From 59469b97a7fdbff5e46b0a60cc2c43f7b42e81cc Mon Sep 17 00:00:00 2001
From: pangqing
Date: Fri, 25 Mar 2022 13:48:17 +0800
Subject: [PATCH] update to httpd-2.4.6-97.el7_9.5.src.rpm
Signed-off-by: pangqing
---
httpd-2.4.6-CVE-2022-22720.patch | 154 +++++++++++++++++++++++++++++++
httpd.spec | 14 ++-
index.html | 123 ------------------------
3 files changed, 164 insertions(+), 127 deletions(-)
create mode 100644 httpd-2.4.6-CVE-2022-22720.patch
delete mode 100644 index.html
diff --git a/httpd-2.4.6-CVE-2022-22720.patch b/httpd-2.4.6-CVE-2022-22720.patch
new file mode 100644
index 0000000..55a6f8a
--- /dev/null
+++ b/httpd-2.4.6-CVE-2022-22720.patch
@@ -0,0 +1,154 @@
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 6d85eb1..083e0b6 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1592,9 +1592,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status)
+ */
+ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
+ {
++ int rc = OK;
++ conn_rec *c = r->connection;
+ apr_bucket_brigade *bb;
+- int seen_eos;
+- apr_status_t rv;
+
+ /* Sometimes we'll get in a state where the input handling has
+ * detected an error where we want to drop the connection, so if
+@@ -1603,54 +1603,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
+ *
+ * This function is also a no-op on a subrequest.
+ */
+- if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
+- ap_status_drops_connection(r->status)) {
++ if (r->main || c->keepalive == AP_CONN_CLOSE) {
++ return OK;
++ }
++ if (ap_status_drops_connection(r->status)) {
++ c->keepalive = AP_CONN_CLOSE;
+ return OK;
+ }
+
+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+- seen_eos = 0;
+- do {
+- apr_bucket *bucket;
++ for (;;) {
++ apr_status_t rv;
+
+ rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
+ APR_BLOCK_READ, HUGE_STRING_LEN);
+-
+ if (rv != APR_SUCCESS) {
+- apr_brigade_destroy(bb);
+- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
++ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
++ goto cleanup;
+ }
+
+- for (bucket = APR_BRIGADE_FIRST(bb);
+- bucket != APR_BRIGADE_SENTINEL(bb);
+- bucket = APR_BUCKET_NEXT(bucket))
+- {
+- const char *data;
+- apr_size_t len;
++ while (!APR_BRIGADE_EMPTY(bb)) {
++ apr_bucket *b = APR_BRIGADE_FIRST(bb);
+
+- if (APR_BUCKET_IS_EOS(bucket)) {
+- seen_eos = 1;
+- break;
++ if (APR_BUCKET_IS_EOS(b)) {
++ goto cleanup;
+ }
+
+- /* These are metadata buckets. */
+- if (bucket->length == 0) {
+- continue;
+- }
+-
+- /* We MUST read because in case we have an unknown-length
+- * bucket or one that morphs, we want to exhaust it.
++ /* There is no need to read empty or metadata buckets or
++ * buckets of known length, but we MUST read buckets of
++ * unknown length in order to exhaust them.
+ */
+- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
++ if (b->length == (apr_size_t)-1) {
++ apr_size_t len;
++ const char *data;
++
++ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);
+ if (rv != APR_SUCCESS) {
+- apr_brigade_destroy(bb);
+- return HTTP_BAD_REQUEST;
++ rc = HTTP_BAD_REQUEST;
++ goto cleanup;
+ }
+ }
+- apr_brigade_cleanup(bb);
+- } while (!seen_eos);
+
+- return OK;
++ apr_bucket_delete(b);
++ }
++ }
++
++cleanup:
++ apr_brigade_cleanup(bb);
++ if (rc != OK) {
++ c->keepalive = AP_CONN_CLOSE;
++ }
++ return rc;
+ }
+
+ /* Here we deal with getting the request message body from the client.
+diff --git a/server/protocol.c b/server/protocol.c
+index 8428129..a6aeb24 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1480,23 +1480,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
+ rnew->main = (request_rec *) r;
+ }
+
+-static void end_output_stream(request_rec *r)
++static void end_output_stream(request_rec *r, int status)
+ {
+ conn_rec *c = r->connection;
+ apr_bucket_brigade *bb;
+ apr_bucket *b;
+
+ bb = apr_brigade_create(r->pool, c->bucket_alloc);
++ if (status != OK) {
++ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc);
++ APR_BRIGADE_INSERT_TAIL(bb, b);
++ }
+ b = apr_bucket_eos_create(c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, b);
++
+ ap_pass_brigade(r->output_filters, bb);
++ apr_brigade_cleanup(bb);
+ }
+
+ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
+ {
+ /* tell the filter chain there is no more content coming */
+ if (!sub->eos_sent) {
+- end_output_stream(sub);
++ end_output_stream(sub, OK);
+ }
+ }
+
+@@ -1507,11 +1513,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
+ */
+ AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r)
+ {
+- (void) ap_discard_request_body(r);
++ int status = ap_discard_request_body(r);
+
+ /* tell the filter chain there is no more content coming */
+ if (!r->eos_sent) {
+- end_output_stream(r);
++ end_output_stream(r, status);
+ }
+ }
+
diff --git a/httpd.spec b/httpd.spec
index be1daa7..2b06484 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -2,7 +2,7 @@ %define docroot /var/www %define suexec_caller apache %define mmn 20120211 -%define oldmmnisa %{mmn}-%{__isa_name}_%{__isa_bits} +%define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits} %define mmnisa %{mmn}%{__isa_name}%{__isa_bits} %define vstring CentOS
@@ -15,7 +15,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 97%{?dist}.4 +Release: 97%{?dist}.5 URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: centos-noindex.tar.gz
@@ -246,6 +246,7 @@ Patch242: httpd-2.4.6-CVE-2021-44790.patch Patch243: httpd-2.4.6-CVE-2021-34798.patch Patch244: httpd-2.4.6-CVE-2021-39275.patch Patch245: httpd-2.4.6-CVE-2021-26691.patch +Patch246: httpd-2.4.6-CVE-2022-22720.patch License: ASL 2.0 Group: System Environment/Daemons
@@ -514,6 +515,7 @@ rm modules/ssl/ssl_engine_dh.c %patch243 -p1 -b .cve34798 %patch244 -p1 -b .cve39275 %patch245 -p1 -b .cve26691 +%patch246 -p1 -b .cve22720 # Patch in the vendor string and the release string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
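Review bot: In the embedded http_filters.c change, the `cleanup:` path of `ap_discard_request_body` forces `c->keepalive = AP_CONN_CLOSE` on any non-OK result, but nothing in the code says why, and this is the invariant the request-smuggling fix named in the changelog appears to rest on. I would add above that assignment a comment such as `/* Body was not fully discarded: do not reuse the connection, or the unread bytes could be parsed as the next request. */`. Separately, the `apr_bucket_read()` failure branch sets a fixed `rc = HTTP_BAD_REQUEST` while the `ap_get_brigade()` failure just above goes through `ap_map_http_request_error(rv, HTTP_BAD_REQUEST)`; if that matches the upstream fix it is worth a note in the patch, otherwise the two branches should map `rv` the same way. This applies to the new-file hunk for httpd-2.4.6-CVE-2022-22720.patch, which ends before the httpd.spec section on the same line.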
@@ -945,13 +947,17 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog -* Mon Jan 17 2022 CentOS Sources - 2.4.6-97.el7.centos.4 +* Thu Mar 24 2022 CentOS Sources - 2.4.6-97.el7.centos.5 - Remove index.html, add centos-noindex.tar.gz - change vstring - change symlink for poweredby.png - update welcome.conf with proper aliases -* Mon Jan 10 2022 Luboš Uhliarik +* Tue Mar 22 2022 Luboš Uhliarik - 2.4.6-97.5 +- Resolves: #2065243 - CVE-2022-22720 httpd: HTTP request smuggling + vulnerability in Apache HTTP Server 2.4.52 and earlier + +* Mon Jan 10 2022 Luboš Uhliarik - 2.4.6-97.4 - Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests - Resolves: #2031074 - CVE-2021-39275 httpd: out-of-bounds write in
diff --git a/index.html b/index.html
deleted file mode 100644
index 06ad3fc..0000000
--- a/index.html
+++ /dev/null
@@ -1,123 +0,0 @@ - - - - - Test Page for the Apache HTTP Server on Red Hat Enterprise Linux - - - - - -

Red Hat Enterprise Linux Test Page

- -
-
-

This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the Apache HTTP server installed at this site is working properly.

-
-
- -
-
-

If you are a member of the general public:

- -

The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.

- -

If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.

- -

For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".

- -

For information on Red Hat Enterprise Linux, please visit the Red Hat, Inc. website. The documentation for Red Hat Enterprise Linux is available on the Red Hat, Inc. website.

-
-
- -
-

If you are the website administrator:

- -

You may now add content to the directory /var/www/html/. Note that until you do so, people visiting your website will see this page, and not your content. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf.

- -

You are free to use the image below on web sites powered by the Apache HTTP Server:

- -

[ Powered by Apache ]

- -
-
-
- - -- Gitee