!150 fix CVE-2019-17567

From: @chengyechun 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw

backport-Add-readbuffsize-api.patch

@@ -0,0 +1,254 @@
+From ed8996d9a0e503031ef70915ee0f067a71b20a16 Mon Sep 17 00:00:00 2001
+From: ylavic <ylavic@apache.org>
+Date: Mon, 16 Jul 2018 08:49:45 PM GMT+0800
+Subject: [PATCH] Add readbuffsize api
+
+Reference:https://github.com/apache/httpd/commit/ed8996d9a0e503031ef70915ee0f067a71b20a16
+
+---
+ include/ap_mmn.h    |   5 +-
+ include/http_core.h |  12 +++++
+ server/core.c       | 109 +++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 118 insertions(+), 8 deletions(-)
+
+diff --git a/include/ap_mmn.h b/include/ap_mmn.h
+index 549c869..2d87cb6 100644
+--- a/include/ap_mmn.h
++++ b/include/ap_mmn.h
+@@ -537,6 +537,9 @@
+  * 20120211.93 (2.4.47-dev) Add proxy_tunnel_rec, ap_proxy_tunnel_create()
+  *                          and ap_proxy_tunnel_run() to proxy_util.
+  * 20120211.93 (2.4.47-dev) Add ap_proxy_worker_can_upgrade()
++ * 20120211.94 (2.4.47-dev) Add read_buf_size member to core_dir_config,
++ *                          flush_max_threshold and flush_max_pipelined to
++ *                          core_server_config, and ap_get_read_buf_size().
+  */
+ 
+ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
+@@ -544,7 +547,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20120211
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 93                  /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 94                  /* 0...n */
+ 
+ /**
+  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+diff --git a/include/http_core.h b/include/http_core.h
+index 8e10988..1172ea3 100644
+--- a/include/http_core.h
++++ b/include/http_core.h
+@@ -253,6 +253,13 @@ AP_DECLARE(const char *) ap_get_server_name_for_url(request_rec *r);
+  */
+ AP_DECLARE(apr_port_t) ap_get_server_port(const request_rec *r);
+ 
++/**
++ * Get the size of read buffers
++ * @param r The current request
++ * @return The read buffers size
++ */
++AP_DECLARE(apr_size_t) ap_get_read_buf_size(const request_rec *r);
++
+ /**
+  * Return the limit on bytes in request msg body
+  * @param r The current request
+@@ -672,6 +679,8 @@ typedef struct {
+ 
+     /** Table of rules for building CGI variables, NULL if none configured */
+     apr_hash_t *cgi_var_rules;
++
++    apr_size_t read_buf_size;
+ } core_dir_config;
+ 
+ /* macro to implement off by default behaviour */
+@@ -741,6 +750,9 @@ typedef struct {
+ #define AP_HTTP_METHODS_REGISTERED    2
+     char http_methods;
+     unsigned int merge_slashes;
++
++    apr_size_t   flush_max_threshold;
++    apr_int32_t  flush_max_pipelined;
+ } core_server_config;
+ 
+ /* for AddOutputFiltersByType in core.c */
+diff --git a/server/core.c b/server/core.c
+index 4e7acc8..c6e032c 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -22,6 +22,11 @@
+ #include "apr_thread_proc.h"    /* for RLIMIT stuff */
+ #include "apr_random.h"
+ 
++#include "apr_version.h"
++#if APR_MAJOR_VERSION < 2
++#include "apu_version.h"
++#endif
++
+ #define APR_WANT_IOVEC
+ #define APR_WANT_STRFUNC
+ #define APR_WANT_MEMFUNC
+@@ -87,6 +92,9 @@
+ #define AP_CONTENT_MD5_ON    1
+ #define AP_CONTENT_MD5_UNSET 2
+ 
++#define AP_FLUSH_MAX_THRESHOLD 65536
++#define AP_FLUSH_MAX_PIPELINED 5
++
+ APR_HOOK_STRUCT(
+     APR_HOOK_LINK(get_mgmt_items)
+     APR_HOOK_LINK(insert_network_bucket)
+@@ -397,6 +405,13 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
+         conf->enable_sendfile = new->enable_sendfile;
+     }
+ 
++    if (new->read_buf_size) {
++        conf->read_buf_size = new->read_buf_size;
++    }
++    else {
++        conf->read_buf_size = base->read_buf_size;
++    }
++
+     conf->allow_encoded_slashes = new->allow_encoded_slashes;
+     conf->decode_encoded_slashes = new->decode_encoded_slashes;
+ 
+@@ -468,14 +483,12 @@ static void *create_core_server_config(apr_pool_t *a, server_rec *s)
+         apr_table_setn(conf->accf_map, "http", "data");
+         apr_table_setn(conf->accf_map, "https", "data");
+ #endif
++        conf->flush_max_threshold = AP_FLUSH_MAX_THRESHOLD;
++        conf->flush_max_pipelined = AP_FLUSH_MAX_PIPELINED;
+     }
+-    /* pcalloc'ed - we have NULL's/0's
+-    else ** is_virtual ** {
+-        conf->ap_document_root = NULL;
+-        conf->access_name = NULL;
+-        conf->accf_map = NULL;
++    else {
++        conf->flush_max_pipelined = -1;
+     }
+-     */
+ 
+     /* initialization, no special case for global context */
+ 
+@@ -563,7 +576,14 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv)
+                                        base->protocols_honor_order :
+                                        virt->protocols_honor_order);
+     AP_CORE_MERGE_FLAG(merge_slashes, conf, base, virt);
+-    
++
++    conf->flush_max_threshold = (virt->flush_max_threshold)
++                                  ? virt->flush_max_threshold
++                                  : base->flush_max_threshold;
++    conf->flush_max_pipelined = (virt->flush_max_pipelined >= 0)
++                                  ? virt->flush_max_pipelined
++                                  : base->flush_max_pipelined;
++
+     return conf;
+ }
+ 
+@@ -1225,6 +1245,12 @@ AP_DECLARE(apr_off_t) ap_get_limit_req_body(const request_rec *r)
+     return d->limit_req_body;
+ }
+ 
++AP_DECLARE(apr_size_t) ap_get_read_buf_size(const request_rec *r)
++{
++    core_dir_config *d = ap_get_core_module_config(r->per_dir_config);
++
++    return d->read_buf_size ? d->read_buf_size : AP_IOBUFSIZE;
++}
+ 
+ /*****************************************************************
+  *
+@@ -2229,6 +2255,64 @@ static const char *set_enable_sendfile(cmd_parms *cmd, void *d_,
+     return NULL;
+ }
+ 
++static const char *set_read_buf_size(cmd_parms *cmd, void *d_,
++                                     const char *arg)
++{
++    core_dir_config *d = d_;
++    apr_off_t size;
++    char *end;
++
++    if (apr_strtoff(&size, arg, &end, 10)
++            || size < 0 || size > APR_SIZE_MAX || *end)
++        return apr_pstrcat(cmd->pool,
++                           "parameter must be a number between 0 and "
++                           APR_STRINGIFY(APR_SIZE_MAX) "): ",
++                           arg, NULL);
++
++    d->read_buf_size = (apr_size_t)size;
++
++    return NULL;
++}
++
++static const char *set_flush_max_threshold(cmd_parms *cmd, void *d_,
++                                           const char *arg)
++{
++    core_server_config *conf =
++        ap_get_core_module_config(cmd->server->module_config);
++    apr_off_t size;
++    char *end;
++
++    if (apr_strtoff(&size, arg, &end, 10)
++            || size <= 0 || size > APR_SIZE_MAX || *end)
++        return apr_pstrcat(cmd->pool,
++                           "parameter must be a number between 1 and "
++                           APR_STRINGIFY(APR_SIZE_MAX) "): ",
++                           arg, NULL);
++
++    conf->flush_max_threshold = (apr_size_t)size;
++
++    return NULL;
++}
++
++static const char *set_flush_max_pipelined(cmd_parms *cmd, void *d_,
++                                           const char *arg)
++{
++    core_server_config *conf =
++        ap_get_core_module_config(cmd->server->module_config);
++    apr_off_t num;
++    char *end;
++
++    if (apr_strtoff(&num, arg, &end, 10)
++            || num < 0 || num > APR_INT32_MAX || *end)
++        return apr_pstrcat(cmd->pool,
++                           "parameter must be a number between 0 and "
++                           APR_STRINGIFY(APR_INT32_MAX) ": ",
++                           arg, NULL);
++
++    conf->flush_max_pipelined = (apr_int32_t)num;
++
++    return NULL;
++}
+ 
+ /*
+  * Report a missing-'>' syntax error.
+@@ -4403,6 +4487,12 @@ AP_INIT_TAKE1("EnableMMAP", set_enable_mmap, NULL, OR_FILEINFO,
+   "Controls whether memory-mapping may be used to read files"),
+ AP_INIT_TAKE1("EnableSendfile", set_enable_sendfile, NULL, OR_FILEINFO,
+   "Controls whether sendfile may be used to transmit files"),
++AP_INIT_TAKE1("ReadBufferSize", set_read_buf_size, NULL, OR_FILEINFO,
++  "Size (in bytes) of the memory buffers used to read data"),
++AP_INIT_TAKE1("FlushMaxThreshold", set_flush_max_threshold, NULL, RSRC_CONF,
++  "Maximum size (in bytes) above which pending data are flushed (blocking) to the network"),
++AP_INIT_TAKE1("FlushMaxPipelined", set_flush_max_pipelined, NULL, RSRC_CONF,
++  "Number of pipelined/pending responses above which they are flushed to the network"),
+ 
+ /* Old server config file commands */
+ 
+@@ -4847,6 +4937,11 @@ static int default_handler(request_rec *r)
+             if (d->enable_mmap == ENABLE_MMAP_OFF) {
+                 (void)apr_bucket_file_enable_mmap(e, 0);
+             }
++#endif
++#if APR_MAJOR_VERSION > 1 || (APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION >= 6)
++            if (d->read_buf_size) {
++                apr_bucket_file_set_buf_size(e, d->read_buf_size);
++            }
+ #endif
+         }
+ 
+-- 
+2.27.0
+

httpd.spec

@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.43
-Release:          21
+Release:          22
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -105,6 +105,8 @@ Patch51:          backport-CVE-2022-36760.patch
 Patch52:          backport-CVE-2022-37436.patch
 Patch53:          backport-CVE-2023-27522.patch
 Patch54:          backport-CVE-2023-25690.patch
+Patch55:          backport-CVE-2019-17567.patch
+Patch56:          backport-Add-readbuffsize-api.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -541,6 +543,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Apr 6 2023 chengyechun <chengyechun1@huawei.com> - 2.4.43-22
+- Type:CVE
+- ID:CVE-2019-17567
+- SUG:restart
+- DESC:fix CVE-2019-17567
+
 * Thu Mar 9 2023 chengyechun <chengyechun1@huawei.com> - 2.4.43-21
 - Type:CVE
 - ID:CVE-2023-27522, CVE-2023-25690