[apache2] 01/01: CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
Stefan Fritsch
sf at moszumanska.debian.org
Tue Jul 18 18:47:51 UTC 2017
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch stretch
in repository apache2.
commit b2010cb906696f5aff3b75765de0ac04a4ca6c6d
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Tue Jul 18 20:30:14 2017 +0200
CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
---
debian/changelog | 6 +++++
debian/patches/CVE-2017-9788-mod_auth_digest.diff | 28 +++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 35 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 99b5c16..51ef728 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache2 (2.4.25-3+deb9u2) stretch-security; urgency=medium
+
+ * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
+
+ -- Stefan Fritsch <sf at debian.org> Tue, 18 Jul 2017 20:37:33 +0200
+
apache2 (2.4.25-3+deb9u1) stretch-security; urgency=high
* Backport security fixes from 2.4.26:
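Review bot: the new 2.4.25-3+deb9u2 changelog entry names the CVE but gives no pointer to the upstream change. The patch file added in this same commit cites svn revision 1800955, and naming that revision in the entry would let someone reading only the changelog trace the fix. The urgency is also medium here while the preceding 2.4.25-3+deb9u1 entry is high; if that is intentional, a word in the entry on why would help.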
diff --git a/debian/patches/CVE-2017-9788-mod_auth_digest.diff b/debian/patches/CVE-2017-9788-mod_auth_digest.diff
new file mode 100644
index 0000000..4426088
--- /dev/null
+++ b/debian/patches/CVE-2017-9788-mod_auth_digest.diff
@@ -0,0 +1,28 @@
+# https://svn.apache.org/viewvc?view=revision&revision=1800955
+--- apache2.orig/modules/aaa/mod_auth_digest.c
++++ apache2/modules/aaa/mod_auth_digest.c
+@@ -956,13 +956,13 @@ static int get_digest_rec(request_rec *r
+
+ /* find value */
+
++ vv = 0;
+ if (auth_line[0] == '=') {
+ auth_line++;
+ while (apr_isspace(auth_line[0])) {
+ auth_line++;
+ }
+
+- vv = 0;
+ if (auth_line[0] == '\"') { /* quoted string */
+ auth_line++;
+ while (auth_line[0] != '\"' && auth_line[0] != '\0') {
+@@ -981,8 +981,8 @@ static int get_digest_rec(request_rec *r
+ value[vv++] = *auth_line++;
+ }
+ }
+- value[vv] = '\0';
+ }
++ value[vv] = '\0';
+
+ while (auth_line[0] != ',' && auth_line[0] != '\0') {
+ auth_line++;
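Review bot: the header of CVE-2017-9788-mod_auth_digest.diff is only a bare svn URL, so the file never says which input triggers the bug. Add a short Description/Origin header stating that `vv = 0` and `value[vv] = '\0'` are hoisted out of the `if (auth_line[0] == '=')` block, so that a key with no '=' leaves `value` as an empty, terminated string rather than whatever the buffer held before. It is also worth confirming that the code after this loop, which is not visible in these hunks, treats an empty `value` for a key as a missing or invalid field rather than as a legitimate empty one.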
diff --git a/debian/patches/series b/debian/patches/series
index d46db24..dcdf8c3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ CVE-2017-3169.diff
CVE-2017-7659.diff
CVE-2017-7668.diff
CVE-2017-7679.diff
+CVE-2017-9788-mod_auth_digest.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git