Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 891777 (CVE-2022-48279, CVE-2023-24021) - dev-libs/modsecurity: multiple vulnerabilities
Summary: dev-libs/modsecurity: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-48279, CVE-2023-24021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/SpiderLabs/ModSecu...
Whiteboard: B3 [??]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-01-22 23:15 UTC by John Helmert III
Modified: 2023-02-18 23:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-22 23:15:12 UTC
CVE-2023-24021 (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7):

In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the complete content. This can lead to a Web Application Firewall bypass.

This particular fix is in 2.9.7, but it 3.x affected? According to
URL, "It's a bit unfortunate it comes out of the blue, since we could
have written a better advisory than the one now listed at
NIST. https://nvd.nist.gov/vuln/detail/CVE-2023-24021 Namely because
the problem is bigger than it seems.

What I do not like about the situation is that the Changelog makes it
look rather innocent, when it can be abused for a buffer
overflow. This gives attackers taking a deeper look an advantage over
users who read the changelog and think it's no big deal."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-22 23:41:40 UTC
CVE-2022-48279:
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

This is fixed in 2.9.6 and 3.0.8.
Comment 2 Larry the Git Cow gentoo-dev 2023-02-05 09:12:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff270e81a87d860d557a52ee763ad810f93e586a

commit ff270e81a87d860d557a52ee763ad810f93e586a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2023-01-25 15:27:47 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-05 09:12:51 +0000

    www-apache/mod_security: add 2.9.7
    
    Bug: https://bugs.gentoo.org/891777
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29267
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apache/mod_security/Manifest                  |   1 +
 www-apache/mod_security/metadata.xml              |   4 +
 www-apache/mod_security/mod_security-2.9.7.ebuild | 128 ++++++++++++++++++++++
 3 files changed, 133 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-18 23:42:03 UTC
Hm. Apparently there's two packages based on the SpiderLabs upstream, dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? Are they both affected by these?

There's also www-apache/modsecurity-crs, is that affected too?