[apache2] 01/05: mod_proxy_fcgi: Fix DoS by fcgi script. CVE-2014-3583
Stefan Fritsch
sf at moszumanska.debian.org
Tue Nov 18 14:31:05 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch master
in repository apache2.
commit 12fa6b3740b9a5730c4bd53a15c1a9d5847e373d
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Tue Nov 18 14:33:43 2014 +0100
mod_proxy_fcgi: Fix DoS by fcgi script. CVE-2014-3583
---
debian/changelog | 3 ++
debian/patches/CVE-2014-3583_mod_proxy_fcgi.diff | 66 ++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 70 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c9878a2..c3ec3fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ apache2 (2.4.10-8) UNRELEASED; urgency=medium
* Bump dpkg Pre-Depends to version that supports relative symlinks in
dpkg-maintscript-helper's symlink_to_dir. Closes: #769821
+ * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi
+ script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even
+ though it does not seem to be exploitable.
-- Stefan Fritsch <sf at debian.org> Mon, 17 Nov 2014 00:38:07 +0100
diff --git a/debian/patches/CVE-2014-3583_mod_proxy_fcgi.diff b/debian/patches/CVE-2014-3583_mod_proxy_fcgi.diff
new file mode 100644
index 0000000..dc6b37a
--- /dev/null
+++ b/debian/patches/CVE-2014-3583_mod_proxy_fcgi.diff
@@ -0,0 +1,66 @@
+# http://svn.apache.org/viewvc?view=revision&revision=r1640036
+# mod_proxy_fcgi: SECURITY: CVE-2014-3583 (cve.mitre.org)
+# Fix a potential crash with response headers' size above 8K.
+#
+# The code changes to mod_authnz_fcgi keep the handle_headers()
+# function in sync between the two modules. mod_authnz_fcgi
+# does not have this issue because it allocated a separate byte
+# for terminating '\0'. Changes with Apache 2.5.0
+--- apache2.orig/modules/proxy/mod_proxy_fcgi.c
++++ apache2/modules/proxy/mod_proxy_fcgi.c
+@@ -308,13 +308,12 @@ enum {
+ *
+ * Returns 0 if it can't find the end of the headers, and 1 if it found the
+ * end of the headers. */
+-static int handle_headers(request_rec *r,
+- int *state,
+- char *readbuf)
++static int handle_headers(request_rec *r, int *state,
++ const char *readbuf, apr_size_t readlen)
+ {
+ const char *itr = readbuf;
+
+- while (*itr) {
++ while (readlen--) {
+ if (*itr == '\r') {
+ switch (*state) {
+ case HDR_STATE_GOT_CRLF:
+@@ -561,7 +560,8 @@ recv_again:
+ APR_BRIGADE_INSERT_TAIL(ob, b);
+
+ if (! seen_end_of_headers) {
+- int st = handle_headers(r, &header_state, iobuf);
++ int st = handle_headers(r, &header_state,
++ iobuf, readbuflen);
+
+ if (st == 1) {
+ int status;
+--- apache2.orig/modules/aaa/mod_authnz_fcgi.c
++++ apache2/modules/aaa/mod_authnz_fcgi.c
+@@ -406,13 +406,12 @@ enum {
+ *
+ * Returns 0 if it can't find the end of the headers, and 1 if it found the
+ * end of the headers. */
+-static int handle_headers(request_rec *r,
+- int *state,
+- char *readbuf)
++static int handle_headers(request_rec *r, int *state,
++ const char *readbuf, apr_size_t readlen)
+ {
+ const char *itr = readbuf;
+
+- while (*itr) {
++ while (readlen--) {
+ if (*itr == '\r') {
+ switch (*state) {
+ case HDR_STATE_GOT_CRLF:
+@@ -555,7 +554,8 @@ static apr_status_t handle_response(cons
+ APR_BRIGADE_INSERT_TAIL(ob, b);
+
+ if (!seen_end_of_headers) {
+- int st = handle_headers(r, &header_state, readbuf);
++ int st = handle_headers(r, &header_state,
++ readbuf, readbuflen);
+
+ if (st == 1) {
+ int status;
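Review bot: The comment block above `handle_headers()` in both mod_proxy_fcgi.c and mod_authnz_fcgi.c still documents only the return value, although the contract has changed from a NUL-terminated string to a length-delimited buffer. I would add a line such as `* readbuf need not be NUL-terminated; exactly readlen bytes are scanned.` so that a later caller does not fall back on a terminator that may not be there. The bound is only as good as the value passed at the two call sites, so it is worth confirming that `readbuflen` is the byte count of the current read and can never exceed the size of the buffer; that assignment lies outside the visible context. As a smaller style point, `while (readlen--)` leaves the unsigned `readlen` wrapped around once the loop runs to completion, which is harmless only if nothing later in the function reads it. The function body continues outside the hunk.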
diff --git a/debian/patches/series b/debian/patches/series
index 9945c54..4e784fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ build_suexec-custom.patch
pull_upstream_2.4.x_branch.patch
# This patch is applied manually
#suexec-custom.patch
+CVE-2014-3583_mod_proxy_fcgi.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git