[packages/apache/APACHE_2_2] apply_to_2.2.32 patches; fixes CVE-2017-3167 CVE-2017-3169 CVE-2017-7668 CVE-2017-7679

glen glen at pld-linux.org
Tue Jul 11 10:55:13 CEST 2017


commit 28183218fec545992510005bcc9b1ca1e07868bf
Author: Elan Ruusamäe <glen at pld-linux.org>
Date:   Tue Jul 11 11:50:03 2017 +0300

    apply_to_2.2.32 patches; fixes CVE-2017-3167 CVE-2017-3169 CVE-2017-7668 CVE-2017-7679

 CVE-2017-3167.patch | 163 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 CVE-2017-3169.patch |  76 ++++++++++++++++++++++++
 CVE-2017-7668.patch |  30 ++++++++++
 CVE-2017-7679.patch |  25 ++++++++
 apache.spec         |  29 ++++++----
 5 files changed, 313 insertions(+), 10 deletions(-)
---
diff --git a/apache.spec b/apache.spec
index a280dd7..5608b6a 100644
--- a/apache.spec
+++ b/apache.spec
@@ -44,7 +44,7 @@ Summary(ru.UTF-8):	Самый популярный веб-сервер
 Summary(tr.UTF-8):	Lider WWW tarayıcı
 Name:		apache
 Version:	2.2.32
-Release:	1
+Release:	2
 License:	Apache v2.0
 Group:		Networking/Daemons/HTTP
 Source0:	http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
@@ -85,16 +85,16 @@ Patch1:		%{name}-layout.patch
 Patch2:		%{name}-suexec.patch
 Patch3:		%{name}-branding.patch
 Patch4:		%{name}-apr.patch
-Patch5:		apache-bug-49058.patch
+Patch5:		%{name}-bug-49058.patch
 # what about this? it isn't applied...
 Patch6:		httpd-2.0.40-xfsz.patch
 Patch7:		%{name}-syslibs.patch
 Patch8:		httpd-2.0.45-encode.patch
 Patch9:		%{name}-paths.patch
 Patch10:	httpd-2.0.46-dav401dest.patch
-Patch11:	apache-bug-39311-preforkonly.patch
+Patch11:	%{name}-bug-39311-preforkonly.patch
 Patch12:	httpd-2.0.46-sslmutex.patch
-Patch13:	apache-bug-50002.patch
+Patch13:	%{name}-bug-50002.patch
 Patch14:	httpd-2.0.48-corelimit.patch
 Patch15:	httpd-2.0.48-debuglog.patch
 Patch18:	%{name}-v6only-ENOPROTOOPT.patch
@@ -104,12 +104,17 @@ Patch23:	%{name}-suexec_fcgi.patch
 Patch24:	%{name}-bug-48094.patch
 # http://scripts.mit.edu/trac/browser/trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch?rev=1348
 Patch25:	httpd-2.2.x-mod_ssl-sessioncaching.patch
-Patch26:	apache-mod_vhost_alias_docroot.patch
+Patch26:	%{name}-mod_vhost_alias_docroot.patch
 # http://mpm-itk.sesse.net/
-Patch28:	apache-mpm-itk.patch
+Patch28:	%{name}-mpm-itk.patch
 Patch29:	libtool-tag.patch
-Patch30:	apache-bug-39653.patch
+Patch30:	%{name}-bug-39653.patch
 Patch31:	httpd-dummy-connection-result.patch
+# https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/
+Patch32:	CVE-2017-3167.patch
+Patch33:	CVE-2017-3169.patch
+Patch34:	CVE-2017-7668.patch
+Patch35:	CVE-2017-7679.patch
 URL:		http://httpd.apache.org/
 BuildRequires:	apr-devel >= %{apr_ver}
 BuildRequires:	apr-util-devel >= 1:1.3.10-2
@@ -1808,6 +1813,10 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env.
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
+%patch32 -p0
+%patch33 -p0
+%patch34 -p0
+%patch35 -p0
 
 # using system apr, apr-util and pcre
 %{__rm} -r srclib/{apr,apr-util,pcre}
@@ -1939,7 +1948,7 @@ install -d $RPM_BUILD_ROOT/etc/{logrotate.d,rc.d/init.d,sysconfig,systemd/system
 	$RPM_BUILD_ROOT%{_var}/{log/{httpd,archive/httpd},{run,cache}/httpd,lock/mod_dav} \
 	$RPM_BUILD_ROOT%{_sysconfdir}/{webapps.d,conf.d,vhosts.d} \
 	$RPM_BUILD_ROOT%{_datadir}/{cgi-bin,vhosts} \
-	$RPM_BUILD_ROOT/usr/lib/tmpfiles.d \
+	$RPM_BUILD_ROOT%{systemdtmpfilesdir} \
 	$RPM_BUILD_ROOT%{systemdunitdir}
 
 # prefork is default one
@@ -2003,7 +2012,7 @@ cp -a %{SOURCE21} $CFG/10_mpm.conf
 cp -a %{SOURCE22} $CFG/20_languages.conf
 cp -a %{SOURCE29} $RPM_BUILD_ROOT%{_sysconfdir}/vhosts.d/example.net.conf
 
-install %{SOURCE30} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/%{name}.conf
+cp -p %{SOURCE30} $RPM_BUILD_ROOT%{systemdtmpfilesdir}/%{name}.conf
 
 echo "LoadModule alias_module modules/mod_alias.so" > $CFG/00_mod_alias.conf
 echo "LoadModule authn_file_module	modules/mod_authn_file.so" > $CFG/00_mod_authn_file.conf
@@ -2401,7 +2410,7 @@ fi
 %dir %attr(770,root,http) /var/run/httpd
 %dir %attr(770,root,http) /var/cache/httpd
 
-/usr/lib/tmpfiles.d/%{name}.conf
+%{systemdtmpfilesdir}/%{name}.conf
 %{systemdunitdir}/httpd-*.service
 %config(noreplace) %verify(not md5 mtime size) /etc/systemd/system/httpd.service
 
diff --git a/CVE-2017-3167.patch b/CVE-2017-3167.patch
new file mode 100644
index 0000000..b6d139d
--- /dev/null
+++ b/CVE-2017-3167.patch
@@ -0,0 +1,163 @@
+
+    Merge https://svn.apache.org/r1796348 from trunk:
+    
+      *) SECURITY: CVE-2017-3167 (cve.mitre.org)
+         Use of the ap_get_basic_auth_pw() by third-party modules outside of the
+         authentication phase may lead to authentication requirements being
+         bypassed.
+         [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+    
+    
+    Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
+    Reviewed By: covener, ylavic, wrowe
+
+diff --git include/ap_mmn.h include/ap_mmn.h
+index ce330a5..fcbce6f 100644
+--- include/ap_mmn.h
++++ include/ap_mmn.h
+@@ -167,6 +167,8 @@
+  *                      and ap_scan_vchar_obstext()
+  *                      Replaced fold boolean with with multiple bit flags
+  *                      to ap_[r]getline()
++ * 20051115.43 (2.2.33)  Add ap_get_basic_auth_components() and deprecate
++ *                       ap_get_basic_auth_pw()
+  */
+ 
+ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
+@@ -174,7 +176,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20051115
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 42                    /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 43                    /* 0...n */
+ 
+ /**
+  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+diff --git include/http_protocol.h include/http_protocol.h
+index 1fed3b5..3fed9b2 100644
+--- include/http_protocol.h
++++ include/http_protocol.h
+@@ -486,7 +486,11 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r);
+ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
+ 
+ /**
+- * Get the password from the request headers
++ * Get the password from the request headers. This function has multiple side
++ * effects due to its prior use in the old authentication framework.
++ * ap_get_basic_auth_components() should be preferred.
++ *
++ * @deprecated @see ap_get_basic_auth_components
+  * @param r The current request
+  * @param pw The password as set in the headers
+  * @return 0 (OK) if it set the 'pw' argument (and assured
+@@ -499,6 +503,25 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
+  */
+ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
+ 
++#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
++
++/**
++ * Get the username and/or password from the request's Basic authentication
++ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
++ * effects on the passed request_rec.
++ *
++ * @param r The current request
++ * @param username If not NULL, set to the username sent by the client
++ * @param password If not NULL, set to the password sent by the client
++ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
++ *         APR_EINVAL if there was no authentication header sent or if the
++ *         client was not using the Basic authentication scheme. username and
++ *         password are unchanged on failure.
++ */
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++                                                      const char **username,
++                                                      const char **password);
++
+ /**
+  * parse_uri: break apart the uri
+  * @warning Side Effects: 
+diff --git server/protocol.c server/protocol.c
+index bd75766..2705bba 100644
+--- server/protocol.c
++++ server/protocol.c
+@@ -1594,6 +1594,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
+ 
+     t = ap_pbase64decode(r->pool, auth_line);
+     r->user = ap_getword_nulls (r->pool, &t, ':');
++    apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
+     r->ap_auth_type = "Basic";
+ 
+     *pw = t;
+@@ -1601,6 +1602,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
+     return OK;
+ }
+ 
++AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
++                                                      const char **username,
++                                                      const char **password)
++{
++    const char *auth_header;
++    const char *credentials;
++    const char *decoded;
++    const char *user;
++
++    auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
++                                                  : "Authorization";
++    credentials = apr_table_get(r->headers_in, auth_header);
++
++    if (!credentials) {
++        /* No auth header. */
++        return APR_EINVAL;
++    }
++
++    if (strcasecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
++        /* These aren't Basic credentials. */
++        return APR_EINVAL;
++    }
++
++    while (*credentials == ' ' || *credentials == '\t') {
++        credentials++;
++    }
++
++    /* XXX Our base64 decoding functions don't actually error out if the string
++     * we give it isn't base64; they'll just silently stop and hand us whatever
++     * they've parsed up to that point.
++     *
++     * Since this function is supposed to be a drop-in replacement for the
++     * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
++     */
++    decoded = ap_pbase64decode(r->pool, credentials);
++    user = ap_getword_nulls(r->pool, &decoded, ':');
++
++    if (username) {
++        *username = user;
++    }
++    if (password) {
++        *password = decoded;
++    }
++
++    return APR_SUCCESS;
++}
++
+ struct content_length_ctx {
+     int data_sent;  /* true if the C-L filter has already sent at
+                      * least one bucket on to the next output filter
+diff --git server/request.c server/request.c
+index 7005ca9..f81bbe0 100644
+--- server/request.c
++++ server/request.c
+@@ -179,6 +179,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
+         r->ap_auth_type = r->prev->ap_auth_type;
+     }
+     else {
++        /* A module using a confusing API (ap_get_basic_auth_pw) caused
++        ** r->user to be filled out prior to check_authn hook. We treat
++        ** it is inadvertent.
++        */
++        if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { 
++            r->user = NULL;
++        }
++
+         switch (ap_satisfies(r)) {
+         case SATISFY_ALL:
+         case SATISFY_NOSPEC:
diff --git a/CVE-2017-3169.patch b/CVE-2017-3169.patch
new file mode 100644
index 0000000..c423b4c
--- /dev/null
+++ b/CVE-2017-3169.patch
@@ -0,0 +1,76 @@
+
+    Merge https://svn.apache.org/r1796343  from trunk:
+    
+      *) SECURITY: CVE-2017-3169 (cve.mitre.org)
+         mod_ssl may dereference a NULL pointer when third-party modules call
+         ap_hook_process_connection() during an HTTP request to an HTTPS port.
+         [Yann Ylavic]
+    
+    
+    Submitted By: ylavic
+    Reviewed By: covener, ylavic, wrowe
+
+diff --git modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_io.c
+index d6016d3..c633be1 100644
+--- modules/ssl/ssl_engine_io.c
++++ modules/ssl/ssl_engine_io.c
+@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
+                                sizeof(HTTP_ON_HTTPS_PORT) - 1, \
+                                alloc)
+ 
+-static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
++static void ssl_io_filter_disable(SSLConnRec *sslconn,
++                                  bio_filter_in_ctx_t *inctx)
+ {
+-    bio_filter_in_ctx_t *inctx = f->ctx;
+     SSL_free(inctx->ssl);
+     sslconn->ssl = NULL;
+     inctx->ssl = NULL;
+     inctx->filter_ctx->pssl = NULL;
+ }
+ 
+-static apr_status_t ssl_io_filter_error(ap_filter_t *f,
++static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
+                                         apr_bucket_brigade *bb,
+                                         apr_status_t status)
+ {
++    ap_filter_t *f = inctx->f;
+     SSLConnRec *sslconn = myConnConfig(f->c);
+     apr_bucket *bucket;
+     int send_eos = 1;
+@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
+             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
+ 
+             sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
+-            ssl_io_filter_disable(sslconn, f);
++            ssl_io_filter_disable(sslconn, inctx);
+ 
+             /* fake the request line */
+             bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
+@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+      * rather than have SSLEngine On configured.
+      */
+     if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     if (is_init) {
+@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ 
+     /* Handle custom errors. */
+     if (status != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     /* Create a transient bucket out of the decrypted data. */
+@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
+     inctx->block = APR_BLOCK_READ;
+ 
+     if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
+-        return ssl_io_filter_error(f, bb, status);
++        return ssl_io_filter_error(inctx, bb, status);
+     }
+ 
+     while (!APR_BRIGADE_EMPTY(bb)) {
diff --git a/CVE-2017-7668.patch b/CVE-2017-7668.patch
new file mode 100644
index 0000000..4470475
--- /dev/null
+++ b/CVE-2017-7668.patch
@@ -0,0 +1,30 @@
+
+    Merge r1796350 from trunk:
+
+      *) SECURITY: CVE-2017-7668 (cve.mitre.org)
+         The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
+         bug in token list parsing, which allows ap_find_token() to search past
+         the end of its input string. By maliciously crafting a sequence of
+         request headers, an attacker may be able to cause a segmentation fault,
+         or to force ap_find_token() to return an incorrect value.
+    
+    Submitted By: jchampion
+    Reviewed By: jchampion, wrowe, ylavic
+    
+diff --git server/util.c server/util.c
+index 054cc17..9a805b6 100644
+--- server/util.c
++++ server/util.c
+@@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
+ 
+     s = (const unsigned char *)line;
+     for (;;) {
+-        /* find start of token, skip all stop characters, note NUL
+-         * isn't a token stop, so we don't need to test for it
+-         */
+-        while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
++        /* find start of token, skip all stop characters */
++        while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
+             ++s;
+         }
+         if (!*s) {
diff --git a/CVE-2017-7679.patch b/CVE-2017-7679.patch
new file mode 100644
index 0000000..adcd541
--- /dev/null
+++ b/CVE-2017-7679.patch
@@ -0,0 +1,25 @@
+
+    Merge r1797550 from trunk:
+
+      *) SECURITY: CVE-2017-7679 (cve.mitre.org)
+         mod_mime can read one byte past the end of a buffer when sending a
+         malicious Content-Type response header.  [Yann Ylavic]
+    
+    Submitted By: ylavic
+    
+diff --git modules/http/mod_mime.c modules/http/mod_mime.c
+index eed6ebd..f3c643c 100644
+--- modules/http/mod_mime.c
++++ modules/http/mod_mime.c
+@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s)
+     int res = -1;
+     int c;
+ 
+-    if (((s + 1) != NULL) && (*s == '\\')) {
++    if (*s == '\\') {
+         c = (int) *(s + 1);
+-        if (apr_isascii(c)) {
++        if (c && apr_isascii(c)) {
+             res = 1;
+         }
+     }
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/apache.git/commitdiff/28183218fec545992510005bcc9b1ca1e07868bf



More information about the pld-cvs-commit mailing list