Posted to dev@httpd.apache.org by Mike Rumph <mi...@oracle.com> on 2014/10/14 17:40:03 UTC

Re: svn commit: r1627749 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/cache/cache_util.c

Hello Jim and Jan,

I am considering a proposal of backporting this fix to the 2.2 branch.
At first look, this fix doesn't apply to 2.2 code.
But I noticed that the pertinent code has been refactored between 2.2 
and 2.4.
The same problem exists in 2.2, but just in a different location.
In 2.2, the problem is in the store_headers function in 
modules/cache/mod_disk_cache.c.

Are either of you interested in working a patch for this?
Otherwise, I will look at it myself in a few days.

Thanks,

Mike Rumph

On 9/26/2014 4:00 AM, jim@apache.org wrote:
> Author: jim
> Date: Fri Sep 26 11:00:14 2014
> New Revision: 1627749
>
> URL: http://svn.apache.org/r1627749
> Log:
> Merge r1624234 from trunk:
>
> SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer dereference
> in Content-Type handling.
>
> mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
>
> Submitted By: Mark Montague <mark catseye.org>
> Reviewed By: Jan Kaluza
>
> Submitted by: jkaluza
> Reviewed/backported by: jim
>
> Modified:
>      httpd/httpd/branches/2.4.x/   (props changed)
>      httpd/httpd/branches/2.4.x/CHANGES
>      httpd/httpd/branches/2.4.x/STATUS
>      httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>
> Propchange: httpd/httpd/branches/2.4.x/
> ------------------------------------------------------------------------------
>    Merged /httpd/httpd/trunk:r1624234
>
> Modified: httpd/httpd/branches/2.4.x/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
> @@ -2,6 +2,10 @@
>   
>   Changes with Apache 2.4.11
>   
> +  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
> +     mod_cache: Avoid a crash when Content-Type has an empty value.
> +     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
> +
>     *) mod_cache: Avoid sending 304 responses during failed revalidations
>        PR56881. [Eric Covener]
>   
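Review bot: the new CHANGES entry writes the bug reference as "PR 56924." while the existing entry directly below it uses "PR56881." with no space; use one form so a PR number can be found with a single search of the file. The entry also says only "Avoid a crash", while the log message above describes a NULL pointer fault in Content-Type handling; naming the fault class in the entry would let administrators judge exposure from CHANGES alone.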
>
> Modified: httpd/httpd/branches/2.4.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/STATUS (original)
> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
> @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>     [ start all new proposals below, under PATCHES PROPOSED. ]
>   
> -   * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type has an empty
> -     value. PR56924.
> -     trunk patch: http://svn.apache.org/r1624234
> -     2.4.x patch: trunk works (modulo CHANGES)
> -     +1: jkaluza, jim, ylavic
>   
>   
>   PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>
> Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
> +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26 11:00:14 2014
> @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
>   
>       if (r->content_type
>               && !apr_table_get(headers_out, "Content-Type")) {
> -        apr_table_setn(headers_out, "Content-Type",
> -                       ap_make_content_type(r, r->content_type));
> +        const char *ctype = ap_make_content_type(r, r->content_type);
> +        if (ctype) {
> +            apr_table_setn(headers_out, "Content-Type", ctype);
> +        }
>       }
>   
>       if (r->content_encoding
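Review bot: the added "if (ctype)" guard skips the apr_table_setn call with no comment saying when ap_make_content_type returns NULL, so a later reader cannot tell that this check is the security fix rather than optional defensive code. Suggest a one-line comment above "const char *ctype = ..." naming the empty Content-Type case from PR56924. Note also that the outer "if (r->content_type" test only rules out a NULL pointer, not an empty string, so it does not cover the case the log message describes; any other call site that passes the ap_make_content_type result straight into a table should get the same review.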
>
>
>


Re: svn commit: r1627749 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/cache/cache_util.c

Posted by Mike Rumph <mi...@oracle.com>.
Hello Eric,

Okay.  Thanks.
I must have missed that discussion.
I just now compared ap_make_content_type in both 2.2 and 2.4.
It looks like you are correct.
Some code to return NULL was added in 2.4.
So there is no need to check the return from ap_make_content_type for NULL.

Sorry for the noise.

Take care,

Mike

On 10/14/2014 10:03 AM, Eric Covener wrote:
> I thought at the time, the discussion was that ap_make_content_type
> in those releases never returned NULL.
>
> On Tue, Oct 14, 2014 at 1:01 PM, Mike Rumph <mike.rumph@oracle.com> wrote:
>
>     In 2.2 code, this problem is actually in two places.
>     It is also in the store_headers function in
>     modules/cache/mod_mem_cache.c.
>
>
>     On 10/14/2014 8:40 AM, Mike Rumph wrote:
>
>         Hello Jim and Jan,
>
>         I am considering a proposal of backporting this fix to the 2.2
>         branch.
>         At first look, this fix doesn't apply to 2.2 code.
>         But I noticed that the pertinent code has been refactored
>         between 2.2 and 2.4.
>         The same problem exists in 2.2, but just in a different location.
>         In 2.2, the problem is in the store_headers function in
>         modules/cache/mod_disk_cache.c.
>
>         Are either of you interested in working a patch for this?
>         Otherwise, I will look at it myself in a few days.
>
>         Thanks,
>
>         Mike Rumph
>
>         On 9/26/2014 4:00 AM, jim@apache.org wrote:
>
>             Author: jim
>             Date: Fri Sep 26 11:00:14 2014
>             New Revision: 1627749
>
>             URL: http://svn.apache.org/r1627749
>             Log:
>             Merge r1624234 from trunk:
>
>             SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer
>             dereference in Content-Type handling.
>
>             mod_cache: Avoid a crash when Content-Type has an empty
>             value. PR56924.
>
>             Submitted By: Mark Montague <mark catseye.org>
>             Reviewed By: Jan Kaluza
>
>             Submitted by: jkaluza
>             Reviewed/backported by: jim
>
>             Modified:
>                  httpd/httpd/branches/2.4.x/   (props changed)
>                  httpd/httpd/branches/2.4.x/CHANGES
>                  httpd/httpd/branches/2.4.x/STATUS
>                  httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>
>             Propchange: httpd/httpd/branches/2.4.x/
>             ------------------------------------------------------------------------------
>
>                Merged /httpd/httpd/trunk:r1624234
>
>             Modified: httpd/httpd/branches/2.4.x/CHANGES
>             URL:
>             http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
>             ==============================================================================
>
>             --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
>             +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26
>             11:00:14 2014
>             @@ -2,6 +2,10 @@
>                 Changes with Apache 2.4.11
>               +  *) SECURITY: CVE-2014-3581 (cve.mitre.org
>             <http://cve.mitre.org>)
>             +     mod_cache: Avoid a crash when Content-Type has an
>             empty value.
>             +     PR 56924.  [Mark Montague <mark catseye.org
>             <http://catseye.org>>, Jan Kaluza]
>             +
>                 *) mod_cache: Avoid sending 304 responses during
>             failed revalidations
>                    PR56881. [Eric Covener]
>
>             Modified: httpd/httpd/branches/2.4.x/STATUS
>             URL:
>             http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
>             ==============================================================================
>
>             --- httpd/httpd/branches/2.4.x/STATUS (original)
>             +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
>             @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>               PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>                 [ start all new proposals below, under PATCHES PROPOSED. ]
>               -   * mod_cache: CVE-2014-3581 - Avoid a crash when
>             Content-Type has an empty
>             -     value. PR56924.
>             -     trunk patch: http://svn.apache.org/r1624234
>             -     2.4.x patch: trunk works (modulo CHANGES)
>             -     +1: jkaluza, jim, ylavic
>                   PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>
>             Modified:
>             httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>             URL:
>             http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
>             ==============================================================================
>
>             --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>             (original)
>             +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>             Fri Sep 26 11:00:14 2014
>             @@ -1258,8 +1258,10 @@ apr_table_t
>             *cache_merge_headers_out(req
>                     if (r->content_type
>                           && !apr_table_get(headers_out,
>             "Content-Type")) {
>             -        apr_table_setn(headers_out, "Content-Type",
>             -                       ap_make_content_type(r,
>             r->content_type));
>             +        const char *ctype = ap_make_content_type(r,
>             r->content_type);
>             +        if (ctype) {
>             +            apr_table_setn(headers_out, "Content-Type",
>             ctype);
>             +        }
>                   }
>                     if (r->content_encoding
>
>
> -- 
> Eric Covener
> covener@gmail.com


Re: svn commit: r1627749 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/cache/cache_util.c

Posted by Eric Covener <co...@gmail.com>.
I thought at the time, the discussion was that ap_make_content_type in
those releases never returned NULL.

On Tue, Oct 14, 2014 at 1:01 PM, Mike Rumph <mi...@oracle.com> wrote:

> In 2.2 code, this problem is actually in two places.
> It is also in the store_headers function in modules/cache/mod_mem_cache.c.
>
>
> On 10/14/2014 8:40 AM, Mike Rumph wrote:
>
>> Hello Jim and Jan,
>>
>> I am considering a proposal of backporting this fix to the 2.2 branch.
>> At first look, this fix doesn't apply to 2.2 code.
>> But I noticed that the pertinent code has been refactored between 2.2 and
>> 2.4.
>> The same problem exists in 2.2, but just in a different location.
>> In 2.2, the problem is in the store_headers function in
>> modules/cache/mod_disk_cache.c.
>>
>> Are either of you interested in working a patch for this?
>> Otherwise, I will look at it myself in a few days.
>>
>> Thanks,
>>
>> Mike Rumph
>>
>> On 9/26/2014 4:00 AM, jim@apache.org wrote:
>>
>>> Author: jim
>>> Date: Fri Sep 26 11:00:14 2014
>>> New Revision: 1627749
>>>
>>> URL: http://svn.apache.org/r1627749
>>> Log:
>>> Merge r1624234 from trunk:
>>>
>>> SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer dereference
>>> in Content-Type handling.
>>>
>>> mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
>>>
>>> Submitted By: Mark Montague <mark catseye.org>
>>> Reviewed By: Jan Kaluza
>>>
>>> Submitted by: jkaluza
>>> Reviewed/backported by: jim
>>>
>>> Modified:
>>>      httpd/httpd/branches/2.4.x/   (props changed)
>>>      httpd/httpd/branches/2.4.x/CHANGES
>>>      httpd/httpd/branches/2.4.x/STATUS
>>>      httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>>>
>>> Propchange: httpd/httpd/branches/2.4.x/
>>> ------------------------------------------------------------------------------
>>>
>>>    Merged /httpd/httpd/trunk:r1624234
>>>
>>> Modified: httpd/httpd/branches/2.4.x/CHANGES
>>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/
>>> CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
>>> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
>>> @@ -2,6 +2,10 @@
>>>     Changes with Apache 2.4.11
>>>   +  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
>>> +     mod_cache: Avoid a crash when Content-Type has an empty value.
>>> +     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
>>> +
>>>     *) mod_cache: Avoid sending 304 responses during failed revalidations
>>>        PR56881. [Eric Covener]
>>>
>>> Modified: httpd/httpd/branches/2.4.x/STATUS
>>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/
>>> STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
>>> @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>>>   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>>>     [ start all new proposals below, under PATCHES PROPOSED. ]
>>>   -   * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type has
>>> an empty
>>> -     value. PR56924.
>>> -     trunk patch: http://svn.apache.org/r1624234
>>> -     2.4.x patch: trunk works (modulo CHANGES)
>>> -     +1: jkaluza, jim, ylavic
>>>       PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>>>
>>> Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/
>>> modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
>>> +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26
>>> 11:00:14 2014
>>> @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
>>>         if (r->content_type
>>>               && !apr_table_get(headers_out, "Content-Type")) {
>>> -        apr_table_setn(headers_out, "Content-Type",
>>> -                       ap_make_content_type(r, r->content_type));
>>> +        const char *ctype = ap_make_content_type(r, r->content_type);
>>> +        if (ctype) {
>>> +            apr_table_setn(headers_out, "Content-Type", ctype);
>>> +        }
>>>       }
>>>         if (r->content_encoding
>>>
>>>
>>>
>>>
>>
>>
>>
>


-- 
Eric Covener
covener@gmail.com

Re: svn commit: r1627749 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS modules/cache/cache_util.c

Posted by Mike Rumph <mi...@oracle.com>.
In 2.2 code, this problem is actually in two places.
It is also in the store_headers function in modules/cache/mod_mem_cache.c.

On 10/14/2014 8:40 AM, Mike Rumph wrote:
> Hello Jim and Jan,
>
> I am considering a proposal of backporting this fix to the 2.2 branch.
> At first look, this fix doesn't apply to 2.2 code.
> But I noticed that the pertinent code has been refactored between 2.2 
> and 2.4.
> The same problem exists in 2.2, but just in a different location.
> In 2.2, the problem is in the store_headers function in 
> modules/cache/mod_disk_cache.c.
>
> Are either of you interested in working a patch for this?
> Otherwise, I will look at it myself in a few days.
>
> Thanks,
>
> Mike Rumph
>
> On 9/26/2014 4:00 AM, jim@apache.org wrote:
>> Author: jim
>> Date: Fri Sep 26 11:00:14 2014
>> New Revision: 1627749
>>
>> URL: http://svn.apache.org/r1627749
>> Log:
>> Merge r1624234 from trunk:
>>
>> SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer dereference
>> in Content-Type handling.
>>
>> mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
>>
>> Submitted By: Mark Montague <mark catseye.org>
>> Reviewed By: Jan Kaluza
>>
>> Submitted by: jkaluza
>> Reviewed/backported by: jim
>>
>> Modified:
>>      httpd/httpd/branches/2.4.x/   (props changed)
>>      httpd/httpd/branches/2.4.x/CHANGES
>>      httpd/httpd/branches/2.4.x/STATUS
>>      httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>>
>> Propchange: httpd/httpd/branches/2.4.x/
>> ------------------------------------------------------------------------------ 
>>
>>    Merged /httpd/httpd/trunk:r1624234
>>
>> Modified: httpd/httpd/branches/2.4.x/CHANGES
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
>> ============================================================================== 
>>
>> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
>> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
>> @@ -2,6 +2,10 @@
>>     Changes with Apache 2.4.11
>>   +  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
>> +     mod_cache: Avoid a crash when Content-Type has an empty value.
>> +     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
>> +
>>     *) mod_cache: Avoid sending 304 responses during failed 
>> revalidations
>>        PR56881. [Eric Covener]
>>
>> Modified: httpd/httpd/branches/2.4.x/STATUS
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
>> ============================================================================== 
>>
>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
>> @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>>   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>>     [ start all new proposals below, under PATCHES PROPOSED. ]
>>   -   * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type 
>> has an empty
>> -     value. PR56924.
>> -     trunk patch: http://svn.apache.org/r1624234
>> -     2.4.x patch: trunk works (modulo CHANGES)
>> -     +1: jkaluza, jim, ylavic
>>       PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>>
>> Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
>> ============================================================================== 
>>
>> --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
>> +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26 
>> 11:00:14 2014
>> @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
>>         if (r->content_type
>>               && !apr_table_get(headers_out, "Content-Type")) {
>> -        apr_table_setn(headers_out, "Content-Type",
>> -                       ap_make_content_type(r, r->content_type));
>> +        const char *ctype = ap_make_content_type(r, r->content_type);
>> +        if (ctype) {
>> +            apr_table_setn(headers_out, "Content-Type", ctype);
>> +        }
>>       }
>>         if (r->content_encoding
>>
>>
>>
>
>
>