[apache2] 01/05: CVE-2017-3167: ap_get_basic_auth_pw()

Stefan Fritsch sf at moszumanska.debian.org
Tue Jun 20 19:54:47 UTC 2017



sf pushed a commit to branch jessie
in repository apache2.

commit b184cf1582800584d6077dfbefecabc33530d79f
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Tue Jun 20 20:46:05 2017 +0200

    CVE-2017-3167: ap_get_basic_auth_pw()
---
 debian/changelog                  |   6 ++
 debian/patches/CVE-2017-3167.diff | 189 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series             |   1 +
 3 files changed, 196 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 88285c2..6787e03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache2 (2.4.10-10+deb8u9) UNRELEASED; urgency=medium
+
+  * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
+
+ -- Stefan Fritsch <sf at debian.org>  Tue, 20 Jun 2017 20:42:01 +0200
+
 apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium
 
   * CVE-2016-8743: Enforce more HTTP conformance for request lines and
diff --git a/debian/patches/CVE-2017-3167.diff b/debian/patches/CVE-2017-3167.diff
new file mode 100644
index 0000000..c22729b
--- /dev/null
+++ b/debian/patches/CVE-2017-3167.diff
@@ -0,0 +1,189 @@
+#commit 78f0f0b6585f13ec1175c7020ee01cd0237fc1ba
+#Author: Jim Jagielski <jim at apache.org>
+#Date:   Tue May 30 12:27:41 2017 +0000
+#
+#    Merge r1796348 from trunk:
+#    
+#    core: deprecate and replace ap_get_basic_auth_pw
+#    
+#      *) core: Deprecate ap_get_basic_auth_pw() and add
+#        ap_get_basic_auth_components().
+#    
+#    Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
+#    
+#    
+#    
+#    Submitted by: covener
+#    Reviewed by: covener, ylavic, jim
+#    
+#    
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796855 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/include/http_protocol.h
++++ apache2/include/http_protocol.h
+@@ -541,7 +541,11 @@ AP_DECLARE(void) ap_note_digest_auth_fai
+ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
+ 
+ /**
+- * Get the password from the request headers
++ * Get the password from the request headers. This function has multiple side
++ * effects due to its prior use in the old authentication framework.
++ * ap_get_basic_auth_components() should be preferred.
++ *
++ * @deprecated @see ap_get_basic_auth_components
+  * @param r The current request
+  * @param pw The password as set in the headers
+  * @return 0 (OK) if it set the 'pw' argument (and assured
+@@ -554,6 +558,25 @@ AP_DECLARE_HOOK(int, note_auth_failure,
+  */
+ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
+ 
++#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
++
++/**
++ * Get the username and/or password from the request's Basic authentication
++ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
++ * effects on the passed request_rec.
++ *
++ * @param r The current request
++ * @param username If not NULL, set to the username sent by the client
++ * @param password If not NULL, set to the password sent by the client
++ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
++ *         APR_EINVAL if there was no authentication header sent or if the
++ *         client was not using the Basic authentication scheme. username and
++ *         password are unchanged on failure.
++ */
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++                                                      const char **username,
++                                                      const char **password);
++
+ /**
+  * parse_uri: break apart the uri
+  * @warning Side Effects:
+--- apache2.orig/server/protocol.c
++++ apache2/server/protocol.c
+@@ -1592,6 +1592,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req
+ 
+     t = ap_pbase64decode(r->pool, auth_line);
+     r->user = ap_getword_nulls (r->pool, &t, ':');
++    apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
+     r->ap_auth_type = "Basic";
+ 
+     *pw = t;
+@@ -1599,6 +1600,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req
+     return OK;
+ }
+ 
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++                                                      const char **username,
++                                                      const char **password)
++{
++    const char *auth_header;
++    const char *credentials;
++    const char *decoded;
++    const char *user;
++
++    auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
++                                                  : "Authorization";
++    credentials = apr_table_get(r->headers_in, auth_header);
++
++    if (!credentials) {
++        /* No auth header. */
++        return APR_EINVAL;
++    }
++
++    if (strcasecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
++        /* These aren't Basic credentials. */
++        return APR_EINVAL;
++    }
++
++    while (*credentials == ' ' || *credentials == '\t') {
++        credentials++;
++    }
++
++    /* XXX Our base64 decoding functions don't actually error out if the string
++     * we give it isn't base64; they'll just silently stop and hand us whatever
++     * they've parsed up to that point.
++     *
++     * Since this function is supposed to be a drop-in replacement for the
++     * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
++     */
++    decoded = ap_pbase64decode(r->pool, credentials);
++    user = ap_getword_nulls(r->pool, &decoded, ':');
++
++    if (username) {
++        *username = user;
++    }
++    if (password) {
++        *password = decoded;
++    }
++
++    return APR_SUCCESS;
++}
++
+ struct content_length_ctx {
+     int data_sent;  /* true if the C-L filter has already sent at
+                      * least one bucket on to the next output filter
+--- apache2.orig/server/request.c
++++ apache2/server/request.c
+@@ -124,6 +124,8 @@ static int decl_die(int status, const ch
+ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
+ {
+     int access_status;
++    char *olduser = r->user;
++    int rv = FALSE;
+ 
+     switch (ap_satisfies(r)) {
+     case SATISFY_ALL:
+@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(r
+ 
+         access_status = ap_run_access_checker_ex(r);
+         if (access_status == DECLINED) {
+-            return TRUE;
++            rv = TRUE;
+         }
+ 
+         break;
+@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(r
+ 
+         access_status = ap_run_access_checker_ex(r);
+         if (access_status == DECLINED) {
+-            return TRUE;
++            rv = TRUE;
+         }
+ 
+         break;
+     }
+ 
+-    return FALSE;
++    r->user = olduser;
++    return rv;
+ }
+ 
+ /* This is the master logic for processing requests.  Do NOT duplicate
+@@ -259,6 +262,14 @@ AP_DECLARE(int) ap_process_request_inter
+         r->ap_auth_type = r->main->ap_auth_type;
+     }
+     else {
++        /* A module using a confusing API (ap_get_basic_auth_pw) caused
++        ** r->user to be filled out prior to check_authn hook. We treat
++        ** it is inadvertent.
++        */
++        if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { 
++            r->user = NULL;
++        }
++
+         switch (ap_satisfies(r)) {
+         case SATISFY_ALL:
+         case SATISFY_NOSPEC:
+--- apache2.orig/include/ap_mmn.h
++++ apache2/include/ap_mmn.h
+@@ -435,6 +435,8 @@
+  * 20120211.37 (2.4.11-dev) Add r->trailers_{in,out}
+  * 20120211.47 (2.4.13-dev) Add ap_some_authn_required, ap_force_authn hook.
+  *                          Deprecate broken ap_some_auth_required.
++ * 20120211.68 (2.4.26-dev) Add ap_get_basic_auth_components() and deprecate
++ *                          ap_get_basic_auth_pw()
+  */
+ 
+ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
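Review bot: In ap_get_basic_auth_components(), APR_SUCCESS does not mean the credentials were well-formed: the XXX comment notes that ap_pbase64decode() silently truncates on bad input, and nothing checks that the decoded string contained a ':' or that the username is non-empty, so a malformed header can still yield an "authenticated-looking" (empty or truncated) username/password pair. Since the commit deliberately keeps the decoding lax for 2.4.x, the header doc should say so; I would extend the `@return` text with `APR_SUCCESS does not imply the credentials were well-formed: the base64 payload may have been truncated and username or password may be empty. Callers must validate both before granting access.` The scheme check also splits only on ' ' via ap_getword() while the following loop skips both ' ' and '\t', so `Basic\t...` is rejected as non-Basic; if that asymmetry is intentional it deserves a one-line comment. Separately, ap_some_authn_required() now restores r->user but not r->ap_auth_type, which ap_get_basic_auth_pw() also sets to "Basic" (visible in the protocol.c hunk); whether that leak matters depends on code outside this hunk, so worth a look. The added `{ ` in ap_process_request_internal() carries trailing whitespace.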
diff --git a/debian/patches/series b/debian/patches/series
index afcc9c6..00a6572 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ CVE-2016-2161-mod_auth_digest_segfault.diff
 CVE-2016-0736-mod_session_crypto-padding-oracle.diff
 CVE-2016-8743-enforce_http.diff
 hostnames_with_underscores.diff
+CVE-2017-3167.diff
