[apache2] 02/05: CVE-2017-3169: mod_ssl NULL pointer dereference
Stefan Fritsch
sf at moszumanska.debian.org
Tue Jun 20 19:54:47 UTC 2017
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch jessie
in repository apache2.
commit 88ffa665a74fbda6797e94f05c3e0e3307e189a0
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Tue Jun 20 20:56:46 2017 +0200
CVE-2017-3169: mod_ssl NULL pointer dereference
---
debian/changelog | 1 +
debian/patches/CVE-2017-3169.diff | 85 +++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 87 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 6787e03..87b6af0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
apache2 (2.4.10-10+deb8u9) UNRELEASED; urgency=medium
* CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
+ * CVE-2017-3169: mod_ssl NULL pointer dereference
-- Stefan Fritsch <sf at debian.org> Tue, 20 Jun 2017 20:42:01 +0200
diff --git a/debian/patches/CVE-2017-3169.diff b/debian/patches/CVE-2017-3169.diff
new file mode 100644
index 0000000..c218bf7
--- /dev/null
+++ b/debian/patches/CVE-2017-3169.diff
@@ -0,0 +1,85 @@
+# backport https://svn.apache.org/r796854
+#Author: Jim Jagielski <jim at apache.org>
+#Date: Tue May 30 12:26:05 2017 +0000
+#
+# Merge r1796343 from trunk:
+#
+# mod_ssl: fix ctx passed to ssl_io_filter_error()
+#
+# Consistently pass the expected bio_filter_in_ctx_t
+# to ssl_io_filter_error().
+#
+# Submitted By: Yann Ylavic
+#
+#
+#
+# Submitted by: covener
+# Reviewed by: covener, ylavic, jim
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
+#
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 7f60cc2737..6702367035 100644
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -845,19 +845,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
+ * establish an outgoing SSL connection. */
+ #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
+
+-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
++static void ssl_io_filter_disable(SSLConnRec *sslconn,
++ bio_filter_in_ctx_t *inctx)
+ {
+- bio_filter_in_ctx_t *inctx = f->ctx;
+ SSL_free(inctx->ssl);
+ sslconn->ssl = NULL;
+ inctx->ssl = NULL;
+ inctx->filter_ctx->pssl = NULL;
+ }
+
+-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
++static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
+ apr_bucket_brigade *bb,
+ apr_status_t status)
+ {
++ ap_filter_t *f = inctx->f;
+ SSLConnRec *sslconn = myConnConfig(f->c);
+ apr_bucket *bucket;
+ int send_eos = 1;
+@@ -871,7 +872,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
+
+ sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
+- ssl_io_filter_disable(sslconn, f);
++ ssl_io_filter_disable(sslconn, inctx);
+
+ /* fake the request line */
+ bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
+@@ -1348,7 +1349,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ * rather than have SSLEngine On configured.
+ */
+ if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
+- return ssl_io_filter_error(f, bb, status);
++ return ssl_io_filter_error(inctx, bb, status);
+ }
+
+ if (is_init) {
+@@ -1402,7 +1403,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+
+ /* Handle custom errors. */
+ if (status != APR_SUCCESS) {
+- return ssl_io_filter_error(f, bb, status);
++ return ssl_io_filter_error(inctx, bb, status);
+ }
+
+ /* Create a transient bucket out of the decrypted data. */
+@@ -1588,7 +1589,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
+ inctx->block = APR_BLOCK_READ;
+
+ if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
+- return ssl_io_filter_error(f, bb, status);
++ return ssl_io_filter_error(inctx, bb, status);
+ }
+
+ while (!APR_BRIGADE_EMPTY(bb)) {
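Review bot: The provenance line at the top of the new patch file cites `https://svn.apache.org/r796854`, while the `git-svn-id` trailer further down names revision 1796854, so the reference does not point at the commit being backported; it should read `# backport https://svn.apache.org/r1796854`. On the C side, the new signatures rely on every caller handing `ssl_io_filter_error()` the input-side context, and nothing in the new code states that invariant. A short comment above `ssl_io_filter_disable()` such as `/* inctx must be the input filter's bio_filter_in_ctx_t, never an arbitrary f->ctx */` would keep it visible to the next person who adds a call site. This matters most at the `ssl_io_filter_output()` call, where the removed code presumably read `f->ctx` from a filter whose context is a different structure (inferred from the commit message; that function's body is outside the hunk). The bodies of `ssl_io_filter_error()`, `ssl_io_filter_input()` and `ssl_io_filter_output()` all continue beyond the hunks shown.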
diff --git a/debian/patches/series b/debian/patches/series
index 00a6572..69d7283 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ CVE-2016-0736-mod_session_crypto-padding-oracle.diff
CVE-2016-8743-enforce_http.diff
hostnames_with_underscores.diff
CVE-2017-3167.diff
+CVE-2017-3169.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git