Accepting request 287376 from home:kstreitova:branches:Apache

- add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug
  where a maliciously crafted websockets PING after a script calls
  r:wsupgrade() can cause a child process crash
  [CVE-2015-0228], [bnc#918352].

OBS-URL: https://build.opensuse.org/request/show/287376
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=432

apache2.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Feb 23 16:58:11 UTC 2015 - kstreitova@suse.com
+
+- add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug
+  where a maliciously crafted websockets PING after a script calls
+  r:wsupgrade() can cause a child process crash
+  [CVE-2015-0228], [bnc#918352]. 
+
 -------------------------------------------------------------------
 Tue Feb  3 15:12:04 UTC 2015 - pgajdos@suse.com
 

apache2.spec

@@ -164,6 +164,8 @@ Patch70:        apache2-implicit-pointer-decl.patch
 # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration.
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
+# PATCH-FIX-UPSTREAM bnc#918352 kstreitova@suse.com -- fix mod_lua - maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash
+Patch112:       httpd-2.4.x-mod_lua_websocket_DoS.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.4
@@ -342,6 +344,7 @@ to administrators of web servers in general.
 #%patch108 -p1
 %patch109 -p1
 %patch111 -p1
+%patch112 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{S:22})

httpd-2.4.x-mod_lua_websocket_DoS.patch

@@ -0,0 +1,50 @@
+From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 4 Feb 2015 14:44:23 +0000
+Subject: [PATCH]   *) SECURITY: CVE-2015-0228 (cve.mitre.org)      mod_lua: A
+ maliciously crafted websockets PING after a script      calls r:wsupgrade()
+ can cause a child process crash.      [Edward Lu <Chaosed0 gmail.com>]
+
+Discovered by Guido Vranken <guidovranken gmail.com>
+
+Submitted by: Edward Lu
+Committed by: covener
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
+---
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index dded599..1200c55 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
+ {
+     apr_socket_t *sock;
+     apr_status_t rv;
++    int do_read = 1;
+     int n = 0;
+     apr_size_t len = 1;
+     apr_size_t plen = 0;
+@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
+     mask_bytes = apr_pcalloc(r->pool, 4);
+     sock = ap_get_conn_socket(r->connection);
+ 
++    while (do_read) { 
++    do_read = 0;
+     /* Get opcode and FIN bit */
+     if (plaintext) {
+         rv = apr_socket_recv(sock, &byte, &len);
+@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
+                 frame[0] = 0x8A;
+                 frame[1] = 0;
+                 apr_socket_send(sock, frame, &plen); /* Pong! */
+-                lua_websocket_read(L); /* read the next frame instead */
++                do_read = 1;
+             }
+         }
+     }
++    }
+     return 0;
+ }
+