pool/apache2-mod_security2
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main pool:devel
...
pull from: pool:slfo-1.2
Branches Tags
pool:slfo-1.2 pool:factory pool:slfo-main pool:devel

2 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Petr Gajdos
9292575705 add apache2-mod_security2-CVE-2025-54571.patch 2025-08-28 11:27:42 +02:00
Petr Gajdos
5f6ed1e7cc -CVE-2025-54571 2025-08-22 13:04:02 +02:00
3 changed files with 246 additions and 0 deletions
Expand all files Collapse all files

236
apache2-mod_security2-CVE-2025-54571.patch Normal file
View File

@@ -0,0 +1,236 @@
From dfbde557acc41d858dbe04d4b6eaec64478347ff Mon Sep 17 00:00:00 2001
From: Ervin Hegedus <airween@gmail.com>
Date: Wed, 30 Jul 2025 10:55:33 +0200
Subject: [PATCH] Fix invalid request handling
---
apache2/apache2_io.c | 48 +++++++++++++++++-----------------
apache2/mod_security2.c | 57 ++++++-----------------------------------
2 files changed, 32 insertions(+), 73 deletions(-)
Index: modsecurity-v2.9.11/apache2/apache2_io.c
===================================================================
--- modsecurity-v2.9.11.orig/apache2/apache2_io.c
+++ modsecurity-v2.9.11/apache2/apache2_io.c
@@ -192,27 +192,29 @@ apr_status_t read_request_body(modsec_re
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: This request does not have a body.");
}
- return 0;
+ return APR_SUCCESS;
}
if (msr->txcfg->reqbody_access != 1) {
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Request body access not enabled.");
}
- return 0;
+ return APR_SUCCESS;
}
if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Input filter: Reading request body.");
}
if (modsecurity_request_body_start(msr, error_msg) < 0) {
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
finished_reading = 0;
msr->if_seen_eos = 0;
bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc);
- if (bb_in == NULL) return -1;
+ if (bb_in == NULL) {
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
do {
apr_status_t rc;
@@ -224,27 +226,19 @@ apr_status_t read_request_body(modsec_re
switch(rc) {
case AP_FILTER_ERROR :
*error_msg = apr_pstrdup(msr->mp, "Error reading request body: filter error");
- return -8;
+ break;
- case APR_INCOMPLETE :
- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -7;
- case APR_EOF :
- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -6;
- case APR_TIMEUP :
- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -4;
case APR_ENOSPC:
*error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)");
- return -3;
+ break;
case APR_EGENERAL :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: Client went away.");
- return -2;
+ break;
default :
*error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc));
- return -1;
+ break;
}
+ return ap_map_http_request_error(rc, HTTP_BAD_REQUEST);
}
/* Loop through the buckets in the brigade in order
@@ -260,7 +254,7 @@ apr_status_t read_request_body(modsec_re
rc = apr_bucket_read(bucket, &buf, &buflen, APR_BLOCK_READ);
if (rc != APR_SUCCESS) {
*error_msg = apr_psprintf(msr->mp, "Failed reading input / bucket (%d): %s", rc, get_apr_error(msr->mp, rc));
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
if (msr->txcfg->debuglog_level >= 9) {
@@ -273,7 +267,7 @@ apr_status_t read_request_body(modsec_re
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
*error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
} else if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
*error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
@@ -294,7 +288,7 @@ apr_status_t read_request_body(modsec_re
*error_msg = apr_psprintf(msr->mp, "Request body is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
}
@@ -304,7 +298,7 @@ apr_status_t read_request_body(modsec_re
modsecurity_request_body_to_stream(msr, buf, buflen, error_msg);
#else
if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) {
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
#endif
}
@@ -323,7 +317,7 @@ apr_status_t read_request_body(modsec_re
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
} else if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) {
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
@@ -333,12 +327,12 @@ apr_status_t read_request_body(modsec_re
} else {
*error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the "
"configured limit (%ld).", msr->txcfg->reqbody_no_files_limit);
- return -5;
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
}
if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT))
- return -1;
+ return HTTP_INTERNAL_SERVER_ERROR;
}
}
@@ -361,7 +355,13 @@ apr_status_t read_request_body(modsec_re
msr->if_status = IF_STATUS_WANTS_TO_RUN;
- return rcbe;
+ if (rcbe == -5) {
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+ if (rcbe < 0) {
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ return APR_SUCCESS;
}
Index: modsecurity-v2.9.11/apache2/mod_security2.c
===================================================================
--- modsecurity-v2.9.11.orig/apache2/mod_security2.c
+++ modsecurity-v2.9.11/apache2/mod_security2.c
@@ -1032,64 +1032,18 @@ static int hook_request_late(request_rec
}
rc = read_request_body(msr, &my_error_msg);
- if (rc < 0) {
- switch(rc) {
- case -1 :
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- return HTTP_INTERNAL_SERVER_ERROR;
- break;
- case -2 : /* Bad request. */
- case -6 : /* EOF when reading request body. */
- case -7 : /* Partial recieved */
- if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
- }
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_BAD_REQUEST;
- break;
- case -3 : /* Apache's LimitRequestBody. */
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- return HTTP_REQUEST_ENTITY_TOO_LARGE;
- break;
- case -4 : /* Timeout. */
- if (my_error_msg != NULL) {
- msr_log(msr, 4, "%s", my_error_msg);
- }
- r->connection->keepalive = AP_CONN_CLOSE;
- return HTTP_REQUEST_TIME_OUT;
- break;
- case -5 : /* Request body limit reached. */
- msr->inbound_error = 1;
- if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) {
- r->connection->keepalive = AP_CONN_CLOSE;
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s. Deny with code (%d)", my_error_msg, HTTP_REQUEST_ENTITY_TOO_LARGE);
- }
- return HTTP_REQUEST_ENTITY_TOO_LARGE;
- } else {
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- }
- break;
- case -8 : /* Filter error. */
- if (my_error_msg != NULL) {
- msr_log(msr, 1, "%s", my_error_msg);
- }
- return AP_FILTER_ERROR;
- break;
- default :
- /* allow through */
- break;
- }
- msr->msc_reqbody_error = 1;
- msr->msc_reqbody_error_msg = my_error_msg;
- }
+ if (rc != OK) {
+ if (my_error_msg != NULL) {
+ msr_log(msr, 1, "%s", my_error_msg);
+ }
+
+ if (rc == HTTP_REQUEST_ENTITY_TOO_LARGE) {
+ msr->inbound_error = 1;
+ }
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return rc;
+ }
/* Update the request headers. They might have changed after
* the body was read (trailers).

8
apache2-mod_security2.changes
View File

@@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Aug 22 09:51:44 UTC 2025 - pgajdos@suse.com
- security update
- added patches
CVE-2025-54571 [bsc#1247674], Insufficient Return Value Handling on ModSecurity leads to XSS and Source Code Disclosure
+ apache2-mod_security2-CVE-2025-54571.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 3 11:13:07 UTC 2025 - pgajdos@suse.com Thu Jul 3 11:13:07 UTC 2025 - pgajdos@suse.com

2
apache2-mod_security2.spec
View File

@@ -34,6 +34,8 @@ Patch1: modsecurity-fixes.patch
Patch2: apache2-mod_security2_tests_conf.patch Patch2: apache2-mod_security2_tests_conf.patch
# https://github.com/SpiderLabs/ModSecurity/issues/2514 # https://github.com/SpiderLabs/ModSecurity/issues/2514
Patch3: modsecurity-2.9.3-input_filtering_errors.patch Patch3: modsecurity-2.9.3-input_filtering_errors.patch
# CVE-2025-54571 [bsc#1247674], Insufficient Return Value Handling on ModSecurity leads to XSS and Source Code Disclosure
Patch4: apache2-mod_security2-CVE-2025-54571.patch
BuildRequires: apache-rpm-macros BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel BuildRequires: apache2-devel
BuildRequires: apache2-prefork BuildRequires: apache2-prefork