[apache2] 01/02: fix CVE-2014-8109 in mod_lua
Stefan Fritsch
sf at moszumanska.debian.org
Mon Dec 22 20:02:09 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch master
in repository apache2.
commit eaa56f957bbfc4c4ae62d6c3834f612db0b0e698
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Mon Dec 22 19:55:13 2014 +0100
fix CVE-2014-8109 in mod_lua
---
debian/changelog | 3 +
debian/patches/CVE-2014-8109_mod_lua.diff | 118 ++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 122 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 084860d..2086695 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
apache2 (2.4.10-9) UNRELEASED; urgency=medium
+ * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
+ LuaAuthzProvider is used in multiple Require directives with different
+ arguments.
* Also bump debhelper build-depends to get dh_installdeb with support for
symlink_to_dir. Closes: #770421
diff --git a/debian/patches/CVE-2014-8109_mod_lua.diff b/debian/patches/CVE-2014-8109_mod_lua.diff
new file mode 100644
index 0000000..ce18499
--- /dev/null
+++ b/debian/patches/CVE-2014-8109_mod_lua.diff
@@ -0,0 +1,118 @@
+# http://svn.apache.org/viewvc?view=revision&revision=r1642861
+#
+#commit 3f1693d558d0758f829c8b53993f1749ddf6ffcb
+#Author: Jim Jagielski <jim at apache.org>
+#Date: Tue Dec 2 12:50:59 2014 +0000
+#
+# Merge r1642499 from trunk:
+#
+# *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+# mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+# used in multiple Require directives with different arguments.
+# PR57204 [Edward Lu <Chaosed0 gmail.com>]
+#
+# Submitted By: Edward Lu
+# Committed By: covener
+#
+#
+# Submitted by: covener
+# Reviewed/backported by: jim
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642861 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/CHANGES
++++ apache2/CHANGES
+@@ -6,6 +6,11 @@ Changes with Apache 2.4.11
+ mod_cache: Avoid a crash when Content-Type has an empty value.
+ PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
+
++ *) SECURITY: CVE-2014-8109 (cve.mitre.org)
++ mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
++ used in multiple Require directives with different arguments.
++ PR57204 [Edward Lu <Chaosed0 gmail.com>]
++
+ *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+ core: HTTP trailers could be used to replace HTTP headers
+ late during request processing, potentially undoing or
+--- apache2.orig/modules/lua/mod_lua.c
++++ apache2/modules/lua/mod_lua.c
+@@ -66,9 +66,13 @@ typedef struct {
+ const char *file_name;
+ const char *function_name;
+ ap_lua_vm_spec *spec;
+- apr_array_header_t *args;
+ } lua_authz_provider_spec;
+
++typedef struct {
++ lua_authz_provider_spec *spec;
++ apr_array_header_t *args;
++} lua_authz_provider_func;
++
+ apr_hash_t *lua_authz_providers;
+
+ typedef struct
+@@ -1692,6 +1696,7 @@ static const char *lua_authz_parse(cmd_p
+ {
+ const char *provider_name;
+ lua_authz_provider_spec *spec;
++ lua_authz_provider_func *func = apr_pcalloc(cmd->pool, sizeof(lua_authz_provider_func));
+
+ apr_pool_userdata_get((void**)&provider_name, AUTHZ_PROVIDER_NAME_NOTE,
+ cmd->temp_pool);
+@@ -1699,16 +1704,17 @@ static const char *lua_authz_parse(cmd_p
+
+ spec = apr_hash_get(lua_authz_providers, provider_name, APR_HASH_KEY_STRING);
+ ap_assert(spec != NULL);
++ func->spec = spec;
+
+ if (require_line && *require_line) {
+ const char *arg;
+- spec->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
++ func->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
+ while ((arg = ap_getword_conf(cmd->pool, &require_line)) && *arg) {
+- APR_ARRAY_PUSH(spec->args, const char *) = arg;
++ APR_ARRAY_PUSH(func->args, const char *) = arg;
+ }
+ }
+
+- *parsed_require_line = spec;
++ *parsed_require_line = func;
+ return NULL;
+ }
+
+@@ -1722,7 +1728,8 @@ static authz_status lua_authz_check(requ
+ &lua_module);
+ const ap_lua_dir_cfg *cfg = ap_get_module_config(r->per_dir_config,
+ &lua_module);
+- const lua_authz_provider_spec *prov_spec = parsed_require_line;
++ const lua_authz_provider_func *prov_func = parsed_require_line;
++ const lua_authz_provider_spec *prov_spec = prov_func->spec;
+ int result;
+ int nargs = 0;
+
+@@ -1744,19 +1751,19 @@ static authz_status lua_authz_check(requ
+ return AUTHZ_GENERAL_ERROR;
+ }
+ ap_lua_run_lua_request(L, r);
+- if (prov_spec->args) {
++ if (prov_func->args) {
+ int i;
+- if (!lua_checkstack(L, prov_spec->args->nelts)) {
++ if (!lua_checkstack(L, prov_func->args->nelts)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02315)
+ "Error: authz provider %s: too many arguments", prov_spec->name);
+ ap_lua_release_state(L, spec, r);
+ return AUTHZ_GENERAL_ERROR;
+ }
+- for (i = 0; i < prov_spec->args->nelts; i++) {
+- const char *arg = APR_ARRAY_IDX(prov_spec->args, i, const char *);
++ for (i = 0; i < prov_func->args->nelts; i++) {
++ const char *arg = APR_ARRAY_IDX(prov_func->args, i, const char *);
+ lua_pushstring(L, arg);
+ }
+- nargs = prov_spec->args->nelts;
++ nargs = prov_func->args->nelts;
+ }
+ if (lua_pcall(L, 1 + nargs, 1, 0)) {
+ const char *err = lua_tostring(L, -1);
diff --git a/debian/patches/series b/debian/patches/series
index 3be72f8..4dbaed9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ CVE-2014-3583_mod_proxy_fcgi.diff
mpm_event_use_after_free.diff
mod_ssl_memleak.diff
mod_ssl-oscp_stapling_crash.diff
+CVE-2014-8109_mod_lua.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list