
Bug#1112589: marked as done (bookworm-pu: package libnginx-mod-http-lua/1:0.10.23-1+deb12u1 (fix CVE-2024-33452))



Your message dated Sat, 10 Jan 2026 11:59:45 +0000
with message-id <E1veXdB-00000004SJN-44Ds@coccia.debian.org>
and subject line Released with 12.13
has caused the Debian Bug report #1112589,
regarding bookworm-pu: package libnginx-mod-http-lua/1:0.10.23-1+deb12u1 (fix CVE-2024-33452)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112589: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112589
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libnginx-mod-http-lua@packages.debian.org
Control: affects -1 + src:libnginx-mod-http-lua
User: release.debian.org@packages.debian.org
Usertags: pu


An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote
attacker to conduct HTTP request smuggling via a crafted HEAD request.
CVE-2024-33452.

[ Reason ]
When processing HTTP/1.1 requests, lua-nginx-module incorrectly parses HEAD
requests with a body and treats the body as the new separate request.

~~~
HEAD / HTTP/1.1
Host: localhost
Content-Length: 52

GET /smuggle HTTP/1.1
Host: localhost
~~~

[ Impact ]
Normally for other proxies, the following request is treated as a single
request because the GET /smuggle request is inside of the HEAD request’s body.
But when parsed by lua-nginx-module this request is treated as 2 separate requests.
This leads to discrepancies between proxies if chained together.

[ Tests ]
I tested manually with telnet using the request above.
And one part of the patch is an (automated) test that covers the given problem.

[ Risks ]
Patch is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
I added the patch released by upstream team without any changes.

[ Other info ]
The description/reason/impact sections are a carbon copy of:
https://www.benasin.space/2025/03/18/OpenResty-lua-nginx-module-v0-10-26-HTTP-Request-Smuggling-in-HEAD-requests/

diff -Nru libnginx-mod-http-lua-0.10.23/debian/changelog libnginx-mod-http-lua-0.10.23/debian/changelog
--- libnginx-mod-http-lua-0.10.23/debian/changelog	2023-02-24 06:28:38.000000000 +0000
+++ libnginx-mod-http-lua-0.10.23/debian/changelog	2025-08-31 07:35:09.000000000 +0000
@@ -1,3 +1,10 @@
+libnginx-mod-http-lua (1:0.10.23-1+deb12u1) bookworm; urgency=medium
+
+  * d/p/CVE-2024-33452.patch add, fix HTTP HEAD request smuggling issue
+    (CVE-2024-33452).
+
+ -- Jan Mojžíš <janmojzis@debian.org>  Sun, 31 Aug 2025 09:35:09 +0200
+
 libnginx-mod-http-lua (1:0.10.23-1) unstable; urgency=medium

   * New upstream version 0.10.23
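Review bot: the changelog entry "d/p/CVE-2024-33452.patch add, fix HTTP HEAD request smuggling issue" reads awkwardly in `apt changelog` output; consider "Add d/p/CVE-2024-33452.patch: fix HTTP HEAD request smuggling (CVE-2024-33452)." so the action and the CVE are stated once each. The version, suite and urgency lines look correct for a bookworm stable update.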
diff -Nru libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch
--- libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch	1970-01-01 00:00:00.000000000 +0000
+++ libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch	2025-08-31 07:35:09.000000000 +0000
@@ -0,0 +1,120 @@
+Origin: https://github.com/openresty/lua-nginx-module/commit/e5248aa8203d3e0075822a577c1cdd19f5f1f831
+
+From e5248aa8203d3e0075822a577c1cdd19f5f1f831 Mon Sep 17 00:00:00 2001
+From: lijunlong <lijunlong@openresty.com>
+Date: Sat, 9 Mar 2024 12:30:14 +0800
+Subject: [PATCH] bugfix: fixed HTTP HEAD request smuggling issue.
+
+---
+ src/ngx_http_lua_util.c |  6 ++++
+ t/020-subrequest.t      | 80 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 86 insertions(+)
+
+diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
+index 8fd26561..727ca3da 100644
+--- a/src/ngx_http_lua_util.c
++++ b/src/ngx_http_lua_util.c
+@@ -599,6 +599,12 @@ ngx_http_lua_send_chain_link(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
+     if (r->header_only) {
+         ctx->eof = 1;
+
++        if (!r->request_body && r == r->main) {
++            if (ngx_http_discard_request_body(r) != NGX_OK) {
++                return NGX_ERROR;
++            }
++        }
++
+         if (ctx->buffering) {
+             return ngx_http_lua_send_http10_headers(r, ctx);
+         }
+diff --git a/t/020-subrequest.t b/t/020-subrequest.t
+index c731f1e6..59b9f61a 100644
+--- a/t/020-subrequest.t
++++ b/t/020-subrequest.t
+@@ -3527,3 +3527,83 @@ HTTP/1.1 400 Bad Request
+ [error]
+ --- skip_nginx
+ 3: < 1.21.1
++
++
++
++=== TEST 83: avoid request smuggling of HEAD req
++--- config
++    location /capture {
++        server_tokens off;
++        more_clear_headers Date;
++
++        content_by_lua_block {
++            ngx.say("Hello")
++        }
++    }
++
++    location /t {
++        content_by_lua_block {
++            local req = [[
++HEAD /capture HTTP/1.1
++Host: test.com
++Content-Length: 63
++
++GET /capture HTTP/1.1
++Host: test.com
++X: GET /bar HTTP/1.0
++
++]]
++
++            local sock = ngx.socket.tcp()
++            sock:settimeout(1000)
++
++            local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT)
++            if not ok then
++                ngx.say("failed to connect: ", err)
++                return
++            end
++
++            local bytes, err = sock:send(req)
++            if not bytes then
++                ngx.say("failed to send req: ", err)
++                return
++            end
++
++            ngx.say("req bytes: ", bytes)
++
++            local n_resp = 0
++
++            local reader = sock:receiveuntil("\r\n")
++            while true do
++                local line, err = reader()
++                if line then
++                    ngx.say(line)
++                    if line == "0" then
++                        n_resp = n_resp + 1
++                    end
++
++                    if n_resp >= 2 then
++                        break
++                    end
++
++                else
++                    ngx.say("err: ", err)
++                    break
++                end
++            end
++
++            sock:close()
++        }
++    }
++--- request
++GET /t
++--- response_body
++req bytes: 117
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Connection: keep-alive
++
++err: timeout
++--- error_log
++lua tcp socket read timed out
+--
+2.47.2
+
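Review bot: the new patch file carries only an `Origin:` line as DEP-3 metadata; since the embedded git header already supplies `Subject:`/`From:`/`Date:`, the missing pieces are a `Bug:` line pointing at the upstream report and a `Last-Update: 2025-08-31` line, which make the patch easier to track against future upstream releases. On the logic: the C change calls `ngx_http_discard_request_body()` only for the main request (`r == r->main`) and only when no body has been read yet, so the HEAD request's Content-Length body is consumed instead of being left on the connection; the added TEST 83 covers exactly that case (Content-Length body, read times out rather than yielding a second response) and does not exercise chunked bodies, which is fine for a stable update taken verbatim from upstream.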
diff -Nru libnginx-mod-http-lua-0.10.23/debian/patches/series libnginx-mod-http-lua-0.10.23/debian/patches/series
--- libnginx-mod-http-lua-0.10.23/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ libnginx-mod-http-lua-0.10.23/debian/patches/series	2025-08-31 07:35:09.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-33452.patch

--- End Message ---
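The HEAD-body framing discrepancy described in the report, as an added example that is not part of the original message or of lua-nginx-module; the request bytes are constructed from the one shown in the report and the function names are assumptions of this example:

```python
# Added example, not code from the bug report or from lua-nginx-module.
# It frames one raw HTTP/1.1 connection two ways: per RFC 9112 (a
# Content-Length body belongs to the request, HEAD included) and in the
# buggy way the report describes (the HEAD body is left in the buffer and
# parsed as the next request).  Disagreement between the two framings is
# the proxy-chain discrepancy that CVE-2024-33452 is about.

def split_requests(stream: bytes, body_for_head: bool) -> list:
    """Return the (method, target) sequence a parser would see in `stream`."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:            # incomplete head: stop, do not guess
            break
        head = stream[pos:end].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        method, target, _version = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append((method, target))
        pos = end + 4
        body_len = int(headers.get("content-length", "0"))
        if method == "HEAD" and not body_for_head:
            body_len = 0         # buggy behaviour: HEAD body not consumed
        pos += body_len
    return requests

def framing_disagrees(stream: bytes) -> bool:
    """True when a conformant front proxy and the buggy back end would see
    different request sequences, i.e. the stream can cause a desync."""
    return split_requests(stream, True) != split_requests(stream, False)

# Constructed sample modelled on the request in the report; Content-Length
# is computed so the HEAD body wraps the inner GET exactly.
INNER = b"GET /smuggle HTTP/1.1\r\nHost: localhost\r\n\r\n"
SAMPLE = (b"HEAD / HTTP/1.1\r\nHost: localhost\r\n"
          b"Content-Length: " + str(len(INNER)).encode() + b"\r\n\r\n" + INNER)

if __name__ == "__main__":
    print("conformant:", split_requests(SAMPLE, True))   # [('HEAD', '/')]
    print("buggy:     ", split_requests(SAMPLE, False))  # adds ('GET', '/smuggle')
    print("desync possible:", framing_disagrees(SAMPLE))  # True
```

Running `framing_disagrees` over captured front-end request streams is a cheap way to spot traffic that would be split differently by a vulnerable back end.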
--- Begin Message ---
Package: release.debian.org
Version: 12.13

This update has been released as part of Debian 12.13.

--- End Message ---
