[apache2] 02/02: CVE-2013-1896 mod_dav DoS

Mon Jan 27 21:38:41 UTC 2014

This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch squeeze
in repository apache2.

commit 352d5e16eb597557f4adeec67652c4b3b7e0d0cb
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun Jan 26 13:32:34 2014 +0100

    CVE-2013-1896 mod_dav DoS
---
 debian/changelog                        |  4 +++-
 debian/patches/00list                   |  1 +
 debian/patches/304_CVE-2013-1896.dpatch | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 3904abc..88364de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,11 @@
 apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium
 
-  Low impact security issues:
+  Low impact security fixes:
   * CVE-2013-1862: mod_rewrite: Ensure that client data written to the
     RewriteLog is escaped to prevent terminal escape sequences from entering
     the log file. Closes: #722333
+  * CVE-2013-1896: mod_dav: denial of service via MERGE request.
+    Closes: #717272
 
  -- Stefan Fritsch <sf at debian.org>  Sun, 03 Mar 2013 12:25:22 +0100
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 6ac8222..9282ed8 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -47,3 +47,4 @@
 301_CVE-2012-4557_proxy_ajp.dpatch
 302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch
 303_mod_rewrite-CVE-2013-1862.dpatch
+304_CVE-2013-1896.dpatch
diff --git a/debian/patches/304_CVE-2013-1896.dpatch b/debian/patches/304_CVE-2013-1896.dpatch
new file mode 100755
index 0000000..4efe9fd
--- /dev/null
+++ b/debian/patches/304_CVE-2013-1896.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+#
+ at DPATCH@
+Index: apache2/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2.orig/modules/dav/main/mod_dav.c
++++ apache2/modules/dav/main/mod_dav.c
+@@ -719,6 +719,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2655,11 +2661,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git

