• Bug#1106286: modsecurity-apache: CVE-2025-47947

    From Alberto Gonzalez Iniesta@21:1/5 to All on Fri May 23 17:40:01 2025
    Hi!

    Should the fixed packages for bullseye and bookworm target (O)SPU or
    will a DSA be issued and the packages uploaded to s.d.o?

    Thanks,

    Alberto

    On Thu, May 22, 2025 at 05:35:50PM +0200, Moritz Mühlenhoff wrote:
    Source: modsecurity-apache
    X-Debbugs-CC: [email protected]
    Severity: grave
    Tags: security

    Hi,

    The following vulnerability was published for modsecurity-apache.

    CVE-2025-47947[0]:
    | ModSecurity is an open source, cross platform web application
    | firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and
    | including 2.9.8 are vulnerable to denial of service in one special
    | case (in stable released versions): when the payload's content type
    | is `application/json`, and there is at least one rule which does a
    | `sanitiseMatchedBytes` action. A patch is available at pull request
    | 3389 and expected to be part of version 2.9.9. No known workarounds
    | are available.

    https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-859r-vvv8-rm8r


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-47947
    https://www.cve.org/CVERecord?id=CVE-2025-47947

    Please adjust the affected versions in the BTS as needed.

    --
    Alberto Gonzalez Iniesta | Training, consulting and technical support [email protected] | on GNU/Linux and free software
    Encrypted mail preferred | http://inittab.org

    Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to All on Fri May 23 22:00:02 2025
    Hi

    [looping in the Debian security team alias]

    On Fri, May 23, 2025 at 09:25:36PM +0200, Ervin Hegedűs wrote:
    Hi Alberto,

    Unfortunately I don't know what the SPU is. And as far as I know there is no DSA,
    just a bug id.

    spu is stable-proposed-update. The issue might warrant a DSA; can you
    prepare an update to go via bookworm-security and send a debdiff for
    the update to the security team?

    Please make sure the package also gets unblocked for trixie. As the
    package has no autopkgtests it needs a manual unblock at this stage of
    the freeze for trixie.

    Regards,
    Salvatore

  • From Alberto Gonzalez Iniesta@21:1/5 to Salvatore Bonaccorso on Mon Jun 2 16:00:01 2025
    Hi, Salvatore.

    I just uploaded modsecurity-apache_2.9.7-1+deb12u1 to security-master
    with the CVE number fixed.

    Regards,

    Alberto

    On Thu, May 29, 2025 at 09:52:12AM +0200, Salvatore Bonaccorso wrote:
    Hi Alberto,

    On Wed, May 28, 2025 at 01:01:20PM +0200, Alberto Gonzalez Iniesta wrote:
    Hmmmmmm, now attached. Sorry for the noise.


    On Tue, May 27, 2025 at 10:51:56PM +0200, Alberto Gonzalez Iniesta wrote:
    Hi, all.

    I just requested the unblock for trixie.

    Please find attached the debdiffs for both bullseye-security and bookworm-security. I'll wait for the OK to upload them.
    [...]
    diff -Nru modsecurity-apache-2.9.7/debian/changelog modsecurity-apache-2.9.7/debian/changelog
    --- modsecurity-apache-2.9.7/debian/changelog 2023-01-23 11:39:50.000000000 +0100
    +++ modsecurity-apache-2.9.7/debian/changelog 2025-05-23 14:55:57.000000000 +0200
    @@ -1,3 +1,10 @@
    +modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium
    +
    + * Fix CVE-2025-47497: Added d/patches/cve-2025-47497.patch
    + (Closes: #1106286)

    This should be CVE-2025-47947 (and for the patch referenced).

    + -- Ervin Heged�s <[email protected]> Fri, 23 May 2025 14:55:57 +0200
    +
    modsecurity-apache (2.9.7-1) unstable; urgency=medium

    * New upstream version 2.9.7
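    Review bot: the patch filename in the changelog entry, `d/patches/cve-2025-47497.patch`, does not match the file the debdiff actually adds and lists in `debian/patches/series`, `cve-2025-47947.patch`, so the filename needs correcting along with the CVE id; a short description after the CVE id (denial of service on `application/json` bodies when a rule uses `sanitiseMatchedBytes`) would also make the entry self-explanatory, which matters since the bug report asks for the CVE id to be in the changelog.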
    diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch
    --- modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch 1970-01-01 01:00:00.000000000 +0100
    +++ modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch 2025-05-23 14:55:57.000000000 +0200
    @@ -0,0 +1,48 @@
    +Description: Patch for CVE-2025-47947
    +Author: Ervin Heged�s <[email protected]>
    +Last-Update: 2025-05-23
    +---
    +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
    +--- a/apache2/modsecurity.h
    ++++ b/apache2/modsecurity.h
    +@@ -694,6 +694,7 @@
    + unsigned int value_origin_offset;
    + unsigned int value_origin_len;
    + const char *origin;
    ++ unsigned int marked_for_sanitization;
    + };
    +
    + struct msc_string {
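    Review bot: adding `marked_for_sanitization` to `msc_arg` is only safe if every place that creates an `msc_arg` initialises it; the patch zeroes it in `msc_json.c` and in `add_argument()` in `msc_parsers.c`, so it is worth checking that no other producer of `msc_arg` structures (or a non-zero-filled allocation) reaches the `re_actions.c` loop with the field uninitialised, because a stale non-zero value would silently skip sanitisation of that argument. The DEP-3 header could also carry `Origin:` pointing at upstream pull request 3389 and `Bug-Debian:` with #1106286, as the advisory names that pull request as the fix.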
    +--- a/apache2/msc_json.c
    ++++ b/apache2/msc_json.c
    +@@ -67,6 +67,7 @@
    + return 0;
    + }
    +
    ++ arg->marked_for_sanitization = 0;
    + apr_table_addn(msr->arguments,
    + log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
    +
    +--- a/apache2/msc_parsers.c
    ++++ b/apache2/msc_parsers.c
    +@@ -340,6 +340,7 @@
    + */
    + void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg) + {
    ++ arg->marked_for_sanitization = 0;
    + if (msr->txcfg->debuglog_level >= 5) {
    + msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
    + arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
    +--- a/apache2/re_actions.c
    ++++ b/apache2/re_actions.c
    +@@ -1413,8 +1413,9 @@
    + telts = (const apr_table_entry_t*)tarr->elts;
    + for (i = 0; i < tarr->nelts; i++) {
    + msc_arg *arg = (msc_arg *)telts[i].val;
    +- if (strcasecmp(sargname, arg->name) == 0) {
    ++ if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
    + apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
    ++ arg->marked_for_sanitization = 1;
    + }
    + }
    + break;
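    Review bot: the guard `arg->marked_for_sanitization == 0 && strcasecmp(...)`, with the flag set right after `apr_table_addn`, means each argument is appended to `arguments_to_sanitize` at most once per transaction, whereas the removed line appended it on every matching action invocation, so the table no longer grows with the number of times the action fires; since the flag is never reset, this relies on `arguments_to_sanitize` being consumed once per transaction, which is worth confirming, and a one-line comment above the `++` line stating that intent would help future readers.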
    diff -Nru modsecurity-apache-2.9.7/debian/patches/series modsecurity-apache-2.9.7/debian/patches/series
    --- modsecurity-apache-2.9.7/debian/patches/series 2023-01-23 11:39:50.000000000 +0100
    +++ modsecurity-apache-2.9.7/debian/patches/series 2025-05-23 14:55:57.000000000 +0200
    @@ -1,2 +1,3 @@
    debian_log_dir.patch
    improve_defaults.patch
    +cve-2025-47947.patch

    Other than the above the debdiff looks good to me.

    With the above fixed feel free to upload for bookworm-security (will
    defer the ack for LTS to the LTS team).

    Make sure to build with -sa as the source is new to security-master.

    Regards,
    Salvatore


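As an added example (not code from the thread or from ModSecurity itself), the following C program models the argument-collection loop that the re_actions.c change in the debdiff above guards, so the growth of `arguments_to_sanitize` behind the advisory's denial of service can be compared before and after the fix. The `request` struct, the plain arrays standing in for `apr_table_t`, and `sanitize_entries` are constructed for this model.

```c
/* Added example, not ModSecurity's own code: a minimal model of the
 * sanitiseMatchedBytes argument-collection loop in apache2/re_actions.c,
 * selectable before/after the CVE-2025-47947 patch. msc_arg and
 * marked_for_sanitization follow the patch; apr_table_t becomes arrays. */
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <strings.h>
#define MAX_ARGS 64
#define MAX_SANITIZE 4096

typedef struct {
    const char *name;
    unsigned int marked_for_sanitization; /* field added by the patch */
} msc_arg;

/* Per-request state: parsed arguments and the list consumed at logging time. */
typedef struct {
    msc_arg args[MAX_ARGS];
    int nargs;
    msc_arg *arguments_to_sanitize[MAX_SANITIZE];
    int nsanitize;
} request;

/* Mirrors add_argument(): the patch zeroes the flag for every new argument. */
static void add_argument(request *r, const char *name) {
    if (r->nargs >= MAX_ARGS) return;
    msc_arg *a = &r->args[r->nargs++];
    a->name = name;
    a->marked_for_sanitization = 0;
}

/* One action firing for `sargname`: fixed == 0 is the pre-patch loop, fixed == 1 the patched guard. */
static void sanitise_arg(request *r, const char *sargname, int fixed) {
    for (int i = 0; i < r->nargs; i++) {
        msc_arg *arg = &r->args[i];
        if (fixed && arg->marked_for_sanitization) continue;
        if (strcasecmp(sargname, arg->name) == 0) {
            if (r->nsanitize < MAX_SANITIZE)
                r->arguments_to_sanitize[r->nsanitize++] = arg;
            arg->marked_for_sanitization = 1; /* never read by the old path */
        }
    }
}

/* Body with `dups` arguments named "q", hit by `rules` matching rules:
 * returns the resulting length of arguments_to_sanitize. */
int sanitize_entries(int dups, int rules, int fixed) {
    request r = {0};
    for (int i = 0; i < dups; i++) add_argument(&r, "q");
    for (int k = 0; k < rules; k++) sanitise_arg(&r, "q", fixed);
    return r.nsanitize;
}
```

With the pre-patch loop the list length is the product of duplicate arguments and firing rules; with the guard it is bounded by the number of arguments.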