: 2020-01-21
+
+
+
+--- modsecurity-3.0.3.orig/src/transaction.cc
++++ modsecurity-3.0.3/src/transaction.cc
+@@ -556,20 +556,63 @@ int Transaction::addRequestHeader(const
+
+ if (keyl == "cookie") {
+ size_t localOffset = m_variableOffset;
++ size_t pos;
+ std::vector<std::string> cookies = utils::string::ssplit(value, ';');
++
++ if (!cookies.empty()) {
++ // Get rid of any optional whitespace after the cookie-string
++ // (i.e. after the end of the final cookie-pair)
++ std::string& final_cookie_pair = cookies.back();
++ while (!final_cookie_pair.empty() && isspace(final_cookie_pair.back())) {
++ final_cookie_pair.pop_back();
++ }
++ }
++
+ for (const std::string &c : cookies) {
+- std::vector<std::string> s = utils::string::split(c,
+- '=');
+- if (s.size() > 1) {
+- if (s[0].at(0) == ' ') {
+- s[0].erase(0, 1);
+- }
+- m_variableRequestCookiesNames.set(s[0],
+- s[0], localOffset);
+-
+- localOffset = localOffset + s[0].size() + 1;
+- m_variableRequestCookies.set(s[0], s[1], localOffset);
+- localOffset = localOffset + s[1].size() + 2;
++ // skip empty substring, eg "Cookie: ;;foo=bar"
++ if (c.empty() == true) {
++ localOffset++; // add length of ';'
++ continue;
++ }
++
++ // find the first '='
++ pos = c.find_first_of("=", 0);
++ std::string ckey = "";
++ std::string cval = "";
++
++ // if the cookie doesn't contains '=', its just a key
++ if (pos == std::string::npos) {
++ ckey = c;
++ }
++ // else split to two substrings by first =
++ else {
++ ckey = c.substr(0, pos);
++ // value will contains the next '=' chars if exists
++ // eg. foo=bar=baz -> key: foo, value: bar=baz
++ cval = c.substr(pos+1);
++ }
++
++ // ltrim the key - following the modsec v2 way
++ while (ckey.empty() == false && isspace(ckey.at(0))) {
++ ckey.erase(0, 1);
++ localOffset++;
++ }
++
++ // if the key is empty (eg: "Cookie: =bar;") skip it
++ if (ckey.empty() == true) {
++ localOffset = localOffset + c.length() + 1;
++ continue;
++ }
++ else {
++ // handle cookie only if the key is not empty
++ // set cookie name
++ m_variableRequestCookiesNames.set(ckey,
++ ckey, localOffset);
++ localOffset = localOffset + ckey.size() + 1;
++ // set cookie value
++ m_variableRequestCookies.set(ckey, cval,
++ localOffset);
++ localOffset = localOffset + cval.size() + 1;
+ }
+ }
+ }
+
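Review bot: the `localOffset` bookkeeping in the new loop appears to drift in two branches. In the empty-key branch, the ltrim loop has already done `localOffset++` for each leading whitespace character, and then `localOffset = localOffset + c.length() + 1;` counts those same characters again because `c` is the untrimmed substring. For a cookie with no `=`, `localOffset + ckey.size() + 1` adds one for a separator that is not present in the input before `cval.size() + 1` adds one for the `;`. Neither affects the crash fix, but offsets recorded for later cookies in the same header will be too large; consider deriving the increments from `c.length()` and `pos` in one place. Separately, `isspace(final_cookie_pair.back())` and `isspace(ckey.at(0))` pass a plain `char` taken from the request header, so both arguments should be cast to `unsigned char` to keep bytes above 0x7f well defined. In the patch header, `Origin`, `Bug` and `Last-Update` sit below the `---` line; moving them above it keeps them with `Description` and `Author`.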
diff -Nru modsecurity-3.0.3/debian/patches/series modsecurity-3.0.3/debian/patches/series
--- modsecurity-3.0.3/debian/patches/series 2018-12-12 08:13:38.000000000 +0100
+++ modsecurity-3.0.3/debian/patches/series 2020-01-21 22:52:59.000000000 +0100
@@ -1,3 +1,4 @@
disable-network-dependent-tests.patch
setenv_term_avoid.patch
bigendian_fix.patch
+cookieparse_fix.patch