[SCM] Debian packaging for apache2 branch, squeeze, updated. d52b91fc66df864fc02278929125019240955ba5

Stefan Fritsch sf at sfritsch.de
Fri Sep 7 22:43:14 UTC 2012


The following commit has been merged in the squeeze branch:
commit d52b91fc66df864fc02278929125019240955ba5
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sat Sep 8 00:41:31 2012 +0200

    Fix CVE-2012-2687 in mod_negotiation

diff --git a/debian/changelog b/debian/changelog
index 3a2e962..f3b8034 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 apache2 (2.2.16-6+squeeze8) UNRELEASED; urgency=low
 
+  * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to
+    prevent a possible XSS vulnerability for a site where untrusted users
+    can upload files to a location with MultiViews enabled.
   * Send 408 status instead of 400 if reading of a request fails with a
     timeout. This allows browsers to retry. Closes: #677086
   * mod_cache: Prevent Partial Content responses from being cached and served
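Review bot: The new entry under 2.2.16-6+squeeze8 names the CVE but not the patch file that carries the fix or the upstream revision it backports. Appending something like "(097_CVE-2012-2687.dpatch, backport of upstream r1374421)" would let someone auditing the package map this changelog line to the code change without searching debian/patches.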
diff --git a/debian/patches/00list b/debian/patches/00list
index 733e804..4ec2917 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -38,6 +38,7 @@
 094_CVE-2012-0053.dpatch
 095_send_408_status.dpatch
 096_mod_cache_partial_content-2.2.x.dpatch
+097_CVE-2012-2687.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
diff --git a/debian/patches/097_CVE-2012-2687.dpatch b/debian/patches/097_CVE-2012-2687.dpatch
new file mode 100755
index 0000000..ba3c84b
--- /dev/null
+++ b/debian/patches/097_CVE-2012-2687.dpatch
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: low impact XSS in mod_negotiation
+## DP: backport of upstream r1374421
+diff --git a/modules/mappers/mod_negotiation.c b/modules/mappers/mod_negotiation.c
+index 25e6034..ef4a72a 100644
+--- a/modules/mappers/mod_negotiation.c
++++ b/modules/mappers/mod_negotiation.c
+@@ -2658,9 +2658,9 @@ static char *make_variant_list(request_rec *r, negotiation_state *neg)
+          * need to change the calculation of max_vlist_array above.
+          */
+         *((const char **) apr_array_push(arr)) = "<li><a href=\"";
+-        *((const char **) apr_array_push(arr)) = filename;
++        *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
+         *((const char **) apr_array_push(arr)) = "\">";
+-        *((const char **) apr_array_push(arr)) = filename;
++        *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
+         *((const char **) apr_array_push(arr)) = "</a> ";
+         *((const char **) apr_array_push(arr)) = description;
+ 
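Review bot: In make_variant_list, the `description` pushed right after `"</a> "` still goes into the generated variant list unescaped, while both uses of `filename` above it are now escaped. If the description can ever carry text influenced by the untrusted uploads the changelog entry mentions, it needs ap_escape_html(r->pool, description) as well; if it is always a trusted or already-escaped value, a `## DP:` line saying so would save the next reader the check. The number of apr_array_push calls per variant is unchanged, so the max_vlist_array calculation referred to in the context comment is not affected.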

-- 
Debian packaging for apache2


