[apache2] 03/04: CVE-2014-0118: mod_deflate DoS
Stefan Fritsch
sf at moszumanska.debian.org
Sat Aug 16 19:38:23 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch wheezy
in repository apache2.
commit fbc1b3765e4aca14088fbbd77468635b7efec734
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Wed Jul 23 23:32:58 2014 +0200
CVE-2014-0118: mod_deflate DoS
---
debian/changelog | 6 +
debian/patches/CVE-2014-0118_mod_deflate-DoS.patch | 284 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 291 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 11d20db..648aa5f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,12 @@ apache2 (2.2.22-13+deb7u3) UNRELEASED; urgency=medium
By default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
+ * CVE-2014-0118: mod_deflate: The DEFLATE input filter (inflates request
+ bodies) now limits the length and compression ratio of inflated request
+ bodies to avoid denial of sevice via highly compressed bodies.
+ By default, LimitRequestBody is applied after decompression. Fine-tuning
+ is possible with the new directives DeflateInflateLimitRequestBody,
+ DeflateInflateRatioLimit, and DeflateInflateRatioBurst.
-- Stefan Fritsch <sf at debian.org> Wed, 23 Jul 2014 23:13:37 +0200
diff --git a/debian/patches/CVE-2014-0118_mod_deflate-DoS.patch b/debian/patches/CVE-2014-0118_mod_deflate-DoS.patch
new file mode 100644
index 0000000..1b03185
--- /dev/null
+++ b/debian/patches/CVE-2014-0118_mod_deflate-DoS.patch
@@ -0,0 +1,284 @@
+# https://svn.apache.org/r1611426
+#
+# *) SECURITY: CVE-2014-0118 (cve.mitre.org)
+# mod_deflate: The DEFLATE input filter (inflates request bodies) now
+# limits the length and compression ratio of inflated request bodies to avoid
+# denial of sevice via highly compressed bodies. See directives
+# DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
+# and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
+#
+Index: apache2/modules/filters/mod_deflate.c
+===================================================================
+--- apache2.orig/modules/filters/mod_deflate.c
++++ apache2/modules/filters/mod_deflate.c
+@@ -37,6 +37,7 @@
+ #include "httpd.h"
+ #include "http_config.h"
+ #include "http_log.h"
++#include "http_core.h"
+ #include "apr_lib.h"
+ #include "apr_strings.h"
+ #include "apr_general.h"
+@@ -51,6 +52,9 @@
+ static const char deflateFilterName[] = "DEFLATE";
+ module AP_MODULE_DECLARE_DATA deflate_module;
+
++#define AP_INFLATE_RATIO_LIMIT 200
++#define AP_INFLATE_RATIO_BURST 3
++
+ typedef struct deflate_filter_config_t
+ {
+ int windowSize;
+@@ -62,6 +66,12 @@ typedef struct deflate_filter_config_t
+ char *note_output_name;
+ } deflate_filter_config;
+
++typedef struct deflate_dirconf_t {
++ apr_off_t inflate_limit;
++ int ratio_limit,
++ ratio_burst;
++} deflate_dirconf_t;
++
+ /* RFC 1952 Section 2.3 defines the gzip header:
+ *
+ * +---+---+---+---+---+---+---+---+---+---+
+@@ -193,6 +203,14 @@ static void *create_deflate_server_confi
+ return c;
+ }
+
++static void *create_deflate_dirconf(apr_pool_t *p, char *dummy)
++{
++ deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc));
++ dc->ratio_limit = AP_INFLATE_RATIO_LIMIT;
++ dc->ratio_burst = AP_INFLATE_RATIO_BURST;
++ return dc;
++}
++
+ static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
+@@ -284,6 +302,55 @@ static const char *deflate_set_compressi
+ return NULL;
+ }
+
++
++static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf,
++ const char *arg)
++{
++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
++ char *errp;
++
++ if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) {
++ return "DeflateInflateLimitRequestBody is not parsable.";
++ }
++ if (*errp || dc->inflate_limit < 0) {
++ return "DeflateInflateLimitRequestBody requires a non-negative integer.";
++ }
++
++ return NULL;
++}
++
++static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd,
++ void *dirconf,
++ const char *arg)
++{
++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
++ int i;
++
++ i = atoi(arg);
++ if (i <= 0)
++ return "DeflateInflateRatioLimit must be positive";
++
++ dc->ratio_limit = i;
++
++ return NULL;
++}
++
++static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd,
++ void *dirconf,
++ const char *arg)
++{
++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf;
++ int i;
++
++ i = atoi(arg);
++ if (i <= 0)
++ return "DeflateInflateRatioBurst must be positive";
++
++ dc->ratio_burst = i;
++
++ return NULL;
++}
++
+ typedef struct deflate_ctx_t
+ {
+ z_stream stream;
+@@ -294,8 +361,26 @@ typedef struct deflate_ctx_t
+ unsigned char *validation_buffer;
+ apr_size_t validation_buffer_length;
+ int inflate_init;
++ int ratio_hits;
++ apr_off_t inflate_total;
+ } deflate_ctx;
+
++/* Check whether the (inflate) ratio exceeds the configured limit/burst. */
++static int check_ratio(request_rec *r, deflate_ctx *ctx,
++ const deflate_dirconf_t *dc)
++{
++ if (ctx->stream.total_in) {
++ int ratio = ctx->stream.total_out / ctx->stream.total_in;
++ if (ratio < dc->ratio_limit) {
++ ctx->ratio_hits = 0;
++ }
++ else if (++ctx->ratio_hits > dc->ratio_burst) {
++ return 0;
++ }
++ }
++ return 1;
++}
++
+ /* Number of validation bytes (CRC and length) after the compressed data */
+ #define VALIDATION_SIZE 8
+ /* Do not update ctx->crc, see comment in flush_libz_buffer */
+@@ -744,6 +829,8 @@ static apr_status_t deflate_in_filter(ap
+ int zRC;
+ apr_status_t rv;
+ deflate_filter_config *c;
++ deflate_dirconf_t *dc;
++ apr_off_t inflate_limit;
+
+ /* just get out of the way of things we don't want. */
+ if (mode != AP_MODE_READBYTES) {
+@@ -751,6 +838,7 @@ static apr_status_t deflate_in_filter(ap
+ }
+
+ c = ap_get_module_config(r->server->module_config, &deflate_module);
++ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
+
+ if (!ctx) {
+ char deflate_hdr[10];
+@@ -803,11 +891,13 @@ static apr_status_t deflate_in_filter(ap
+ if (len != 10 ||
+ deflate_hdr[0] != deflate_magic[0] ||
+ deflate_hdr[1] != deflate_magic[1]) {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes");
+ return APR_EGENERAL;
+ }
+
+ /* We can't handle flags for now. */
+ if (deflate_hdr[3] != 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags");
+ return APR_EGENERAL;
+ }
+
+@@ -831,6 +921,12 @@ static apr_status_t deflate_in_filter(ap
+ apr_brigade_cleanup(ctx->bb);
+ }
+
++ inflate_limit = dc->inflate_limit;
++ if (inflate_limit == 0) {
++ /* The core is checking the deflated body, we'll check the inflated */
++ inflate_limit = ap_get_limit_req_body(f->r);
++ }
++
+ if (APR_BRIGADE_EMPTY(ctx->proc_bb)) {
+ rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes);
+
+@@ -863,6 +959,17 @@ static apr_status_t deflate_in_filter(ap
+
+ ctx->stream.next_out = ctx->buffer;
+ len = c->bufferSize - ctx->stream.avail_out;
++
++ ctx->inflate_total += len;
++ if (inflate_limit && ctx->inflate_total > inflate_limit) {
++ inflateEnd(&ctx->stream);
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content length of %" APR_OFF_T_FMT
++ " is larger than the configured limit"
++ " of %" APR_OFF_T_FMT,
++ ctx->inflate_total, inflate_limit);
++ return APR_ENOSPC;
++ }
+
+ ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
+ tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
+@@ -891,6 +998,26 @@ static apr_status_t deflate_in_filter(ap
+ ctx->stream.next_out = ctx->buffer;
+ len = c->bufferSize - ctx->stream.avail_out;
+
++ ctx->inflate_total += len;
++ if (inflate_limit && ctx->inflate_total > inflate_limit) {
++ inflateEnd(&ctx->stream);
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content length of %" APR_OFF_T_FMT
++ " is larger than the configured limit"
++ " of %" APR_OFF_T_FMT,
++ ctx->inflate_total, inflate_limit);
++ return APR_ENOSPC;
++ }
++
++ if (!check_ratio(r, ctx, dc)) {
++ inflateEnd(&ctx->stream);
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content ratio is larger than the "
++ "configured limit %i by %i time(s)",
++ dc->ratio_limit, dc->ratio_burst);
++ return APR_EINVAL;
++ }
++
+ ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len);
+ tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len,
+ NULL, f->c->bucket_alloc);
+@@ -1003,6 +1130,7 @@ static apr_status_t inflate_out_filter(a
+ int zRC;
+ apr_status_t rv;
+ deflate_filter_config *c;
++ deflate_dirconf_t *dc;
+
+ /* Do nothing if asked to filter nothing. */
+ if (APR_BRIGADE_EMPTY(bb)) {
+@@ -1010,6 +1138,7 @@ static apr_status_t inflate_out_filter(a
+ }
+
+ c = ap_get_module_config(r->server->module_config, &deflate_module);
++ dc = ap_get_module_config(r->per_dir_config, &deflate_module);
+
+ if (!ctx) {
+
+@@ -1272,6 +1401,14 @@ static apr_status_t inflate_out_filter(a
+ while (ctx->stream.avail_in != 0) {
+ if (ctx->stream.avail_out == 0) {
+
++ if (!check_ratio(r, ctx, dc)) {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
++ "Inflated content ratio is larger than the "
++ "configured limit %i by %i time(s)",
++ dc->ratio_limit, dc->ratio_burst);
++ return APR_EINVAL;
++ }
++
+ ctx->stream.next_out = ctx->buffer;
+ len = c->bufferSize - ctx->stream.avail_out;
+
+@@ -1346,12 +1483,20 @@ static const command_rec deflate_filter_
+ "Set the Deflate Memory Level (1-9)"),
+ AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF,
+ "Set the Deflate Compression Level (1-9)"),
++ AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL,
++ "Set a limit on size of inflated input"),
++ AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL,
++ "Set the inflate ratio limit above which inflation is "
++ "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"),
++ AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL,
++ "Set the maximum number of following inflate ratios above limit "
++ "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"),
+ {NULL}
+ };
+
+ module AP_MODULE_DECLARE_DATA deflate_module = {
+ STANDARD20_MODULE_STUFF,
+- NULL, /* dir config creater */
++ create_deflate_dirconf, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ create_deflate_server_config, /* server config */
+ NULL, /* merge server config */
diff --git a/debian/patches/series b/debian/patches/series
index 2bc954f..3d1d61f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -44,3 +44,4 @@ SSL-ECC.patch
mod_proxy-crash-PR_50335.patch
CVE-2014-0226_scoreboard.patch
CVE-2014-0231_mod_cgid-DoS.patch
+CVE-2014-0118_mod_deflate-DoS.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list