diff --git a/0001-Disable-commands-that-can-alter-the-binary.patch b/0001-Disable-commands-that-can-alter-the-binary.patch
index 3b48ffb..aa32bf5 100644
--- a/0001-Disable-commands-that-can-alter-the-binary.patch
+++ b/0001-Disable-commands-that-can-alter-the-binary.patch
@@ -1,7 +1,7 @@
 From 7bf03a1414b1ebc1a9ef573369fe8e7ee9956a33 Mon Sep 17 00:00:00 2001
 From: Carl George
 Date: Wed, 16 Feb 2022 11:45:03 -0600
-Subject: [PATCH] Disable commands that can alter the binary
+Subject: [PATCH 1/2] Disable commands that can alter the binary
 
 ---
  cmd/commands.go | 48 ------------------------------------------------
@@ -67,5 +67,5 @@ index 1e2c40de..cc091bce 100644
  // RegisterCommand registers the command cmd.
 
 -- 
-2.35.1
+2.39.2
 
diff --git a/0002-caddyhttp-Fix-MatchPath-sanitizing-4499.patch b/0002-caddyhttp-Fix-MatchPath-sanitizing-4499.patch
new file mode 100644
index 0000000..2209c5a
--- /dev/null
+++ b/0002-caddyhttp-Fix-MatchPath-sanitizing-4499.patch
@@ -0,0 +1,43 @@
+From 7681fd2370d3b36e2839717fce59e6e6a9d5d00a Mon Sep 17 00:00:00 2001
+From: Francis Lavoie
+Date: Thu, 30 Dec 2021 04:15:48 -0500
+Subject: [PATCH 2/2] caddyhttp: Fix `MatchPath` sanitizing (#4499)
+
+This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542
+
+Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
+---
+ modules/caddyhttp/matchers.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/modules/caddyhttp/matchers.go b/modules/caddyhttp/matchers.go
+index 439c4073..272c9242 100644
+--- a/modules/caddyhttp/matchers.go
++++ b/modules/caddyhttp/matchers.go
+@@ -325,6 +325,11 @@ func (m MatchPath) Match(r *http.Request) bool {
+ 
+ 	lowerPath := strings.ToLower(unescapedPath)
+ 
++	// Clean the path, merges doubled slashes, etc.
++	// This ensures maliciously crafted requests can't bypass
++	// the path matcher. See #4407
++	lowerPath = path.Clean(lowerPath)
++
+ 	// see #2917; Windows ignores trailing dots and spaces
+ 	// when accessing files (sigh), potentially causing a
+ 	// security risk (cry) if PHP files end up being served
+@@ -332,11 +337,6 @@ func (m MatchPath) Match(r *http.Request) bool {
+ 	// being matched by *.php to be treated as PHP scripts
+ 	lowerPath = strings.TrimRight(lowerPath, ". ")
+ 
+-	// Clean the path, merges doubled slashes, etc.
+-	// This ensures maliciously crafted requests can't bypass
+-	// the path matcher. See #4407
+-	lowerPath = path.Clean(lowerPath)
+-
+ 	// Cleaning may remove the trailing slash, but we want to keep it
+ 	if lowerPath != "/" && strings.HasSuffix(r.URL.Path, "/") {
+ 		lowerPath = lowerPath + "/"
+-- 
+2.39.2
+
diff --git a/caddy.spec b/caddy.spec
index b416b09..8bc6986 100644
--- a/caddy.spec
+++ b/caddy.spec
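Review bot: With the new order, `strings.TrimRight(lowerPath, ". ")` runs after `path.Clean`, so the value that reaches the trailing-slash logic is no longer guaranteed to be in Clean form: when the final segment consists only of dots and spaces but is not exactly `.` or `..` (constructed example: `/a/...` becomes `/a/`), the trim removes the whole segment and leaves a trailing `/` that Clean would have dropped, and the matcher then compares a path that differs from the canonical one. Consider cleaning once more after the trim, `lowerPath = path.Clean(strings.TrimRight(path.Clean(lowerPath), ". "))`, or repeating clean-and-trim until the value stops changing, and adding such a case to the matcher tests. The `Match` method begins before and ends after both inner hunks, so what later comparisons do with `lowerPath` is not visible here. Since this file is a verbatim export of an upstream commit, any follow-up belongs upstream and should be re-exported rather than edited in the distro patch.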
@@ -17,7 +17,7 @@ Version: %{basever}%{?prerel:~%{prerel}%{prerelnum}}
 Caddy is the web server with automatic HTTPS.}
 Name: caddy
-Release: 4%{?dist}
+Release: 6%{?dist}
 Summary: Web server with automatic HTTPS
 %if %{with vendor}
 # github.com/caddyserver/caddy ASL 2.0
@@ -80,6 +80,9 @@ Source7: zsh-completion
 # downstream only patch to disable commands that can alter the binary
 Patch: 0001-Disable-commands-that-can-alter-the-binary.patch
+# backport of upstream fix for CVE-2022-29718
+# https://github.com/caddyserver/caddy/pull/4499
+Patch: 0002-caddyhttp-Fix-MatchPath-sanitizing-4499.patch
 # https://github.com/caddyserver/caddy/commit/6bc87ea2ff50a962f16dfafeb125f0f947c1a885
 BuildRequires: golang >= 1.16
@@ -295,6 +298,12 @@ fi
 %changelog
+* Wed Mar 01 2023 Carl George - 2.4.6-6
+- Backport of upstream fix for CVE-2022-29718
+
+* Tue Jan 24 2023 Carl George - 2.4.6-5
+- Rebuild for CVE-2022-41717 in golang
+
 * Tue Jul 19 2022 Maxwell G - 2.4.6-4
 - Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang
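Review bot: The comment above the new `Patch:` line names the CVE and the pull request but not the upstream commit the patch was exported from, which is what a later reviewer needs to check the backport against upstream; the patch file's own header carries it (`From 7681fd2370d3b36e2839717fce59e6e6a9d5d00a`), so the spec can cite it too, e.g. `# backport of upstream commit 7681fd23 (PR #4499) for CVE-2022-29718`. The existing `0001` patch comment follows the same style, so only the new comment needs the addition. Separately, Release moves 4 → 6 in one commit while the changelog gains both the -5 and -6 entries, which suggests the -5 rebuild was never committed on this branch; worth confirming the spec matches what was actually built for -5.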