[apache2] 01/04: Fix CVE-2017-9798
Stefan Fritsch
sf at moszumanska.debian.org
Sat Sep 23 22:18:51 UTC 2017
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch master
in repository apache2.
commit 47ed49079f139be1383e2e132c9119481a97ac3b
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sun Sep 24 00:01:45 2017 +0200
Fix CVE-2017-9798
Don't allow new methods in .htaccess
---
debian/changelog | 8 ++++++++
debian/patches/CVE-2017-9798.diff | 36 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 45 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c828695..776fb43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.4.27-6) UNRELEASED; urgency=medium
+
+ * CVE-2017-9798: Don't allow new methods to be registered in .htaccess files
+ which could result in HTTP OPTIONS method leaking Apache's server memory.
+ Closes: #876109
+
+ -- Stefan Fritsch <sf at debian.org> Sat, 23 Sep 2017 23:59:18 +0200
+
apache2 (2.4.27-5) unstable; urgency=medium
* Upload to unstable.
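Review bot: The new 2.4.27-6 entry is marked urgency=medium even though its only change closes a CVE that the entry itself describes as leaking server memory; consider urgency=high if the fix should migrate quickly. It would also help to say in the entry that a method not registered in the main configuration is now rejected with an error when it first appears in .htaccess, since administrators will see that as a behaviour change after upgrading.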
diff --git a/debian/patches/CVE-2017-9798.diff b/debian/patches/CVE-2017-9798.diff
new file mode 100644
index 0000000..dc37033
--- /dev/null
+++ b/debian/patches/CVE-2017-9798.diff
@@ -0,0 +1,36 @@
+#https://svn.apache.org/r1807754
+#
+#commit 40e03b310047418c1339823c981182eb36a60e85
+#Author: Yann Ylavic <ylavic at apache.org>
+#Date: Fri Sep 8 13:13:11 2017 +0000
+#
+# Merge r1807655 from trunk:
+#
+# core: Disallow Methods' registration at run time (.htaccess), they may be
+# used only if registered at init time (httpd.conf).
+#
+# Calling ap_method_register() in children processes is not the right scope
+# since it won't be shared for all requests.
+#
+# Reviewed by: ylavic, covener, icing
+#
+#
+# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1807754 13f79535-47bb-0310-9956-ffa450edef68
+#
+diff --git a/server/core.c b/server/core.c
+index de2400d92a..6516b09a05 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -2266,6 +2266,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
+ /* method has not been registered yet, but resource restriction
+ * is always checked before method handling, so register it.
+ */
++ if (cmd->pool == cmd->temp_pool) {
++ /* In .htaccess, we can't globally register new methods. */
++ return apr_psprintf(cmd->pool, "Could not register method '%s' "
++ "for %s from .htaccess configuration",
++ method, cmd->cmd->name);
++ }
+ methnum = ap_method_register(cmd->pool,
+ apr_pstrdup(cmd->pool, method));
+ }
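Review bot: The added test `cmd->pool == cmd->temp_pool` in ap_limit_section() is used to mean "this directive is being parsed from .htaccess", but neither the code comment nor the patch header explains why that pool equality holds only in that case, so a later reader cannot tell whether the check is exact or a heuristic. A sentence in the header stating the assumption would be enough. The header itself is the upstream commit message behind `#` marks; DEP-3 fields (Description, Origin pointing at r1807754, Bug-Debian for #876109) would make the provenance machine-readable and match the Closes line in the changelog.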
diff --git a/debian/patches/series b/debian/patches/series
index 4a1b914..66e6239 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ reproducible_builds.diff
#suexec-custom.patch
fix_logresolve_segfault.patch
+CVE-2017-9798.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git