Bug#1106286: modsecurity-apache: CVE-2025-47947

Alberto Gonzalez Iniesta Wed, 28 May 2025 04:03:25 -0700

Hmmmmmm, now attached. Sorry for the noise.


On Tue, May 27, 2025 at 10:51:56PM +0200, Alberto Gonzalez Iniesta wrote:
> Hi, all.
> 
> I just requested the unblock for trixie.
> 
> Please find attached the debdiffs for both bullseye-security and
> bookworm-security. I'll wait for the OK to upload them.
> 
> Thanks,
> 
> Alberto
> 
> On Fri, May 23, 2025 at 09:52:38PM +0200, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > [looping in the Debian security team alias]
> > 
> > On Fri, May 23, 2025 at 09:25:36PM +0200, Ervin Hegedüs wrote:
> > > Hi Alberto,
> > > 
> > > Unfortunately I dont know what's the SPU. And as I know there is no DSA,
> > > just a bug id.
> > 
> > spu is stable-proposed-update. The issue might warrant a DSA, can you
> > prepare an update to go via bookworm-security and send a debdiff for
> > the update to the security team?
> > 
> > Please make sure the package get as well unblocked for trixie. As the
> > package has no autopkgtests it needs a manual unblock at this stage of
> > the freeze for trixie.
> > 
> > Regards,
> > Salvatore
> 

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
a...@inittab.org             | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.org

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55

diff -Nru modsecurity-apache-2.9.7/debian/changelog 
modsecurity-apache-2.9.7/debian/changelog
--- modsecurity-apache-2.9.7/debian/changelog   2023-01-23 11:39:50.000000000 
+0100
+++ modsecurity-apache-2.9.7/debian/changelog   2025-05-23 14:55:57.000000000 
+0200
@@ -1,3 +1,10 @@
+modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium
+
+  * Fix CVE-2025-47497: Added d/patches/cve-2025-47497.patch
+    (Closes: #1106286)
+
+ -- Ervin Hegedüs <airw...@gmail.com>  Fri, 23 May 2025 14:55:57 +0200
+
 modsecurity-apache (2.9.7-1) unstable; urgency=medium
 
   * New upstream version 2.9.7
diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch 
modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch
--- modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch        
1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch        
2025-05-23 14:55:57.000000000 +0200
@@ -0,0 +1,48 @@
+Description: Patch for CVE-2025-47947
+Author: Ervin Hegedüs <airw...@gmail.com>
+Last-Update: 2025-05-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -694,6 +694,7 @@
+     unsigned int             value_origin_offset;
+     unsigned int             value_origin_len;
+     const char              *origin;
++    unsigned int             marked_for_sanitization;
+ };
+ 
+ struct msc_string {
+--- a/apache2/msc_json.c
++++ b/apache2/msc_json.c
+@@ -67,6 +67,7 @@
+         return 0;
+     }
+ 
++    arg->marked_for_sanitization = 0;
+     apr_table_addn(msr->arguments,
+         log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
+ 
+--- a/apache2/msc_parsers.c
++++ b/apache2/msc_parsers.c
+@@ -340,6 +340,7 @@
+  */
+ void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
+ {
++    arg->marked_for_sanitization = 0;
+     if (msr->txcfg->debuglog_level >= 5) {
+         msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value 
\"%s\"",
+                 arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
+--- a/apache2/re_actions.c
++++ b/apache2/re_actions.c
+@@ -1413,8 +1413,9 @@
+             telts = (const apr_table_entry_t*)tarr->elts;
+             for (i = 0; i < tarr->nelts; i++) {
+                 msc_arg *arg = (msc_arg *)telts[i].val;
+-                if (strcasecmp(sargname, arg->name) == 0) {
++                if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, 
arg->name) == 0) {
+                     apr_table_addn(msr->arguments_to_sanitize, arg->name, 
(void *)arg);
++                    arg->marked_for_sanitization = 1;
+                 }
+             }
+             break;
diff -Nru modsecurity-apache-2.9.7/debian/patches/series 
modsecurity-apache-2.9.7/debian/patches/series
--- modsecurity-apache-2.9.7/debian/patches/series      2023-01-23 
11:39:50.000000000 +0100
+++ modsecurity-apache-2.9.7/debian/patches/series      2025-05-23 
14:55:57.000000000 +0200
@@ -1,2 +1,3 @@
 debian_log_dir.patch
 improve_defaults.patch
+cve-2025-47947.patch

diff -Nru modsecurity-apache-2.9.3/debian/changelog 
modsecurity-apache-2.9.3/debian/changelog
--- modsecurity-apache-2.9.3/debian/changelog   2023-01-27 10:09:29.000000000 
+0100
+++ modsecurity-apache-2.9.3/debian/changelog   2025-05-23 14:06:46.000000000 
+0200
@@ -1,3 +1,10 @@
+modsecurity-apache (2.9.3-3+deb11u3) bullseye-security; urgency=medium
+
+  * Fix CVE-2025-47497: Added d/patches/cve-2025-47497.patch
+    (Closes: #1106286)
+
+ -- Ervin Hegedüs <airw...@gmail.com>  Fri, 23 May 2025 14:06:46 +0200
+
 modsecurity-apache (2.9.3-3+deb11u2) bullseye; urgency=medium
 
   * Non-maintainer upload by the LTS security team.
diff -Nru modsecurity-apache-2.9.3/debian/patches/cve-2025-47947.patch 
modsecurity-apache-2.9.3/debian/patches/cve-2025-47947.patch
--- modsecurity-apache-2.9.3/debian/patches/cve-2025-47947.patch        
1970-01-01 01:00:00.000000000 +0100
+++ modsecurity-apache-2.9.3/debian/patches/cve-2025-47947.patch        
2025-05-23 14:06:46.000000000 +0200
@@ -0,0 +1,48 @@
+Description: Patch for CVE-2025-47947
+Author: Ervin Hegedüs <airw...@gmail.com>
+Last-Update: 2025-05-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -686,6 +686,7 @@
+     unsigned int             value_origin_offset;
+     unsigned int             value_origin_len;
+     const char              *origin;
++    unsigned int             marked_for_sanitization;
+ };
+ 
+ struct msc_string {
+--- a/apache2/msc_json.c
++++ b/apache2/msc_json.c
+@@ -59,6 +59,7 @@
+             arg->name, arg->value);
+     }
+ 
++    arg->marked_for_sanitization = 0;
+     apr_table_addn(msr->arguments,
+         log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
+ 
+--- a/apache2/msc_parsers.c
++++ b/apache2/msc_parsers.c
+@@ -340,6 +340,7 @@
+  */
+ void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
+ {
++    arg->marked_for_sanitization = 0;
+     if (msr->txcfg->debuglog_level >= 5) {
+         msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value 
\"%s\"",
+                 arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
+--- a/apache2/re_actions.c
++++ b/apache2/re_actions.c
+@@ -1404,8 +1404,9 @@
+             telts = (const apr_table_entry_t*)tarr->elts;
+             for (i = 0; i < tarr->nelts; i++) {
+                 msc_arg *arg = (msc_arg *)telts[i].val;
+-                if (strcasecmp(sargname, arg->name) == 0) {
++                if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, 
arg->name) == 0) {
+                     apr_table_addn(msr->arguments_to_sanitize, arg->name, 
(void *)arg);
++                    arg->marked_for_sanitization = 1;
+                 }
+             }
+             break;
diff -Nru modsecurity-apache-2.9.3/debian/patches/series 
modsecurity-apache-2.9.3/debian/patches/series
--- modsecurity-apache-2.9.3/debian/patches/series      2023-01-27 
10:09:29.000000000 +0100
+++ modsecurity-apache-2.9.3/debian/patches/series      2025-05-23 
14:06:46.000000000 +0200
@@ -4,3 +4,5 @@
 json_depth_limit.patch
 multipart_part_headers.patch
 CVE-2023-24021_FILES_TMP_CONTENT.patch
+cve-2025-47947.patch
+

Bug#1106286: modsecurity-apache: CVE-2025-47947

Reply via email to