From 5674c3eeb87b1b9887ad2ec11739ff910def7246 Mon Sep 17 00:00:00 2001
From: Athmane Madjoudj
Date: Sat, 17 Nov 2012 10:30:06 +0100
Subject: [PATCH] - Add some missing directives RHBZ #569360 - Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) (RHBZ #867424, #867773, #867774)
---
 mod_security-fix-cve-2012-4528.patch | 82 ++++++++++++++++++++++++++++
 mod_security.conf | 4 +-
 mod_security.spec | 18 +++---
 3 files changed, 96 insertions(+), 8 deletions(-)
 create mode 100644 mod_security-fix-cve-2012-4528.patch
diff --git a/mod_security-fix-cve-2012-4528.patch b/mod_security-fix-cve-2012-4528.patch
new file mode 100644
index 0000000..7eb787a
--- /dev/null
+++ b/mod_security-fix-cve-2012-4528.patch
@@ -0,0 +1,82 @@
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c modsecurity-apache_2.6.8/apache2/msc_multipart.c
+--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.c 2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_multipart.c 2012-11-17 09:42:41.362779780 +0100
+@@ -653,6 +653,7 @@
+ }
+ }
+ else {
++ msr->mpd->flag_invalid_part = 1;
+ msr_log(msr, 3, "Multipart: Skipping invalid part %pp (part name missing): "
+ "(offset %u, length %u)", msr->mpd->mpp,
+ msr->mpd->mpp->offset, msr->mpd->mpp->length);
+@@ -961,6 +962,11 @@
+ msr_log(msr, 4, "Multipart: Warning: invalid quoting used.");
+ }
+
++ if (msr->mpd->flag_invalid_part) {
++ msr_log(msr, 4, "Multipart: Warning: invalid part parsing.");
++ }
++
++
+ if (msr->mpd->flag_invalid_header_folding) {
+ msr_log(msr, 4, "Multipart: Warning: invalid header folding used.");
+ }
+diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h modsecurity-apache_2.6.8/apache2/msc_multipart.h
+--- modsecurity-apache_2.6.8.orig/apache2/msc_multipart.h 2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/msc_multipart.h 2012-11-17 09:44:04.235930720 +0100
+@@ -117,6 +117,7 @@
+ int flag_boundary_whitespace;
+ int flag_missing_semicolon;
+ int flag_invalid_quoting;
++ int flag_invalid_part;
+ int flag_invalid_header_folding;
+ int flag_file_limit_exceeded;
+ };
+diff -ru modsecurity-apache_2.6.8.orig/apache2/re_variables.c modsecurity-apache_2.6.8/apache2/re_variables.c
+--- modsecurity-apache_2.6.8.orig/apache2/re_variables.c 2012-11-17 09:30:50.499143902 +0100
++++ modsecurity-apache_2.6.8/apache2/re_variables.c 2012-11-17 09:48:11.176457660 +0100
+@@ -1377,6 +1377,18 @@
+ }
+ }
+
++/* MULTIPART_INVALID_PART */
++
++static int var_multipart_invalid_part_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
++ apr_table_t *vartab, apr_pool_t *mptmp)
++{
++ if ((msr->mpd != NULL)&&(msr->mpd->flag_invalid_part != 0)) {
++ return var_simple_generate(var, vartab, mptmp, "1");
++ } else {
++ return var_simple_generate(var, vartab, mptmp, "0");
++ }
++}
++
+ /* MULTIPART_INVALID_QUOTING */
+
+ static int var_multipart_invalid_quoting_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+@@ -1429,6 +1441,7 @@
+ ||(msr->mpd->flag_lf_line != 0)
+ ||(msr->mpd->flag_missing_semicolon != 0)
+ ||(msr->mpd->flag_invalid_quoting != 0)
++ ||(msr->mpd->flag_invalid_part != 0)
+ ||(msr->mpd->flag_invalid_header_folding != 0)
+ ||(msr->mpd->flag_file_limit_exceeded != 0)
+ ) {
+@@ -2835,6 +2848,17 @@
+ VAR_DONT_CACHE, /* flag */
+ PHASE_REQUEST_BODY
+ );
++
++ /* MULTIPART_INVALID_PART */
++ msre_engine_variable_register(engine,
++ "MULTIPART_INVALID_PART",
++ VAR_SIMPLE,
++ 0, 0,
++ NULL,
++ var_multipart_invalid_part_generate,
++ VAR_DONT_CACHE, /* flag */
++ PHASE_REQUEST_BODY
++ );
+
+ /* MULTIPART_INVALID_QUOTING */
+ msre_engine_variable_register(engine,
diff --git a/mod_security.conf b/mod_security.conf
index 7468a05..fb436f4 100644
--- a/mod_security.conf
+++ b/mod_security.conf
@@ -39,7 +39,8 @@ LoadModule unique_id_module modules/mod_unique_id.so
 #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
 # Set Data Directory
- SecDataDir /var/log/httpd/
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
 # Maximum request body size we will
 # accept for buffering
@@ -75,6 +76,7 @@ LoadModule unique_id_module modules/mod_unique_id.so
 LF %{MULTIPART_LF_LINE}, \
 SM %{MULTIPART_SEMICOLON_MISSING}, \
 IQ %{MULTIPART_INVALID_QUOTING}, \
+ IQ %{MULTIPART_INVALID_PART}, \
 IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
 IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
diff --git a/mod_security.spec b/mod_security.spec
index c8869f6..5755759 100644
--- a/mod_security.spec
+++ b/mod_security.spec
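Review bot: The assignment `msr->mpd->flag_invalid_part = 1;` in the embedded `@@ -653,6 +653,7 @@` hunk of msc_multipart.c carries no comment saying that it only records the condition. The branch still logs that the nameless part is skipped, so a request is rejected only where a rule tests MULTIPART_STRICT_ERROR (which the `@@ -1429,6 +1441,7 @@` hunk extends) or the new MULTIPART_INVALID_PART. I would add above the assignment `/* Nameless part: flag it for MULTIPART_STRICT_ERROR / MULTIPART_INVALID_PART; the part is still skipped, so blocking depends on a rule checking one of them. */`. As a style point, the warning added at `@@ -961,6 +962,11 @@` is followed by two blank lines where the neighbouring flag checks use one. The enclosing functions start and end outside these hunks.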
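Review bot: The field added in the `@@ -75,6 +76,7 @@` hunk, `IQ %{MULTIPART_INVALID_PART}, \`, reuses the `IQ` label of the MULTIPART_INVALID_QUOTING field on the line before it, so a logged message no longer tells an analyst which of the two checks fired. A distinct label keeps the fields separable, for example `IP %{MULTIPART_INVALID_PART}, \`. The context line for MULTIPART_FILE_LIMIT_EXCEEDED repeats `IH` in the same way and could be relabelled in a follow-up. The rule this message list belongs to starts outside the hunk.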
@@ -8,21 +8,22 @@ Summary: Security module for the Apache HTTP Server Name: mod_security Version: 2.6.8 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz Source1: mod_security.conf +Patch0: mod_security-fix-cve-2012-4528.patch Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %description ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks. -%if 0%{?fedora} %package -n mlogc Summary: ModSecurity Audit Log Collector Group: System Environment/Daemons @@ -30,10 +31,10 @@ Requires: mod_security %description -n mlogc This package contains the ModSecurity Audit Log Collector. -%endif %prep %setup -q -n modsecurity-apache_%{version} +%patch0 -p1 %build %configure --enable-pcre-match-limit=1000000 \ @@ -67,15 +68,14 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_ # 2.2-style install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf %endif +install -m 700 -d %{buildroot}%{_localstatedir}/lib/%{name} -%if 0%{?fedora} # mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc/data install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf -%endif %clean rm -rf %{buildroot} 
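Review bot: The directory that now backs SecTmpDir and SecDataDir is created with `install -m 700 -d %{buildroot}%{_localstatedir}/lib/%{name}` in the `@@ -67,15 +68,14 @@` hunk but packaged as `%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}` in the later `@@ -90,8 +90,8 @@` hunk. The two lines state different modes, and the `%attr` value is the one that ends up on an installed system, so the tighter 700 is misleading to a reader. The ownership is also the reverse of the mlogc data directory a few lines below, which uses `%attr(0770,root,apache)`. If write access for group `root` is not needed, `%attr(0700,apache,root)` would match the install line; it is worth confirming which mode is intended and making both lines agree.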
@@ -90,8 +90,8 @@ rm -rf %{buildroot} %endif %dir %{_sysconfdir}/httpd/modsecurity.d %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules +%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name} -%if 0%{?fedora} %files -n mlogc %defattr (-,root,root) %doc mlogc/INSTALL @@ -100,9 +100,13 @@ rm -rf %{buildroot} %attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data %attr(0755,root,root) %{_bindir}/mlogc %attr(0755,root,root) %{_bindir}/mlogc-batch-load -%endif %changelog +* Sat Nov 17 2012 Athmane Madjoudj 2.6.8-2 +- Add some missing directives RHBZ #569360 +- Backport the fix multipart/invalid part ruleset bypass issue (CVE-2012-4528) + (RHBZ #867424, #867773, #867774) + * Fri Sep 28 2012 Athmane Madjoudj 2.6.8-1 - Update to 2.6.8