
[security] CVE-2023-27522 #2538

Closed
bastien-roucaries opened this issue May 20, 2023 · 2 comments · Fixed by #2546

Comments

@bastien-roucaries

Hi,

You are affected by CVE-2023-27522

Patch backported from apache2 here:

Applied by freexian https://www.freexian.com/lts/extended/updates/ela-851-1-uwsgi/

From: Eric Covener <covener@apache.org>
Date: Sun, 7 May 2023 21:49:40 +0000
Subject: CVE-2023-27522: HTTP Response Smuggling mod_proxy_uwsgi

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.
This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.
Special characters in the origin response header can truncate/split the response forwarded to the client.

mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation

Reviewed By: ylavic, covener, gbechis, rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908094 13f79535-47bb-0310-9956-ffa450edef68
origin: https://github.com/apache/httpd/commit/d753ea76b5972a85349b68c31b59d04c60014f2d.patch
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-27522
bug-cve: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522
---
 apache2/mod_proxy_uwsgi.c | 48 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 13 deletions(-)

diff --git a/apache2/mod_proxy_uwsgi.c b/apache2/mod_proxy_uwsgi.c
index 0dbc3b1..a00495f 100644
--- a/apache2/mod_proxy_uwsgi.c
+++ b/apache2/mod_proxy_uwsgi.c
@@ -326,18 +326,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec *backend, proxy_server_
 	apr_bucket_brigade *pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
 
 	len = ap_getline(buffer, sizeof(buffer), rp, 1);
-
 	if (len <= 0) {
-		// oops
+		/* invalid or empty */
 		return HTTP_INTERNAL_SERVER_ERROR;
 	}
-
 	backend->worker->s->read += len;
-
-	if (len >= sizeof(buffer)-1) {
-		// oops
+	if ((apr_size_t)len >= sizeof(buffer)) {
+	        /* too long */
 		return HTTP_INTERNAL_SERVER_ERROR;
 	}
+
 	/* Position of http status code */
 	int status_start;
 	if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
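Review bot: the two early returns in this hunk answer HTTP_INTERNAL_SERVER_ERROR for an empty or oversized status line, while the next hunk answers HTTP_BAD_GATEWAY when the line is not HTTP at all; all three are faults of the backend, so `return HTTP_BAD_GATEWAY;` in both places here would be consistent and would tell operators which side failed. The bound itself is right: ap_getline() returns n (here sizeof(buffer)) when the line did not fit, so `(apr_size_t)len >= sizeof(buffer)` catches exactly that case, whereas the old `sizeof(buffer)-1` test also rejected a legitimate line that merely filled the buffer. Minor: the `/* too long */` line is indented with a tab plus spaces; the file indents with tabs.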
@@ -345,8 +343,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec *backend, proxy_server_
 	} else if (apr_date_checkmask(buffer, "HTTP/# ###*")) {
 		status_start = 7;
 	} else {
-		// oops
-		return HTTP_INTERNAL_SERVER_ERROR;
+	        /* not HTTP */
+	        return HTTP_BAD_GATEWAY;
 	}
 	int status_end = status_start + 3;
 
@@ -365,17 +363,41 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec *backend, proxy_server_
 	}
 	r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
 
-	// start parsing headers;
+	/* parse headers */
 	while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
+	        if ((apr_size_t)len >= sizeof(buffer)) {
+		  /* too long */
+		  len = -1;
+		  break;
+		}
 		value = strchr(buffer, ':');
-		// invalid header skip
-		if (!value) continue;
-		*value = '\0';
-		++value;
+		if (!value) {
+		  /* invalid header */
+		  len = -1;
+		  break;
+		}
+		*value++ = '\0';
+		if (*ap_scan_http_token(buffer)) {
+		  /* invalid name */
+		  len = -1;
+		  break;
+		}
 		while (apr_isspace(*value)) ++value; 
 		for (end = &value[strlen(value)-1]; end > value && apr_isspace(*end); --end) *end = '\0';
+		if (*ap_scan_http_field_content(value)) {
+		  /* invalid value */
+		  len = -1;
+		  break;
+		}
 		apr_table_add(r->headers_out, buffer, value);
 	}
+	if (len < 0) {
+	  /* Reset headers, but not to NULL because things below the chain expect
+	   * this to be non NULL e.g. the ap_content_length_filter.
+	   */
+	  r->headers_out = apr_table_make(r->pool, 1);
+	  return HTTP_BAD_GATEWAY;
+	}
 
 	if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
 		ap_set_content_type(r, apr_pstrdup(r->pool, buf));
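Review bot: the `/* invalid name */` check lets an empty name through: ap_scan_http_token() returns a pointer to the first non-token byte, which for a line such as `:foo` is the terminator, so `*ap_scan_http_token(buffer)` is 0 and `apr_table_add(r->headers_out, "", value)` runs. Guard it with `if (!*buffer || *ap_scan_http_token(buffer))`. Two further points: every `len = -1; break;` path is silent, and a read error (ap_getline() returning -1) lands in the same `len < 0` branch, so a 502 caused by a misbehaving backend cannot be told apart from an I/O failure; an ap_log_rerror() before each break naming the offending header is cheap and worth having. Second, ap_scan_http_token() and ap_scan_http_field_content() are not present in every httpd release this plugin may be built against (they came in with the HttpProtocolOptions strict-parsing work in the 2.4 line), so either document the minimum httpd version or add a configure-time check. Resetting r->headers_out before returning is the right call, since headers copied before the bad line would otherwise still reach the client. The added lines use two-space indentation where the file uses tabs.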
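An added worked example, not code from uWSGI or from the httpd commit referenced above: a stand-alone C re-implementation of the per-header validation the patch delegates to httpd's ap_scan_http_token() and ap_scan_http_field_content(), run over a few constructed backend header lines so the rejected cases can be seen without building the plugin. The names LINE_MAX_LEN, validate_header_line() and header_accepted() are chosen here, and the 8192-byte line buffer is an assumption about uwsgi_response().

```c
/* Added example (not uWSGI or httpd code): stand-alone version of the
 * per-header checks the patch performs. RFC 7230: a header name is a
 * token (tchar+); a value is field-content (VCHAR / obs-text with SP and
 * HTAB between). CR, LF and other control bytes are never field-content;
 * they are what lets a backend split or truncate the forwarded response. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 8192   /* assumed size of the line buffer in uwsgi_response() */

/* RFC 7230 tchar: ALPHA / DIGIT / "!#$%&'*+-.^_`|~" */
static int is_tchar(unsigned char c)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* apr_isspace() equivalent in the C locale, used for the trim step */
static int is_space(unsigned char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\v' || c == '\f' || c == '\r';
}

/* Like ap_scan_http_token(): pointer to the first non-tchar byte,
 * i.e. to the '\0' when the whole string is a token. */
static const char *scan_token(const char *s)
{
    while (is_tchar((unsigned char)*s))
        s++;
    return s;
}

/* Like ap_scan_http_field_content(): pointer to the first byte that is
 * not SP, HTAB, VCHAR (0x21-0x7E) or obs-text (0x80-0xFF). */
static const char *scan_field_content(const char *s)
{
    for (;; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(c == ' ' || c == '\t' || (c >= 0x21 && c <= 0x7E) || c >= 0x80))
            return s;
    }
}

/* Validate one backend header line as the patched loop does: split at the
 * first ':', require a complete token as name, trim whitespace around the
 * value, require field-content as value. Returns 1 (name/value copied out)
 * when the header may be forwarded, 0 when the proxy must answer 502.
 * Unlike the posted patch, an empty name (line starting with ':') is
 * rejected explicitly. */
int validate_header_line(const char *line, char *name, size_t name_sz,
                         char *value, size_t value_sz)
{
    char buf[LINE_MAX_LEN];
    char *colon, *val, *end;

    if (strlen(line) >= sizeof(buf))
        return 0;                               /* too long */
    strcpy(buf, line);
    colon = strchr(buf, ':');
    if (!colon)
        return 0;                               /* no ':' at all */
    *colon = '\0';
    val = colon + 1;
    if (buf[0] == '\0' || *scan_token(buf))
        return 0;                               /* empty or non-token name */
    while (is_space((unsigned char)*val))
        val++;
    end = val + strlen(val);
    while (end > val && is_space((unsigned char)end[-1]))
        *--end = '\0';
    if (*scan_field_content(val))
        return 0;                               /* CR/LF or other control byte in value */
    snprintf(name, name_sz, "%s", buf);
    snprintf(value, value_sz, "%s", val);
    return 1;
}

/* Yes/no wrapper: would this line be forwarded to the client? */
int header_accepted(const char *line)
{
    char name[256], value[LINE_MAX_LEN];
    return validate_header_line(line, name, sizeof name, value, sizeof value);
}

int main(void)
{
    /* Constructed sample lines, as ap_getline() would hand them over with
     * the CRLF terminator already stripped. */
    static const char *samples[] = {
        "Content-Type: text/html; charset=utf-8",
        "X-Meta: ok\r\nSet-Cookie: session=attacker",   /* bare CR LF: splitting */
        "Content Length: 5",                            /* space inside the name */
        "Location :/x",                                 /* whitespace before ':' */
        ":no-name",
        "X-Raw: caf\xc3\xa9",                           /* obs-text is allowed */
    };
    char name[256], value[LINE_MAX_LEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (validate_header_line(samples[i], name, sizeof name, value, sizeof value))
            printf("forward  %s: %s\n", name, value);
        else
            printf("reject (502)  sample %zu\n", i);
    }
    return 0;
}
```

The trim step uses an apr_isspace() equivalent on purpose, so a value with trailing CR or space is accepted after trimming, exactly as in the patch; only a control byte that survives trimming, such as the CR LF in the middle of the second sample, causes a rejection. Any single rejected line has to abort the whole response with a 502 rather than skip the header, because a skipped header is what let a malformed backend response be partially forwarded before the fix.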
@xrmx
Collaborator

xrmx commented May 20, 2023

Thanks for the patch, any chance you can open a pull request?

@hanzy88

hanzy88 commented Jun 5, 2023

> Thanks for the patch, any chance you can open a pull request?

Hi, is there a plan to fix this bug? When will it be solved?

xrmx pushed a commit to xrmx/uwsgi that referenced this issue Jul 25, 2023
…ation

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.
Special characters in the origin response header can truncate/split the response forwarded to the client.

Fix unbit#2538

origin: https://github.com/apache/httpd/commit/d753ea76b5972a85349b68c31b59d04c60014f2d.patch
bug-cve: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522