| Summary: | security/modsecurity3: patch for cve 2020-15598 | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Felipe Zipitria <fzipitria> |
| Component: | Individual Port(s) | Assignee: | Li-Wen Hsu <lwhsu> |
| Status: | Closed FIXED | | |
| Severity: | Affects Many People | CC: | diizzy, ltning-freebsd, lwhsu, mail, marius.halden, matt |
| Priority: | --- | Keywords: | needs-patch, needs-qa, security |
| Version: | Latest | Flags: | marius.halden: maintainer-feedback+; koobs: merge-quarterly? |
| Hardware: | Any | | |
| OS: | Any | | |
| URL: | https://coreruleset.org/20200914/cve-2020-15598/ | | |
| Attachments: | 217952: ported version of patch | | |
Description

Felipe Zipitria 2020-09-14 13:42:35 UTC

Created attachment 217952 [details]
ported version of patch

Patch applied and generated with 'make makepatch' afterwards.
(In reply to Felipe Zipitria from comment #1) Thanks for the patch; it applies and builds fine. Can you let us know where this patch comes from, e.g., an upstream commit or bug report?

Just to have it documented: there is some controversy around this patch. Trustwave has disputed the CVE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-regular-expressions-and-disputed-cve-2020-15598/. Nginx has applied it and discussed it in https://www.nginx.com/blog/addressing-dos-vulnerability-cve-2020-15598-in-modsecurity/. My take would be to apply it (but I am a coreruleset developer).

(In reply to Felipe Zipitria from comment #3) Thanks for the context, Felipe. When the CRS team made the announcement yesterday, I immediately came here to make sure a bug had been filed. This is something I would expect to be addressed in modsecurity itself, as it seems like a major regression. Regardless of the validity of the CVE itself, it does seem the patch has already been applied upstream, though a release hasn't been cut yet: https://github.com/SpiderLabs/ModSecurity/pull/2348. So I would argue this is likely safe to apply to the port. If there is concern about a regression, perhaps it could be hidden behind OPTIONS.

Thanks, Matt. One of the problems was not releasing a 3.0.5 fixing this one. I think we need to address it. Debian maintainers (and other distros) are applying it also. And then wait till 3.0.5.

Release this for now; I don't think I have time by the end of this week. Hope others can work on this before I have time for this one again.

Why is this still not merged? It's a CVE that is being exploited in the wild, affects pretty much any and all users of modsecurity, and the maintainer has accepted the patch. If I have a gripe, it's that the portrevision is not bumped.
A commit references this bug:

Author: lwhsu
Date: Wed Sep 30 17:11:22 UTC 2020
New revision: 550723
URL: https://svnweb.freebsd.org/changeset/ports/550723

Log:
  security/modsecurity3: Add patch for CVE-2020-15598

  PR:           249312
  Submitted by: Felipe Zipitria <fzipitria@perceptyx.com>
  Approved by:  Marius Halden <marius.halden@modirum.com> (maintainer)
  MFH:          2020Q3
  Security:     CVE-2020-15598

Changes:
  head/security/modsecurity3/Makefile
  head/security/modsecurity3/files/
  head/security/modsecurity3/files/patch-src_operators_rx.cc
  head/security/modsecurity3/files/patch-src_utils_regex.cc
  head/security/modsecurity3/files/patch-src_utils_regex.h
  head/security/modsecurity3/files/patch-test_test-cases_regression_variable-TX.json