Bug#1112097: trixie-pu: package modsecurity-apache/2.9.11-1+deb13u1
Package: release.debian.org
Severity: normal
Tags: security
X-Debbugs-Cc: modsecurity-apache@packages.debian.org, team@security.debian.org, Debian Security Team <team@security.debian.org>
Control: affects -1 + src:modsecurity-apache
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Fix for CVE-2025-54571. Re: #1110480
[ Impact ]
Potential for XSS and arbitrary script source code disclosure
[ Tests ]
Fixed upstream.
[ Risks ]
Low risk, simple patch.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Changes in return codes and simplify error handling.
Remove unused patch.
diff -Nru modsecurity-apache-2.9.11/debian/changelog modsecurity-apache-2.9.11/debian/changelog
--- modsecurity-apache-2.9.11/debian/changelog 2025-07-02 11:23:42.000000000 +0200
+++ modsecurity-apache-2.9.11/debian/changelog 2025-08-07 13:40:00.000000000 +0200
@@ -1,3 +1,10 @@
+modsecurity-apache (2.9.11-1+deb13u1) trixie; urgency=medium
+
+ * Add patch against new CVE; Fixes CVE-2025-54571 (Closes: #1110480)
+ * Remove d/patches/aclocal.patch, not necessary
+
+ -- Ervin Hegedüs <airween@gmail.com> Thu, 07 Aug 2025 13:40:00 +0200
+
modsecurity-apache (2.9.11-1) unstable; urgency=medium
[ Ervin Hegedüs ]
diff -Nru modsecurity-apache-2.9.11/debian/patches/aclocal.patch modsecurity-apache-2.9.11/debian/patches/aclocal.patch
--- modsecurity-apache-2.9.11/debian/patches/aclocal.patch 2025-06-05 10:43:35.000000000 +0200
+++ modsecurity-apache-2.9.11/debian/patches/aclocal.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,18 +0,0 @@
-Description: Fix aclocal-1.16 dependency
-Author: Ervin Hegedüs <airween@gmail.com>
-Last-Update: 2025-05-22
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -183,8 +183,8 @@
- $(top_srcdir)/tests/regression/misc/60-pmfromfile-external.t.in \
- $(top_srcdir)/tests/regression/server_root/conf/httpd.conf.in \
- README.md build/ar-lib build/compile build/config.guess \
-- build/config.sub build/depcomp build/install-sh \
-- build/ltmain.sh build/missing
-+ build/config.sub build/install-sh build/ltmain.sh \
-+ build/missing
- DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
- distdir = $(PACKAGE)-$(VERSION)
- top_distdir = $(distdir)
diff -Nru modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff
--- modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff 1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff 2025-08-07 13:40:00.000000000 +0200
@@ -0,0 +1,211 @@
+Description: Fix CVE-2025-54571
+Author: Ervin Hegedüs <airween@gmail.com>
+Last-Update: 2025-08-07
+--- a/apache2/apache2_io.c
++++ b/apache2/apache2_io.c
+@@ -192,27 +192,29 @@
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: This request does not have a body.");
+ }
+- return 0;
++ return APR_SUCCESS;
+ }
+
+ if (msr->txcfg->reqbody_access != 1) {
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: Request body access not enabled.");
+ }
+- return 0;
++ return APR_SUCCESS;
+ }
+
+ if (msr->txcfg->debuglog_level >= 4) {
+ msr_log(msr, 4, "Input filter: Reading request body.");
+ }
+ if (modsecurity_request_body_start(msr, error_msg) < 0) {
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ finished_reading = 0;
+ msr->if_seen_eos = 0;
+ bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc);
+- if (bb_in == NULL) return -1;
++ if (bb_in == NULL) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+ do {
+ apr_status_t rc;
+
+@@ -222,25 +224,17 @@
+ * too large and APR_EGENERAL when the client disconnects.
+ */
+ switch(rc) {
+- case APR_INCOMPLETE :
+- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -7;
+- case APR_EOF :
+- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -6;
+- case APR_TIMEUP :
+- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -4;
+ case AP_FILTER_ERROR :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
+- return -3;
++ break;
+ case APR_EGENERAL :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: Client went away.");
+- return -2;
++ break;
+ default :
+ *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
+- return -1;
++ break;
+ }
++ return ap_map_http_request_error(rc, HTTP_BAD_REQUEST);
+ }
+
+ /* Loop through the buckets in the brigade in order
+@@ -256,7 +250,7 @@
+ rc = apr_bucket_read(bucket, &buf, &buflen, APR_BLOCK_READ);
+ if (rc != APR_SUCCESS) {
+ *error_msg = apr_psprintf(msr->mp, "Failed reading input / bucket (%d): %s", rc, get_apr_error(msr->mp, rc));
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (msr->txcfg->debuglog_level >= 9) {
+@@ -269,7 +263,7 @@
+ if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
+ *error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_limit);
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ } else if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
+
+ *error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
+@@ -290,7 +284,7 @@
+ *error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_limit);
+
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ }
+
+@@ -300,7 +294,7 @@
+ modsecurity_request_body_to_stream(msr, buf, buflen, error_msg);
+ #else
+ if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) {
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ #endif
+ }
+@@ -319,7 +313,7 @@
+ if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ } else if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+@@ -329,12 +323,12 @@
+ } else {
+ *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
+ "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
+- return -5;
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ }
+
+ if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT))
+- return -1;
++ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ }
+@@ -357,7 +351,13 @@
+
+ msr->if_status = IF_STATUS_WANTS_TO_RUN;
+
+- return rcbe;
++ if (rcbe == -5) {
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ }
++ if (rcbe < 0) {
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
++ return APR_SUCCESS;
+ }
+
+
+--- a/apache2/mod_security2.c
++++ b/apache2/mod_security2.c
+@@ -1032,56 +1032,15 @@
+ }
+
+ rc = read_request_body(msr, &my_error_msg);
+- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) {
+- switch(rc) {
+- case -1 :
+- if (my_error_msg != NULL) {
+- msr_log(msr, 1, "%s", my_error_msg);
+- }
+- return HTTP_INTERNAL_SERVER_ERROR;
+- break;
+- case -4 : /* Timeout. */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_REQUEST_TIME_OUT;
+- break;
+- case -5 : /* Request body limit reached. */
+- msr->inbound_error = 1;
+- if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
+- r->connection->keepalive = AP_CONN_CLOSE;
+- if (my_error_msg != NULL) {
+- msr_log(msr, 1, "%s. Deny with code (%d)", my_error_msg, HTTP_REQUEST_ENTITY_TOO_LARGE);
+- }
+- return HTTP_REQUEST_ENTITY_TOO_LARGE;
+- } else {
+- if (my_error_msg != NULL) {
+- msr_log(msr, 1, "%s", my_error_msg);
+- }
+- }
+- break;
+- case -6 : /* EOF when reading request body. */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
+- break;
+- case -7 : /* Partial recieved */
+- if (my_error_msg != NULL) {
+- msr_log(msr, 4, "%s", my_error_msg);
+- }
+- r->connection->keepalive = AP_CONN_CLOSE;
+- return HTTP_BAD_REQUEST;
+- break;
+- default :
+- /* allow through */
+- break;
++ if (rc != OK) {
++ if (my_error_msg != NULL) {
++ msr_log(msr, 1, "%s", my_error_msg);
+ }
+-
+- msr->msc_reqbody_error = 1;
+- msr->msc_reqbody_error_msg = my_error_msg;
++ if (rc == HTTP_REQUEST_ENTITY_TOO_LARGE) {
++ msr->inbound_error = 1;
++ }
++ r->connection->keepalive = AP_CONN_CLOSE;
++ return rc;
+ }
+
+ /* Update the request headers. They might have changed after
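Review bot: The rewritten caller in mod_security2.c tests only `if (rc != OK)`, where the removed code also required `msr->txcfg->is_enabled == MODSEC_ENABLED`, so a failed read_request_body() now ends the request and closes the connection in every engine mode that reaches this call, and the `msc_reqbody_error` / `msc_reqbody_error_msg` assignments are gone. That looks intentional for the CVE fix, but it is a behaviour change for DetectionOnly deployments that neither the patch header nor d/changelog records. I would extend the DEP-3 header, e.g. `Description: Fix CVE-2025-54571; request body read errors now abort the request in all engine modes`, and add `Origin: upstream, <upstream commit URL>` so the backport can be compared with upstream. Every failure is also logged at level 1 now, where timeouts, EOF and partial reads were logged at level 4 before; `msr_log(msr, (rc == HTTP_INTERNAL_SERVER_ERROR || rc == HTTP_REQUEST_ENTITY_TOO_LARGE) ? 1 : 4, "%s", my_error_msg);` would keep client-side aborts out of the level-1 log. Both patched functions start and end outside the nested hunks, so the surrounding engine-mode checks are not visible here.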
diff -Nru modsecurity-apache-2.9.11/debian/patches/series modsecurity-apache-2.9.11/debian/patches/series
--- modsecurity-apache-2.9.11/debian/patches/series 2025-06-05 10:43:35.000000000 +0200
+++ modsecurity-apache-2.9.11/debian/patches/series 2025-08-07 13:40:00.000000000 +0200
@@ -1,3 +1,3 @@
-aclocal.patch
debian_log_dir.patch
improve_defaults.patch
+cve-2025-54571.diff