Hi Release Team, please review apache2/2.2.16-6+squeeze12 for inclusion in the next stable point release. Debdiff is attached. Changelog:
apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. Closes: #722333 * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request. Closes: #717272 * mod_dav: Fix segfaults in certain error conditions. https://issues.apache.org/bugzilla/show_bug.cgi?id=52559 Cheers, Stefan
diff -u apache2-2.2.16/debian/changelog apache2-2.2.16/debian/changelog
--- apache2-2.2.16/debian/changelog
+++ apache2-2.2.16/debian/changelog
@@ -1,3 +1,15 @@
+apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium
+
+ * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
+ the RewriteLog is escaped to prevent terminal escape sequences from
+ entering the log file. Closes: #722333
+ * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
+ Closes: #717272
+ * mod_dav: Fix segfaults in certain error conditions.
+ https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
+
+ -- Stefan Fritsch <s...@debian.org> Tue, 28 Jan 2014 22:48:05 +0100
+
 apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high
 
 * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
diff -u apache2-2.2.16/debian/patches/00list apache2-2.2.16/debian/patches/00list
--- apache2-2.2.16/debian/patches/00list
+++ apache2-2.2.16/debian/patches/00list
@@ -48,0 +49,3 @@
+303_mod_rewrite-CVE-2013-1862.dpatch
+304_CVE-2013-1896.dpatch
+305_mod_dav_crash_PR_52559.dpatch
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/303_mod_rewrite-CVE-2013-1862.dpatch
+++ apache2-2.2.16/debian/patches/303_mod_rewrite-CVE-2013-1862.dpatch
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: http://svn.apache.org/viewvc?view=revision&revision=r1482349
+## DP: SECURITY: CVE-2013-1862 (cve.mitre.org)
+## DP: mod_rewrite: Ensure that client data written to the RewriteLog is
+## DP: escaped to prevent terminal escape sequences from entering the
+## DP: log file. [Joe Orton]
+#
+@DPATCH@
+Index: modules/mappers/mod_rewrite.c
+===================================================================
+--- a/modules/mappers/mod_rewrite.c (revision 1469310)
++++ b/modules/mappers/mod_rewrite.c (working copy)
+@@ -500,11 +500,11 @@
+ 
+ logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
+ "(%d) %s%s%s%s" APR_EOL_STR,
+- rhost ? rhost : "UNKNOWN-HOST",
+- rname ? rname : "-",
+- r->user ? (*r->user ? r->user : "\"\"") : "-",
++ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
++ rname ? ap_escape_logitem(r->pool, rname) : "-",
++ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
+ current_logtime(r),
+- ap_get_server_name(r),
++ ap_escape_logitem(r->pool, ap_get_server_name(r)),
+ (void *)(r->server),
+ (void *)r,
+ r->main ? "subreq" : "initial",
+@@ -514,7 +514,7 @@
+ perdir ? "[perdir " : "",
+ perdir ? perdir : "",
+ perdir ? "] ": "",
+- text);
++ ap_escape_logitem(r->pool, text));
+ 
+ nbytes = strlen(logline);
+ apr_file_write(conf->rewritelogfp, logline, &nbytes);
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/304_CVE-2013-1896.dpatch
+++ apache2-2.2.16/debian/patches/304_CVE-2013-1896.dpatch
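Review bot: The `ap_escape_logitem` calls on `rhost`, `rname`, `r->user`, `ap_get_server_name(r)` and `text` are the whole fix, but nothing in the hunk records why those five fields and not `perdir` or `current_logtime(r)`, so a later edit could drop one of them unnoticed; a comment above the `logline = apr_psprintf(` line would pin it down, e.g. `/* fields the client can influence (remote host/name, user, server name which may come from the Host header, and the message text) go through ap_escape_logitem() so control characters never reach the log; perdir and the timestamp are server-generated. */`. Note that `ap_get_server_name(r)` and `text` are passed to `ap_escape_logitem` without the NULL guard the other three arguments get; this matches the pre-patch code, which already relied on both being non-NULL for `%s`, but it is worth confirming that `ap_escape_logitem` tolerates NULL in case that assumption is ever wrong. The enclosing logging function starts and ends outside the hunk.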
@@ -0,0 +1,35 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+#
+## DP: http://svn.apache.org/r1497101
+## DP: http://svn.apache.org/r1497212
+#
+@DPATCH@
+Index: apache2/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2.orig/modules/dav/main/mod_dav.c
++++ apache2/modules/dav/main/mod_dav.c
+@@ -719,6 +719,12 @@
+ 
+ conf = ap_get_module_config(r->per_dir_config, &dav_module);
+ /* assert: conf->provider != NULL */
++ if (conf->provider == NULL) {
++ return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0,
++ apr_psprintf(r->pool,
++ "DAV not enabled for %s",
++ ap_escape_html(r->pool, r->uri)));
++ }
+ 
+ /* resolve the resource */
+ err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2655,11 +2661,6 @@
+ "Destination URI had an error.");
+ }
+ 
+- if (dav_get_provider(lookup.rnew) == NULL) {
+- return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+- "DAV not enabled for Destination URI.");
+- }
+- 
+ /* Resolve destination resource */
+ err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+ 0 /* use_checked_in */, &resnew);
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/305_mod_dav_crash_PR_52559.dpatch
+++ apache2-2.2.16/debian/patches/305_mod_dav_crash_PR_52559.dpatch
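Review bot: The context line `/* assert: conf->provider != NULL */` immediately above the new `if (conf->provider == NULL)` check now states the opposite of what the code does and should be replaced, e.g. `/* conf->provider is NULL when DAV is not enabled for the location this request (or a destination such as the MERGE target) resolves to; answer 405 rather than dereference it. */`. Since the second hunk deletes the `dav_get_provider(lookup.rnew)` check from the MERGE handler, this guard is now the only thing between a non-DAV destination and the `conf->provider->repos->get_resource` dereference, so the invariant is best documented at the one place it is enforced. The `ap_escape_html(r->pool, r->uri)` wrapping is the right choice for a request URI that ends up in an error body. Both enclosing functions start and end outside the hunk.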
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## DP: http://svn.apache.org/r1497455
+## DP: mod_dav: When a PROPPATCH attempts to remove a non-existent dead
+## DP: property on a resource for which there is no dead property in the same
+## DP: namespace httpd segfaults.
+## DP:
+## DP: http://svn.apache.org/r1497457
+## DP: mod_dav: Do not fail PROPPATCH when prop namespace is not known.
+## DP:
+## DP: http://svn.apache.org/r1497463
+## DP: mod_dav: Do not segfault on PROPFIND with a zero length DBM.
+#
+@DPATCH@
+diff --git a/modules/dav/fs/dbm.c b/modules/dav/fs/dbm.c
+index 751a82b..ec42105 100644
+--- a/modules/dav/fs/dbm.c
++++ b/modules/dav/fs/dbm.c
+@@ -191,7 +191,15 @@ void dav_dbm_close(dav_db *db)
+ 
+ dav_error * dav_dbm_fetch(dav_db *db, apr_datum_t key, apr_datum_t *pvalue)
+ {
+- apr_status_t status = apr_dbm_fetch(db->file, key, pvalue);
++ apr_status_t status;
++ 
++ if (!key.dptr) {
++ /* no key could be created (namespace not known) => no value */
++ memset(pvalue, 0, sizeof(*pvalue));
++ status = APR_SUCCESS;
++ } else {
++ status = apr_dbm_fetch(db->file, key, pvalue);
++ }
+ 
+ return dav_fs_dbm_error(db, NULL, status);
+ }
+@@ -729,6 +737,10 @@ static dav_error * dav_propdb_get_rollback(dav_db *db,
+ static dav_error * dav_propdb_apply_rollback(dav_db *db,
+ dav_deadprop_rollback *rollback)
+ {
++ if (!rollback) {
++ return NULL; /* no rollback, nothing to do */
++ }
++ 
+ if (rollback->value.dptr == NULL) {
+ /* don't fail if the thing isn't really there. 
*/
+ (void) dav_dbm_delete(db, rollback->key);
+diff --git a/modules/dav/main/props.c b/modules/dav/main/props.c
+index b9601d7..2796737 100644
+--- a/modules/dav/main/props.c
++++ b/modules/dav/main/props.c
+@@ -594,13 +594,14 @@ DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
+ if (propdb->db != NULL) {
+ dav_xmlns_info *xi = dav_xmlns_create(propdb->p);
+ dav_prop_name name;
++ dav_error *err;
+ 
+ /* define (up front) any namespaces the db might need */
+ (void) (*db_hooks->define_namespaces)(propdb->db, xi);
+ 
+ /* get the first property name, beginning the scan */
+- (void) (*db_hooks->first_name)(propdb->db, &name);
+- while (name.ns != NULL) {
++ err = (*db_hooks->first_name)(propdb->db, &name);
++ while (!err && name.ns) {
+ 
+ /*
+ ** We also look for <DAV:getcontenttype> and
+@@ -619,7 +620,6 @@ DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
+ }
+ 
+ if (what == DAV_PROP_INSERT_VALUE) {
+- dav_error *err;
+ int found;
+ 
+ if ((err = (*db_hooks->output_value)(propdb->db, &name,
+@@ -638,7 +638,7 @@ DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
+ }
+ 
+ next_key:
+- (void) (*db_hooks->next_name)(propdb->db, &name);
++ err = (*db_hooks->next_name)(propdb->db, &name);
+ }
+ 
+ /* all namespaces have been entered into xi. generate them into
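Review bot: In the `dav_get_allprops` hunks a non-NULL `err` from `first_name` or `next_name` now ends the `while (!err && name.ns)` loop, but in the lines shown `err` is never examined after the loop, so a DBM read error mid-scan produces a silently truncated allprop result rather than a reported failure; that may be the intended trade-off for the zero-length-DBM crash, but it deserves a comment on the `while` line such as `/* a DBM error ends the scan; the properties read so far are still returned */`. Removing the inner `dav_error *err;` also makes the `output_value` assignment write the outer variable, which is only harmless if every path from there reaches `next_key:` where `err` is overwritten — worth confirming in the code between the hunks. The `dav_dbm_fetch` change is already commented; `dav_propdb_apply_rollback` would benefit from its comment naming the case that passes a NULL rollback (per the DP header, a PROPPATCH removing a dead property that does not exist), e.g. `return NULL; /* nothing was recorded to roll back, e.g. removal of a non-existent dead property */`. All three enclosing functions start and end outside the hunk.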