[Pkg-apache-commits] r1060 - in /branches/lenny-apache2: changelog patches/00list patches/074_CVE-2009-3094.dpatch patches/075_CVE-2009-3095.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Sun Sep 27 08:46:07 UTC 2009
Author: sf
Date: Sun Sep 27 08:46:07 2009
New Revision: 1060
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1060
Log:
CVE-2009-3094, CVE-2009-3095 (mod_proxy_ftp)
Added:
branches/lenny-apache2/patches/074_CVE-2009-3094.dpatch
branches/lenny-apache2/patches/075_CVE-2009-3095.dpatch
Modified:
branches/lenny-apache2/changelog
branches/lenny-apache2/patches/00list
Modified: branches/lenny-apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/changelog?rev=1060&op=diff
==============================================================================
--- branches/lenny-apache2/changelog (original)
+++ branches/lenny-apache2/changelog Sun Sep 27 08:46:07 2009
@@ -1,5 +1,9 @@
apache2 (2.2.9-10+lenny5) UNRELEASED; urgency=low
+ * Minor security fixes in mod_proxy_ftp (closes: #545951):
+ - DoS by malicious ftp server (CVE-2009-3094)
+ - missing input sanitization: a user could execute arbitrary ftp commands
+ on the backend ftp server (CVE-2009-3095)
* Take care to not override existing index.shtml files when upgrading from
before 2.2.8-1 (closes: #517089).
* mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
Modified: branches/lenny-apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/00list?rev=1060&op=diff
==============================================================================
--- branches/lenny-apache2/patches/00list (original)
+++ branches/lenny-apache2/patches/00list Sun Sep 27 08:46:07 2009
@@ -32,6 +32,8 @@
071_CVE-2009-1891.dpatch
072_CVE-2009-1890.dpatch
073_no_deflate_for_HEAD.dpatch
+074_CVE-2009-3094.dpatch
+075_CVE-2009-3095.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: branches/lenny-apache2/patches/074_CVE-2009-3094.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/074_CVE-2009-3094.dpatch?rev=1060&op=file
==============================================================================
--- branches/lenny-apache2/patches/074_CVE-2009-3094.dpatch (added)
+++ branches/lenny-apache2/patches/074_CVE-2009-3094.dpatch Sun Sep 27 08:46:07 2009
@@ -1,0 +1,116 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
+
+ at DPATCH@
+commit 239d6a38f8fba2a2e03ee632985706a0a77d60dd
+Author: Graham Leggett <minfrin at apache.org>
+Date: Mon Sep 14 20:51:49 2009 +0000
+
+ Backport 814652, 814785
+ CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
+ Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814844 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index 639f9f8..fdcfc6a 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -604,6 +604,31 @@ static apr_status_t proxy_send_dir_filter(ap_filter_t *f,
+ return APR_SUCCESS;
+ }
+
++/* Parse EPSV reply and return port, or zero on error. */
++static apr_port_t parse_epsv_reply(const char *reply)
++{
++ const char *p;
++ char *ep;
++ long port;
++
++ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
++ * can be any character in ASCII from 33-126, obscurely. Verify
++ * the syntax. */
++ p = ap_strchr_c(reply, '(');
++ if (p == NULL || !p[1] || p[1] != p[2] || p[1] != p[3]
++ || p[4] == p[1]) {
++ return 0;
++ }
++
++ errno = 0;
++ port = strtol(p + 4, &ep, 10);
++ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') {
++ return 0;
++ }
++
++ return (apr_port_t)port;
++}
++
+ /*
+ * Generic "send FTP command to server" routine, using the control socket.
+ * Returns the FTP returncode (3 digit code)
+@@ -1210,26 +1235,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage);
+ }
+ else if (rc == 229) {
+- char *pstr;
+- char *tok_cntx;
++ /* Parse the port out of the EPSV reply. */
++ data_port = parse_epsv_reply(ftpmessage);
+
+- pstr = ftpmessage;
+- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */
+- if (pstr != NULL) {
+- if (*(pstr + strlen(pstr) + 1) == '=') {
+- pstr += strlen(pstr) + 2;
+- }
+- else {
+- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address &
+- * port params */
+- if (pstr != NULL)
+- pstr = apr_strtok(NULL, ")", &tok_cntx);
+- }
+- }
+-
+- if (pstr) {
++ if (data_port) {
+ apr_sockaddr_t *epsv_addr;
+- data_port = atoi(pstr + 3);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "proxy: FTP: EPSV contacting remote host on port %d",
+@@ -1272,10 +1282,6 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ connect = 1;
+ }
+ }
+- else {
+- /* and try the regular way */
+- apr_socket_close(data_sock);
+- }
+ }
+ }
+
+@@ -1364,10 +1370,6 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ connect = 1;
+ }
+ }
+- else {
+- /* and try the regular way */
+- apr_socket_close(data_sock);
+- }
+ }
+ }
+ /*bypass:*/
+@@ -1851,7 +1853,9 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ * for a slow client to eat these bytes
+ */
+ ap_flush_conn(data);
+- apr_socket_close(data_sock);
++ if (data_sock) {
++ apr_socket_close(data_sock);
++ }
+ data_sock = NULL;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "proxy: FTP: data connection closed");
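Review bot: parse_epsv_reply() accepts more than the RFC 2428 grammar its comment cites, because strtol() skips leading whitespace and a sign before the digits, so a reply like `(||| +21|)` or `(|||\t21|)` from the (untrusted) FTP server passes the syntax check. Since the delimiter test only proves `p[4] != p[1]`, I would reject a non-digit there before calling strtol: `if (p[4] < '0' || p[4] > '9') { return 0; }`. The two removed `apr_socket_close(data_sock)` fallbacks mean a data socket left over from a failed EPSV connect now stays open while the PASV path runs; if that path creates a fresh socket in data_sock the earlier one is presumably only released by pool cleanup, which deserves a short comment at the removal site — the PASV branch itself is not in this patch, so I cannot confirm. The new function also relies on errno and strtol() being declared; presumably the APR headers already pull in errno.h and stdlib.h, but worth confirming. The proxy_ftp_handler() hunks are excerpts; the function begins and ends outside the patch.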
Added: branches/lenny-apache2/patches/075_CVE-2009-3095.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/075_CVE-2009-3095.dpatch?rev=1060&op=file
==============================================================================
--- branches/lenny-apache2/patches/075_CVE-2009-3095.dpatch (added)
+++ branches/lenny-apache2/patches/075_CVE-2009-3095.dpatch Sun Sep 27 08:46:07 2009
@@ -1,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+
+ at DPATCH@
+commit 5e9bca418ec4087e398053dac44348b977b219e8
+Author: Graham Leggett <minfrin at apache.org>
+Date: Mon Sep 14 20:53:28 2009 +0000
+
+ Backport 814045
+ CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+ Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814847 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index fdcfc6a..924ac31 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -912,6 +912,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
+ && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
+ && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
++ /* Check the decoded string for special characters. */
++ if (!ftp_check_string(password)) {
++ return ap_proxyerror(r, HTTP_BAD_REQUEST,
++ "user credentials contained invalid character");
++ }
+ /*
+ * Note that this allocation has to be made from r->connection->pool
+ * because it has the lifetime of the connection. The other
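Review bot: The new ftp_check_string() guard only covers credentials taken from the Authorization header; the same user:password can also arrive as userinfo in the request URL (ftp://user:pass@host/), and that path is outside this hunk, so confirm it is sanitised the same way before USER/PASS are sent, otherwise the command injection this CVE addresses is presumably still reachable from the URL. The added comment says what is checked but not why; I would write `/* Reject control characters so the decoded user:password cannot inject extra FTP commands (CVE-2009-3095). */`, worded to match whatever set ftp_check_string() actually rejects — its definition is not in this patch. proxy_ftp_handler() starts before and ends after this hunk.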