[apache2] 01/02: Backport security fixes from 2.4.26:
Stefan Fritsch
sf at moszumanska.debian.org
Tue Jun 20 19:40:17 UTC 2017
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch master
in repository apache2.
commit cec0fbd98c3f5ac2914054e609dea20066af5c55
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Tue Jun 20 21:31:33 2017 +0200
Backport security fixes from 2.4.26:
---
debian/changelog | 11 ++
debian/patches/CVE-2017-3167.diff | 206 ++++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2017-3169.diff | 84 ++++++++++++++++
debian/patches/CVE-2017-7659.diff | 33 ++++++
debian/patches/CVE-2017-7668.diff | 34 +++++++
debian/patches/CVE-2017-7679.diff | 34 +++++++
debian/patches/series | 6 ++
7 files changed, 408 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 066eb19..460aadc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+apache2 (2.4.25-4) UNRELEASED; urgency=high
+
+ * Backport security fixes from 2.4.26:
+ * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
+ * CVE-2017-3169: mod_ssl NULL pointer dereference
+ * CVE-2017-7668: Buffer overrun in ap_find_token()
+ * CVE-2017-7679: mod_mime buffer overread
+ * CVE-2017-7659: mod_http2 NULL pointer dereference
+
+ -- Stefan Fritsch <sf at debian.org> Tue, 20 Jun 2017 21:29:11 +0200
+
apache2 (2.4.25-3) unstable; urgency=medium
* Fix detection of systemd to fix 'apache2ctl start' on sysv-init.
diff --git a/debian/patches/CVE-2017-3167.diff b/debian/patches/CVE-2017-3167.diff
new file mode 100644
index 0000000..22b41fc
--- /dev/null
+++ b/debian/patches/CVE-2017-3167.diff
@@ -0,0 +1,206 @@
+#commit 78f0f0b6585f13ec1175c7020ee01cd0237fc1ba
+#Author: Jim Jagielski <jim at apache.org>
+#Date: Tue May 30 12:27:41 2017 +0000
+#
+# Merge r1796348 from trunk:
+#
+# core: deprecate and replace ap_get_basic_auth_pw
+#
+# *) core: Deprecate ap_get_basic_auth_pw() and add
+# ap_get_basic_auth_components().
+#
+# Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
+#
+#
+#
+# Submitted by: covener
+# Reviewed by: covener, ylavic, jim
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796855 13f79535-47bb-0310-9956-ffa450edef68
+#
+diff --git a/include/ap_mmn.h b/include/ap_mmn.h
+index 124057ca7d..2764501833 100644
+--- a/include/ap_mmn.h
++++ b/include/ap_mmn.h
+@@ -494,6 +494,8 @@
+ * and ap_scan_vchar_obstext()
+ * Replaced fold boolean with with multiple bit flags
+ * to ap_[r]getline()
++ * 20120211.68 (2.4.26-dev) Add ap_get_basic_auth_components() and deprecate
++ * ap_get_basic_auth_pw()
+ */
+
+ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
+@@ -501,7 +503,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20120211
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 67 /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 68 /* 0...n */
+
+ /**
+ * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+diff --git a/include/http_protocol.h b/include/http_protocol.h
+index a9e09904bd..29d887c61e 100644
+--- a/include/http_protocol.h
++++ b/include/http_protocol.h
+@@ -558,7 +558,11 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
+ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
+
+ /**
+- * Get the password from the request headers
++ * Get the password from the request headers. This function has multiple side
++ * effects due to its prior use in the old authentication framework.
++ * ap_get_basic_auth_components() should be preferred.
++ *
++ * @deprecated @see ap_get_basic_auth_components
+ * @param r The current request
+ * @param pw The password as set in the headers
+ * @return 0 (OK) if it set the 'pw' argument (and assured
+@@ -571,6 +575,25 @@ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
+ */
+ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
+
++#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
++
++/**
++ * Get the username and/or password from the request's Basic authentication
++ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
++ * effects on the passed request_rec.
++ *
++ * @param r The current request
++ * @param username If not NULL, set to the username sent by the client
++ * @param password If not NULL, set to the password sent by the client
++ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
++ * APR_EINVAL if there was no authentication header sent or if the
++ * client was not using the Basic authentication scheme. username and
++ * password are unchanged on failure.
++ */
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++ const char **username,
++ const char **password);
++
+ /**
+ * parse_uri: break apart the uri
+ * @warning Side Effects:
+diff --git a/server/protocol.c b/server/protocol.c
+index 19d087cbea..ff44b3937c 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1593,6 +1593,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
+
+ t = ap_pbase64decode(r->pool, auth_line);
+ r->user = ap_getword_nulls (r->pool, &t, ':');
++ apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
+ r->ap_auth_type = "Basic";
+
+ *pw = t;
+@@ -1600,6 +1601,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
+ return OK;
+ }
+
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++ const char **username,
++ const char **password)
++{
++ const char *auth_header;
++ const char *credentials;
++ const char *decoded;
++ const char *user;
++
++ auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
++ : "Authorization";
++ credentials = apr_table_get(r->headers_in, auth_header);
++
++ if (!credentials) {
++ /* No auth header. */
++ return APR_EINVAL;
++ }
++
++ if (ap_cstr_casecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
++ /* These aren't Basic credentials. */
++ return APR_EINVAL;
++ }
++
++ while (*credentials == ' ' || *credentials == '\t') {
++ credentials++;
++ }
++
++ /* XXX Our base64 decoding functions don't actually error out if the string
++ * we give it isn't base64; they'll just silently stop and hand us whatever
++ * they've parsed up to that point.
++ *
++ * Since this function is supposed to be a drop-in replacement for the
++ * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
++ */
++ decoded = ap_pbase64decode(r->pool, credentials);
++ user = ap_getword_nulls(r->pool, &decoded, ':');
++
++ if (username) {
++ *username = user;
++ }
++ if (password) {
++ *password = decoded;
++ }
++
++ return APR_SUCCESS;
++}
++
+ struct content_length_ctx {
+ int data_sent; /* true if the C-L filter has already sent at
+ * least one bucket on to the next output filter
+diff --git a/server/request.c b/server/request.c
+index b2280cb5a8..fac5f8c7cd 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -124,6 +124,8 @@ static int decl_die(int status, const char *phase, request_rec *r)
+ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
+ {
+ int access_status;
++ char *olduser = r->user;
++ int rv = FALSE;
+
+ switch (ap_satisfies(r)) {
+ case SATISFY_ALL:
+@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
+
+ access_status = ap_run_access_checker_ex(r);
+ if (access_status == DECLINED) {
+- return TRUE;
++ rv = TRUE;
+ }
+
+ break;
+@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
+
+ access_status = ap_run_access_checker_ex(r);
+ if (access_status == DECLINED) {
+- return TRUE;
++ rv = TRUE;
+ }
+
+ break;
+ }
+
+- return FALSE;
++ r->user = olduser;
++ return rv;
+ }
+
+ /* This is the master logic for processing requests. Do NOT duplicate
+@@ -259,6 +262,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+ r->ap_auth_type = r->main->ap_auth_type;
+ }
+ else {
++ /* A module using a confusing API (ap_get_basic_auth_pw) caused
++ ** r->user to be filled out prior to check_authn hook. We treat
++ ** it is inadvertent.
++ */
++ if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) {
++ r->user = NULL;
++ }
++
+ switch (ap_satisfies(r)) {
+ case SATISFY_ALL:
+ case SATISFY_NOSPEC:
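Review bot: The docstring added above the ap_get_basic_auth_components prototype in http_protocol.h does not say that the implementation in protocol.c reads Proxy-Authorization instead of Authorization when r->proxyreq == PROXYREQ_PROXY; a line such as ` * For proxy requests (r->proxyreq == PROXYREQ_PROXY) the Proxy-Authorization header is consulted instead.` would save callers a trip to the source. Separately, the restore added at the end of ap_some_authn_required in request.c puts back r->user but not r->ap_auth_type, which ap_get_basic_auth_pw also assigns ("Basic"); whether that leftover value matters to later hooks cannot be decided from this hunk, but a matching `char *oldtype = r->ap_auth_type;` / `r->ap_auth_type = oldtype;` pair, or a comment saying why it is deliberately not restored, would make the intent explicit. The body of ap_get_basic_auth_pw starts outside the quoted hunk.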
diff --git a/debian/patches/CVE-2017-3169.diff b/debian/patches/CVE-2017-3169.diff
new file mode 100644
index 0000000..feb1c10
--- /dev/null
+++ b/debian/patches/CVE-2017-3169.diff
@@ -0,0 +1,84 @@
+#commit 54e0c857b1b019c147b778c09d5e72d99183ff61
+#Author: Jim Jagielski <jim at apache.org>
+#Date: Tue May 30 12:26:05 2017 +0000
+#
+# Merge r1796343 from trunk:
+#
+# mod_ssl: fix ctx passed to ssl_io_filter_error()
+#
+# Consistently pass the expected bio_filter_in_ctx_t
+# to ssl_io_filter_error().
+#
+# Submitted By: Yann Ylavic
+#
+#
+#
+# Submitted by: covener
+# Reviewed by: covener, ylavic, jim
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/modules/ssl/ssl_engine_io.c
++++ apache2/modules/ssl/ssl_engine_io.c
+@@ -877,20 +877,21 @@ static apr_status_t ssl_filter_write(ap_
+ * establish an outgoing SSL connection. */
+ #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
+
+-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
++static void ssl_io_filter_disable(SSLConnRec *sslconn,
++ bio_filter_in_ctx_t *inctx)
+ {
+- bio_filter_in_ctx_t *inctx = f->ctx;
+ SSL_free(inctx->ssl);
+ sslconn->ssl = NULL;
+ inctx->ssl = NULL;
+ inctx->filter_ctx->pssl = NULL;
+ }
+
+-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
++static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
+ apr_bucket_brigade *bb,
+ apr_status_t status,
+ int is_init)
+ {
++ ap_filter_t *f = inctx->f;
+ SSLConnRec *sslconn = myConnConfig(f->c);
+ apr_bucket *bucket;
+ int send_eos = 1;
+@@ -903,7 +904,7 @@ static apr_status_t ssl_io_filter_error(
+ "trying to send HTML error page");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
+
+- ssl_io_filter_disable(sslconn, f);
++ ssl_io_filter_disable(sslconn, inctx);
+ f->c->keepalive = AP_CONN_CLOSE;
+ if (is_init) {
+ sslconn->non_ssl_request = NON_SSL_SEND_REQLINE;
+@@ -1454,7 +1455,7 @@ static apr_status_t ssl_io_filter_input(
+ * rather than have SSLEngine On configured.
+ */
+ if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
+- return ssl_io_filter_error(f, bb, status, is_init);
++ return ssl_io_filter_error(inctx, bb, status, is_init);
+ }
+
+ if (is_init) {
+@@ -1508,7 +1509,7 @@ static apr_status_t ssl_io_filter_input(
+
+ /* Handle custom errors. */
+ if (status != APR_SUCCESS) {
+- return ssl_io_filter_error(f, bb, status, 0);
++ return ssl_io_filter_error(inctx, bb, status, 0);
+ }
+
+ /* Create a transient bucket out of the decrypted data. */
+@@ -1693,7 +1694,7 @@ static apr_status_t ssl_io_filter_output
+ inctx->block = APR_BLOCK_READ;
+
+ if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
+- return ssl_io_filter_error(f, bb, status, 0);
++ return ssl_io_filter_error(inctx, bb, status, 0);
+ }
+
+ while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) {
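Review bot: ssl_io_filter_error now derives its ap_filter_t from inctx->f, so the call changed in ssl_io_filter_output hands the input filter's f, not the output filter's, to myConnConfig(f->c) and to the f->c->keepalive assignment; that is fine if both filters belong to the same connection, as they presumably do, but nothing in the function states it. A short comment above `ap_filter_t *f = inctx->f;` such as `/* inctx->f is the input filter; output-side callers rely on it sharing f->c */` would record the assumption for the next reader. The remainder of ssl_io_filter_error, including any further use of f, lies outside the quoted hunks.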
diff --git a/debian/patches/CVE-2017-7659.diff b/debian/patches/CVE-2017-7659.diff
new file mode 100644
index 0000000..f89f318
--- /dev/null
+++ b/debian/patches/CVE-2017-7659.diff
@@ -0,0 +1,33 @@
+#commit 672187c168b94b562d8065e08e2cad5b00cdd0e3
+#Author: Stefan Eissing <icing at apache.org>
+#Date: Wed Feb 1 20:40:38 2017 +0000
+#
+# On the trunk:
+#
+# mod_http2: fix for crash when running out of memory. Initial patch by Robert Swiecki <robert at swiecki.net>
+#
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781304 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/modules/http2/h2_stream.c
++++ apache2/modules/http2/h2_stream.c
+@@ -286,11 +286,13 @@ apr_status_t h2_stream_set_request_rec(h
+ return APR_ECONNRESET;
+ }
+ status = h2_request_rcreate(&req, stream->pool, r);
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058)
+- "h2_request(%d): set_request_rec %s host=%s://%s%s",
+- stream->id, req->method, req->scheme, req->authority,
+- req->path);
+- stream->rtmp = req;
++ if (status == APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058)
++ "h2_request(%d): set_request_rec %s host=%s://%s%s",
++ stream->id, req->method, req->scheme, req->authority,
++ req->path);
++ stream->rtmp = req;
++ }
+ return status;
+ }
+
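Review bot: When h2_request_rcreate() fails, the new branch in h2_stream_set_request_rec returns the error status without any log line, so an out-of-memory or other failure on this path leaves no trace in the error log; an `else` with `ap_log_rerror(APLOG_MARK, APLOG_WARNING, status, r, APLOGNO(<new-tag>) "h2_request(%d): set_request_rec failed", stream->id);` would keep the failure visible to operators. Whether `req` is left NULL or uninitialized on failure is not visible here, so leaving `stream->rtmp` untouched in that case is the right choice. The start of the function is outside the hunk.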
diff --git a/debian/patches/CVE-2017-7668.diff b/debian/patches/CVE-2017-7668.diff
new file mode 100644
index 0000000..00b1dcd
--- /dev/null
+++ b/debian/patches/CVE-2017-7668.diff
@@ -0,0 +1,34 @@
+#commit a585e36e06a53170be6d2d462ceb5b30b8382988
+#Author: Jim Jagielski <jim at apache.org>
+#Date: Tue May 30 12:28:20 2017 +0000
+#
+# Merge r1796350 from trunk:
+#
+# short-circuit on NULL
+#
+# Submitted By: jchampion
+#
+#
+# Submitted by: covener
+# Reviewed by: covener, ylavic, jim
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796856 13f79535-47bb-0310-9956-ffa450edef68
+#
+diff --git a/server/util.c b/server/util.c
+index 6667ac2e46..830ce5b38b 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -1679,10 +1679,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
+
+ s = (const unsigned char *)line;
+ for (;;) {
+- /* find start of token, skip all stop characters, note NUL
+- * isn't a token stop, so we don't need to test for it
+- */
+- while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
++ /* find start of token, skip all stop characters */
++ while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+ ++s;
+ }
+ if (!*s) {
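Review bot: The inner loop in ap_find_token now tests `*s` before TEST_CHAR, which implies the T_HTTP_TOKEN_STOP class includes NUL (the removed comment claimed the opposite), yet the replacement comment no longer says why the guard is there; `/* find start of token, skip all stop characters; NUL is in the stop set, so test for end of string explicitly */` would keep that knowledge next to the loop. If TEST_CHAR is used further down in this function to scan over the token itself, the same end-of-string guard would be needed there, but the rest of the loop body is outside the hunk and cannot be checked here.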
diff --git a/debian/patches/CVE-2017-7679.diff b/debian/patches/CVE-2017-7679.diff
new file mode 100644
index 0000000..1c975aa
--- /dev/null
+++ b/debian/patches/CVE-2017-7679.diff
@@ -0,0 +1,34 @@
+#commit 398f3ddeb1ceb8ba710eadf7036a36a41e0e769a
+#Author: Eric Covener <covener at apache.org>
+#Date: Mon Jun 5 12:12:31 2017 +0000
+#
+# Merge 1797550 from trunk:
+#
+# mod_mime: fix quoted pair scanning
+#
+#
+# Submitted By: ylavic
+# Reviewed By: covener, ylavic, jim
+#
+#
+#
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1797653 13f79535-47bb-0310-9956-ffa450edef68
+#
+diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c
+index f92119b633..28c53be132 100644
+--- a/modules/http/mod_mime.c
++++ b/modules/http/mod_mime.c
+@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s)
+ int res = -1;
+ int c;
+
+- if (((s + 1) != NULL) && (*s == '\\')) {
++ if (*s == '\\') {
+ c = (int) *(s + 1);
+- if (apr_isascii(c)) {
++ if (c && apr_isascii(c)) {
+ res = 1;
+ }
+ }
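Review bot: `c = (int) *(s + 1)` in is_quoted_pair still goes through plain `char`, so on platforms where char is signed a byte >= 0x80 yields a negative c; if apr_isascii is implemented on top of <ctype.h>, a negative argument other than EOF is outside its domain, and `c = (int)(unsigned char) *(s + 1);` would make the new `c && apr_isascii(c)` check well-defined regardless of how the macro is built. The added `c &&` test correctly refuses to treat a backslash at the very end of the string as a quoted pair. The function's signature and the remainder of its body are outside the hunk.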
diff --git a/debian/patches/series b/debian/patches/series
index ff1313a..d46db24 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,9 @@ reproducible_builds.diff
fix_logresolve_segfault.patch
mpm_event_restart_segfault_PR60487.patch
+
+CVE-2017-3167.diff
+CVE-2017-3169.diff
+CVE-2017-7659.diff
+CVE-2017-7668.diff
+CVE-2017-7679.diff