[apache2] 02/05: CVE-2017-3169: mod_ssl NULL pointer dereference

Stefan Fritsch sf at moszumanska.debian.org
Tue Jun 20 19:54:47 UTC 2017


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch jessie
in repository apache2.

commit 88ffa665a74fbda6797e94f05c3e0e3307e189a0
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Tue Jun 20 20:56:46 2017 +0200

    CVE-2017-3169: mod_ssl NULL pointer dereference
---
 debian/changelog                  |  1 +
 debian/patches/CVE-2017-3169.diff | 85 +++++++++++++++++++++++++++++++++++++++
 debian/patches/series             |  1 +
 3 files changed, 87 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6787e03..87b6af0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 apache2 (2.4.10-10+deb8u9) UNRELEASED; urgency=medium
 
   * CVE-2017-3167: Authentication bypass with ap_get_basic_auth_pw()
+  * CVE-2017-3169: mod_ssl NULL pointer dereference
 
  -- Stefan Fritsch <sf at debian.org>  Tue, 20 Jun 2017 20:42:01 +0200
 
diff --git a/debian/patches/CVE-2017-3169.diff b/debian/patches/CVE-2017-3169.diff
new file mode 100644
index 0000000..c218bf7
--- /dev/null
+++ b/debian/patches/CVE-2017-3169.diff
@@ -0,0 +1,85 @@
+# backport https://svn.apache.org/r796854
+#Author: Jim Jagielski <jim at apache.org>
+#Date:   Tue May 30 12:26:05 2017 +0000
+#
+#    Merge r1796343 from trunk:
+#    
+#    mod_ssl: fix ctx passed to ssl_io_filter_error()
+#    
+#    Consistently pass the expected bio_filter_in_ctx_t
+#    to ssl_io_filter_error().
+#    
+#    Submitted By: Yann Ylavic
+#    
+#    
+#    
+#    Submitted by: covener
+#    Reviewed by: covener, ylavic, jim
+#    
+#    
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
+#
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 7f60cc2737..6702367035 100644
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -845,19 +845,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
+  * establish an outgoing SSL connection. */
+ #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
+ 
+-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
++static void ssl_io_filter_disable(SSLConnRec *sslconn,
++                                  bio_filter_in_ctx_t *inctx)
+ {
+-    bio_filter_in_ctx_t *inctx = f->ctx;
+     SSL_free(inctx->ssl);
+     sslconn->ssl = NULL;
+     inctx->ssl = NULL;
+     inctx->filter_ctx->pssl = NULL;
+ }
+ 
+-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
++static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
+                                         apr_bucket_brigade *bb,
+                                         apr_status_t status)
+ {
++    ap_filter_t *f = inctx->f;
+     SSLConnRec *sslconn = myConnConfig(f->c);
+     apr_bucket *bucket;
+     int send_eos = 1;
+@@ -871,7 +872,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+             ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
+ 
+             sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
+-            ssl_io_filter_disable(sslconn, f);
++            ssl_io_filter_disable(sslconn, inctx);
+ 
+             /* fake the request line */
+             bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
+@@ -1348,7 +1349,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+      * rather than have SSLEngine On configured.
+      */
+     if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     if (is_init) {
+@@ -1402,7 +1403,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ 
+     /* Handle custom errors. */
+     if (status != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     /* Create a transient bucket out of the decrypted data. */
+@@ -1588,7 +1589,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
+     inctx->block = APR_BLOCK_READ;
+ 
+     if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     while (!APR_BRIGADE_EMPTY(bb)) {
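Review bot: The provenance line at the top of the new patch file, `# backport https://svn.apache.org/r796854`, drops a digit: the git-svn-id trailer a few lines below cites `branches/2.4.x@1796854`, so it should read `# backport https://svn.apache.org/r1796854` to keep the backport traceable to the upstream revision. On the code itself, ssl_io_filter_error now obtains `f` from `inctx->f` for every caller, including the one in ssl_io_filter_output, so in that path the error handling runs against the input filter's `ap_filter_t` rather than the output filter that detected the failure; `f->c` is the same connection either way, but ssl_io_filter_error's body continues beyond the hunk and any other use of `f` there should be confirmed to not depend on which filter was calling. A one-line comment on the new `ap_filter_t *f = inctx->f;`, such as `/* always the input filter, whichever filter reported the error */`, would make that contract explicit for the next maintainer.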
diff --git a/debian/patches/series b/debian/patches/series
index 00a6572..69d7283 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ CVE-2016-0736-mod_session_crypto-padding-oracle.diff
 CVE-2016-8743-enforce_http.diff
 hostnames_with_underscores.diff
 CVE-2017-3167.diff
+CVE-2017-3169.diff



