[apache2] 01/01: CVE-2013-1896 mod_dav DoS

Stefan Fritsch sf at moszumanska.debian.org
Sun Jan 26 12:33:51 UTC 2014 

This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch wheezy
in repository apache2.

commit a839737bd4d5be73529fe75ec3e1111fae2ceb2c
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun Jan 26 13:32:34 2014 +0100

    CVE-2013-1896 mod_dav DoS
---
 debian/changelog                   |  4 ++++
 debian/patches/CVE-2013-1896.patch | 29 +++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 34 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 62a6b68..5dc434f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,12 @@
 apache2 (2.2.22-13+wheezy1) UNRELEASED; urgency=low
 
+  Low impact security fixes:
   * CVE-2013-1862: mod_rewrite: Ensure that client data written to the
     RewriteLog is escaped to prevent terminal escape sequences from entering
     the log file. Closes: #722333
+  * CVE-2013-1896: mod_dav: denial of service via MERGE request.
+    Closes: #717272
+
   * Make apache2ctl create the necessary directories even if started with
     special options for apache2. Closes: #731531
   * Adjust paragraph in README.Debian about MaxMemFree not working properly.
diff --git a/debian/patches/CVE-2013-1896.patch b/debian/patches/CVE-2013-1896.patch
new file mode 100644
index 0000000..8d60f24
--- /dev/null
+++ b/debian/patches/CVE-2013-1896.patch
@@ -0,0 +1,29 @@
+Index: apache2/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2.orig/modules/dav/main/mod_dav.c
++++ apache2/modules/dav/main/mod_dav.c
+@@ -719,6 +719,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2655,11 +2661,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);
diff --git a/debian/patches/series b/debian/patches/series
index 52737dc..9425aae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,3 +36,4 @@ disable-ssl-compression.patch
 CVE-2012-3499_CVE-2012-4558_XSS.patch
 mod_log_forensic_693292.patch
 mod_rewrite-CVE-2013-1862.patch
+CVE-2013-1896.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git

More information about the Pkg-apache-commits mailing list