From owner-svn-ports-head@freebsd.org Wed Sep 30 17:11:23 2020
Message-Id: <202009301711.08UHBLmj054551@repo.freebsd.org>
From: Li-Wen Hsu
Date: Wed, 30 Sep 2020 17:11:21 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r550723 - in head/security/modsecurity3: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: lwhsu
X-SVN-Commit-Paths: in head/security/modsecurity3: . files
X-SVN-Commit-Revision: 550723
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for the ports tree for head
X-List-Received-Date: Wed, 30 Sep 2020 17:11:23 -0000

Author: lwhsu
Date: Wed Sep 30 17:11:21 2020
New Revision: 550723
URL: https://svnweb.freebsd.org/changeset/ports/550723

Log:
  security/modsecurity3: Add patch for CVE-2020-15598

  PR:		249312
  Submitted by:	Felipe Zipitria
  Approved by:	Marius Halden (maintainer)
  MFH:		2020Q3
  Security:	CVE-2020-15598

Added:
  head/security/modsecurity3/files/
  head/security/modsecurity3/files/patch-src_operators_rx.cc   (contents, props changed)
  head/security/modsecurity3/files/patch-src_utils_regex.cc   (contents, props changed)
  head/security/modsecurity3/files/patch-src_utils_regex.h   (contents, props changed)
  head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json   (contents, props changed)
Modified:
  head/security/modsecurity3/Makefile

Modified: head/security/modsecurity3/Makefile
==============================================================================
--- head/security/modsecurity3/Makefile	Wed Sep 30 17:08:36 2020	(r550722)
+++ head/security/modsecurity3/Makefile	Wed Sep 30 17:11:21 2020	(r550723)
@@ -3,7 +3,7 @@ PORTNAME= modsecurity DISTVERSIONPREFIX= v DISTVERSION= 3.0.4 -PORTREVISION= 0 +PORTREVISION= 1 CATEGORIES= security www MASTER_SITES= https://github.com/SpiderLabs/ModSecurity/releases/download/v${PORTVERSION}/ PKGNAMESUFFIX= 3 Added: head/security/modsecurity3/files/patch-src_operators_rx.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/modsecurity3/files/patch-src_operators_rx.cc Wed Sep 30 17:11:21 2020 (r550723) 
@@ -0,0 +1,51 @@ +--- src/operators/rx.cc.orig 2020-01-13 13:09:28 UTC ++++ src/operators/rx.cc +@@ -38,7 +38,6 @@ bool Rx::init(const std::string &arg, st + + bool Rx::evaluate(Transaction *transaction, Rule *rule, + const std::string& input, std::shared_ptr ruleMessage) { +- std::list matches; + Regex *re; + + if (m_param.empty() && !m_string->m_containsMacro) { +@@ -52,29 +51,29 @@ bool Rx::evaluate(Transaction *transacti + re = m_re; + } + +- matches = re->searchAll(input); ++ std::vector captures; ++ re->searchOneMatch(input, captures); ++ + if (rule && rule->m_containsCaptureAction && transaction) { +- int i = 0; +- matches.reverse(); +- for (const SMatch& a : matches) { ++ for (const Utils::SMatchCapture& capture : captures) { ++ const std::string capture_substring(input.substr(capture.m_offset,capture.m_length)); + transaction->m_collections.m_tx_collection->storeOrUpdateFirst( +- std::to_string(i), a.str()); ++ std::to_string(capture.m_group), capture_substring); + ms_dbg_a(transaction, 7, "Added regex subexpression TX." + +- std::to_string(i) + ": " + a.str()); +- transaction->m_matched.push_back(a.str()); +- i++; ++ std::to_string(capture.m_group) + ": " + capture_substring); ++ transaction->m_matched.push_back(capture_substring); + } + } + +- for (const auto & i : matches) { +- logOffset(ruleMessage, i.offset(), i.str().size()); ++ for (const auto & capture : captures) { ++ logOffset(ruleMessage, capture.m_offset, capture.m_length); + } + + if (m_string->m_containsMacro) { + delete re; + } + +- if (matches.size() > 0) { ++ if (captures.size() > 0) { + return true; + } + Added: head/security/modsecurity3/files/patch-src_utils_regex.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/modsecurity3/files/patch-src_utils_regex.cc Wed Sep 30 17:11:21 2020 (r550723) 
@@ -0,0 +1,40 @@ +--- src/utils/regex.cc.orig 2020-01-13 13:09:28 UTC ++++ src/utils/regex.cc +@@ -16,10 +16,6 @@ + #include "src/utils/regex.h" + + #include +-#include +-#include +-#include +-#include + #include + #include + +@@ -99,6 +95,26 @@ std::list Regex::searchAll(const + return retList; + } + ++bool Regex::searchOneMatch(const std::string& s, std::vector& captures) const { ++ const char *subject = s.c_str(); ++ int ovector[OVECCOUNT]; ++ ++ int rc = pcre_exec(m_pc, m_pce, subject, s.size(), 0, 0, ovector, OVECCOUNT); ++ ++ for (int i = 0; i < rc; i++) { ++ size_t start = ovector[2*i]; ++ size_t end = ovector[2*i+1]; ++ size_t len = end - start; ++ if (end > s.size()) { ++ continue; ++ } ++ SMatchCapture capture(i, start, len); ++ captures.push_back(capture); ++ } ++ ++ return (rc > 0); ++} ++ + int Regex::search(const std::string& s, SMatch *match) const { + int ovector[OVECCOUNT]; + int ret = pcre_exec(m_pc, m_pce, s.c_str(), Added: head/security/modsecurity3/files/patch-src_utils_regex.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/modsecurity3/files/patch-src_utils_regex.h Wed Sep 30 17:11:21 2020 (r550723) 
@@ -0,0 +1,35 @@ +--- src/utils/regex.h.orig 2020-01-13 13:09:28 UTC ++++ src/utils/regex.h +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #ifndef SRC_UTILS_REGEX_H_ + #define SRC_UTILS_REGEX_H_ +@@ -47,6 +48,16 @@ class SMatch { + size_t m_offset; + }; + ++struct SMatchCapture { ++ SMatchCapture(size_t group, size_t offset, size_t length) : ++ m_group(group), ++ m_offset(offset), ++ m_length(length) { } ++ ++ size_t m_group; // E.g. 0 = full match; 6 = capture group 6 ++ size_t m_offset; // offset of match within the analyzed string ++ size_t m_length; ++}; + + class Regex { + public: +@@ -58,6 +69,7 @@ class Regex { + Regex& operator=(const Regex&) = delete; + + std::list searchAll(const std::string& s) const; ++ bool searchOneMatch(const std::string& s, std::vector& captures) const; + int search(const std::string &s, SMatch *m) const; + int search(const std::string &s) const; + Added: head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json Wed Sep 30 17:11:21 2020 (r550723) 
@@ -0,0 +1,146 @@ +--- test/test-cases/regression/variable-TX.json.orig 2020-01-13 13:09:28 UTC ++++ test/test-cases/regression/variable-TX.json +@@ -80,5 +80,143 @@ + "SecRule REQUEST_HEADERS \"@rx ([A-z]+)\" \"id:1,log,pass,capture,id:14\"", + "SecRule TX:0 \"@rx ([A-z]+)\" \"id:15\"" + ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: capture group match after unused group", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=aadd", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx (aa)(bb|cc)?(dd)\" \"id:1,log,pass,capture,id:16\"", ++ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\"" ++ ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: empty capture group match followed by nonempty capture group", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=aadd", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." 
++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.3: dd[\\s\\S]*Target value: \"dd\" \\(Variable\\: TX\\:3[\\s\\S]*Rule returned 1" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx (aa)(bb|cc|)(dd)\" \"id:18,phase:1,log,pass,capture\"", ++ "SecRule TX:3 \"@streq dd\" \"id:19,phase:2,log,pass\"" ++ ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: repeating capture group -- alternates", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=_abc123_", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.2: abc[\\s\\S]*Added regex subexpression TX\\.3: 123" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx _((?:(abc)|(123))+)_\" \"id:18,phase:1,log,pass,capture\"" ++ ] ++ }, ++ { ++ "enabled":1, ++ "version_min":300000, ++ "title":"Testing Variables :: repeating capture group -- same (nested)", ++ "client":{ ++ "ip":"200.249.12.31", ++ "port":123 ++ }, ++ "server":{ ++ "ip":"200.249.12.31", ++ "port":80 ++ }, ++ "request":{ ++ "uri":"/?key=a:5a:8a:9", ++ "method":"GET" ++ }, ++ "response":{ ++ "headers":{ ++ "Date":"Mon, 13 Jul 2015 20:02:41 GMT", ++ "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT", ++ "Content-Type":"text/html" ++ }, ++ "body":[ ++ "no need." ++ ] ++ }, ++ "expected":{ ++ "debug_log":"Added regex subexpression TX\\.1: 5[\\s\\S]*Added regex subexpression TX\\.2: 8[\\s\\S]*Added regex subexpression TX\\.3: 9" ++ }, ++ "rules":[ ++ "SecRuleEngine On", ++ "SecRule ARGS \"@rx a:([0-9])(?:a:([0-9])(?:a:([0-9]))*)*\" \"id:18,phase:1,log,pass,capture\"" ++ ] + } + ]
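Review bot: in files/patch-src_operators_rx.cc, the boolean returned by `re->searchOneMatch(input, captures)` is discarded and the match result is inferred afterwards from `captures.size() > 0`. That holds because group 0 is pushed whenever pcre_exec returns a positive count, but when pcre_exec returns 0 (PCRE's signal that the ovector was too small to hold every group) searchOneMatch returns false with an empty captures vector, so the rule silently stops matching rather than reporting the truncation; either check the return value (`if (!re->searchOneMatch(input, captures)) { ms_dbg_a(...); }`) or add a comment stating the invariant. Separately, the trailing `logOffset(ruleMessage, capture.m_offset, capture.m_length)` loop now records an offset for every capture group instead of one per whole match as the removed code did, which changes what appears in the rule message; confirm that is the intended behaviour.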
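Review bot: in files/patch-src_utils_regex.cc, `size_t start = ovector[2*i]` and `size_t end = ovector[2*i+1]` convert the `int` offsets PCRE returns, and PCRE reports a group that did not take part in the match as the pair -1/-1; after the conversion `end` becomes SIZE_MAX, so `if (end > s.size()) { continue; }` is what filters out unset groups (and is why the `(aa)(bb|cc)?(dd)` case in the JSON patch can expect TX.3 to be "dd"). The logic is right but reads like an ordinary bounds check; a comment such as `// ovector holds -1 for groups that did not participate` would make the intent explicit, and moving `size_t len = end - start;` below the check avoids the harmless but odd SIZE_MAX - SIZE_MAX subtraction for skipped groups. Keeping `m_group` equal to `i` rather than to the vector index is what preserves stable group numbers across a skipped group, which is exactly what the TX:N lookups in rx.cc rely on.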
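Review bot: in files/patch-src_utils_regex.h, `m_group` and `m_offset` carry explanatory comments but `m_length` does not; add one (for example `// length of the group's match in bytes`) for consistency. It would also help to state in the struct comment that `m_offset` and `m_length` are byte offsets into the subject string, since the values come from PCRE's ovector and are consumed unchanged by `input.substr(capture.m_offset, capture.m_length)` in rx.cc; a reader dealing with multibyte input should not have to infer that.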
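Review bot: in files/patch-test_test-cases_regression_variable-TX.json, the first added case sets the rule id twice (`"id:1,log,pass,capture,id:16"`), copying the pattern of the pre-existing case just above it, while the other three new cases use a single `id:18`; pick one form so the cases are consistent. The four cases together cover an unused optional group, an empty alternative, a repeated alternation and a nested repeat, which are exactly the situations where the old list-of-matches numbering in rx.cc diverged from group numbering, so the coverage matches the fix well; one further case in which the regex does not match at all (so `captures` stays empty and the rule must return 0) would also pin down the `captures.size() > 0` path in rx.cc.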