[apache2] 01/03: CVE-2015-0228: mod_lua DoS

Stefan Fritsch sf at moszumanska.debian.org
Sun Mar 15 10:27:07 UTC 2015


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch master
in repository apache2.

commit b90b1ef7430d5cd890e1317075c5a95ab03a5aa3
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun Mar 15 10:35:44 2015 +0100

    CVE-2015-0228: mod_lua DoS
---
 debian/changelog                          |  2 ++
 debian/patches/CVE-2015-0228_mod_lua.diff | 53 +++++++++++++++++++++++++++++++
 debian/patches/series                     |  1 +
 3 files changed, 56 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 342ea62..f572a0c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
 apache2 (2.4.10-10) UNRELEASED; urgency=medium
 
+  * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in
+    wsupgrade().
   * Tweak mention of mod_access_compat in NEWS.Debian. The module does
     not really work in practice.
 
diff --git a/debian/patches/CVE-2015-0228_mod_lua.diff b/debian/patches/CVE-2015-0228_mod_lua.diff
new file mode 100644
index 0000000..1a4847b
--- /dev/null
+++ b/debian/patches/CVE-2015-0228_mod_lua.diff
@@ -0,0 +1,53 @@
+#commit 1f1375a2a615337d3fd1da2aad7a080243cbdcb7
+#Author: Eric Covener <covener at apache.org>
+#Date:   Wed Mar 4 19:18:27 2015 +0000
+#
+#    Merge r1657261 from trunk:
+#    
+#      *) SECURITY: CVE-2015-0228 (cve.mitre.org)
+#         mod_lua: A maliciously crafted websockets PING after a script
+#         calls r:wsupgrade() can cause a child process crash.
+#         [Edward Lu <Chaosed0 gmail.com>]
+#    
+#    Discovered by Guido Vranken <guidovranken gmail.com>
+#    
+#    Submitted by: Edward Lu
+#    Committed by: covener
+#    
+#    
+#    
+#    
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/modules/lua/lua_request.c
++++ apache2/modules/lua/lua_request.c
+@@ -2229,6 +2229,7 @@ static int lua_websocket_read(lua_State
+ {
+     apr_socket_t *sock;
+     apr_status_t rv;
++    int do_read = 1;
+     int n = 0;
+     apr_size_t len = 1;
+     apr_size_t plen = 0;
+@@ -2246,6 +2247,8 @@ static int lua_websocket_read(lua_State
+     mask_bytes = apr_pcalloc(r->pool, 4);
+     sock = ap_get_conn_socket(r->connection);
+ 
++    while (do_read) { 
++    do_read = 0;
+     /* Get opcode and FIN bit */
+     if (plaintext) {
+         rv = apr_socket_recv(sock, &byte, &len);
+@@ -2372,10 +2375,11 @@ static int lua_websocket_read(lua_State
+                 frame[0] = 0x8A;
+                 frame[1] = 0;
+                 apr_socket_send(sock, frame, &plen); /* Pong! */
+-                lua_websocket_read(L); /* read the next frame instead */
++                do_read = 1;
+             }
+         }
+     }
++    }
+     return 0;
+ }
+ 
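Review bot: In the lua_request.c patch, `n`, `len` and `plen` are initialised once above the new `while (do_read)` loop, so a pass triggered by `do_read = 1` in the ping branch starts with whatever the previous frame left in them, whereas the recursive call it replaces began with fresh locals. `len` is passed by address to `apr_socket_recv(sock, &byte, &len)`, which takes it as the buffer size on entry and overwrites it with the byte count, so it should be back at 1 before the opcode read into what is presumably a single-byte `byte`; resetting the state at the top of the loop would make that explicit, e.g. `do_read = 0; n = 0; len = 1; plen = 0;`. The body of lua_websocket_read between the inner hunks is not visible here, so confirm against the full function whether these variables can actually differ on a second pass. As a matter of style, the loop body keeps its old indentation and the `while (do_read) { ` line has trailing whitespace; a comment such as `/* loop instead of recursing: one pass per PING answered */` would explain the flag.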
diff --git a/debian/patches/series b/debian/patches/series
index 4dbaed9..f871db9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ mpm_event_use_after_free.diff
 mod_ssl_memleak.diff
 mod_ssl-oscp_stapling_crash.diff
 CVE-2014-8109_mod_lua.diff
+CVE-2015-0228_mod_lua.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


