httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jchamp...@apache.org
Subject svn commit: r20085 - in /release/httpd/patches/apply_to_2.2.32: ./ CVE-2017-3167.patch CVE-2017-3169.patch CVE-2017-7668.patch CVE-2017-7679.patch
Date Mon, 19 Jun 2017 17:28:14 GMT
Author: jchampion
Date: Mon Jun 19 17:28:14 2017
New Revision: 20085

Log:
2.2.32: add CVE patches to dist

Added:
    release/httpd/patches/apply_to_2.2.32/
    release/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch   (with props)
    release/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch   (with props)
    release/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch   (with props)
    release/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch   (with props)

Added: release/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
==============================================================================
--- release/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch (added)
+++ release/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch Mon Jun 19 17:28:14 2017
@@ -0,0 +1,163 @@
+
+    Merge https://svn.apache.org/r1796348 from trunk:
+    
+      *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+         Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+         authentication phase may lead to authentication requirements being
+         bypassed.
+         [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+    
+    
+    Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
+    Reviewed By: covener, ylavic, wrowe
+
+diff --git include/ap_mmn.h include/ap_mmn.h
+index ce330a5..fcbce6f 100644
+--- include/ap_mmn.h
++++ include/ap_mmn.h
+@@ -167,6 +167,8 @@
+  *                      and ap_scan_vchar_obstext()
+  *                      Replaced fold boolean with with multiple bit flags
+  *                      to ap_[r]getline()
++ * 20051115.43 (2.2.33)  Add ap_get_basic_auth_components() and deprecate
++ *                       ap_get_basic_auth_pw()
+  */
+ 
+ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
+@@ -174,7 +176,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20051115
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 42                    /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 43                    /* 0...n */
+ 
+ /**
+  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+diff --git include/http_protocol.h include/http_protocol.h
+index 1fed3b5..3fed9b2 100644
+--- include/http_protocol.h
++++ include/http_protocol.h
+@@ -486,7 +486,11 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r);
+ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
+ 
+ /**
+- * Get the password from the request headers
++ * Get the password from the request headers. This function has multiple side
++ * effects due to its prior use in the old authentication framework.
++ * ap_get_basic_auth_components() should be preferred.
++ *
++ * @deprecated @see ap_get_basic_auth_components
+  * @param r The current request
+  * @param pw The password as set in the headers
+  * @return 0 (OK) if it set the 'pw' argument (and assured
+@@ -499,6 +503,25 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
+  */
+ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
+ 
++#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
++
++/**
++ * Get the username and/or password from the request's Basic authentication
++ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
++ * effects on the passed request_rec.
++ *
++ * @param r The current request
++ * @param username If not NULL, set to the username sent by the client
++ * @param password If not NULL, set to the password sent by the client
++ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
++ *         APR_EINVAL if there was no authentication header sent or if the
++ *         client was not using the Basic authentication scheme. username and
++ *         password are unchanged on failure.
++ */
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++                                                      const char **username,
++                                                      const char **password);
++
+ /**
+  * parse_uri: break apart the uri
+  * @warning Side Effects: 
+diff --git server/protocol.c server/protocol.c
+index bd75766..2705bba 100644
+--- server/protocol.c
++++ server/protocol.c
+@@ -1594,6 +1594,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
+ 
+     t = ap_pbase64decode(r->pool, auth_line);
+     r->user = ap_getword_nulls (r->pool, &t, ':');
++    apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
+     r->ap_auth_type = "Basic";
+ 
+     *pw = t;
+@@ -1601,6 +1602,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
+     return OK;
+ }
+ 
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++                                                      const char **username,
++                                                      const char **password)
++{
++    const char *auth_header;
++    const char *credentials;
++    const char *decoded;
++    const char *user;
++
++    auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
++                                                  : "Authorization";
++    credentials = apr_table_get(r->headers_in, auth_header);
++
++    if (!credentials) {
++        /* No auth header. */
++        return APR_EINVAL;
++    }
++
++    if (strcasecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
++        /* These aren't Basic credentials. */
++        return APR_EINVAL;
++    }
++
++    while (*credentials == ' ' || *credentials == '\t') {
++        credentials++;
++    }
++
++    /* XXX Our base64 decoding functions don't actually error out if the string
++     * we give it isn't base64; they'll just silently stop and hand us whatever
++     * they've parsed up to that point.
++     *
++     * Since this function is supposed to be a drop-in replacement for the
++     * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
++     */
++    decoded = ap_pbase64decode(r->pool, credentials);
++    user = ap_getword_nulls(r->pool, &decoded, ':');
++
++    if (username) {
++        *username = user;
++    }
++    if (password) {
++        *password = decoded;
++    }
++
++    return APR_SUCCESS;
++}
++
+ struct content_length_ctx {
+     int data_sent;  /* true if the C-L filter has already sent at
+                      * least one bucket on to the next output filter
+diff --git server/request.c server/request.c
+index 7005ca9..f81bbe0 100644
+--- server/request.c
++++ server/request.c
+@@ -179,6 +179,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+         r->ap_auth_type = r->prev->ap_auth_type;
+     }
+     else {
++        /* A module using a confusing API (ap_get_basic_auth_pw) caused
++        ** r->user to be filled out prior to check_authn hook. We treat
++        ** it is inadvertent.
++        */
++        if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE))
{ 
++            r->user = NULL;
++        }
++
+         switch (ap_satisfies(r)) {
+         case SATISFY_ALL:
+         case SATISFY_NOSPEC:

Propchange: release/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch
==============================================================================
--- release/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch (added)
+++ release/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch Mon Jun 19 17:28:14 2017
@@ -0,0 +1,76 @@
+
+    Merge https://svn.apache.org/r1796343  from trunk:
+    
+      *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+         mod_ssl may dereference a NULL pointer when third-party modules call
+         ap_hook_process_connection() during an HTTP request to an HTTPS port.
+         [Yann Ylavic]
+    
+    
+    Submitted By: ylavic
+    Reviewed By: covener, ylavic, wrowe
+
+diff --git modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_io.c
+index d6016d3..c633be1 100644
+--- modules/ssl/ssl_engine_io.c
++++ modules/ssl/ssl_engine_io.c
+@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
+                                sizeof(HTTP_ON_HTTPS_PORT) - 1, \
+                                alloc)
+ 
+-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
++static void ssl_io_filter_disable(SSLConnRec *sslconn,
++                                  bio_filter_in_ctx_t *inctx)
+ {
+-    bio_filter_in_ctx_t *inctx = f->ctx;
+     SSL_free(inctx->ssl);
+     sslconn->ssl = NULL;
+     inctx->ssl = NULL;
+     inctx->filter_ctx->pssl = NULL;
+ }
+ 
+-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
++static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
+                                         apr_bucket_brigade *bb,
+                                         apr_status_t status)
+ {
++    ap_filter_t *f = inctx->f;
+     SSLConnRec *sslconn = myConnConfig(f->c);
+     apr_bucket *bucket;
+     int send_eos = 1;
+@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
+ 
+             sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
+-            ssl_io_filter_disable(sslconn, f);
++            ssl_io_filter_disable(sslconn, inctx);
+ 
+             /* fake the request line */
+             bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
+@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+      * rather than have SSLEngine On configured.
+      */
+     if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     if (is_init) {
+@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ 
+     /* Handle custom errors. */
+     if (status != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     /* Create a transient bucket out of the decrypted data. */
+@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
+     inctx->block = APR_BLOCK_READ;
+ 
+     if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     while (!APR_BRIGADE_EMPTY(bb)) {

Propchange: release/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch
==============================================================================
--- release/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch (added)
+++ release/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch Mon Jun 19 17:28:14 2017
@@ -0,0 +1,30 @@
+
+    Merge r1796350 from trunk:
+
+      *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+         The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+         bug in token list parsing, which allows ap_find_token() to search past
+         the end of its input string. By maliciously crafting a sequence of
+         request headers, an attacker may be able to cause a segmentation fault,
+         or to force ap_find_token() to return an incorrect value.
+    
+    Submitted By: jchampion
+    Reviewed By: jchampion, wrowe, ylavic
+    
+diff --git server/util.c server/util.c
+index 054cc17..9a805b6 100644
+--- server/util.c
++++ server/util.c
+@@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const
char *tok)
+ 
+     s = (const unsigned char *)line;
+     for (;;) {
+-        /* find start of token, skip all stop characters, note NUL
+-         * isn't a token stop, so we don't need to test for it
+-         */
+-        while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
++        /* find start of token, skip all stop characters */
++        while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+             ++s;
+         }
+         if (!*s) {

Propchange: release/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: release/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch
==============================================================================
--- release/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch (added)
+++ release/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch Mon Jun 19 17:28:14 2017
@@ -0,0 +1,25 @@
+
+    Merge r1797550 from trunk:
+
+      *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+         mod_mime can read one byte past the end of a buffer when sending a
+         malicious Content-Type response header.  [Yann Ylavic]
+    
+    Submitted By: ylavic
+    
+diff --git modules/http/mod_mime.c modules/http/mod_mime.c
+index eed6ebd..f3c643c 100644
+--- modules/http/mod_mime.c
++++ modules/http/mod_mime.c
+@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s)
+     int res = -1;
+     int c;
+ 
+-    if (((s + 1) != NULL) && (*s == '\\')) {
++    if (*s == '\\') {
+         c = (int) *(s + 1);
+-        if (apr_isascii(c)) {
++        if (c && apr_isascii(c)) {
+             res = 1;
+         }
+     }

Propchange: release/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message