- Add some missing directives RHBZ #569360

- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)
This commit is contained in:
Athmane Madjoudj 2012-11-17 10:30:06 +01:00
parent 9f867be7f4
commit 5674c3eeb8
3 changed files with 96 additions and 8 deletions

View File

@ -0,0 +1,82 @@
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c modsecurity-apache_2.6.8/apache2/msc_multipart.c
--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c 2012-11-17 09:30:50.499143902 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_multipart.c 2012-11-17 09:42:41.362779780 +0100
@@ -653,6 +653,7 @@
}
}
else {
+ msr->mpd->flag_invalid_part = 1;
msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): "
"(offset %u, length %u)", msr->mpd->mpp,
msr->mpd->mpp->offset, msr->mpd->mpp->length);
@@ -961,6 +962,11 @@
msr_log(msr, 4, "Multipart: Warning: invalid quoting used.");
}
+ if (msr->mpd->flag_invalid_part) {
+ msr_log(msr, 4, "Multipart: Warning: invalid part parsing.");
+ }
+
+
if (msr->mpd->flag_invalid_header_folding) {
msr_log(msr, 4, "Multipart: Warning: invalid header folding used.");
}
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h modsecurity-apache_2.6.8/apache2/msc_multipart.h
--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h 2012-11-17 09:30:50.499143902 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_multipart.h 2012-11-17 09:44:04.235930720 +0100
@@ -117,6 +117,7 @@
int flag_boundary_whitespace;
int flag_missing_semicolon;
int flag_invalid_quoting;
+ int flag_invalid_part;
int flag_invalid_header_folding;
int flag_file_limit_exceeded;
};
diff -ru modsecurity-apache_2.6.8.orig/apache2/re_variables.c modsecurity-apache_2.6.8/apache2/re_variables.c
--- modsecurity-apache_2.6.8.orig/apache2/re_variables.c 2012-11-17 09:30:50.499143902 +0100
+++ modsecurity-apache_2.6.8/apache2/re_variables.c 2012-11-17 09:48:11.176457660 +0100
@@ -1377,6 +1377,18 @@
}
}
+/* MULTIPART_INVALID_PART */
+
+static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) {
+ return var_simple_generate(var, vartab, mptmp, "1");
+ } else {
+ return var_simple_generate(var, vartab, mptmp, "0");
+ }
+}
+
/* MULTIPART_INVALID_QUOTING */
static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
@@ -1429,6 +1441,7 @@
||(msr->mpd->flag_lf_line != 0)
||(msr->mpd->flag_missing_semicolon != 0)
||(msr->mpd->flag_invalid_quoting != 0)
+ ||(msr->mpd->flag_invalid_part != 0)
||(msr->mpd->flag_invalid_header_folding != 0)
||(msr->mpd->flag_file_limit_exceeded != 0)
) {
@@ -2835,6 +2848,17 @@
VAR_DONT_CACHE, /* flag */
PHASE_REQUEST_BODY
);
+
+ /* MULTIPART_INVALID_PART */
+ msre_engine_variable_register(engine,
+ "MULTIPART_INVALID_PART",
+ VAR_SIMPLE,
+ 0, 0,
+ NULL,
+ var_multipart_invalid_part_generate,
+ VAR_DONT_CACHE, /* flag */
+ PHASE_REQUEST_BODY
+ );
/* MULTIPART_INVALID_QUOTING */
msre_engine_variable_register(engine,

View File

@ -39,7 +39,8 @@ LoadModule unique_id_module modules/mod_unique_id.so
#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
# Set Data Directory
SecDataDir /var/log/httpd/
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# Maximum request body size we will
# accept for buffering
@ -75,6 +76,7 @@ LoadModule unique_id_module modules/mod_unique_id.so
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IQ %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

View File

@ -8,21 +8,22 @@
Summary: Security module for the Apache HTTP Server
Name: mod_security
Version: 2.6.8
Release: 1%{?dist}
Release: 2%{?dist}
License: ASL 2.0
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
Source1: mod_security.conf
Patch0: mod_security-fix-cve-2012-4528.patch
Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.
%if 0%{?fedora}
%package -n mlogc
Summary: ModSecurity Audit Log Collector
Group: System Environment/Daemons
@ -30,10 +31,10 @@ Requires: mod_security
%description -n mlogc
This package contains the ModSecurity Audit Log Collector.
%endif
%prep
%setup -q -n modsecurity-apache_%{version}
%patch0 -p1
%build
%configure --enable-pcre-match-limit=1000000 \
@ -67,15 +68,14 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
# 2.2-style
install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
%endif
install -m 700 -d %{buildroot}%{_localstatedir}/lib/%{name}
%if 0%{?fedora}
# mlogc
install -d %{buildroot}%{_localstatedir}/log/mlogc
install -d %{buildroot}%{_localstatedir}/log/mlogc/data
install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
%endif
%clean
rm -rf %{buildroot}
@ -90,8 +90,8 @@ rm -rf %{buildroot}
%endif
%dir %{_sysconfdir}/httpd/modsecurity.d
%dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
%if 0%{?fedora}
%files -n mlogc
%defattr (-,root,root)
%doc mlogc/INSTALL
@ -100,9 +100,13 @@ rm -rf %{buildroot}
%attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data
%attr(0755,root,root) %{_bindir}/mlogc
%attr(0755,root,root) %{_bindir}/mlogc-batch-load
%endif
%changelog
* Sat Nov 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-2
- Add some missing directives RHBZ #569360
- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528)
(RHBZ #867424, #867773, #867774)
* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
- Update to 2.6.8