[apache2] 02/04: CVE-2014-0231: mod_cgid DoS
Stefan Fritsch
sf at moszumanska.debian.org
Sat Aug 16 19:38:23 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch wheezy
in repository apache2.
commit b68d3a6dac18922905d1a551c14d5a2ac9b3843c
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Wed Jul 23 23:20:37 2014 +0200
CVE-2014-0231: mod_cgid DoS
---
debian/changelog | 6 +
debian/patches/CVE-2014-0231_mod_cgid-DoS.patch | 155 ++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 162 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0c2b3dc..11d20db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,12 @@ apache2 (2.2.22-13+deb7u3) UNRELEASED; urgency=medium
* CVE-2014-0226: Fix a race condition in scoreboard handling,
which could lead to a heap buffer overflow.
+ * CVE-2014-0231: mod_cgid: Fix a denial of service against CGI scripts
+ that do not consume stdin that could lead to lingering HTTPD child
+ processes filling up the scoreboard and eventually hanging the server.
+ By default, the client I/O timeout (Timeout directive) now applies to
+ communication with scripts. The CGIDScriptTimeout directive can be
+ used to set a different timeout for communication with scripts.
-- Stefan Fritsch <sf at debian.org> Wed, 23 Jul 2014 23:13:37 +0200
diff --git a/debian/patches/CVE-2014-0231_mod_cgid-DoS.patch b/debian/patches/CVE-2014-0231_mod_cgid-DoS.patch
new file mode 100644
index 0000000..494b07f
--- /dev/null
+++ b/debian/patches/CVE-2014-0231_mod_cgid-DoS.patch
@@ -0,0 +1,155 @@
+# https://svn.apache.org/r1611185
+#
+# *) SECURITY: CVE-2014-0231 (cve.mitre.org)
+# mod_cgid: Fix a denial of service against CGI scripts that do
+# not consume stdin that could lead to lingering HTTPD child processes
+# filling up the scoreboard and eventually hanging the server. By
+# default, the client I/O timeout (Timeout directive) now applies to
+# communication with scripts. The CGIDScriptTimeout directive can be
+# used to set a different timeout for communication with scripts.
+# [Rainer Jung, Eric Covener, Yann Ylavic]
+Index: apache2/modules/generators/mod_cgid.c
+===================================================================
+--- apache2.orig/modules/generators/mod_cgid.c
++++ apache2/modules/generators/mod_cgid.c
+@@ -93,6 +93,10 @@ static const char *sockname;
+ static pid_t parent_pid;
+ static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 };
+
++typedef struct {
++ apr_interval_time_t timeout;
++} cgid_dirconf;
++
+ /* The APR other-child API doesn't tell us how the daemon exited
+ * (SIGSEGV vs. exit(1)). The other-child maintenance function
+ * needs to decide whether to restart the daemon after a failure
+@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_
+ return overrides->logname ? overrides : base;
+ }
+
++static void *create_cgid_dirconf(apr_pool_t *p, char *dummy)
++{
++ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf));
++ return c;
++}
++
+ static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg)
++
+ {
+ server_rec *s = cmd->server;
+ cgid_server_conf *conf = ap_get_module_config(s->module_config,
+@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd
+
+ return NULL;
+ }
++static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg)
++{
++ cgid_dirconf *dc = dummy;
+
++ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) {
++ return "CGIDScriptTimeout has wrong format";
++ }
++
++ return NULL;
++}
+ static const command_rec cgid_cmds[] =
+ {
+ AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF,
+@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] =
+ AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF,
+ "the name of the socket to use for communication with "
+ "the cgi daemon."),
++ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF,
++ "The amount of time to wait between successful reads from "
++ "the CGI script, in seconds."),
++
+ {NULL}
+ };
+
+@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r)
+ apr_file_t *tempsock;
+ struct cleanup_script_info *info;
+ apr_status_t rv;
++ cgid_dirconf *dc;
+
+ if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script"))
+ return DECLINED;
+
+ conf = ap_get_module_config(r->server->module_config, &cgid_module);
++ dc = ap_get_module_config(r->per_dir_config, &cgid_module);
++
++
+ is_included = !strcmp(r->protocol, "INCLUDED");
+
+ if ((argv0 = strrchr(r->filename, '/')) != NULL)
+@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r)
+ */
+
+ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
++ if (dc->timeout > 0) {
++ apr_file_pipe_timeout_set(tempsock, dc->timeout);
++ }
++ else {
++ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
++ }
+ apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
+
+ if ((argv0 = strrchr(r->filename, '/')) != NULL)
+@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r)
+ if (rv != APR_SUCCESS) {
+ /* silly script stopped reading, soak up remaining message */
+ child_stopped_reading = 1;
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
++ "Error writing request body to script %s",
++ r->filename);
++
+ }
+ }
+ apr_brigade_cleanup(bb);
+@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r)
+ return HTTP_MOVED_TEMPORARILY;
+ }
+
+- ap_pass_brigade(r->output_filters, bb);
++ rv = ap_pass_brigade(r->output_filters, bb);
++ if (rv != APR_SUCCESS) {
++ /* APLOG_ERR because the core output filter message is at error,
++ * but doesn't know it's passing CGI output
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client");
++ }
+ }
+
+ if (nph) {
+@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ct
+ request_rec *r = f->r;
+ cgid_server_conf *conf = ap_get_module_config(r->server->module_config,
+ &cgid_module);
++ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module);
++
+ struct cleanup_script_info *info;
+
+ add_ssi_vars(r);
+@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ct
+ * get rid of the cleanup we registered when we created the socket.
+ */
+ apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool);
++ if (dc->timeout > 0) {
++ apr_file_pipe_timeout_set(tempsock, dc->timeout);
++ }
++ else {
++ apr_file_pipe_timeout_set(tempsock, r->server->timeout);
++ }
++
+ apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket);
+
+ APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock,
+@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p)
+
+ module AP_MODULE_DECLARE_DATA cgid_module = {
+ STANDARD20_MODULE_STUFF,
+- NULL, /* dir config creater */
++ create_cgid_dirconf, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ create_cgid_config, /* server config */
+ merge_cgid_config, /* merge server config */
diff --git a/debian/patches/series b/debian/patches/series
index 7493e68..2bc954f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -43,3 +43,4 @@ cookie-logging-CVE-2014-0098.diff
SSL-ECC.patch
mod_proxy-crash-PR_50335.patch
CVE-2014-0226_scoreboard.patch
+CVE-2014-0231_mod_cgid-DoS.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list