[apache2] 01/03: CVE-2015-0228: mod_lua DoS
Stefan Fritsch
sf at moszumanska.debian.org
Sun Mar 15 10:27:07 UTC 2015
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch master
in repository apache2.
commit b90b1ef7430d5cd890e1317075c5a95ab03a5aa3
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sun Mar 15 10:35:44 2015 +0100
CVE-2015-0228: mod_lua DoS
---
debian/changelog | 2 ++
debian/patches/CVE-2015-0228_mod_lua.diff | 53 +++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 56 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 342ea62..f572a0c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
apache2 (2.4.10-10) UNRELEASED; urgency=medium
+ * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
+ wsupgrade().
* Tweak mention of mod_access_compat in NEWS.Debian. The module does
not really work in practice.
diff --git a/debian/patches/CVE-2015-0228_mod_lua.diff b/debian/patches/CVE-2015-0228_mod_lua.diff
new file mode 100644
index 0000000..1a4847b
--- /dev/null
+++ b/debian/patches/CVE-2015-0228_mod_lua.diff
@@ -0,0 +1,53 @@
+#commit 1f1375a2a615337d3fd1da2aad7a080243cbdcb7
+#Author: Eric Covener <covener at apache.org>
+#Date: Wed Mar 4 19:18:27 2015 +0000
+#
+# Merge r1657261 from trunk:
+#
+# *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+# mod_lua: A maliciously crafted websockets PING after a script
+# calls r:wsupgrade() can cause a child process crash.
+# [Edward Lu <Chaosed0 gmail.com>]
+#
+# Discovered by Guido Vranken <guidovranken gmail.com>
+#
+# Submitted by: Edward Lu
+# Committed by: covener
+#
+#
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/modules/lua/lua_request.c
++++ apache2/modules/lua/lua_request.c
+@@ -2229,6 +2229,7 @@ static int lua_websocket_read(lua_State
+ {
+ apr_socket_t *sock;
+ apr_status_t rv;
++ int do_read = 1;
+ int n = 0;
+ apr_size_t len = 1;
+ apr_size_t plen = 0;
+@@ -2246,6 +2247,8 @@ static int lua_websocket_read(lua_State
+ mask_bytes = apr_pcalloc(r->pool, 4);
+ sock = ap_get_conn_socket(r->connection);
+
++ while (do_read) {
++ do_read = 0;
+ /* Get opcode and FIN bit */
+ if (plaintext) {
+ rv = apr_socket_recv(sock, &byte, &len);
+@@ -2372,10 +2375,11 @@ static int lua_websocket_read(lua_State
+ frame[0] = 0x8A;
+ frame[1] = 0;
+ apr_socket_send(sock, frame, &plen); /* Pong! */
+- lua_websocket_read(L); /* read the next frame instead */
++ do_read = 1;
+ }
+ }
+ }
++ }
+ return 0;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 4dbaed9..f871db9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ mpm_event_use_after_free.diff
mod_ssl_memleak.diff
mod_ssl-oscp_stapling_crash.diff
CVE-2014-8109_mod_lua.diff
+CVE-2015-0228_mod_lua.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list