[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, lenny, updated. be39de2f3a38db24793fe0eccfec927959413dc5
Stefan Fritsch
sf at sfritsch.de
Sun Feb 5 21:20:35 UTC 2012
The following commit has been merged in the lenny branch:
commit 2451c57c2387f014c70a4813aa953b415eac636f
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sun Feb 5 21:43:36 2012 +0100
Security fixes
CVE-2011-3368
CVE-2011-3639
CVE-2011-4317
CVE-2011-3607
CVE-2012-0031
CVE-2012-0053
diff --git a/debian/changelog b/debian/changelog
index f741870..e1be0cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.2.9-10+lenny12) UNRELEASED; urgency=high
+
+ * Prevent unintended pattern expansion in some reverse proxy
+ configurations by strictly validating the request-URI. Fixes
+ CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
+ * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
+ privilege escalation.
+ * CVE-2012-0031: Fix client process being able to crash parent process
+ during shutdown.
+ * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
+ "httpOnly" cookies.
+
+ -- Stefan Fritsch <sf at debian.org> Sun, 05 Feb 2012 21:52:43 +0100
+
apache2 (2.2.9-10+lenny11) lenny-security; urgency=high
* Fix regressions related to range requests introduced by 2.2.9-10+lenny10.
diff --git a/debian/patches/00list b/debian/patches/00list
index dc2ef74..f70db75 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -42,6 +42,12 @@
081_CVE-2010-1452.dpatch
082_CVE-2011-3192.dpatch
083_range_regressions.dpatch
+089_CVE-2011-3368.dpatch
+090_CVE-2011-4317.dpatch
+091_CVE-2011-3639.dpatch
+092_CVE-2011-3607.dpatch
+093_CVE-2012-0031.dpatch
+094_CVE-2012-0053.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
diff --git a/debian/patches/089_CVE-2011-3368.dpatch b/debian/patches/089_CVE-2011-3368.dpatch
new file mode 100755
index 0000000..3b2bf8c
--- /dev/null
+++ b/debian/patches/089_CVE-2011-3368.dpatch
@@ -0,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1179525
+
+ at DPATCH@
+commit d239e98144d468928fbd2d3f519bd9265d162932
+Author: Joe Orton <jorton at apache.org>
+Date: Thu Oct 6 07:39:13 2011 +0000
+
+ Merge r1179239 from trunk:
+
+ SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+ reverse proxy configurations by strictly validating the request-URI:
+
+ * server/protocol.c (read_request_line): Send a 400 response if the
+ request-URI does not match the grammar from RFC 2616. This ensures
+ the input string for RewriteRule et al really is an absolute path.
+
+ Reviewed by: jim, covener, rjung
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1179525 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 55468fc..b45851a 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,6 +640,25 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+
+ ap_parse_uri(r, uri);
+
++ /* RFC 2616:
++ * Request-URI = "*" | absoluteURI | abs_path | authority
++ *
++ * authority is a special case for CONNECT. If the request is not
++ * using CONNECT, and the parsed URI does not have scheme, and
++ * it does not begin with '/', and it is not '*', then, fail
++ * and give a 400 response. */
++ if (r->method_number != M_CONNECT
++ && !r->parsed_uri.scheme
++ && uri[0] != '/'
++ && !(uri[0] == '*' && uri[1] == '\0')) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "invalid request-URI %s", uri);
++ r->args = NULL;
++ r->hostname = NULL;
++ r->status = HTTP_BAD_REQUEST;
++ r->uri = apr_pstrdup(r->pool, uri);
++ }
++
+ if (ll[0]) {
+ r->assbackwards = 0;
+ pro = ll;
diff --git a/debian/patches/090_CVE-2011-4317.dpatch b/debian/patches/090_CVE-2011-4317.dpatch
new file mode 100755
index 0000000..7e9a54b
--- /dev/null
+++ b/debian/patches/090_CVE-2011-4317.dpatch
@@ -0,0 +1,85 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1235443
+
+ at DPATCH@
+commit 99f9da5c79bc0de71f0982ac1c47a615d86b8b62
+Author: Jeff Trawick <trawick at apache.org>
+Date: Tue Jan 24 19:39:31 2012 +0000
+
+ Backport trunk revisions 1209432 and 1233604:
+
+ SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
+
+ Submitted by: jorton
+ Reviewed by: trawick, covener, gregames
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235443 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 8887bea..89b5af5 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4266,6 +4266,11 @@ static int hook_uri2file(request_rec *r)
+ return DECLINED;
+ }
+
++ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
++ || !r->uri || r->uri[0] != '/') {
++ return DECLINED;
++ }
++
+ /*
+ * add the SCRIPT_URL variable to the env. this is a bit complicated
+ * due to the fact that apache uses subrequests and internal redirects
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 1efe95c..fb9ff39 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -566,6 +566,11 @@ static int proxy_trans(request_rec *r)
+ return OK;
+ }
+
++ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
++ || !r->uri || r->uri[0] != '/') {
++ return DECLINED;
++ }
++
+ /* XXX: since r->uri has been manipulated already we're not really
+ * compliant with RFC1945 at this point. But this probably isn't
+ * an issue because this is a hybrid proxy/origin server.
+diff --git a/server/protocol.c b/server/protocol.c
+index d018096..2e3ce93 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,25 +640,6 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+
+ ap_parse_uri(r, uri);
+
+- /* RFC 2616:
+- * Request-URI = "*" | absoluteURI | abs_path | authority
+- *
+- * authority is a special case for CONNECT. If the request is not
+- * using CONNECT, and the parsed URI does not have scheme, and
+- * it does not begin with '/', and it is not '*', then, fail
+- * and give a 400 response. */
+- if (r->method_number != M_CONNECT
+- && !r->parsed_uri.scheme
+- && uri[0] != '/'
+- && !(uri[0] == '*' && uri[1] == '\0')) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+- "invalid request-URI %s", uri);
+- r->args = NULL;
+- r->hostname = NULL;
+- r->status = HTTP_BAD_REQUEST;
+- r->uri = apr_pstrdup(r->pool, uri);
+- }
+-
+ if (ll[0]) {
+ r->assbackwards = 0;
+ pro = ll;
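Review bot: The `## DP:` header only cites r1235443, yet the server/protocol.c hunk of this patch deletes, line for line, the request-URI check that 089_CVE-2011-3368.dpatch installs, so after this patch a malformed request-URI is no longer answered with 400 by the core; it is only declined by mod_proxy's proxy_trans and mod_rewrite's hook_uri2file. Say so in the header, e.g. `## DP: Also removes the read_request_line check from 089 (CVE-2011-3368), as the embedded upstream commit does; rejection now lives in mod_proxy/mod_rewrite`. In the two new guards `r->uri` is NULL-checked but `r->unparsed_uri` is dereferenced unconditionally; that is presumably fine because ap_parse_uri sets it for main requests, but a one-line comment stating that assumption would help, since subrequest paths that build a request_rec by hand are not visible here. hook_uri2file and proxy_trans both start and end outside these hunks.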
diff --git a/debian/patches/091_CVE-2011-3639.dpatch b/debian/patches/091_CVE-2011-3639.dpatch
new file mode 100755
index 0000000..83edd5b
--- /dev/null
+++ b/debian/patches/091_CVE-2011-3639.dpatch
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 091_CVE-2011-3639.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1188745
+commit daadb710ab9c207e717a6cfdd5e9cf0ed3ba4f59
+Author: Ruediger Pluem <rpluem at apache.org>
+Date: Tue Oct 25 15:56:08 2011 +0000
+
+ * Correctly return a 400 (Bad request) in case of a HTTP/0.9 request like GET @example.org/foo
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1188745 13f79535-47bb-0310-9956-ffa450edef68
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze-apache2~/server/protocol.c squeeze-apache2/server/protocol.c
+--- squeeze-apache2~/server/protocol.c 2011-12-03 18:28:59.000000000 +0100
++++ squeeze-apache2/server/protocol.c 2011-12-03 18:33:23.331921967 +0100
+@@ -654,6 +654,7 @@
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
++ return 0;
+ }
+
+ if (ll[0]) {
+@@ -908,9 +909,17 @@
+
+ /* Get the request... */
+ if (!read_request_line(r, tmp_bb)) {
+- if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+- "request failed: URI too long (longer than %d)", r->server->limit_req_line);
++ if (r->status == HTTP_REQUEST_URI_TOO_LARGE
++ || r->status == HTTP_BAD_REQUEST) {
++ if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "request failed: URI too long (longer than %d)",
++ r->server->limit_req_line);
++ }
++ else if (r->method == NULL) {
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "request failed: invalid characters in URI");
++ }
+ ap_send_error_response(r, 0);
+ ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+ ap_run_log_transaction(r);
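Review bot: The first hunk (`+ return 0;` after `r->uri = apr_pstrdup(r->pool, uri);`) anchors on the block that 089 adds to read_request_line, but 00list orders 090 before 091 and 090's protocol.c hunk deletes exactly that block, so by the time this patch runs the context no longer exists in read_request_line; patch will either reject the hunk or, with its default fuzz, may drop the `return 0;` into a look-alike error branch elsewhere in protocol.c (ap_parse_uri appears to use the same three assignments and is a void function), so the build log should be checked for a fuzz/offset message or a "return with a value, in function returning void" warning. With the `r->uri[0] != '/'` guards from 090 in place, an HTTP/0.9 `GET @example.org/foo` is already kept away from the proxy/rewrite mappings, so the safer course is to drop this hunk and keep only the ap_read_request logging change below it. The `## DP:` line should then state which part of r1188745 was taken and why. Both hunks sit inside functions whose bodies extend beyond what is shown.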
diff --git a/debian/patches/092_CVE-2011-3607.dpatch b/debian/patches/092_CVE-2011-3607.dpatch
new file mode 100644
index 0000000..e7ea6c8
--- /dev/null
+++ b/debian/patches/092_CVE-2011-3607.dpatch
@@ -0,0 +1,52 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1227280
+commit ffcd2b1a24a1eeb94cb460e41875c442738ece54
+Author: Stefan Fritsch <sf at apache.org>
+Date: Wed Jan 4 19:45:22 2012 +0000
+
+ Merge fix for CVE-2011-3607:
+
+ Fix integer overflow in ap_pregsub()
+
+ Trunk fix: r1198940
+ Submitted by: Stefan Fritsch, Greg Ames
+ Reviewed by: Stefan Fritsch, Greg Ames, Eric Covener
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227280 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/util.c b/server/util.c
+index d0b90c6..a50d034 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -82,6 +82,8 @@
+ #define IS_SLASH(s) (s == '/')
+ #endif
+
++/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
++#define UTIL_SIZE_MAX (~((apr_size_t)0))
+
+ /*
+ * Examine a field value (such as a media-/content-type) string and return
+@@ -366,7 +368,7 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
+ char *dest, *dst;
+ char c;
+ size_t no;
+- int len;
++ apr_size_t len;
+
+ if (!source)
+ return NULL;
+@@ -391,6 +393,11 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
+ len++;
+ }
+ else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
++ "integer overflow or out of memory condition." );
++ return NULL;
++ }
+ len += pmatch[no].rm_eo - pmatch[no].rm_so;
+ }
+
diff --git a/debian/patches/093_CVE-2012-0031.dpatch b/debian/patches/093_CVE-2012-0031.dpatch
new file mode 100644
index 0000000..27b03a9
--- /dev/null
+++ b/debian/patches/093_CVE-2012-0031.dpatch
@@ -0,0 +1,41 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1231058
+
+ Merge r1230069 from trunk:
+ Submitted by: jorton
+ Reviewed/backported by: jim
+
+ SECURITY (CVE-2012-0031) patch
+
+diff --git a/server/scoreboard.c b/server/scoreboard.c
+index 060de5c..1c60fdd 100644
+--- a/server/scoreboard.c
++++ b/server/scoreboard.c
+@@ -42,6 +42,8 @@ AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL;
+ AP_DECLARE_DATA int ap_extended_status = 0;
+ AP_DECLARE_DATA int ap_mod_status_reqtail = 0;
+
++static ap_scoreboard_e scoreboard_type;
++
+ #if APR_HAS_SHARED_MEMORY
+
+ #include "apr_shm.h"
+@@ -250,7 +252,7 @@ apr_status_t ap_cleanup_scoreboard(void *d)
+ if (ap_scoreboard_image == NULL) {
+ return APR_SUCCESS;
+ }
+- if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
++ if (scoreboard_type == SB_SHARED) {
+ ap_cleanup_shared_mem(NULL);
+ }
+ else {
+@@ -314,7 +316,7 @@ int ap_create_scoreboard(apr_pool_t *p, ap_scoreboard_e sb_type)
+ ap_init_scoreboard(sb_mem);
+ }
+
+- ap_scoreboard_image->global->sb_type = sb_type;
++ ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type;
+ ap_scoreboard_image->global->running_generation = running_gen;
+ ap_scoreboard_image->global->restart_time = apr_time_now();
+
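Review bot: The new `static ap_scoreboard_e scoreboard_type;` has no comment explaining why it duplicates `global->sb_type`, which is the whole point of the fix: the parent's shutdown path must not branch on a field that lives in the shared scoreboard, which a (possibly compromised) child can write. Suggest `/* Parent-private copy of global->sb_type: the shared image is writable by children and must not steer ap_cleanup_scoreboard (CVE-2012-0031). */`. The hunks cover only ap_create_scoreboard and ap_cleanup_scoreboard; if this 2.2.9 tree has another path that (re)initialises or reads `sb_type` (a reopen or child-init routine), it should use the static as well, which cannot be verified from here. The `## DP:` header could also carry the one-line rationale so 00list readers do not have to open the upstream revision.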
diff --git a/debian/patches/094_CVE-2012-0053.dpatch b/debian/patches/094_CVE-2012-0053.dpatch
new file mode 100644
index 0000000..23b49ae
--- /dev/null
+++ b/debian/patches/094_CVE-2012-0053.dpatch
@@ -0,0 +1,105 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1235454
+commit 2bb066730e059da7127804a2dd9c999b50934a67
+Author: Eric Covener <covener at apache.org>
+Date: Tue Jan 24 20:02:19 2012 +0000
+
+ backport r1234837 from trunk:
+
+ CVE-2012-0053: Fix an issue in error responses that could expose
+ "httpOnly" cookies when no custom ErrorDocument is specified for
+ status code 400.
+
+ Reviewed By: covener, trawick, gregames
+
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235454 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 2e3ce93..796ae58 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -670,6 +670,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+ return 1;
+ }
+
++/* get the length of the field name for logging, but no more than 80 bytes */
++#define LOG_NAME_MAX_LEN 80
++static int field_name_len(const char *field)
++{
++ const char *end = ap_strchr_c(field, ':');
++ if (end == NULL || end - field > LOG_NAME_MAX_LEN)
++ return LOG_NAME_MAX_LEN;
++ return end - field;
++}
++
+ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
+ {
+ char *last_field = NULL;
+@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+ /* insure ap_escape_html will terminate correctly */
+ field[len - 1] = '\0';
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Size of a request header field "
+ "exceeds server limit.<br />\n"
+- "<pre>\n",
+- ap_escape_html(r->pool, field),
+- "</pre>\n", NULL));
++ "<pre>\n%.*s\n</pre>/n",
++ field_name_len(field),
++ ap_escape_html(r->pool, field)));
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "Request header exceeds LimitRequestFieldSize: "
++ "%.*s", field_name_len(field), field);
+ }
+ return;
+ }
+@@ -735,13 +748,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+ * overflow (last_field) as the field with the problem
+ */
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Size of a request header field "
+ "after folding "
+ "exceeds server limit.<br />\n"
+- "<pre>\n",
+- ap_escape_html(r->pool, last_field),
+- "</pre>\n", NULL));
++ "<pre>\n%.*s\n</pre>\n",
++ field_name_len(last_field),
++ ap_escape_html(r->pool, last_field)));
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "Request header exceeds LimitRequestFieldSize "
++ "after folding: %.*s",
++ field_name_len(last_field), last_field);
+ return;
+ }
+
+@@ -773,13 +790,18 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+ if (!(value = strchr(last_field, ':'))) { /* Find ':' or */
+ r->status = HTTP_BAD_REQUEST; /* abort bad request */
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Request header field is "
+ "missing ':' separator.<br />\n"
+- "<pre>\n",
++ "<pre>\n%.*s</pre>\n",
++ (int)LOG_NAME_MAX_LEN,
+ ap_escape_html(r->pool,
+- last_field),
+- "</pre>\n", NULL));
++ last_field)));
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Request header field is missing ':' "
++ "separator: %.*s", (int)LOG_NAME_MAX_LEN,
++ last_field);
++
+ return;
+ }
+
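Review bot: `"<pre>\n%.*s\n</pre>/n"` in the first hunk has `/n` where the other two hunks write `\n`, so the literal characters `/n` are emitted into the 400 body; change it to `"<pre>\n%.*s\n</pre>\n"`. A smaller residual in the same hunk: when the oversized line contains no ':' at all, field_name_len returns LOG_NAME_MAX_LEN and the first 80 bytes of the line, which in that case are not a field name (e.g. the start of an oversized folded continuation line), still go into error-notes and the log; returning 0 in the `end == NULL` case would make the cookie-hiding intent hold for that shape too. Note also that the `%.*s` precision is computed on the raw name but applied to the ap_escape_html output, so a name containing `&` or `<` can be cut in the middle of an entity; harmless for security, but worth a comment. ap_get_mime_headers_core continues beyond the last hunk.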