[Pkg-apache-commits] r1052 - in /trunk/apache2: changelog patches/00list patches/071_CVE-2009-3094.dpatch patches/072_CVE-2009-3095.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Wed Sep 16 18:54:57 UTC 2009


Author: sf
Date: Wed Sep 16 18:54:57 2009
New Revision: 1052

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1052
Log:
CVE-2009-3094/CVE-2009-3095

Added:
    trunk/apache2/patches/071_CVE-2009-3094.dpatch
    trunk/apache2/patches/072_CVE-2009-3095.dpatch
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1052&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Wed Sep 16 18:54:57 2009
@@ -1,5 +1,9 @@
 apache2 (2.2.13-2) UNRELEASED; urgency=high
 
+  * mod_proxy_ftp security fixes (closes: #545951):
+    - DoS by malicious ftp server (CVE-2009-3094) 
+    - missing input sanitization: a user could execute arbitrary ftp commands
+      on the backend ftp server (CVE-2009-3095)
   * Add entries to NEWS.Debian and README.Debian about Apache being stricter
     about certain misconfigurations involving name based SSL virtual hosts.
     Also make Apache print the location of the misconfigured VirtualHost when

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1052&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Wed Sep 16 18:54:57 2009
@@ -20,6 +20,8 @@
 068_mod_dav_detect_EOF.dpatch
 069_no_deflate_for_HEAD.dpatch
 070_better_missing_cert_error_msg.dpatch
+071_CVE-2009-3094.dpatch
+072_CVE-2009-3095.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/071_CVE-2009-3094.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/071_CVE-2009-3094.dpatch?rev=1052&op=file
==============================================================================
--- trunk/apache2/patches/071_CVE-2009-3094.dpatch (added)
+++ trunk/apache2/patches/071_CVE-2009-3094.dpatch Wed Sep 16 18:54:57 2009
@@ -1,0 +1,116 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
+
+ at DPATCH@
+commit 239d6a38f8fba2a2e03ee632985706a0a77d60dd
+Author: Graham Leggett <minfrin at apache.org>
+Date:   Mon Sep 14 20:51:49 2009 +0000
+
+    Backport 814652, 814785
+    CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
+    Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814844 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index 639f9f8..fdcfc6a 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -604,6 +604,31 @@ static apr_status_t proxy_send_dir_filter(ap_filter_t *f,
+     return APR_SUCCESS;
+ }
+ 
++/* Parse EPSV reply and return port, or zero on error. */
++static apr_port_t parse_epsv_reply(const char *reply)
++{
++    const char *p;
++    char *ep;
++    long port;
++
++    /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
++     * can be any character in ASCII from 33-126, obscurely.  Verify
++     * the syntax. */
++    p = ap_strchr_c(reply, '(');
++    if (p == NULL || !p[1] || p[1] != p[2] || p[1] != p[3]
++        || p[4] == p[1]) {
++        return 0;
++    }
++
++    errno = 0;
++    port = strtol(p + 4, &ep, 10);
++    if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') {
++        return 0;
++    }
++
++    return (apr_port_t)port;
++}
++
+ /*
+  * Generic "send FTP command to server" routine, using the control socket.
+  * Returns the FTP returncode (3 digit code)
+@@ -1210,26 +1235,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+             return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage);
+         }
+         else if (rc == 229) {
+-            char *pstr;
+-            char *tok_cntx;
++            /* Parse the port out of the EPSV reply. */
++            data_port = parse_epsv_reply(ftpmessage);
+ 
+-            pstr = ftpmessage;
+-            pstr = apr_strtok(pstr, " ", &tok_cntx);    /* separate result code */
+-            if (pstr != NULL) {
+-                if (*(pstr + strlen(pstr) + 1) == '=') {
+-                    pstr += strlen(pstr) + 2;
+-                }
+-                else {
+-                    pstr = apr_strtok(NULL, "(", &tok_cntx);    /* separate address &
+-                                                                 * port params */
+-                    if (pstr != NULL)
+-                        pstr = apr_strtok(NULL, ")", &tok_cntx);
+-                }
+-            }
+-
+-            if (pstr) {
++            if (data_port) {
+                 apr_sockaddr_t *epsv_addr;
+-                data_port = atoi(pstr + 3);
+ 
+                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                        "proxy: FTP: EPSV contacting remote host on port %d",
+@@ -1272,10 +1282,6 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+                     connect = 1;
+                 }
+             }
+-            else {
+-                /* and try the regular way */
+-                apr_socket_close(data_sock);
+-            }
+         }
+     }
+ 
+@@ -1364,10 +1370,6 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+                     connect = 1;
+                 }
+             }
+-            else {
+-                /* and try the regular way */
+-                apr_socket_close(data_sock);
+-            }
+         }
+     }
+ /*bypass:*/
+@@ -1851,7 +1853,9 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+                  * for a slow client to eat these bytes
+                  */
+                 ap_flush_conn(data);
+-                apr_socket_close(data_sock);
++                if (data_sock) {
++                    apr_socket_close(data_sock);
++                }
+                 data_sock = NULL;
+                 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                              "proxy: FTP: data connection closed");
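Review bot: In parse_epsv_reply (first inner hunk) the strtol call accepts leading whitespace and a sign after the third delimiter, and the 33–126 delimiter range the comment cites is never enforced, so a reply like `(||| 21|)` or one delimited by a space still passes the syntax check; adding `if (p[1] < 33 || p[1] > 126 || p[4] < '0' || p[4] > '9') return 0;` before the strtol line keeps the parser to the RFC 2428 grammar the comment describes. The function also reads errno, so the file's include list (outside this hunk) must already pull in errno.h — worth confirming. In proxy_ftp_handler, whose body starts and ends outside these hunks, the two removed `apr_socket_close(data_sock)` fallbacks leave data_sock open after an EPSV failure, presumably so the PASV path that follows can reuse it; a one-line comment at the `if (data_port)` block, `/* on EPSV failure data_sock is left open for the PASV fallback below */`, would record that intent, if that is indeed the reason.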

Added: trunk/apache2/patches/072_CVE-2009-3095.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/072_CVE-2009-3095.dpatch?rev=1052&op=file
==============================================================================
--- trunk/apache2/patches/072_CVE-2009-3095.dpatch (added)
+++ trunk/apache2/patches/072_CVE-2009-3095.dpatch Wed Sep 16 18:54:57 2009
@@ -1,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+
+ at DPATCH@
+commit 5e9bca418ec4087e398053dac44348b977b219e8
+Author: Graham Leggett <minfrin at apache.org>
+Date:   Mon Sep 14 20:53:28 2009 +0000
+
+    Backport 814045
+    CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+    Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814847 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index fdcfc6a..924ac31 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -912,6 +912,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+     if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
+         && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
+         && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
++        /* Check the decoded string for special characters. */
++        if (!ftp_check_string(password)) {
++            return ap_proxyerror(r, HTTP_BAD_REQUEST, 
++                                 "user credentials contained invalid character");
++        } 
+         /*
+          * Note that this allocation has to be made from r->connection->pool
+          * because it has the lifetime of the connection.  The other
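Review bot: The comment on the new check says only that it looks for special characters, not why the check matters; since the changelog describes the decoded Basic credentials reaching the backend as FTP commands, the comment should say so: `/* Reject credentials the backend could read as extra FTP commands once sent as USER/PASS (CVE-2009-3095). */`. ftp_check_string is defined elsewhere in the file, so what it rejects cannot be confirmed from this hunk — presumably control characters such as CR/LF. The lines `return ap_proxyerror(r, HTTP_BAD_REQUEST, ` and `} ` carry trailing whitespace that should be stripped. proxy_ftp_handler begins and ends outside the hunk.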



