[apache2] 02/05: mod_log_config: Fix cookie logging bug related to CVE-2014-0098
Stefan Fritsch
sf at moszumanska.debian.org
Sun May 25 15:43:59 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch wheezy
in repository apache2.
commit 73728670d5e9633f79da38c3fd72a26ea5c0043a
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sun May 25 17:30:59 2014 +0200
mod_log_config: Fix cookie logging bug related to CVE-2014-0098
---
debian/changelog | 4 ++
debian/patches/cookie-logging-CVE-2014-0098.diff | 81 ++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 86 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index baa6fd2..39375ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ apache2 (2.2.22-13+deb7u2) UNRELEASED; urgency=medium
* CVE-2013-6438: mod_dav: Fix potential denial of service from
specifically crafted DAV WRITE requests.
+ * mod_log_config: Fix a bug that cookies whose values contain '=' would
+ only be logged partially. This is related to CVE-2014-0098, but Apache
+ 2.2.22 is not vulnerable to that issue.
+
-- Stefan Fritsch <sf at debian.org> Sun, 30 Mar 2014 10:40:41 +0200
apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium
diff --git a/debian/patches/cookie-logging-CVE-2014-0098.diff b/debian/patches/cookie-logging-CVE-2014-0098.diff
new file mode 100644
index 0000000..eab2cce
--- /dev/null
+++ b/debian/patches/cookie-logging-CVE-2014-0098.diff
@@ -0,0 +1,81 @@
+#commit 57beef76acf54b147116636b98f9e0ea56ee503f
+#Author: Rainer Jung <rjung at apache.org>
+#Date: Sat Aug 18 09:32:36 2012 +0000
+#
+# mod_log_config: %{abc}C truncates cookies whose values contain '='.
+# PR 53104
+#
+# Backport of r1328133 from trunk resp. r1359690 from 2.4.
+#
+# Submitted by: gregames
+# Reviewed by: trawick, wrowe
+# Backported by: rjung
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374538 13f79535-47bb-0310-9956-ffa450edef68
+#
+#commit 4bab699bdccdd3f48943d6ae224a1253a9a1a0d2
+#Author: Ruediger Pluem <rpluem at apache.org>
+#Date: Wed Mar 12 12:41:07 2014 +0000
+#
+# Merge r1575400 from trunk:
+#
+# CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>)
+# Segfaults w/ truncated cookie logging.
+#
+# Clean up the cookie logging parser to recognize only the cookie=value pairs,
+# not valueless cookies. This refactors multiple passes over the same string
+# buffer into a single pass parser.
+#
+# Submitted by: wrowe
+# Reviewed by: rpluem, jim
+#
+# Reviewed by: wrowe, ylavic, jim
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68
+#
+Index: apache2/modules/loggers/mod_log_config.c
+===================================================================
+--- apache2.orig/modules/loggers/mod_log_config.c
++++ apache2/modules/loggers/mod_log_config.c
+@@ -524,14 +524,24 @@
+
+ while ((cookie = apr_strtok(cookies, ";", &last1))) {
+ char *name = apr_strtok(cookie, "=", &last2);
+- if (name) {
+- char *value;
+- apr_collapse_spaces(name, name);
++ /* last2 points to the next char following an '=' delim,
++ or the trailing NUL char of the string */
++ char *value = last2;
++ if (name && *name && value && *value) {
++ char *last = value - 2;
++ /* Move past leading WS */
++ name += strspn(name, " \t");
++ while (last >= name && apr_isspace(*last)) {
++ *last = '\0';
++ --last;
++ }
+
+- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
+- char *last;
+- value += strspn(value, " \t"); /* Move past leading WS */
+- last = value + strlen(value) - 1;
++ if (!strcasecmp(name, a)) {
++ /* last1 points to the next char following the ';' delim,
++ or the trailing NUL char of the string */
++ last = last1 - (*last1 ? 2 : 1);
++ /* Move past leading WS */
++ value += strspn(value, " \t");
+ while (last >= value && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+@@ -540,6 +550,7 @@
+ return ap_escape_logitem(r->pool, value);
+ }
+ }
++ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
+ cookies = NULL;
+ }
+ }
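Review bot: In the value branch, `last = last1 - (*last1 ? 2 : 1);` skips the trailing-whitespace trim when the Cookie header ends with a ';' (a constructed example is `a=b ;`): apr_strtok has already overwritten that ';' with NUL and left last1 on the string terminator, so the `1` case is taken and `last` lands on the NUL that replaced the ';', where apr_isspace() is false. The pointer stays inside the buffer and the result still passes through ap_escape_logitem(), so this looks like a logging inconsistency rather than a memory-safety problem. Because the token is already NUL-terminated at that point, `last = value + strlen(value) - 1;` would handle all three cases (more cookies follow, end of string, trailing ';') without inspecting last1. Separately, `char *value = last2;` copies last2 even when the inner apr_strtok returns NULL, in which case it appears not to store to last2; whether last2 is initialised cannot be seen here because the declarations and the rest of the function lie outside the hunk.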
diff --git a/debian/patches/series b/debian/patches/series
index 2d87f6f..152ffbb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,3 +39,4 @@ mod_rewrite-CVE-2013-1862.patch
CVE-2013-1896.patch
mod_dav_crash_PR_52559.patch
mod_dav-CVE-2013-6438.patch
+cookie-logging-CVE-2014-0098.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git