You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2009/07/03 15:48:25 UTC
svn commit: r790914 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS
docs/ docs/conf/mime.types modules/proxy/mod_proxy_http.c support/ab.c
support/suexec.c
Author: jorton
Date: Fri Jul 3 13:48:25 2009
New Revision: 790914
URL: http://svn.apache.org/viewvc?rev=790914&view=rev
Log:
Merge r790587 from trunk:
Security fix for CVE-2009-1890:
* modules/proxy/mod_proxy_http.c (stream_reqbody_cl): Specify the base
passed to apr_strtoff, and validate the Content-Length in the same
way the HTTP_IN filter does. If the number of bytes streamed
exceeds the expected body length, bail out of the loop.
Submitted by: niq, jorton
Reviewed by: rpluem, jim, jorton
Modified:
httpd/httpd/branches/2.2.x/ (props changed)
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/docs/ (props changed)
httpd/httpd/branches/2.2.x/docs/conf/mime.types (props changed)
httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
httpd/httpd/branches/2.2.x/support/ab.c (props changed)
httpd/httpd/branches/2.2.x/support/suexec.c (props changed)
Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jul 3 13:48:25 2009
@@ -1 +1 @@
-/httpd/httpd/trunk:395552,451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325
+/httpd/httpd/trunk:395552,451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,790587
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=790914&r1=790913&r2=790914&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Jul 3 13:48:25 2009
@@ -7,6 +7,11 @@
[Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
Ruediger Pluem, Jeff Trawick]
+ *) SECURITY: CVE-2009-1890 (cve.mitre.org)
+ Fix a potential Denial-of-Service attack against mod_proxy in a
+ reverse proxy configuration, where a remote attacker can force a
+ proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
+
*) SECURITY: CVE-2009-1191 (cve.mitre.org)
mod_proxy_ajp: Avoid delivering content from a previous request which
failed to send a request body. PR 46949 [Ruediger Pluem]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=790914&r1=790913&r2=790914&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Jul 3 13:48:25 2009
@@ -82,14 +82,6 @@
RELEASE SHOWSTOPPERS:
- * SECURITY: CVE-2009-1890 (cve.mitre.org)
- Fix a potential Denial-of-Service attack against mod_proxy in a
- reverse proxy configuration, where a remote attacker can force a
- proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
- Trunk version of patch works:
- http://svn.apache.org/viewvc?view=rev&revision=790587
- +1: rpluem, jim
-
* SECURITY: CVE-2009-1891 (cve.mitre.org)
Fix a potential Denial-of-Service attack against mod_deflate or
other modules, by forcing the server to consume CPU time in
Propchange: httpd/httpd/branches/2.2.x/docs/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jul 3 13:48:25 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/docs:395552,451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,675610,678761,680082,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693120,693392,693727-693728,696006,697093,703441,703997,706318,707163,708902,711421,719357,720250,726109,728015,728020,728220,729316-729317,729586,732414,732421,732451,732504,732832,733127,733134,733218-733219,733465,733467,733695,734703,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325
+/httpd/httpd/trunk/docs:395552,451572,611483,639005,639010,647395,657354,657459,660461,660566,664330,675610,678761,680082,681190,682369,683626,684351,685112,686549,686805,686809,687099,687754,692325,693120,693392,693727-693728,696006,697093,703441,703997,706318,707163,708902,711421,719357,720250,726109,728015,728020,728220,729316-729317,729586,732414,732421,732451,732504,732832,733127,733134,733218-733219,733465,733467,733695,734703,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,790587
Propchange: httpd/httpd/branches/2.2.x/docs/conf/mime.types
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jul 3 13:48:25 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/docs/conf/mime.types:83749-774546,776325
+/httpd/httpd/trunk/docs/conf/mime.types:83749-774546,776325,790587
Modified: httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c?rev=790914&r1=790913&r2=790914&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c Fri Jul 3 13:48:25 2009
@@ -422,10 +422,16 @@
apr_off_t bytes_streamed = 0;
if (old_cl_val) {
+ char *endstr;
+
add_cl(p, bucket_alloc, header_brigade, old_cl_val);
- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
- 0))) {
- return HTTP_INTERNAL_SERVER_ERROR;
+ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
+
+ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+ "proxy: could not parse request Content-Length (%s)",
+ old_cl_val);
+ return HTTP_BAD_REQUEST;
}
}
terminate_headers(bucket_alloc, header_brigade);
@@ -453,8 +459,13 @@
*
* Prevents HTTP Response Splitting.
*/
- if (bytes_streamed > cl_val)
- continue;
+ if (bytes_streamed > cl_val) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "proxy: read more bytes of request body than expected "
+ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
+ bytes_streamed, cl_val);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
if (header_brigade) {
/* we never sent the header brigade, so go ahead and
Propchange: httpd/httpd/branches/2.2.x/support/ab.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jul 3 13:48:25 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/support/ab.c:83751-655654,657354,657433,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325
+/httpd/httpd/trunk/support/ab.c:83751-655654,657354,657433,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,790587
Propchange: httpd/httpd/branches/2.2.x/support/suexec.c
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jul 3 13:48:25 2009
@@ -1 +1 @@
-/httpd/httpd/trunk/support/suexec.c:395552,451572,611483,639005,639010,647395,655711,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325
+/httpd/httpd/trunk/support/suexec.c:395552,451572,611483,639005,639010,647395,655711,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,719357,720250,729316-729317,729586,732414,732504,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,790587