Version in base suite: 2.9.7-1

Base version: modsecurity-apache_2.9.7-1
Target version: modsecurity-apache_2.9.7-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity-apache/modsecurity-apache_2.9.7-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity-apache/modsecurity-apache_2.9.7-1+deb12u1.dsc

 changelog                    |    9 ++++++++
 patches/cve-2025-47947.patch |   48 +++++++++++++++++++++++++++++++++++++++++++
 patches/cve-2025-48866.patch |   18 ++++++++++++++++
 patches/series               |    2 +
 4 files changed, 77 insertions(+)

diff -Nru modsecurity-apache-2.9.7/debian/changelog modsecurity-apache-2.9.7/debian/changelog
--- modsecurity-apache-2.9.7/debian/changelog	2023-01-23 10:39:50.000000000 +0000
+++ modsecurity-apache-2.9.7/debian/changelog	2025-06-03 12:03:05.000000000 +0000
@@ -1,3 +1,12 @@
+modsecurity-apache (2.9.7-1+deb12u1) bookworm-security; urgency=medium
+
+  * Fix CVE-2025-47947: Added d/patches/cve-2025-47947.patch
+    (Closes: #1106286)
+  * Fix CVE-2025-48866: Added d/patches/cve-2025-48866.patch
+    (Closes: #1107196)
+
+ -- Ervin Hegedüs <airween@gmail.com>  Tue, 03 Jun 2025 14:03:05 +0200
+
 modsecurity-apache (2.9.7-1) unstable; urgency=medium
 
   * New upstream version 2.9.7
diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch
--- modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch	1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-apache-2.9.7/debian/patches/cve-2025-47947.patch	2025-06-03 12:03:05.000000000 +0000
@@ -0,0 +1,48 @@
+Description: Patch for CVE-2025-47947
+Author: Ervin Hegedüs <airween@gmail.com>
+Last-Update: 2025-05-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/apache2/modsecurity.h
++++ b/apache2/modsecurity.h
+@@ -694,6 +694,7 @@
+     unsigned int             value_origin_offset;
+     unsigned int             value_origin_len;
+     const char              *origin;
++    unsigned int             marked_for_sanitization;
+ };
+ 
+ struct msc_string {
+--- a/apache2/msc_json.c
++++ b/apache2/msc_json.c
+@@ -67,6 +67,7 @@
+         return 0;
+     }
+ 
++    arg->marked_for_sanitization = 0;
+     apr_table_addn(msr->arguments,
+         log_escape_nq_ex(msr->mp, arg->name, arg->name_len), (void *) arg);
+ 
+--- a/apache2/msc_parsers.c
++++ b/apache2/msc_parsers.c
+@@ -340,6 +340,7 @@
+  */
+ void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
+ {
++    arg->marked_for_sanitization = 0;
+     if (msr->txcfg->debuglog_level >= 5) {
+         msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
+                 arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),
+--- a/apache2/re_actions.c
++++ b/apache2/re_actions.c
+@@ -1413,8 +1413,9 @@
+             telts = (const apr_table_entry_t*)tarr->elts;
+             for (i = 0; i < tarr->nelts; i++) {
+                 msc_arg *arg = (msc_arg *)telts[i].val;
+-                if (strcasecmp(sargname, arg->name) == 0) {
++                if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
+                     apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
++                    arg->marked_for_sanitization = 1;
+                 }
+             }
+             break;
diff -Nru modsecurity-apache-2.9.7/debian/patches/cve-2025-48866.patch modsecurity-apache-2.9.7/debian/patches/cve-2025-48866.patch
--- modsecurity-apache-2.9.7/debian/patches/cve-2025-48866.patch	1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-apache-2.9.7/debian/patches/cve-2025-48866.patch	2025-06-03 12:03:05.000000000 +0000
@@ -0,0 +1,18 @@
+Description: Patch for CVE-2025-48866
+Author: Ervin Hegedüs <airween@gmail.com>
+Last-Update: 2025-06-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/apache2/re_actions.c
++++ b/apache2/re_actions.c
+@@ -1348,8 +1348,9 @@
+     for (i = 0; i < tarr->nelts; i++) {
+         msc_arg *arg = (msc_arg *)telts[i].val;
+ 
+-        if (strcasecmp(sargname, arg->name) == 0) {
++        if (arg->marked_for_sanitization == 0 && strcasecmp(sargname, arg->name) == 0) {
+             apr_table_addn(msr->arguments_to_sanitize, arg->name, (void *)arg);
++            arg->marked_for_sanitization = 1;
+         }
+     }
+ 
diff -Nru modsecurity-apache-2.9.7/debian/patches/series modsecurity-apache-2.9.7/debian/patches/series
--- modsecurity-apache-2.9.7/debian/patches/series	2023-01-23 10:39:50.000000000 +0000
+++ modsecurity-apache-2.9.7/debian/patches/series	2025-06-03 12:03:05.000000000 +0000
@@ -1,2 +1,4 @@
 debian_log_dir.patch
 improve_defaults.patch
+cve-2025-47947.patch
+cve-2025-48866.patch