[apache2] 02/05: CVE-2015-3185: add replacement for ap_some_auth_required

Stefan Fritsch sf at moszumanska.debian.org
Sat Aug 1 21:11:47 UTC 2015


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch jessie
in repository apache2.

commit ffd224e530dd3fcdcfdab1d4396099c954e905b5
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Tue Jun 9 23:57:36 2015 +0200

    CVE-2015-3185: add replacement for ap_some_auth_required
    
    ap_some_auth_required() cannot be fixed in 2.4
---
 debian/changelog                                   |   3 +
 .../CVE-2015-3185-ap_some_auth_required.diff       | 183 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 187 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6e8cedd..af8dbc8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 apache2 (2.4.10-10+deb8u1) UNRELEASED; urgency=medium
 
   * CVE-2015-3183: Fix chunk header parsing defect.
+  * CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an
+    unfixable way. Add a new replacement API ap_some_authn_required()
+    and ap_force_authn hook.
 
  -- Stefan Fritsch <sf at debian.org>  Tue, 09 Jun 2015 23:26:23 +0200
 
diff --git a/debian/patches/CVE-2015-3185-ap_some_auth_required.diff b/debian/patches/CVE-2015-3185-ap_some_auth_required.diff
new file mode 100644
index 0000000..09c4edc
--- /dev/null
+++ b/debian/patches/CVE-2015-3185-ap_some_auth_required.diff
@@ -0,0 +1,183 @@
+# https://svn.apache.org/r1684525
+--- apache2.orig/include/ap_mmn.h
++++ apache2/include/ap_mmn.h
+@@ -433,6 +433,8 @@
+                             to util_ldap_connection_t
+  * 20120211.36 (2.4.10-dev) Add ap_copy_scoreboard_worker()
+  * 20120211.37 (2.4.11-dev) Add r->trailers_{in,out}
++ * 20120211.47 (2.4.13-dev) Add ap_some_authn_required, ap_force_authn hook.
++ *                          Deprecate broken ap_some_auth_required.
+  */
+ 
+ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
+--- apache2.orig/include/http_request.h
++++ apache2/include/http_request.h
+@@ -185,6 +185,8 @@ AP_DECLARE(void) ap_internal_fast_redire
+  * is required for the current request
+  * @param r The current request
+  * @return 1 if authentication is required, 0 otherwise
++ * @bug Behavior changed in 2.4.x refactoring, API no longer usable
++ * @deprecated @see ap_some_authn_required()
+  */
+ AP_DECLARE(int) ap_some_auth_required(request_rec *r);
+ 
+@@ -539,6 +541,16 @@ AP_DECLARE_HOOK(void,insert_filter,(requ
+ AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r))
+ 
+ /**
++ * This hook allows a module to force authn to be required when
++ * processing a request.
++ * This hook should be registered with ap_hook_force_authn().
++ * @param r The current request
++ * @return OK (force authn), DECLINED (let later modules decide)
++ * @ingroup hooks
++ */
++AP_DECLARE_HOOK(int,force_authn,(request_rec *r))
++
++/**
+  * This hook allows modules to handle/emulate the apr_stat() calls
+  * needed for directory walk.
+  * @param finfo where to put the stat data
+@@ -584,6 +596,17 @@ AP_DECLARE(apr_bucket *) ap_bucket_eor_m
+ AP_DECLARE(apr_bucket *) ap_bucket_eor_create(apr_bucket_alloc_t *list,
+                                               request_rec *r);
+ 
++/**
++ * Can be used within any handler to determine if any authentication
++ * is required for the current request.  Note that if used with an
++ * access_checker hook, an access_checker_ex hook or an authz provider; the
++ * caller should take steps to avoid a loop since this function is
++ * implemented by calling these hooks.
++ * @param r The current request
++ * @return TRUE if authentication is required, FALSE otherwise
++ */
++AP_DECLARE(int) ap_some_authn_required(request_rec *r);
++
+ #ifdef __cplusplus
+ }
+ #endif
+--- apache2.orig/server/request.c
++++ apache2/server/request.c
+@@ -71,6 +71,7 @@ APR_HOOK_STRUCT(
+     APR_HOOK_LINK(create_request)
+     APR_HOOK_LINK(post_perdir_config)
+     APR_HOOK_LINK(dirwalk_stat)
++    APR_HOOK_LINK(force_authn)
+ )
+ 
+ AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name,
+@@ -97,6 +98,8 @@ AP_IMPLEMENT_HOOK_RUN_ALL(int, post_perd
+ AP_IMPLEMENT_HOOK_RUN_FIRST(apr_status_t,dirwalk_stat,
+                             (apr_finfo_t *finfo, request_rec *r, apr_int32_t wanted),
+                             (finfo, r, wanted), AP_DECLINED)
++AP_IMPLEMENT_HOOK_RUN_FIRST(int,force_authn,
++                          (request_rec *r), (r), DECLINED)
+ 
+ static int auth_internal_per_conf = 0;
+ static int auth_internal_per_conf_hooks = 0;
+@@ -118,6 +121,39 @@ static int decl_die(int status, const ch
+     }
+ }
+ 
++AP_DECLARE(int) ap_some_authn_required(request_rec *r)
++{
++    int access_status;
++
++    switch (ap_satisfies(r)) {
++    case SATISFY_ALL:
++    case SATISFY_NOSPEC:
++        if ((access_status = ap_run_access_checker(r)) != OK) {
++            break;
++        }
++
++        access_status = ap_run_access_checker_ex(r);
++        if (access_status == DECLINED) {
++            return TRUE;
++        }
++
++        break;
++    case SATISFY_ANY:
++        if ((access_status = ap_run_access_checker(r)) == OK) {
++            break;
++        }
++
++        access_status = ap_run_access_checker_ex(r);
++        if (access_status == DECLINED) {
++            return TRUE;
++        }
++
++        break;
++    }
++
++    return FALSE;
++}
++
+ /* This is the master logic for processing requests.  Do NOT duplicate
+  * this logic elsewhere, or the security model will be broken by future
+  * API changes.  Each phase must be individually optimized to pick up
+@@ -232,15 +268,8 @@ AP_DECLARE(int) ap_process_request_inter
+             }
+ 
+             access_status = ap_run_access_checker_ex(r);
+-            if (access_status == OK) {
+-                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+-                              "request authorized without authentication by "
+-                              "access_checker_ex hook: %s", r->uri);
+-            }
+-            else if (access_status != DECLINED) {
+-                return decl_die(access_status, "check access", r);
+-            }
+-            else {
++            if (access_status == DECLINED
++                || (access_status == OK && ap_run_force_authn(r) == OK)) {
+                 if ((access_status = ap_run_check_user_id(r)) != OK) {
+                     return decl_die(access_status, "check user", r);
+                 }
+@@ -258,6 +287,14 @@ AP_DECLARE(int) ap_process_request_inter
+                     return decl_die(access_status, "check authorization", r);
+                 }
+             }
++            else if (access_status == OK) {
++                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
++                              "request authorized without authentication by "
++                              "access_checker_ex hook: %s", r->uri);
++            }
++            else {
++                return decl_die(access_status, "check access", r);
++            }
+             break;
+         case SATISFY_ANY:
+             if ((access_status = ap_run_access_checker(r)) == OK) {
+@@ -269,15 +306,8 @@ AP_DECLARE(int) ap_process_request_inter
+             }
+ 
+             access_status = ap_run_access_checker_ex(r);
+-            if (access_status == OK) {
+-                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
+-                              "request authorized without authentication by "
+-                              "access_checker_ex hook: %s", r->uri);
+-            }
+-            else if (access_status != DECLINED) {
+-                return decl_die(access_status, "check access", r);
+-            }
+-            else {
++            if (access_status == DECLINED
++                || (access_status == OK && ap_run_force_authn(r) == OK)) {
+                 if ((access_status = ap_run_check_user_id(r)) != OK) {
+                     return decl_die(access_status, "check user", r);
+                 }
+@@ -295,6 +325,14 @@ AP_DECLARE(int) ap_process_request_inter
+                     return decl_die(access_status, "check authorization", r);
+                 }
+             }
++            else if (access_status == OK) {
++                ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
++                              "request authorized without authentication by "
++                              "access_checker_ex hook: %s", r->uri);
++            }
++            else {
++                return decl_die(access_status, "check access", r);
++            }
+             break;
+         }
+     }
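Review bot: ap_some_authn_required() in server/request.c returns TRUE only when access_checker_ex yields DECLINED, whereas the reworked branches of ap_process_request_internal also run authentication when the result is OK and `ap_run_force_authn(r) == OK`, so the helper can report FALSE for a request the core goes on to authenticate. A module that uses the helper to decide whether credentials will be checked would then disagree with the core. Either mirror the core's test in both switch arms, `if (access_status == DECLINED || (access_status == OK && ap_run_force_authn(r) == OK))`, or state in the http_request.h doc comment that hook-forced authentication is not reported. The new function also sits directly above the "Do NOT duplicate this logic elsewhere" comment, so a short comment tying the two copies together would help keep them in step; ap_process_request_internal's body extends beyond the quoted hunks.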
diff --git a/debian/patches/series b/debian/patches/series
index 43c3bc8..e387a2d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ mod_ssl-oscp_stapling_crash.diff
 CVE-2014-8109_mod_lua.diff
 CVE-2015-0228_mod_lua.diff
 CVE-2015-3183-chunk-header-parsing.diff
+CVE-2015-3185-ap_some_auth_required.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


