Hi Alberto, On Wed, May 28, 2025 at 01:01:20PM +0200, Alberto Gonzalez Iniesta wrote: > Hmmmmmm, now attached. Sorry for the noise. > > > On Tue, May 27, 2025 at 10:51:56PM +0200, Alberto Gonzalez Iniesta wrote: > > Hi, all. > > > > I just requested the unblock for trixie. > > > > Please find attached the debdiffs for both bullseye-security and > > bookworm-security. I'll wait for the OK to upload them. [...] > diff -Nru modsecurity-apache-2.9.7/debian/changelog > modsecurity-apache-2.9.7/debian/changelog > --- modsecurity-apache-2.9.7/debian/changelog 2023-01-23 11:39:50.000000000 > +0100 > +++ modsecurity-apache-2.9.7/debian/changelog 2025-05-23 14:55:57.000000000 > +0200 > @@ -1,3 +1,10 @@ > +modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium > + > + * Fix CVE-2025-47497: Added d/patches/cve-2025-47497.patch > + (Closes: #1106286)
This should be CVE-2025-47947 (and for the patch referenced). > + -- Ervin Hegedüs <airw...@gmail.com> Fri, 23 May 2025 14:55:57 +0200 > + > modsecurity-apache (2.9.7-1) unstable; urgency=medium > > * New upstream version 2.9.7 > diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > --- modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch > 2025-05-23 14:55:57.000000000 +0200 > @@ -0,0 +1,48 @@ > +Description: Patch for CVE-2025-47947 > +Author: Ervin Hegedüs <airw...@gmail.com> > +Last-Update: 2025-05-23 > +--- > +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ > +--- a/apache2/modsecurity.h > ++++ b/apache2/modsecurity.h > +@@ -694,6 +694,7 @@ > + unsigned int value_origin_offset; > + unsigned int value_origin_len; > + const char *origin; > ++ unsigned int marked_for_sanitization; > + }; > + > + struct msc_string { > +--- a/apache2/msc_json.c > ++++ b/apache2/msc_json.c > +@@ -67,6 +67,7 @@ > + return 0; > + } > + > ++ arg->marked_for_sanitization = 0; > + apr_table_addn(msr->arguments, > + log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg); > + > +--- a/apache2/msc_parsers.c > ++++ b/apache2/msc_parsers.c > +@@ -340,6 +340,7 @@ > + */ > + void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg) > + { > ++ arg->marked_for_sanitization = 0; > + if (msr->txcfg->debuglog_level >= 5) { > + msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value > \"%s\"", > + arg->origin, log_escape_ex(msr->mp, arg->name, > arg->name_len), > +--- a/apache2/re_actions.c > ++++ b/apache2/re_actions.c > +@@ -1413,8 +1413,9 @@ > + telts = (const apr_table_entry_t*)tarr->elts; > + for (i = 0; i < tarr->nelts; i++) { > + msc_arg *arg = (msc_arg *)telts[i].val; > +- if (strcasecmp(sargname, arg->name) == 0) { > ++ if (arg->marked_for_sanitization == 0 && > strcasecmp(sargname, arg->name) == 0) { > + apr_table_addn(msr->arguments_to_sanitize, arg->name, > (void *)arg); > ++ arg->marked_for_sanitization = 1; > + } > + } > + break; > diff -Nru modsecurity-apache-2.9.7/debian/patches/series > modsecurity-apache-2.9.7/debian/patches/series > --- modsecurity-apache-2.9.7/debian/patches/series 2023-01-23 > 11:39:50.000000000 +0100 > +++ modsecurity-apache-2.9.7/debian/patches/series 2025-05-23 > 14:55:57.000000000 +0200 > @@ -1,2 +1,3 @@ > debian_log_dir.patch > improve_defaults.patch > +cve-2025-47947.patch Other than the above the debdiff looks good to me. With the above fixed feel free to upload for bookworm-security (will defer the ack for LTS to the LTS team). Make sure to build with -sa as the source is new to security-master. Regards, Salvatore
