Bug#1112093: bookworm-pu: package modsecurity-apache/2.9.7-1+deb12u2
Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: modsecurity-apache@packages.debian.org, team@security.debian.org, Debian Security Team <team@security.debian.org>
Control: affects -1 + src:modsecurity-apache
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fix for CVE-2025-54571. Re: #1110480
[ Impact ]
Potential for XSS and arbitrary script source code disclosure
[ Tests ]
Fixed upstream.
[ Risks ]
Low risk, simple patch.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Changes return codes and simplifies error handling.
diff -Nru modsecurity-apache-2.9.7/debian/changelog modsecurity-apache-2.9.7/debian/changelog
--- modsecurity-apache-2.9.7/debian/changelog 2025-06-03 14:03:05.000000000 +0200
+++ modsecurity-apache-2.9.7/debian/changelog 2025-08-09 20:30:19.000000000 +0200
@@ -1,3 +1,9 @@
+modsecurity-apache (2.9.7-1+deb12u2) bookworm; urgency=medium
+
+ * Fix CVE-2025-54571: Added d/patches/cve-2025-54571.patch
+
+ -- Ervin Hegedüs <airween@gmail.com> Sat, 09 Aug 2025 20:30:19 +0200
+
modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium
* Fix CVE-2025-47947: Added d/patches/cve-2025-47947.patch
diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-54571.patch modsecurity-apache-2.9.7/debian/patches/cve-2025-54571.patch
--- modsecurity-apache-2.9.7/debian/patches/cve-2025-54571.patch 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache-2.9.7/debian/patches/cve-2025-54571.patch 2025-08-09 20:30:19.000000000 +0200
@@ -0,0 +1,211 @@
+Description: Fix CVE-2025-54571
+Author: Ervin Hegedüs <airween@gmail.com>
+Last-Update: 2025-08-09
+--- a/apache2/apache2_io.c
++++ b/apache2/apache2_io.c
+@@ -191,27 +191,29 @@
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: This request does not have a body.");
+ }
+- return 0;
++ return APR_SUCCESS;
+ }
+
+ if (msr->txcfg->reqbody_access != 1) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: Request body access not enabled.");
+ }
+- return 0;
++ return APR_SUCCESS;
+ }
+
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: Reading request body.");
+ }
+ if (modsecurity_request_body_start(msr, error_msg) < 0) {
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ finished_reading = 0;
+ msr->if_seen_eos = 0;
+ bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc);
+- if (bb_in == NULL) return -1;
++ if (bb_in == NULL) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+ do {
+ apr_status_t rc;
+
+@@ -221,25 +223,17 @@
+ * too large and APR_EGENERAL when the client disconnects.
+ */
+ switch(rc) {
+- case APR_INCOMPLETE :
+- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -7;
+- case APR_EOF :
+- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -6;
+- case APR_TIMEUP :
+- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -4;
+ case AP_FILTER_ERROR :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
+- return -3;
++ break;
+ case APR_EGENERAL :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: Client went away.");
+- return -2;
++ break;
+ default :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -1;
++ break;
+ }
++ return ap_map_http_request_error(rc, HTTP_BAD_REQUEST);
+ }
+
+ /* Loop through the buckets in the brigade in order
+@@ -255,7 +249,7 @@
+ rc = apr_bucket_read(bucket, &buf, &buflen, APR_BLOCK_READ);
+ if (rc != APR_SUCCESS) {
+ *error_msg = apr_psprintf(msr->mp, "Failed reading input / bucket (%d): %s", rc, get_apr_error(msr->mp, rc));
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (msr->txcfg->debuglog_level >= 9) {
+@@ -268,7 +262,7 @@
+ if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
+ *error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_limit);
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ } else if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
+
+ *error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
+@@ -289,7 +283,7 @@
+ *error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_limit);
+
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ }
+
+@@ -299,7 +293,7 @@
+ modsecurity_request_body_to_stream(msr, buf, buflen, error_msg);
+ #else
+ if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) {
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ #endif
+ }
+@@ -318,7 +312,7 @@
+ if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ } else if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+@@ -328,12 +322,12 @@
+ } else {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ }
+
+ if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT))
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ }
+@@ -356,7 +350,13 @@
+
+ msr->if_status = IF_STATUS_WANTS_TO_RUN;
+
+- return rcbe;
++ if (rcbe == -5) {
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ }
++ if (rcbe < 0) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
++ return APR_SUCCESS;
+ }
+
+
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -1024,56 +1024,17 @@
+ }
+
+ rc = read_request_body(msr, &my_error_msg);
+- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
+- switch(rc) {
+- case -1 :
+- if (my_error_msg != NULL) {
+- msr_log(msr, 1, "%s", my_error_msg);
+- }
+- return HTTP_INTERNAL_SERVER_ERROR;
+- break;
+- case -4 : /* Timeout. */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_REQUEST_TIME_OUT;
+- break;
+- case -5 : /* Request body limit reached. */
+- msr->inbound_error = 1;
+- if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
+- r->connection->keepalive = AP_CONN_CLOSE;
+- if (my_error_msg != NULL) {
+- msr_log(msr, 1, "%s. Deny with code (%d)", my_error_msg, HTTP_REQUEST_ENTITY_TOO_LARGE);
+- }
+- return HTTP_REQUEST_ENTITY_TOO_LARGE;
+- } else {
+- if (my_error_msg != NULL) {
+- msr_log(msr, 1, "%s", my_error_msg);
+- }
+- }
+- break;
+- case -6 : /* EOF when reading request body. */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
+- break;
+- case -7 : /* Partial recieved */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
+- break;
+- default :
+- /* allow through */
+- break;
++ if (rc != OK) {
++ if (my_error_msg != NULL) {
++ msr_log(msr, 1, "%s", my_error_msg);
+ }
+-
+ msr->msc_reqbody_error = 1;
+ msr->msc_reqbody_error_msg = my_error_msg;
++ if (rc == HTTP_REQUEST_ENTITY_TOO_LARGE) {
++ msr->inbound_error = 1;
++ }
++ r->connection->keepalive = AP_CONN_CLOSE;
++ return rc;
+ }
+
+ /* Update the request headers. They might have changed after
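Review bot: The rewritten error path in the mod_security2.c hunk, `if (rc != OK)`, no longer checks `msr->txcfg->is_enabled == MODSEC_ENABLED`, so in DetectionOnly mode a body-read failure — including the over-limit paths in apache2_io.c that now return `HTTP_REQUEST_ENTITY_TOO_LARGE` — is denied rather than logged and allowed through as the removed `switch` did. If that is the intended hardening, it deserves a comment at that `if`, e.g. `/* Any read_request_body() failure denies the request, even in DetectionOnly mode. */`, since nothing in the changelog entry records this behaviour change. The same block also logs every failure at level 1, where the removed code logged the timeout, EOF and partial-read cases at level 4, so client disconnects will presumably be reported more prominently than before. In apache2_io.c the final `if (rcbe == -5)` still keys on a legacy magic return code that the rest of this patch replaced with HTTP status constants; a short comment naming what -5 means (body limit reached, per the removed `case -5` comment) would keep it readable. The enclosing functions in both files start and end outside their hunks.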
diff -Nru modsecurity-apache-2.9.7/debian/patches/series modsecurity-apache-2.9.7/debian/patches/series
--- modsecurity-apache-2.9.7/debian/patches/series 2025-06-03 14:03:05.000000000 +0200
+++ modsecurity-apache-2.9.7/debian/patches/series 2025-08-09 20:30:19.000000000 +0200
@@ -2,3 +2,4 @@
improve_defaults.patch
cve-2025-47947.patch
cve-2025-48866.patch
+cve-2025-54571.patch