httpd-dev mailing list archives

From Mike Rumph <mike.ru...@oracle.com>
Subject Re: svn commit: r1627749 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/cache/cache_util.c
Date Tue, 14 Oct 2014 15:40:03 GMT
Hello Jim and Jan,

I am considering a proposal of backporting this fix to the 2.2 branch.
At first look, this fix doesn't apply to 2.2 code.
But I noticed that the pertinent code has been refactored between 2.2 
and 2.4.
The same problem exists in 2.2, but just in a different location.
In 2.2, the problem is in the store_headers function in 
modules/cache/mod_disk_cache.c.

Are either of you interested in working a patch for this?
Otherwise, I will look at it myself in a few days.

Thanks,

Mike Rumph

On 9/26/2014 4:00 AM, jim@apache.org wrote:
> Author: jim
> Date: Fri Sep 26 11:00:14 2014
> New Revision: 1627749
>
> URL: http://svn.apache.org/r1627749
> Log:
> Merge r1624234 from trunk:
>
> SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer dereference
> in Content-Type handling.
>
> mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
>
> Submitted By: Mark Montague <mark catseye.org>
> Reviewed By: Jan Kaluza
>
> Submitted by: jkaluza
> Reviewed/backported by: jim
>
> Modified:
>      httpd/httpd/branches/2.4.x/   (props changed)
>      httpd/httpd/branches/2.4.x/CHANGES
>      httpd/httpd/branches/2.4.x/STATUS
>      httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>
> Propchange: httpd/httpd/branches/2.4.x/
> ------------------------------------------------------------------------------
>    Merged /httpd/httpd/trunk:r1624234
>
> Modified: httpd/httpd/branches/2.4.x/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
> @@ -2,6 +2,10 @@
>   
>   Changes with Apache 2.4.11
>   
> +  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
> +     mod_cache: Avoid a crash when Content-Type has an empty value.
> +     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
> +
>     *) mod_cache: Avoid sending 304 responses during failed revalidations
>        PR56881. [Eric Covener]
>   
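Review bot: the added CHANGES entry writes the bug reference as "PR 56924." with a space, while the neighbouring entry in the same hunk writes "PR56881." without one; pick one form so the file stays greppable by PR number. The entry also says only "Avoid a crash", whereas the commit log names the cause as a NULL pointer dereference; carrying that wording into the SECURITY line would let readers of CHANGES classify the issue without opening the revision.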
>
> Modified: httpd/httpd/branches/2.4.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/STATUS (original)
> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
> @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>     [ start all new proposals below, under PATCHES PROPOSED. ]
>   
> -   * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type has an empty
> -     value. PR56924.
> -     trunk patch: http://svn.apache.org/r1624234
> -     2.4.x patch: trunk works (modulo CHANGES)
> -     +1: jkaluza, jim, ylavic
>   
>   
>   PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>
> Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26 11:00:14 2014
> @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
>   
>       if (r->content_type
>               && !apr_table_get(headers_out, "Content-Type")) {
> -        apr_table_setn(headers_out, "Content-Type",
> -                       ap_make_content_type(r, r->content_type));
> +        const char *ctype = ap_make_content_type(r, r->content_type);
> +        if (ctype) {
> +            apr_table_setn(headers_out, "Content-Type", ctype);
> +        }
>       }
>   
>       if (r->content_encoding
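Review bot: the new `if (ctype)` guard in cache_merge_headers_out() has no comment saying when ap_make_content_type() returns NULL; going by the log message that is the empty Content-Type case, and a one-line comment above `const char *ctype = ...` stating so would keep the check from looking redundant later. The guard sits inside the existing `r->content_type && !apr_table_get(headers_out, "Content-Type")` test, so in that case the merged headers now carry no Content-Type at all; if that is the intended result, say so in the same comment. The unguarded pattern was the ap_make_content_type() result passed straight into apr_table_setn(), so any other place that does the same needs the same check, which is consistent with the 2.2 store_headers observation in the reply above.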
>
>
>

