From 5e31b6c4ae0639aa7e88a96d7981b781870f215e Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Tue, 7 Mar 2023 09:46:31 +0100
Subject: [PATCH] fix CVE-2022-1304 for autoconf, add missing load_module for ngx_stream_lua_module.so and fix missing -lpcre in configure step
---
 src/autoconf/Dockerfile | 2 +-
 src/common/confs/nginx.conf | 1 +
 src/deps/install.sh | 8 ++++----
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/autoconf/Dockerfile b/src/autoconf/Dockerfile
index 1d0db2727..629972ca6 100644
--- a/src/autoconf/Dockerfile
+++ b/src/autoconf/Dockerfile
@@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
 chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
 # Fix CVEs
-RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2"
+RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "libcom_err>=1.46.6-r0"
 VOLUME /data /etc/nginx
diff --git a/src/common/confs/nginx.conf b/src/common/confs/nginx.conf
index 38420cafe..5a32f4ec3 100644
--- a/src/common/confs/nginx.conf
+++ b/src/common/confs/nginx.conf
@@ -8,6 +8,7 @@ load_module /usr/share/bunkerweb/modules/ngx_http_lua_module.so;
 load_module /usr/share/bunkerweb/modules/ngx_http_modsecurity_module.so;
 load_module /usr/share/bunkerweb/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/share/bunkerweb/modules/ngx_http_brotli_static_module.so;
+load_module /usr/share/bunkerweb/modules/ngx_stream_lua_module.so;
 # PID file
 pid /var/tmp/bunkerweb/nginx.pid;
diff --git a/src/deps/install.sh b/src/deps/install.sh
index 394129fb2..bf2e3d37c 100755
--- a/src/deps/install.sh
+++ b/src/deps/install.sh
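Review bot: In src/autoconf/Dockerfile the `# Fix CVEs` comment above the changed `RUN apk add` line does not say which advisory each version pin addresses, so the new `"libcom_err>=1.46.6-r0"` constraint cannot be audited or retired later without reading the commit log. The commit subject ties it to CVE-2022-1304; I would record that next to the pin, for example `# libcom_err>=1.46.6-r0: CVE-2022-1304`. The same line also omits `--no-cache`, unlike the `RUN apk add --no-cache bash` shown in the hunk header, so the pin is resolved against whatever package index earlier layers left behind; that is worth confirming, since those layers are outside this hunk.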
@@ -127,10 +127,10 @@ do_and_check_cmd cp -r /tmp/bunkerweb/deps/src/lua-resty-env/src/resty/env.lua /
 echo "ℹ️ Compiling and installing dynamic modules"
 CONFARGS="$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p')"
 CONFARGS="${CONFARGS/-Os -fomit-frame-pointer -g/-Os}"
-CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt=-Wl/--with-ld-opt='-lpcre -Wl'/")"
-if [ "$OS" = "fedora" ] ; then
- CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='.*'/--with-ld-opt=-lpcre/" | sed "s/--with-cc-opt='.*'//")"
-fi
+CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='/--with-ld-opt='-lpcre /")"
+# if [ "$OS" = "fedora" ] ; then
+# CONFARGS="$(echo -n "$CONFARGS" | sed "s/--with-ld-opt='.*'/--with-ld-opt=-lpcre/" | sed "s/--with-cc-opt='.*'//")"
+# fi
 echo '#!/bin/bash' > "/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}/configure-fix.sh"
 echo "./configure $CONFARGS --add-dynamic-module=/tmp/bunkerweb/deps/src/ModSecurity-nginx --add-dynamic-module=/tmp/bunkerweb/deps/src/headers-more-nginx-module --add-dynamic-module=/tmp/bunkerweb/deps/src/nginx_cookie_flag_module --add-dynamic-module=/tmp/bunkerweb/deps/src/lua-nginx-module --add-dynamic-module=/tmp/bunkerweb/deps/src/ngx_brotli --add-dynamic-module=/tmp/bunkerweb/deps/src/ngx_devel_kit --add-dynamic-module=/tmp/bunkerweb/deps/src/stream-lua-nginx-module" >> "/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}/configure-fix.sh"
 do_and_check_cmd chmod +x "/tmp/bunkerweb/deps/src/nginx-${NGINX_VERSION}/configure-fix.sh"
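Review bot: The new substitution `sed "s/--with-ld-opt='/--with-ld-opt='-lpcre /"` only fires when `nginx -V` prints the value single-quoted, whereas the line it replaces matched the unquoted form `--with-ld-opt=-Wl`. On a build that reports the option without quotes, or without `--with-ld-opt` at all, `-lpcre` is silently not added and the configure step this commit means to fix can fail again. I would assert the result right after the substitution, for example `case "$CONFARGS" in *-lpcre*) ;; *) echo "-lpcre not added to --with-ld-opt" >&2; exit 1 ;; esac`. The Fedora branch is commented out rather than deleted; either remove it or add a comment saying why `--with-cc-opt` no longer needs stripping there. The surrounding script starts and ends outside this hunk.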