Version in base suite: 3.0.3-1 Base version: modsecurity_3.0.3-1 Target version: modsecurity_3.0.3-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity/modsecurity_3.0.3-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity/modsecurity_3.0.3-1+deb10u1.dsc changelog | 6 ++ patches/cookieparse_fix.patch | 92 ++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 99 insertions(+)
diff -Nru modsecurity-3.0.3/debian/changelog modsecurity-3.0.3/debian/changelog
--- modsecurity-3.0.3/debian/changelog 2018-12-12 07:17:40.000000000 +0000
+++ modsecurity-3.0.3/debian/changelog 2020-01-21 21:52:59.000000000 +0000
@@ -1,3 +1,9 @@
+modsecurity (3.0.3-1+deb10u1) buster; urgency=medium
+
+ * Fixes CVE-2019-19886 (Closes: #949682)
+
+ -- Ervin Hegedus Tue, 21 Jan 2020 21:52:59 +0000
+
 modsecurity (3.0.3-1) unstable; urgency=medium
 
 [ Ervin Hegedüs ]
diff -Nru modsecurity-3.0.3/debian/patches/cookieparse_fix.patch modsecurity-3.0.3/debian/patches/cookieparse_fix.patch
--- modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-3.0.3/debian/patches/cookieparse_fix.patch 2020-01-21 21:52:59.000000000 +0000
@@ -0,0 +1,92 @@
+Description: Fix cookie header parsing bug
+ There was a bug in the transaction.cc, if the Cookie header contains a field (cookie)
+ without '=', the engine doesn't evaulate it as cookie. If the cookie started with
+ '=', then the engine crashed.
+Author: Ervin Hegedus
+
+---
+Origin: upstream, https://github.com/SpiderLabs/Misc/blob/master/ModSecurity_cookie_parsing_fix_303.patch
+Bug: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-denial-of-service-details-cve-2019-19886/
+Last-Update: 2020-01-21
+
+
+
+--- modsecurity-3.0.3.orig/src/transaction.cc
++++ modsecurity-3.0.3/src/transaction.cc
+@@ -556,20 +556,63 @@ int Transaction::addRequestHeader(const
+ 
+ if (keyl == "cookie") {
+ size_t localOffset = m_variableOffset;
++ size_t pos;
+ std::vector cookies = utils::string::ssplit(value, ';');
++
++ if (!cookies.empty()) {
++ // Get rid of any optional whitespace after the cookie-string
++ // (i.e. after the end of the final cookie-pair)
++ std::string& final_cookie_pair = cookies.back();
++ while (!final_cookie_pair.empty() && isspace(final_cookie_pair.back())) {
++ final_cookie_pair.pop_back();
++ }
++ }
++
+ for (const std::string &c : cookies) {
+- std::vector s = utils::string::split(c,
+- '=');
+- if (s.size() > 1) {
+- if (s[0].at(0) == ' ') {
+- s[0].erase(0, 1);
+- }
+- m_variableRequestCookiesNames.set(s[0],
+- s[0], localOffset);
+-
+- localOffset = localOffset + s[0].size() + 1;
+- m_variableRequestCookies.set(s[0], s[1], localOffset);
+- localOffset = localOffset + s[1].size() + 2;
++ // skip empty substring, eg "Cookie: ;;foo=bar"
++ if (c.empty() == true) {
++ localOffset++; // add length of ';'
++ continue;
++ }
++
++ // find the first '='
++ pos = c.find_first_of("=", 0);
++ std::string ckey = "";
++ std::string cval = "";
++
++ // if the cookie doesn't contains '=', its just a key
++ if (pos == std::string::npos) {
++ ckey = c;
++ }
++ // else split to two substrings by first =
++ else {
++ ckey = c.substr(0, pos);
++ // value will contains the next '=' chars if exists
++ // eg. foo=bar=baz -> key: foo, value: bar=baz
++ cval = c.substr(pos+1);
++ }
++
++ // ltrim the key - following the modsec v2 way
++ while (ckey.empty() == false && isspace(ckey.at(0))) {
++ ckey.erase(0, 1);
++ localOffset++;
++ }
++
++ // if the key is empty (eg: "Cookie: =bar;") skip it
++ if (ckey.empty() == true) {
++ localOffset = localOffset + c.length() + 1;
++ continue;
++ }
++ else {
++ // handle cookie only if the key is not empty
++ // set cookie name
++ m_variableRequestCookiesNames.set(ckey,
++ ckey, localOffset);
++ localOffset = localOffset + ckey.size() + 1;
++ // set cookie value
++ m_variableRequestCookies.set(ckey, cval,
++ localOffset);
++ localOffset = localOffset + cval.size() + 1;
+ }
+ }
+ }
+
diff -Nru modsecurity-3.0.3/debian/patches/series modsecurity-3.0.3/debian/patches/series
--- modsecurity-3.0.3/debian/patches/series 2018-12-12 07:13:38.000000000 +0000
+++ modsecurity-3.0.3/debian/patches/series 2020-01-21 21:52:59.000000000 +0000
@@ -1,3 +1,4 @@
 disable-network-dependent-tests.patch
 setenv_term_avoid.patch
 bigendian_fix.patch
+cookieparse_fix.patch
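Review bot: Both new `isspace()` calls in the transaction.cc hunk — on `final_cookie_pair.back()` and on `ckey.at(0)` in the ltrim loop — pass a plain `char`, which is undefined behavior for bytes above 0x7F on platforms where `char` is signed, and the Cookie header is client-supplied; cast first, e.g. `isspace(static_cast<unsigned char>(ckey.at(0)))`. The `localOffset` bookkeeping also looks off by one on two paths, assuming the offsets are meant to index into the header value: a key-only cookie still adds 1 for an '=' that is not there (`localOffset = localOffset + ckey.size() + 1;`), and the empty-key skip adds `c.length() + 1` on top of the increments the ltrim loop has already applied for the stripped whitespace. Recording the cookie's start before trimming (`size_t cookieStart = localOffset;`), using `localOffset = cookieStart + c.length() + 1;` in the skip path, and `localOffset += ckey.size() + (pos == std::string::npos ? 0 : 1);` for the name keeps later cookies aligned. The crash fix itself (no `.at(0)` on a possibly empty key) is sound; the enclosing `addRequestHeader` starts and ends outside the hunk.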