Bug 249312 - security/modsecurity3: patch for cve 2020-15598
Summary: security/modsecurity3: patch for cve 2020-15598
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Li-Wen Hsu
URL: https://coreruleset.org/20200914/cve-...
Keywords: needs-patch, needs-qa, security
Depends on:
Reported: 2020-09-14 13:42 UTC by Felipe Zipitria
Modified: 2020-09-30 17:11 UTC (History)
5 users (show)

See Also:
marius.halden: maintainer-feedback+
koobs: merge-quarterly?

ported version of patch (9.36 KB, patch)
2020-09-14 14:00 UTC, Felipe Zipitria
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Felipe Zipitria 2020-09-14 13:42:35 UTC
Today the coreruleset project posted a CVE on modsecurity v3.0.4.


The patch to solve this one is in https://gist.githubusercontent.com/crsgists/0e1f6f7f1bd1f239ded64cecee46a11d/raw/181bc852065e9782367f1dc67c96d4d250e73a46/cve-2020-15598.patch.
Comment 1 Felipe Zipitria 2020-09-14 14:00:01 UTC
Created attachment 217952 [details]
ported version of patch

Patch applied and generated with 'make makepatch' afterwards.
Comment 2 Li-Wen Hsu freebsd_committer 2020-09-15 06:46:16 UTC
(In reply to Felipe Zipitria from comment #1)
Thanks for the patch, it applies and builds fine. Can you let us know where does this patch come from? e.g., upstream commit or bug report.
Comment 3 Felipe Zipitria 2020-09-15 12:06:27 UTC
Just too have it documented: there is some controversy around this patch. Trustwave has disputed the CVE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-regular-expressions-and-disputed-cve-2020-15598/

Nginx has applied it and discussed in https://www.nginx.com/blog/addressing-dos-vulnerability-cve-2020-15598-in-modsecurity/.

My take would be to apply it (but I am coreruleset developer).
Comment 4 Matthew Horan 2020-09-15 15:42:09 UTC
(In reply to Felipe Zipitria from comment #3)

Thanks for the context, Felipe. When the CRS team made the announcement yesterday I immediately came here to make sure a bug had been filed. This is something I would expect to be addressed in modsecurity itself as it seems like a major regression.

Regardless of the validity of the CVE itself, it does seem the patch has already been applied upstream, though a release hasn't been cut yet: https://github.com/SpiderLabs/ModSecurity/pull/2348. So I would argue this is likely safe to apply to the port. If there is concern about a regression, perhaps it could be hidden behind OPTIONS.
Comment 5 Felipe Zipitria 2020-09-15 15:45:25 UTC
Thanks Matt.

One of the problems was not releasing a 3.0.5 fixing this one.

I think we need to address it. Debian mantainers (and other distros) are applying it also.

And then wait till 3.0.5.
Comment 6 Li-Wen Hsu freebsd_committer 2020-09-17 16:41:46 UTC
Release this for now, I don't think I have time by the end of this week. Hope others can work on this before I have time on this one again.
Comment 7 Eirik Oeverby 2020-09-30 15:08:20 UTC
Why is this still not merged? It's a CVE that is being exploited in the wild, affects pretty much any and all users of modsecurity, and the maintainer has accepted the patch. If I have a gripe it's that the portrevision is not bumped.
Comment 8 commit-hook freebsd_committer 2020-09-30 17:11:32 UTC
A commit references this bug:

Author: lwhsu
Date: Wed Sep 30 17:11:22 UTC 2020
New revision: 550723
URL: https://svnweb.freebsd.org/changeset/ports/550723

  security/modsecurity3: Add patch for CVE-2020-15598

  PR:		249312
  Submitted by:	Felipe Zipitria <fzipitria@perceptyx.com>
  Approved by:	Marius Halden <marius.halden@modirum.com> (maintainer)
  MFH:		2020Q3
  Security:	CVE-2020-15598