[Pkg-apache-commits] r979 - in /trunk/apache2: changelog patches/00list patches/072_CVE-2009-1890.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Fri Jul 10 19:59:38 UTC 2009


Author: sf
Date: Fri Jul 10 19:59:37 2009
New Revision: 979

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=979
Log:
CVE-2009-1890

Added:
    trunk/apache2/patches/072_CVE-2009-1890.dpatch   (with props)
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=979&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Fri Jul 10 19:59:37 2009
@@ -1,7 +1,8 @@
 apache2 (2.2.11-7) UNRELEASED; urgency=low
 
   * Security fixes:
-    CVE-2009-1891: denial of service in mod_deflate
+    - CVE-2009-1890: denial of service in mod_proxy
+    - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
   * Add symlinks for the debug info to the mpm packages.
   * Be slightly more informative in the default index.html without pointing
     to Apache or Debian (LP: #89364)

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=979&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Fri Jul 10 19:59:37 2009
@@ -22,6 +22,7 @@
 069_backports_from_2.2.12.dpatch
 070_CVE-2009-1195_mod_include_noexec.dpatch
 071_CVE-2009-1891.dpatch
+072_CVE-2009-1890.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/072_CVE-2009-1890.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/072_CVE-2009-1890.dpatch?rev=979&op=file
==============================================================================
--- trunk/apache2/patches/072_CVE-2009-1890.dpatch (added)
+++ trunk/apache2/patches/072_CVE-2009-1890.dpatch Fri Jul 10 19:59:37 2009
@@ -1,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_proxy DoS
+## DP: http://svn.apache.org/viewvc?view=rev&revision=790587
+
+ at DPATCH@
+index bc59aad..bdfe594 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -427,10 +427,16 @@ static int stream_reqbody_cl(apr_pool_t *p,
+     apr_off_t bytes_streamed = 0;
+ 
+     if (old_cl_val) {
++        char *endstr;
++
+         add_cl(p, bucket_alloc, header_brigade, old_cl_val);
+-        if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
+-                                                 0))) {
+-            return HTTP_INTERNAL_SERVER_ERROR;
++        status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
++        
++        if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++                          "proxy: could not parse request Content-Length (%s)",
++                          old_cl_val);
++            return HTTP_BAD_REQUEST;
+         }
+     }
+     terminate_headers(bucket_alloc, header_brigade);
+@@ -463,8 +469,13 @@ static int stream_reqbody_cl(apr_pool_t *p,
+          *
+          * Prevents HTTP Response Splitting.
+          */
+-        if (bytes_streamed > cl_val)
+-             continue;
++        if (bytes_streamed > cl_val) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                          "proxy: read more bytes of request body than expected "
++                          "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
++                          bytes_streamed, cl_val);
++            return HTTP_INTERNAL_SERVER_ERROR;
++        }
+ 
+         if (header_brigade) {
+             /* we never sent the header brigade, so go ahead and

Propchange: trunk/apache2/patches/072_CVE-2009-1890.dpatch
------------------------------------------------------------------------------
    svn:executable = *




More information about the Pkg-apache-commits mailing list