[apache2] 02/05: mod_log_config: Fix cookie logging bug related to CVE-2014-0098

Stefan Fritsch sf at moszumanska.debian.org
Sun May 25 15:43:59 UTC 2014



sf pushed a commit to branch wheezy
in repository apache2.

commit 73728670d5e9633f79da38c3fd72a26ea5c0043a
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun May 25 17:30:59 2014 +0200

    mod_log_config: Fix cookie logging bug related to CVE-2014-0098
---
 debian/changelog                                 |  4 ++
 debian/patches/cookie-logging-CVE-2014-0098.diff | 81 ++++++++++++++++++++++++
 debian/patches/series                            |  1 +
 3 files changed, 86 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index baa6fd2..39375ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ apache2 (2.2.22-13+deb7u2) UNRELEASED; urgency=medium
   * CVE-2013-6438: mod_dav: Fix potential denial of service from
     specifically crafted DAV WRITE requests.
 
+  * mod_log_config: Fix a bug that cookies whose values contain '=' would
+    only be logged partially. This is related to CVE-2014-0098, but Apache
+    2.2.22 is not vulnerable to that issue.
+
  -- Stefan Fritsch <sf at debian.org>  Sun, 30 Mar 2014 10:40:41 +0200
 
 apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium
diff --git a/debian/patches/cookie-logging-CVE-2014-0098.diff b/debian/patches/cookie-logging-CVE-2014-0098.diff
new file mode 100644
index 0000000..eab2cce
--- /dev/null
+++ b/debian/patches/cookie-logging-CVE-2014-0098.diff
@@ -0,0 +1,81 @@
+#commit 57beef76acf54b147116636b98f9e0ea56ee503f
+#Author: Rainer Jung <rjung at apache.org>
+#Date:   Sat Aug 18 09:32:36 2012 +0000
+#
+#    mod_log_config: %{abc}C truncates cookies whose values contain '='.
+#    PR 53104
+#
+#    Backport of r1328133 from trunk resp. r1359690 from 2.4.
+#
+#    Submitted by: gregames
+#    Reviewed by: trawick, wrowe
+#    Backported by: rjung
+#
+#
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374538 13f79535-47bb-0310-9956-ffa450edef68
+#
+#commit 4bab699bdccdd3f48943d6ae224a1253a9a1a0d2
+#Author: Ruediger Pluem <rpluem at apache.org>
+#Date:   Wed Mar 12 12:41:07 2014 +0000
+#
+#    Merge r1575400 from trunk:
+#
+#    CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
+#    Segfaults w/ truncated cookie logging.
+#
+#    Clean up the cookie logging parser to recognize only the cookie=value pairs,
+#    not valueless cookies.  This refactors multiple passes over the same string
+#    buffer into a single pass parser.
+#
+#    Submitted by: wrowe
+#    Reviewed by: rpluem, jim
+#
+#    Reviewed by: wrowe, ylavic, jim
+#
+#
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68
+#
+Index: apache2/modules/loggers/mod_log_config.c
+===================================================================
+--- apache2.orig/modules/loggers/mod_log_config.c
++++ apache2/modules/loggers/mod_log_config.c
+@@ -524,14 +524,24 @@
+ 
+         while ((cookie = apr_strtok(cookies, ";", &last1))) {
+             char *name = apr_strtok(cookie, "=", &last2);
+-            if (name) {
+-                char *value;
+-                apr_collapse_spaces(name, name);
++            /* last2 points to the next char following an '=' delim,
++               or the trailing NUL char of the string */
++            char *value = last2;
++            if (name && *name &&  value && *value) {
++                char *last = value - 2;
++                /* Move past leading WS */
++                name += strspn(name, " \t");
++                while (last >= name && apr_isspace(*last)) {
++                    *last = '\0';
++                    --last;
++                }
+ 
+-                if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
+-                    char *last;
+-                    value += strspn(value, " \t");  /* Move past leading WS */
+-                    last = value + strlen(value) - 1;
++                if (!strcasecmp(name, a)) {
++                    /* last1 points to the next char following the ';' delim,
++                       or the trailing NUL char of the string */
++                    last = last1 - (*last1 ? 2 : 1);
++                    /* Move past leading WS */
++                    value += strspn(value, " \t");
+                     while (last >= value && apr_isspace(*last)) {
+                        *last = '\0';
+                        --last;
+@@ -540,6 +550,7 @@
+                     return ap_escape_logitem(r->pool, value);
+                 }
+             }
++            /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
+             cookies = NULL;
+         }
+     }
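Review bot: The end-of-value computation `last = last1 - (*last1 ? 2 : 1);` in the strcasecmp branch cannot distinguish "no ';' found" from "';' was the last character of the header": in the latter case last1 also points at the string's terminating NUL, so `last` lands on the NUL that apr_strtok wrote over the ';', the trailing-whitespace loop stops immediately, and `Cookie: a=b ;` is logged as `b ` rather than `b`. Assuming apr_strtok leaves last1 at the terminator when the delimiter is the final character (consistent with the comment the patch adds just above that line), the robust form measures the token itself after skipping leading blanks: `value += strspn(value, " \t"); last = value + strlen(value) - 1;`. This is a logging-accuracy issue only, not a memory-safety one: `last >= value` bounds the loop, and `value - 2` and `last1 - 2` stay inside the token whenever the `*name && *value` checks pass, so the segfault class the CVE describes does not appear to survive here. The enclosing function starts before this hunk, so the declarations of `cookies`, `last1` and `a` are not visible.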
diff --git a/debian/patches/series b/debian/patches/series
index 2d87f6f..152ffbb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,3 +39,4 @@ mod_rewrite-CVE-2013-1862.patch
 CVE-2013-1896.patch
 mod_dav_crash_PR_52559.patch
 mod_dav-CVE-2013-6438.patch
+cookie-logging-CVE-2014-0098.diff
