Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

A security issue (CVE-2019-19886) was found in ModSecurity 3.0.3. [1]
A fixed package is already in unstable. This upload only applies the upstream patch to fix that.

Please consider 3.0.3-1+deb10u1 for the next buster update.

Waiting for your OK to the upload.

Thanks,
Alberto

[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru modsecurity-3.0.3/debian/changelog modsecurity-3.0.3/debian/changelog --- modsecurity-3.0.3/debian/changelog 2018-12-12 08:17:40.000000000 +0100 +++ modsecurity-3.0.3/debian/changelog 2020-01-21 22:52:59.000000000 +0100 @@ -1,3 +1,9 @@ +modsecurity (3.0.3-1+deb10u1) buster; urgency=medium + + * Fixes CVE-2019-19886 (Closes: #949682) + + -- Ervin Hegedus <airw...@gmail.com> Tue, 21 Jan 2020 21:52:59 +0000 + modsecurity (3.0.3-1) unstable; urgency=medium [ Ervin Hegedüs ] diff -Nru modsecurity-3.0.3/debian/patches/cookieparse_fix.patch modsecurity-3.0.3/debian/patches/cookieparse_fix.patch --- modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 2020-01-21 22:52:59.000000000 +0100 
@@ -0,0 +1,92 @@ +Description: Fix cookie header parsing bug + There was a bug in the transaction.cc, if the Cookie header contains a field (cookie) + without '=', the engine doesn't evaulate it as cookie. If the cookie started with + '=', then the engine crashed. +Author: Ervin Hegedus <airw...@gmail.com> + +--- +Origin: upstream, https://github.com/SpiderLabs/Misc/blob/master/ModSecurity_cookie_parsing_fix_303.patch +Bug: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/ +Last-Update: 2020-01-21 + + + +--- modsecurity-3.0.3.orig/src/transaction.cc ++++ modsecurity-3.0.3/src/transaction.cc +@@ -556,20 +556,63 @@ int Transaction::addRequestHeader(const + + if (keyl == "cookie") { + size_t localOffset = m_variableOffset; ++ size_t pos; + std::vector<std::string> cookies = utils::string::ssplit(value, ';'); ++ ++ if (!cookies.empty()) { ++ // Get rid of any optional whitespace after the cookie-string ++ // (i.e. after the end of the final cookie-pair) ++ std::string& final_cookie_pair = cookies.back(); ++ while (!final_cookie_pair.empty() && isspace(final_cookie_pair.back())) { ++ final_cookie_pair.pop_back(); ++ } ++ } ++ + for (const std::string &c : cookies) { +- std::vector<std::string> s = utils::string::split(c, +- '='); +- if (s.size() > 1) { +- if (s[0].at(0) == ' ') { +- s[0].erase(0, 1); +- } +- m_variableRequestCookiesNames.set(s[0], +- s[0], localOffset); +- +- localOffset = localOffset + s[0].size() + 1; +- m_variableRequestCookies.set(s[0], s[1], localOffset); +- localOffset = localOffset + s[1].size() + 2; ++ // skip empty substring, eg "Cookie: ;;foo=bar" ++ if (c.empty() == true) { ++ localOffset++; // add length of ';' ++ continue; ++ } ++ ++ // find the first '=' ++ pos = c.find_first_of("=", 0); ++ std::string ckey = ""; ++ std::string cval = ""; ++ ++ // if the cookie doesn't contains '=', its just a key ++ if (pos == std::string::npos) { ++ ckey = c; ++ } ++ // else split to two 
substrings by first = ++ else { ++ ckey = c.substr(0, pos); ++ // value will contains the next '=' chars if exists ++ // eg. foo=bar=baz -> key: foo, value: bar=baz ++ cval = c.substr(pos+1); ++ } ++ ++ // ltrim the key - following the modsec v2 way ++ while (ckey.empty() == false && isspace(ckey.at(0))) { ++ ckey.erase(0, 1); ++ localOffset++; ++ } ++ ++ // if the key is empty (eg: "Cookie: =bar;") skip it ++ if (ckey.empty() == true) { ++ localOffset = localOffset + c.length() + 1; ++ continue; ++ } ++ else { ++ // handle cookie only if the key is not empty ++ // set cookie name ++ m_variableRequestCookiesNames.set(ckey, ++ ckey, localOffset); ++ localOffset = localOffset + ckey.size() + 1; ++ // set cookie value ++ m_variableRequestCookies.set(ckey, cval, ++ localOffset); ++ localOffset = localOffset + cval.size() + 1; + } + } + } + diff -Nru modsecurity-3.0.3/debian/patches/series modsecurity-3.0.3/debian/patches/series --- modsecurity-3.0.3/debian/patches/series 2018-12-12 08:13:38.000000000 +0100 +++ modsecurity-3.0.3/debian/patches/series 2020-01-21 22:52:59.000000000 +0100 @@ -1,3 +1,4 @@ disable-network-dependent-tests.patch setenv_term_avoid.patch bigendian_fix.patch +cookieparse_fix.patch
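
Review bot: In the src/transaction.cc hunk, both trimming loops pass a plain char to isspace(), in isspace(final_cookie_pair.back()) and in isspace(ckey.at(0)). The Cookie header is client-supplied, so a byte above 0x7f becomes a negative argument where char is signed, which is undefined behaviour for isspace(); casting to unsigned char at both calls avoids that. Separately, the localOffset bookkeeping is inconsistent: a cookie without '=' still advances by ckey.size() + 1 and then cval.size() + 1, counting an '=' that is not in the input, and the empty-key branch adds c.length() + 1 after the ltrim loop has already advanced localOffset for each leading whitespace character, so the offsets recorded for later cookies drift. A regression test covering the inputs named in the comments ("Cookie: ;;foo=bar" and "Cookie: =bar;") would be worth shipping with the patch.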