Bug#1052710: bookworm-pu: package modsecurity/3.0.9-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: modsecurity@packages.debian.org, carnil@debian.org, airween@gmail.com
Control: affects -1 + src:modsecurity
[ Reason ]
Fix for CVE-2023-38285, not DSA for it.
[ Impact ]
Possible DoS.
[ Tests ]
Manually tested by package maintainers.
[ Risks ]
Low risk, small patch from upstream.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Changes in transformations functions.
https://github.com/SpiderLabs/ModSecurity/pull/2934/files
diff -Nru modsecurity-3.0.9/debian/changelog modsecurity-3.0.9/debian/changelog
--- modsecurity-3.0.9/debian/changelog 2023-04-25 11:49:24.000000000 +0200
+++ modsecurity-3.0.9/debian/changelog 2023-09-25 14:43:11.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity (3.0.9-1+deb12u1) bookworm; urgency=medium
+
+ * Applied upstream patch to fix DoS.
+ CVE-2023-38285 (Closes: #1042475)
+
+ -- Ervin Hegedüs <airween@gmail.com> Mon, 25 Sep 2023 14:43:11 +0200
+
modsecurity (3.0.9-1) unstable; urgency=medium
* New upstream version.
diff -Nru modsecurity-3.0.9/debian/patches/cve-2023-38285.diff modsecurity-3.0.9/debian/patches/cve-2023-38285.diff
--- modsecurity-3.0.9/debian/patches/cve-2023-38285.diff 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-3.0.9/debian/patches/cve-2023-38285.diff 2023-09-25 14:43:11.000000000 +0200
@@ -0,0 +1,258 @@
+Description: Added fixes against CVE-2023-38285
+ These modifications fix CVE-2023-38295.
+Author: Ervin Hegedüs <airween@gmail.com>
+Origin: upstream
+Bug: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10
+Last-Update: 2023-09-25
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: modsecurity/src/actions/transformations/remove_comments_char.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_comments_char.cc
++++ modsecurity/src/actions/transformations/remove_comments_char.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+
+ #include "src/actions/transformations/remove_comments_char.h"
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -37,39 +32,40 @@ RemoveCommentsChar::RemoveCommentsChar(const std::string &action)
+
+ std::string RemoveCommentsChar::evaluate(const std::string &val,
+ Transaction *transaction) {
+- int64_t i;
+- std::string value(val);
++ size_t i = 0;
++ std::string transformed_value;
++ transformed_value.reserve(val.size());
+
+- i = 0;
+- while (i < value.size()) {
+- if (value.at(i) == '/'
+- && (i+1 < value.size()) && value.at(i+1) == '*') {
+- value.erase(i, 2);
+- } else if (value.at(i) == '*'
+- && (i+1 < value.size()) && value.at(i+1) == '/') {
+- value.erase(i, 2);
+- } else if (value.at(i) == '<'
+- && (i+1 < value.size())
+- && value.at(i+1) == '!'
+- && (i+2 < value.size())
+- && value.at(i+2) == '-'
+- && (i+3 < value.size())
+- && value.at(i+3) == '-') {
+- value.erase(i, 4);
+- } else if (value.at(i) == '-'
+- && (i+1 < value.size()) && value.at(i+1) == '-'
+- && (i+2 < value.size()) && value.at(i+2) == '>') {
+- value.erase(i, 3);
+- } else if (value.at(i) == '-'
+- && (i+1 < value.size()) && value.at(i+1) == '-') {
+- value.erase(i, 2);
+- } else if (value.at(i) == '#') {
+- value.erase(i, 1);
++ while (i < val.size()) {
++ if (val.at(i) == '/'
++ && (i+1 < val.size()) && val.at(i+1) == '*') {
++ i += 2;
++ } else if (val.at(i) == '*'
++ && (i+1 < val.size()) && val.at(i+1) == '/') {
++ i += 2;
++ } else if (val.at(i) == '<'
++ && (i+1 < val.size())
++ && val.at(i+1) == '!'
++ && (i+2 < val.size())
++ && val.at(i+2) == '-'
++ && (i+3 < val.size())
++ && val.at(i+3) == '-') {
++ i += 4;
++ } else if (val.at(i) == '-'
++ && (i+1 < val.size()) && val.at(i+1) == '-'
++ && (i+2 < val.size()) && val.at(i+2) == '>') {
++ i += 3;
++ } else if (val.at(i) == '-'
++ && (i+1 < val.size()) && val.at(i+1) == '-') {
++ i += 2;
++ } else if (val.at(i) == '#') {
++ i += 1;
+ } else {
++ transformed_value += val.at(i);
+ i++;
+ }
+ }
+- return value;
++ return transformed_value;
+ }
+
+ } // namespace transformations
+
+Index: modsecurity/src/actions/transformations/remove_nulls.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_nulls.cc
++++ modsecurity/src/actions/transformations/remove_nulls.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+@@ -17,12 +17,7 @@
+
+ #include <string.h>
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -35,19 +30,20 @@ namespace transformations {
+
+ std::string RemoveNulls::evaluate(const std::string &val,
+ Transaction *transaction) {
+- int64_t i;
+- std::string value(val);
+-
+- i = 0;
+- while (i < value.size()) {
+- if (value.at(i) == '\0') {
+- value.erase(i, 1);
++ size_t i = 0;
++ std::string transformed_value;
++ transformed_value.reserve(val.size());
++
++ while (i < val.size()) {
++ if (val.at(i) == '\0') {
++ // do nothing; continue on to next char in original val
+ } else {
+- i++;
++ transformed_value += val.at(i);
+ }
++ i++;
+ }
+
+- return value;
++ return transformed_value;
+ }
+
+
+Index: modsecurity/src/actions/transformations/remove_whitespace.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/remove_whitespace.cc
++++ modsecurity/src/actions/transformations/remove_whitespace.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+
+ #include "src/actions/transformations/remove_whitespace.h"
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -37,28 +32,27 @@ RemoveWhitespace::RemoveWhitespace(const
+
+ std::string RemoveWhitespace::evaluate(const std::string &val,
+ Transaction *transaction) {
+- std::string value(val);
++ std::string transformed_value;
++ transformed_value.reserve(val.size());
+
+- int64_t i = 0;
++ size_t i = 0;
+ const char nonBreakingSpaces = 0xa0;
+ const char nonBreakingSpaces2 = 0xc2;
+
+ // loop through all the chars
+- while (i < value.size()) {
++ while (i < val.size()) {
+ // remove whitespaces and non breaking spaces (NBSP)
+- if (std::isspace(static_cast<unsigned char>(value[i]))
+- || (value[i] == nonBreakingSpaces)
+- || value[i] == nonBreakingSpaces2) {
+- value.erase(i, 1);
++ if (std::isspace(static_cast<unsigned char>(val[i]))
++ || (val[i] == nonBreakingSpaces)
++ || val[i] == nonBreakingSpaces2) {
++ // don't copy; continue on to next char in original val
+ } else {
+- /* if the space is not a whitespace char, increment counter
+- counter should not be incremented if a character is erased because
+- the index erased will be replaced by the following character */
+- i++;
++ transformed_value += val.at(i);
+ }
++ i++;
+ }
+
+- return value;
++ return transformed_value;
+ }
+
+ } // namespace transformations
+Index: modsecurity/src/actions/transformations/replace_nulls.cc
+===================================================================
+--- modsecurity.orig/src/actions/transformations/replace_nulls.cc
++++ modsecurity/src/actions/transformations/replace_nulls.cc
+@@ -1,6 +1,6 @@
+ /*
+ * ModSecurity, http://www.modsecurity.org/
+- * Copyright (c) 2015 - 2021 Trustwave Holdings, Inc. (http://www.trustwave.com/)
++ * Copyright (c) 2015 - 2023 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+@@ -15,12 +15,7 @@
+
+ #include "src/actions/transformations/replace_nulls.h"
+
+-#include <iostream>
+ #include <string>
+-#include <algorithm>
+-#include <functional>
+-#include <cctype>
+-#include <locale>
+
+ #include "modsecurity/transaction.h"
+ #include "src/actions/transformations/transformation.h"
+@@ -43,8 +38,7 @@ std::string ReplaceNulls::evaluate(const
+ i = 0;
+ while (i < value.size()) {
+ if (value.at(i) == '\0') {
+- value.erase(i, 1);
+- value.insert(i, " ", 1);
++ value[i] = ' ';
+ } else {
+ i++;
+ }
diff -Nru modsecurity-3.0.9/debian/patches/series modsecurity-3.0.9/debian/patches/series
--- modsecurity-3.0.9/debian/patches/series 2023-04-25 11:49:24.000000000 +0200
+++ modsecurity-3.0.9/debian/patches/series 2023-09-25 14:43:11.000000000 +0200
@@ -1,2 +1,3 @@
disable-network-dependent-tests.patch
ftbfs_1034760.patch
+cve-2023-38285.diff
Reply to: