[apache2] 02/07: CVE-2017-15715: <FilesMatch> bypass with a trailing newline
Stefan Fritsch
sf at moszumanska.debian.org
Sat Mar 31 09:46:39 UTC 2018
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch jessie
in repository apache2.
commit ca202964795313a2abd7b036606d9b1e9a7f59d2
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Fri Mar 30 16:07:39 2018 +0200
CVE-2017-15715: <FilesMatch> bypass with a trailing newline
---
debian/changelog | 6 +
.../patches/CVE-2017-15715-regex-line-endings.diff | 197 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 204 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 73c5da6..fcb9b27 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,12 @@ apache2 (2.4.10-10+deb8u12) UNRELEASED; urgency=medium
* CVE-2017-15710: mod_authnz_ldap: Out of bound write in mod_authnz_ldap
when using too small Accept-Language values.
+ * CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file
+ name.
+ Configure the regular expression engine to match '$' to the end of
+ the input string only, excluding matching the end of any embedded
+ newline characters. Behavior can be changed with new directive
+ 'RegexDefaultOptions'.
-- Stefan Fritsch <sf at debian.org> Sat, 31 Mar 2018 11:24:46 +0200
diff --git a/debian/patches/CVE-2017-15715-regex-line-endings.diff b/debian/patches/CVE-2017-15715-regex-line-endings.diff
new file mode 100644
index 0000000..3684574
--- /dev/null
+++ b/debian/patches/CVE-2017-15715-regex-line-endings.diff
@@ -0,0 +1,197 @@
+# https://svn.apache.org/r1824472
+# CVE-2017-15715
+--- apache2.orig/include/ap_mmn.h
++++ apache2/include/ap_mmn.h
+@@ -437,6 +437,9 @@
+ * Deprecate broken ap_some_auth_required.
+ * 20120211.68 (2.4.26-dev) Add ap_get_basic_auth_components() and deprecate
+ * ap_get_basic_auth_pw()
++ * 20120211.74 (2.4.30-dev) Add AP_REG_DOLLAR_ENDONLY, ap_regcomp_get_default_cflags
++ * ap_regcomp_set_default_cflags and
++ * ap_regcomp_default_cflag_by_name
+ */
+
+ #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
+--- apache2.orig/include/ap_regex.h
++++ apache2/include/ap_regex.h
+@@ -77,6 +77,8 @@ extern "C" {
+ #define AP_REG_NOMEM 0x20 /* nomem in our code */
+ #define AP_REG_DOTALL 0x40 /* perl's /s flag */
+
++#define AP_REG_DOLLAR_ENDONLY 0x200 /* '$' matches at end of subject string only */
++
+ #define AP_REG_MATCH "MATCH_" /** suggested prefix for ap_regname */
+
+ /* Error values: */
+@@ -103,6 +105,26 @@ typedef struct {
+ /* The functions */
+
+ /**
++ * Get default compile flags
++ * @return Bitwise OR of AP_REG_* flags
++ */
++AP_DECLARE(int) ap_regcomp_get_default_cflags(void);
++
++/**
++ * Set default compile flags
++ * @param cflags Bitwise OR of AP_REG_* flags
++ */
++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags);
++
++/**
++ * Get the AP_REG_* corresponding to the string.
++ * @param name The name (i.e. AP_REG_<name>)
++ * @return The AP_REG_*, or zero if the string is unknown
++ *
++ */
++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name);
++
++/**
+ * Compile a regular expression.
+ * @param preg Returned compiled regex
+ * @param regex The regular expression string
+--- apache2.orig/server/core.c
++++ apache2/server/core.c
+@@ -48,6 +48,7 @@
+ #include "mod_core.h"
+ #include "mod_proxy.h"
+ #include "ap_listen.h"
++#include "ap_regex.h"
+
+ #include "mod_so.h" /* for ap_find_loaded_module_symbol */
+
+@@ -2646,6 +2647,58 @@ static const char *virtualhost_section(c
+ return errmsg;
+ }
+
++static const char *set_regex_default_options(cmd_parms *cmd,
++ void *dummy,
++ const char *arg)
++{
++ const command_rec *thiscmd = cmd->cmd;
++ int cflags, cflag;
++
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ cflags = ap_regcomp_get_default_cflags();
++ while (*arg) {
++ const char *name = ap_getword_conf(cmd->pool, &arg);
++ int how = 0;
++
++ if (strcasecmp(name, "none") == 0) {
++ cflags = 0;
++ continue;
++ }
++
++ if (*name == '+') {
++ name++;
++ how = +1;
++ }
++ else if (*name == '-') {
++ name++;
++ how = -1;
++ }
++
++ cflag = ap_regcomp_default_cflag_by_name(name);
++ if (!cflag) {
++ return apr_psprintf(cmd->pool, "%s: option '%s' unknown",
++ thiscmd->name, name);
++ }
++
++ if (how > 0) {
++ cflags |= cflag;
++ }
++ else if (how < 0) {
++ cflags &= ~cflag;
++ }
++ else {
++ cflags = cflag;
++ }
++ }
++ ap_regcomp_set_default_cflags(cflags);
++
++ return NULL;
++}
++
+ static const char *set_server_alias(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
+@@ -4157,6 +4210,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_lim
+ OR_ALL, "soft/hard limits for max number of processes per uid"),
+ #endif
+
++AP_INIT_RAW_ARGS("RegexDefaultOptions", set_regex_default_options, NULL, RSRC_CONF,
++ "default options for regexes (prefixed by '+' to add, '-' to del)"),
++
+ /* internal recursion stopper */
+ AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
+ "maximum recursion depth of internal redirects and subrequests"),
+@@ -4557,6 +4613,8 @@ static int core_pre_config(apr_pool_t *p
+ apr_pool_cleanup_register(pconf, NULL, reset_config_defines,
+ apr_pool_cleanup_null);
+
++ ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
++
+ mpm_common_pre_config(pconf);
+
+ return OK;
+--- apache2.orig/server/util_pcre.c
++++ apache2/server/util_pcre.c
+@@ -111,6 +111,38 @@ AP_DECLARE(void) ap_regfree(ap_regex_t *
+ * Compile a regular expression *
+ *************************************************/
+
++static int default_cflags = AP_REG_DOLLAR_ENDONLY;
++
++AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
++{
++ return default_cflags;
++}
++
++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags)
++{
++ default_cflags = cflags;
++}
++
++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name)
++{
++ int cflag = 0;
++
++ if (strcasecmp(name, "ICASE") == 0) {
++ cflag = AP_REG_ICASE;
++ }
++ else if (strcasecmp(name, "DOTALL") == 0) {
++ cflag = AP_REG_DOTALL;
++ }
++ else if (strcasecmp(name, "DOLLAR_ENDONLY") == 0) {
++ cflag = AP_REG_DOLLAR_ENDONLY;
++ }
++ else if (strcasecmp(name, "EXTENDED") == 0) {
++ cflag = AP_REG_EXTENDED;
++ }
++
++ return cflag;
++}
++
+ /*
+ * Arguments:
+ * preg points to a structure for recording the compiled expression
+@@ -127,12 +159,15 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t *
+ int errcode = 0;
+ int options = PCRE_DUPNAMES;
+
++ cflags |= default_cflags;
+ if ((cflags & AP_REG_ICASE) != 0)
+ options |= PCRE_CASELESS;
+ if ((cflags & AP_REG_NEWLINE) != 0)
+ options |= PCRE_MULTILINE;
+ if ((cflags & AP_REG_DOTALL) != 0)
+ options |= PCRE_DOTALL;
++ if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0)
++ options |= PCRE_DOLLAR_ENDONLY;
+
+ preg->re_pcre =
+ pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL);
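Review bot: In `set_regex_default_options` (the server/core.c part of this patch), an option written without a `+` or `-` prefix takes the `else { cflags = cflag; }` branch, and `none` sets `cflags = 0`. A line such as `RegexDefaultOptions ICASE` therefore silently drops `AP_REG_DOLLAR_ENDONLY` and restores the `$`-before-trailing-newline matching this patch is meant to stop. The directive's help text mentions only the `+` and `-` forms, so I would spell the rest out, e.g. `"default options for regexes ('none' clears, bare name replaces, '+' adds, '-' removes; default DOLLAR_ENDONLY)"`, and add a comment on the `else` branch saying the replacement is intentional. Separately, `ap_regcomp_default_cflag_by_name` maps "EXTENDED" to `AP_REG_EXTENDED`; if that macro is 0 in this tree (its definition is not in the hunk), the `if (!cflag)` check will reject it as unknown, so the name should either be dropped or handled explicitly.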
diff --git a/debian/patches/series b/debian/patches/series
index 48b9dd2..762abe2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,4 @@ CVE-2017-9788-mod_auth_digest.diff
core-Disallow-Methods-registration-at-run-time-.htac.patch
CVE-2017-15710-mod_authnz_ldap.diff
+CVE-2017-15715-regex-line-endings.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git