Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libnginx-mod-http-lua
User: [email protected]
Usertags: pu
An issue in OpenResty lua-nginx-module v0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. CVE-2024-33452.

[ Reason ]
When processing HTTP/1.1 requests, lua-nginx-module incorrectly parses HEAD requests with a body and treats the body as a new, separate request.

~~~
HEAD / HTTP/1.1
Host: localhost
Content-Length: 52

GET /smuggle HTTP/1.1
Host: localhost
~~~

[ Impact ]
Normally, for other proxies, the request above is treated as a single request because the GET /smuggle request is inside the HEAD request's body. But when parsed by lua-nginx-module this request is treated as 2 separate requests. This leads to discrepancies between proxies if chained together.

[ Tests ]
I tested manually with telnet using the request above. And one part of the patch is an (automated) test that covers the given problem.

[ Risks ]
Patch is trivial.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
I added the patch released by the upstream team without any changes.

[ Other info ]
The description/reason/impact section is a carbon copy from:
https://www.benasin.space/2025/03/18/OpenResty-lua-nginx-module-v0-10-26-HTTP-Request-Smuggling-in-HEAD-requests/

diff -Nru libnginx-mod-http-lua-0.10.23/debian/changelog libnginx-mod-http-lua-0.10.23/debian/changelog --- libnginx-mod-http-lua-0.10.23/debian/changelog 2023-02-24 06:28:38.000000000 +0000 +++ libnginx-mod-http-lua-0.10.23/debian/changelog 2025-08-31 07:35:09.000000000 +0000 
@@ -1,3 +1,10 @@ +libnginx-mod-http-lua (1:0.10.23-1+deb12u1) bookworm; urgency=medium + + * d/p/CVE-2024-33452.patch add, fix HTTP HEAD request smuggling issue + (CVE-2024-33452). + + -- Jan Mojžíš <[email protected]> Sun, 31 Aug 2025 09:35:09 +0200 + libnginx-mod-http-lua (1:0.10.23-1) unstable; urgency=medium * New upstream version 0.10.23 diff -Nru libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch --- libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch 1970-01-01 00:00:00.000000000 +0000 +++ libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch 2025-08-31 07:35:09.000000000 +0000 
@@ -0,0 +1,120 @@ +Origin: https://github.com/openresty/lua-nginx-module/commit/e5248aa8203d3e0075822a577c1cdd19f5f1f831 + +From e5248aa8203d3e0075822a577c1cdd19f5f1f831 Mon Sep 17 00:00:00 2001 +From: lijunlong <[email protected]> +Date: Sat, 9 Mar 2024 12:30:14 +0800 +Subject: [PATCH] bugfix: fixed HTTP HEAD request smuggling issue. + +--- + src/ngx_http_lua_util.c | 6 ++++ + t/020-subrequest.t | 80 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 86 insertions(+) + +diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c +index 8fd26561..727ca3da 100644 +--- a/src/ngx_http_lua_util.c ++++ b/src/ngx_http_lua_util.c +@@ -599,6 +599,12 @@ ngx_http_lua_send_chain_link(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx, + if (r->header_only) { + ctx->eof = 1; + ++ if (!r->request_body && r == r->main) { ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ } ++ + if (ctx->buffering) { + return ngx_http_lua_send_http10_headers(r, ctx); + } +diff --git a/t/020-subrequest.t b/t/020-subrequest.t +index c731f1e6..59b9f61a 100644 +--- a/t/020-subrequest.t ++++ b/t/020-subrequest.t +@@ -3527,3 +3527,83 @@ HTTP/1.1 400 Bad Request + [error] + --- skip_nginx + 3: < 1.21.1 ++ ++ ++ ++=== TEST 83: avoid request smuggling of HEAD req ++--- config ++ location /capture { ++ server_tokens off; ++ more_clear_headers Date; ++ ++ content_by_lua_block { ++ ngx.say("Hello") ++ } ++ } ++ ++ location /t { ++ content_by_lua_block { ++ local req = [[ ++HEAD /capture HTTP/1.1 ++Host: test.com ++Content-Length: 63 ++ ++GET /capture HTTP/1.1 ++Host: test.com ++X: GET /bar HTTP/1.0 ++ ++]] ++ ++ local sock = ngx.socket.tcp() ++ sock:settimeout(1000) ++ ++ local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT) ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send req: ", err) ++ return ++ end ++ ++ ngx.say("req bytes: ", bytes) ++ ++ 
local n_resp = 0 ++ ++ local reader = sock:receiveuntil("\r\n") ++ while true do ++ local line, err = reader() ++ if line then ++ ngx.say(line) ++ if line == "0" then ++ n_resp = n_resp + 1 ++ end ++ ++ if n_resp >= 2 then ++ break ++ end ++ ++ else ++ ngx.say("err: ", err) ++ break ++ end ++ end ++ ++ sock:close() ++ } ++ } ++--- request ++GET /t ++--- response_body ++req bytes: 117 ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Connection: keep-alive ++ ++err: timeout ++--- error_log ++lua tcp socket read timed out +-- +2.47.2 + diff -Nru libnginx-mod-http-lua-0.10.23/debian/patches/series libnginx-mod-http-lua-0.10.23/debian/patches/series --- libnginx-mod-http-lua-0.10.23/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ libnginx-mod-http-lua-0.10.23/debian/patches/series 2025-08-31 07:35:09.000000000 +0000 @@ -0,0 +1 @@ +CVE-2024-33452.patch
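Review bot: in the src/ngx_http_lua_util.c hunk, `if (ngx_http_discard_request_body(r) != NGX_OK) { return NGX_ERROR; }` collapses whatever status the discard call reports into NGX_ERROR, so the caller can no longer tell a malformed body from an internal failure; consider returning the reported code instead. The block also has no comment explaining why `!r->request_body && r == r->main` is the condition under which a HEAD request's body must be consumed at this point, so that its bytes are not re-read as a pipelined request; one line above the `if` would save the next reader a trip to the commit log. While here, the Debian patch header carries only an `Origin:` field; adding the DEP-3 `Bug-Debian:` and `Applied-Upstream:` fields would document where the fix was taken from.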
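Review bot: in the t/020-subrequest.t hunk, `n_resp` is only incremented on a line equal to "0", but the expected `--- response_body` shows a HEAD reply with no chunk terminator, so `n_resp >= 2` can never be reached and the loop ends only through the 1000 ms `sock:settimeout` timeout; the test thus passes whenever no second status line arrives within a second, which a hung server would also satisfy. Make the failure explicit by breaking with an error message as soon as a second `HTTP/1.1` status line is read, rather than relying on the timeout alone. A comment should also say why `Content-Length: 63` exceeds the 59 bytes that actually follow the HEAD headers (`req bytes: 117` minus the 58 bytes of request line and headers), since a reader will otherwise take it for a typo. Lastly, `more_clear_headers Date` needs the headers-more module in the test environment; confirm the Debian build has it or drop the directive.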
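The framing discrepancy described in the [ Reason ] section, as an added example that is not part of this bug report or of lua-nginx-module: a spec-conformant HTTP/1.1 request framer beside one that drops HEAD bodies, run over a constructed request modelled on the one above (with Content-Length matching the body), so a defender can check whether two parsers would disagree on a stream.

```python
# Added example (not from the bug report or lua-nginx-module): frame an HTTP/1.1
# request stream per RFC 9112 vs. a framer that drops HEAD bodies (the CVE bug).
import re

# Constructed sample modelled on the report's request; Content-Length is the
# exact body size (42 bytes), so a conformant framer sees one request.
SAMPLE = (
    b"HEAD / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 42\r\n\r\n"
    b"GET /smuggle HTTP/1.1\r\nHost: localhost\r\n\r\n"
)
_REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def frame_requests(data: bytes, ignore_head_body: bool = False) -> list:
    """Return (method, target, body_len) for each request in the stream.

    Body length always comes from Content-Length (HEAD included), unless
    ignore_head_body is set, which models the defect: HEAD is treated as
    bodyless and its body bytes are re-read as the next request."""
    out, pos = [], 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete request head")
        head = data[pos:end].split(b"\r\n")
        m = _REQ_LINE.match(head[0])
        if not m:
            raise ValueError("bad request line: %r" % head[0])
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if b"transfer-encoding" in headers:
            raise ValueError("chunked framing is out of scope here")
        body_len = int(headers.get(b"content-length", b"0").decode())
        method, target = m.group(1).decode(), m.group(2).decode()
        if ignore_head_body and method == "HEAD":
            body_len = 0  # the defect: body left unread in the buffer
        pos = end + 4
        if pos + body_len > len(data):
            raise ValueError("truncated body")
        out.append((method, target, body_len))
        pos += body_len
    return out


def framing_disagrees(data: bytes) -> bool:
    """True when the conformant and the HEAD-body-dropping framer see a
    different number of requests: the precondition for smuggling."""
    return len(frame_requests(data)) != len(frame_requests(data, True))
```

Running `framing_disagrees(SAMPLE)` returns True: the conformant framer yields one HEAD request carrying a 42-byte body, the defective one yields a HEAD followed by a GET /smuggle.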

