From e7ffdbe22e41c6b5d6cecb0de8aa94b749c4e205 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 6 Aug 2025 18:47:13 +0800
Subject: [PATCH] Fix CVE-2022-47185
---
 CVE-2022-47185.patch | 172 +++++++++++++++++++++++++++++++++++++++++++
 trafficserver.spec | 7 +-
 2 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-47185.patch
diff --git a/CVE-2022-47185.patch b/CVE-2022-47185.patch
new file mode 100644
index 0000000..b4ab261
--- /dev/null
+++ b/CVE-2022-47185.patch
@@ -0,0 +1,172 @@
+From 5d0835ea5a57003798497d07331fa4f89823c750 Mon Sep 17 00:00:00 2001
+From: Zhengxi Li
+Date: Tue, 1 Aug 2023 19:05:41 -0400
+Subject: [PATCH] Fix a crash triggered by invalid range header (#10131)
+
+Co-authored-by: Katsutoshi Ikenoya
+---
+ proxy/http/HttpTransact.cc | 2 +-
+ .../headers/invalid_range_header.test.py | 73 +++++++++++++++++++
+ .../replays/invalid_range_request.replay.yaml | 57 +++++++++++++++
+ 3 files changed, 131 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gold_tests/headers/invalid_range_header.test.py
+ create mode 100644 tests/gold_tests/headers/replays/invalid_range_request.replay.yaml
+
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index 859ac00..7256414 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -3074,7 +3074,7 @@ HttpTransact::build_response_from_cache(State *s, HTTPWarningCode warning_code)
+ // this late.
+ TxnDebug("http_seq", "[HttpTransact::HandleCacheOpenReadHit] Out-of-order Range request - tunneling");
+ s->cache_info.action = CACHE_DO_NO_ACTION;
+- if (s->force_dns) {
++ if (s->force_dns || s->dns_info.lookup_success) {
+ HandleCacheOpenReadMiss(s); // DNS is already completed no need of doing DNS
+ } else {
+ CallOSDNSLookup(s);
+diff --git a/tests/gold_tests/headers/invalid_range_header.test.py b/tests/gold_tests/headers/invalid_range_header.test.py
+new file mode 100644
+index 0000000..c96f2f5
+--- /dev/null
++++ b/tests/gold_tests/headers/invalid_range_header.test.py
+@@ -0,0 +1,73 @@
++'''
++'''
++# Licensed to the Apache Software Foundation (ASF) under one
++# or more contributor license agreements. See the NOTICE file
++# distributed with this work for additional information
++# regarding copyright ownership. The ASF licenses this file
++# to you under the Apache License, Version 2.0 (the
++# "License"); you may not use this file except in compliance
++# with the License. You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import os
++
++Test.Summary = '''
++Test invalid values in range header
++'''
++Test.ContinueOnFail = True
++
++
++class InvalidRangeHeaderTest:
++ invalidRangeRequestReplayFile = "replays/invalid_range_request.replay.yaml"
++
++ def __init__(self):
++ self.setupOriginServer()
++ self.setupTS()
++
++ def setupOriginServer(self):
++ self.server = Test.MakeVerifierServerProcess("verifier-server1", self.invalidRangeRequestReplayFile)
++
++ def setupTS(self):
++ self.ts = Test.MakeATSProcess("ts1")
++ self.ts.Disk.records_config.update({'proxy.config.diags.debug.enabled': 1,
++ 'proxy.config.diags.debug.tags': 'http',
++ 'proxy.config.http.cache.http': 1,
++ 'proxy.config.http.cache.range.write': 1,
++ 'proxy.config.http.cache.required_headers': 0,
++ 'proxy.config.http.insert_age_in_response': 0})
++ self.ts.Disk.remap_config.AddLine(
++ f"map / http://127.0.0.1:{self.server.Variables.http_port}/",
++ )
++
++ def runTraffic(self):
++ tr = Test.AddTestRun()
++ tr.AddVerifierClientProcess(
++ "client1",
++ self.invalidRangeRequestReplayFile,
++ http_ports=[self.ts.Variables.port],
++ other_args='--thread-limit 1')
++ tr.Processes.Default.StartBefore(self.server)
++ tr.Processes.Default.StartBefore(self.ts)
++ tr.StillRunningAfter = self.server
++ tr.StillRunningAfter = self.ts
++
++ # verification
++ tr.Processes.Default.Streams.stdout += Testers.ContainsExpression(
++ r"Received an HTTP/1 416 response for key 2",
++ "Verify that client receives a 416 response")
++ tr.Processes.Default.Streams.stdout += Testers.ContainsExpression(
++ r"x-responseheader: failed_response",
++ "Verify that the response came from the server")
++
++ def run(self):
++ self.runTraffic()
++
++
++InvalidRangeHeaderTest().run()
+diff --git a/tests/gold_tests/headers/replays/invalid_range_request.replay.yaml b/tests/gold_tests/headers/replays/invalid_range_request.replay.yaml
+new file mode 100644
+index 0000000..5f6702b
+--- /dev/null
++++ b/tests/gold_tests/headers/replays/invalid_range_request.replay.yaml
+@@ -0,0 +1,57 @@
++# Licensed to the Apache Software Foundation (ASF) under one
++# or more contributor license agreements. See the NOTICE file
++# distributed with this work for additional information
++# regarding copyright ownership. The ASF licenses this file
++# to you under the Apache License, Version 2.0 (the
++# "License"); you may not use this file except in compliance
++# with the License. You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++meta:
++ version: "1.0"
++
++sessions:
++ # Populate cache entry
++ - transactions:
++ - client-request:
++ method: "GET"
++ version: "1.1"
++ url: /range/1024
++ headers:
++ fields:
++ - [Host, stack-overflow-example.com]
++ - [uuid, 1]
++
++ server-response:
++ status: 200
++ headers:
++ fields:
++ - [Content-Length, 1024]
++ - [Content-Range, "bytes 0-1023/1024"]
++ - transactions:
++ - client-request:
++ # Give ATS enough time to populate the cache.
++ delay: 100ms
++ method: "GET"
++ version: "1.1"
++ url: /range/1024
++ headers:
++ fields:
++ - [Host, stack-overflow-example.com]
++ # Invalid range request
++ - [Range, bytes=100-20]
++ - [uuid, 2]
++
++ server-response:
++ status: 416
++ reason: Range Not Satisfiable
++ headers:
++ fields:
++ - [X-ResponseHeader, failed_response]
+-- 
+2.27.0
+
diff --git a/trafficserver.spec b/trafficserver.spec
index ec15c58..870e092 100644
--- a/trafficserver.spec
+++ b/trafficserver.spec
@@ -1,7 +1,7 @@
 %define _hardened_build 1
 Name: trafficserver
 Version: 9.1.4
-Release: 3
+Release: 4
 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License: Apache-2.0
 URL: https://trafficserver.apache.org/
@@ -17,6 +17,8 @@ Patch0005: CVE-2022-47184.patch
 Patch0006: CVE-2023-33933.patch
 # https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5
 Patch0007: CVE-2023-39456.patch
+# https://github.com/apache/trafficserver/commit/5d0835ea5a57003798497d07331fa4f89823c750
+Patch0008: CVE-2022-47185.patch
 BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires: libcap-devel cmake libunwind-devel automake
@@ -119,6 +121,9 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc
 %changelog
+* Thu Aug 07 2025 yaoxin <1024769339@qq.com> - 9.1.4-4
+- Fix CVE-2022-47185
+
 * Mon Jun 16 2025 yaoxin <1024769339@qq.com> - 9.1.4-3
 - Fix CVE-2023-39456
-- 
Gitee
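Review bot: Patch0008 is declared in the `@@ -17,6 +17,8 @@` hunk of trafficserver.spec, but none of the visible hunks apply it; if %prep uses explicit %patch lines rather than %autosetup, the fix would be registered in the spec without ever reaching the build, so the %prep section (outside these hunks) should be checked for a matching `%patch -P 8 -p1` in the style the existing Patch0005–Patch0007 lines use. The comment above Patch0008 pins upstream commit 5d0835ea5a57003798497d07331fa4f89823c750, which matches the `From` line of the embedded CVE-2022-47185.patch, so provenance is verifiable; adding the upstream release that carries the fix to that comment would make it easier to judge when the backport can be dropped on a rebase. The embedded patch also ships the gold test and replay file; if the package's %check does not run the autest suite these are inert, which is worth stating in the changelog entry so the next maintainer does not mistake them for untested code.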