httpd-dev mailing list archives

From Mike Rumph <mike.ru...@oracle.com>
Subject Re: svn commit: r1627749 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/cache/cache_util.c
Date Tue, 14 Oct 2014 17:01:50 GMT
In 2.2 code, this problem is actually in two places.
It is also in the store_headers function in modules/cache/mod_mem_cache.c.

On 10/14/2014 8:40 AM, Mike Rumph wrote:
> Hello Jim and Jan,
>
> I am considering a proposal of backporting this fix to the 2.2 branch.
> At first look, this fix doesn't apply to 2.2 code.
> But I noticed that the pertinent code has been refactored between 2.2 
> and 2.4.
> The same problem exists in 2.2, but just in a different location.
> In 2.2, the problem is in the store_headers function in 
> modules/cache/mod_disk_cache.c.
>
> Are either of you interested in working a patch for this?
> Otherwise, I will look at it myself in a few days.
>
> Thanks,
>
> Mike Rumph
>
> On 9/26/2014 4:00 AM, jim@apache.org wrote:
>> Author: jim
>> Date: Fri Sep 26 11:00:14 2014
>> New Revision: 1627749
>>
>> URL: http://svn.apache.org/r1627749
>> Log:
>> Merge r1624234 from trunk:
>>
>> SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer dereference
>> in Content-Type handling.
>>
>> mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
>>
>> Submitted By: Mark Montague <mark catseye.org>
>> Reviewed By: Jan Kaluza
>>
>> Submitted by: jkaluza
>> Reviewed/backported by: jim
>>
>> Modified:
>>      httpd/httpd/branches/2.4.x/   (props changed)
>>      httpd/httpd/branches/2.4.x/CHANGES
>>      httpd/httpd/branches/2.4.x/STATUS
>>      httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>>
>> Propchange: httpd/httpd/branches/2.4.x/
>> ------------------------------------------------------------------------------ 
>>
>>    Merged /httpd/httpd/trunk:r1624234
>>
>> Modified: httpd/httpd/branches/2.4.x/CHANGES
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
>> ============================================================================== 
>>
>> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
>> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
>> @@ -2,6 +2,10 @@
>>     Changes with Apache 2.4.11
>>   +  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
>> +     mod_cache: Avoid a crash when Content-Type has an empty value.
>> +     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
>> +
>>     *) mod_cache: Avoid sending 304 responses during failed 
>> revalidations
>>        PR56881. [Eric Covener]
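Review bot: The new CHANGES entry writes the bug reference as "PR 56924." while the neighbouring entry in the same hunk ("PR56881.") and the log message of this commit ("PR56924.") use the form without a space. Pick one form so the entry can be found with the same search string as the others. The entry also says only "Avoid a crash"; the log message calls it a NULL pointer dereference in Content-Type handling, which tells an operator reading CHANGES more about what the issue is.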
>>
>> Modified: httpd/httpd/branches/2.4.x/STATUS
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
>> ============================================================================== 
>>
>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
>> @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>>   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>>     [ start all new proposals below, under PATCHES PROPOSED. ]
>>   -   * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type 
>> has an empty
>> -     value. PR56924.
>> -     trunk patch: http://svn.apache.org/r1624234
>> -     2.4.x patch: trunk works (modulo CHANGES)
>> -     +1: jkaluza, jim, ylavic
>>       PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
>> ============================================================================== 
>>
>> --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
>> +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26 
>> 11:00:14 2014
>> @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
>>         if (r->content_type
>>               && !apr_table_get(headers_out, "Content-Type")) {
>> -        apr_table_setn(headers_out, "Content-Type",
>> -                       ap_make_content_type(r, r->content_type));
>> +        const char *ctype = ap_make_content_type(r, r->content_type);
>> +        if (ctype) {
>> +            apr_table_setn(headers_out, "Content-Type", ctype);
>> +        }
>>       }
>>         if (r->content_encoding
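Review bot: The added "if (ctype)" check in cache_merge_headers_out has no comment saying when ap_make_content_type() can return NULL, so the guard reads as redundant next to the outer "if (r->content_type" test and could be dropped in a later cleanup. A one-line comment above "if (ctype) {" naming the case from the log message (Content-Type with an empty value, PR56924) would document why it is there. When ctype is NULL the header is now silently left out of headers_out; if that is the intended result for an empty Content-Type, say so in the same comment. As the reply at the top of this thread notes, the 2.2 branch has the same unguarded pattern in store_headers in modules/cache/mod_disk_cache.c and modules/cache/mod_mem_cache.c, so a backport needs the equivalent check in both places rather than this hunk as is.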
>>
>>
>>
>
>
>