From: Dan Poirier
To: dev@httpd.apache.org
Subject: Re: svn commit: r791454 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS server/core_filters.c
In-Reply-To: <20090706120321.30EAA2388866@eris.apache.org> (trawick@apache.org's message of "Mon, 06 Jul 2009 12:03:20 -0000")
Date: Tue, 07 Jul 2009 13:14:28 -0400

trawick@apache.org writes:

> Author: trawick
> Date: Mon Jul 6 12:03:20 2009
> New Revision: 791454
>
> URL: http://svn.apache.org/viewvc?rev=791454&view=rev
> Log:
> SECURITY: CVE-2009-1891 (cve.mitre.org)
> Fix a potential Denial-of-Service attack against mod_deflate or other
> modules, by forcing the server to consume CPU time in compressing a
> large file after a client disconnects. [Joe Orton, Ruediger Pluem]
>
> Submitted by: jorton, rpluem
> Reviewed by: jim, trawick
>
>
> Modified:
> httpd/httpd/branches/2.2.x/CHANGES
> httpd/httpd/branches/2.2.x/STATUS
> httpd/httpd/branches/2.2.x/server/core_filters.c

Would anyone care to backport this to 2.0.x? The changes appear to apply trivially to the core_output_filter() in server/core.c. I'll attach the patch:

Content-Disposition: attachment; filename=CVE_2009_1891_2.0.x.patch.txt
Content-Description: Patch for CVE-2009-1891 for 2.0.x

Index: CHANGES
===================================================================
--- CHANGES (revision 791478)
+++ CHANGES (working copy)
@@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.64 + *) SECURITY: CVE-2009-1891 (cve.mitre.org) + Fix a potential Denial-of-Service attack against mod_deflate or other + modules, by forcing the server to consume CPU time in compressing a + large file after a client disconnects. PR 39605. + [Joe Orton, Ruediger Pluem] + *) SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] Index: server/core.c =================================================================== --- server/core.c (revision 791906) +++ server/core.c (working copy) @@ -3969,6 +3969,12 @@ apr_read_type_e eblock = APR_NONBLOCK_READ; apr_pool_t *input_pool = b->p; + /* Fail quickly if the connection has already been aborted. */ + if (c->aborted) { + apr_brigade_cleanup(b); + return APR_ECONNABORTED; + } + if (ctx == NULL) { ctx = apr_pcalloc(c->pool, sizeof(*ctx)); net->out_ctx = ctx; @@ -4336,12 +4342,9 @@ /* No need to check for SUCCESS, we did that above. */ if (!APR_STATUS_IS_EAGAIN(rv)) { c->aborted = 1; + return APR_ECONNABORTED; } - /* The client has aborted, but the request was successful. We - * will report success, and leave it to the access and error - * logs to note that the connection was aborted. - */ return APR_SUCCESS; }

--
Dan Poirier
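Review bot: in the CHANGES hunk, the new entry cites PR 39605, a bug reference the quoted r791454 log message does not carry; confirm that number is the intended cross-reference for the 2.0.x entry before committing, and check that the blank `+` line added after `[Joe Orton, Ruediger Pluem]` matches the spacing used around the existing `*) SECURITY: CVE-2008-2939` entry so the file stays consistent.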
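Review bot: in the first server/core.c hunk (@@ -3969), the early-return block dereferences `c`, but the hunk's context does not show where `c` is assigned; confirm `conn_rec *c` is initialised from `f->c` above this point in core_output_filter before the check is reached. Note also that `apr_brigade_cleanup(b)` destroys every bucket the caller passed in, so a caller that inspects or reuses `b` after a failed pass will find it empty; that matches the 2.2.x change and is safe because nothing further will be written on an aborted connection, but it is worth stating in the comment above the check.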
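Review bot: in the second server/core.c hunk (@@ -4336), returning `APR_ECONNABORTED` instead of `APR_SUCCESS` after a failed write changes the status seen by every caller of core_output_filter, not only mod_deflate; the comment being removed documented that reporting success on a client abort was deliberate, so the 2.0.x callers that pass brigades through this filter need to tolerate the new error status without logging spurious failures or retrying the write. Since the comment that described how the abort reaches the access and error logs is deleted rather than updated, confirm those logs still record the aborted connection through `c->aborted`, and consider replacing the comment with one sentence explaining the new early failure.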