From 02163d87570467de62d1a6916a3b23e3e9f1a0cf7f8bc752fc03fb26310f268c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= Date: Tue, 24 Feb 2015 01:47:47 +0000 Subject: [PATCH] Accepting request 287376 from home:kstreitova:branches:Apache - add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug where a maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash [CVE-2015-0228], [bnc#918352]. OBS-URL: https://build.opensuse.org/request/show/287376 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=432 --- apache2.changes | 8 ++++ apache2.spec | 3 ++ httpd-2.4.x-mod_lua_websocket_DoS.patch | 50 +++++++++++++++++++++++++ 3 files changed, 61 insertions(+) create mode 100644 httpd-2.4.x-mod_lua_websocket_DoS.patch diff --git a/apache2.changes b/apache2.changes index 89d261d..f51ed07 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Feb 23 16:58:11 UTC 2015 - kstreitova@suse.com + +- add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug + where a maliciously crafted websockets PING after a script calls + r:wsupgrade() can cause a child process crash + [CVE-2015-0228], [bnc#918352]. + ------------------------------------------------------------------- Tue Feb 3 15:12:04 UTC 2015 - pgajdos@suse.com diff --git a/apache2.spec b/apache2.spec index 9038ea4..368ddfd 100644 --- a/apache2.spec +++ b/apache2.spec @@ -164,6 +164,8 @@ Patch70: apache2-implicit-pointer-decl.patch # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration. Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch +# PATCH-FIX-UPSTREAM bnc#918352 kstreitova@suse.com -- fix mod_lua - maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash +Patch112: httpd-2.4.x-mod_lua_websocket_DoS.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.4 @@ -342,6 +344,7 @@ to administrators of web servers in general. #%patch108 -p1 %patch109 -p1 %patch111 -p1 +%patch112 -p1 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{S:22}) diff --git a/httpd-2.4.x-mod_lua_websocket_DoS.patch b/httpd-2.4.x-mod_lua_websocket_DoS.patch new file mode 100644 index 0000000..4dc329f --- /dev/null +++ b/httpd-2.4.x-mod_lua_websocket_DoS.patch @@ -0,0 +1,50 @@ +From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Wed, 4 Feb 2015 14:44:23 +0000 +Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A + maliciously crafted websockets PING after a script calls r:wsupgrade() + can cause a child process crash. [Edward Lu ] + +Discovered by Guido Vranken + +Submitted by: Edward Lu +Committed by: covener + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68 +--- +diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c +index dded599..1200c55 100644 +--- a/modules/lua/lua_request.c ++++ b/modules/lua/lua_request.c +@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L) + { + apr_socket_t *sock; + apr_status_t rv; ++ int do_read = 1; + int n = 0; + apr_size_t len = 1; + apr_size_t plen = 0; +@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L) + mask_bytes = apr_pcalloc(r->pool, 4); + sock = ap_get_conn_socket(r->connection); + ++ while (do_read) { ++ do_read = 0; + /* Get opcode and FIN bit */ + if (plaintext) { + rv = apr_socket_recv(sock, &byte, &len); +@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L) + frame[0] = 0x8A; + frame[1] = 0; + apr_socket_send(sock, frame, &plen); /* Pong! */ +- lua_websocket_read(L); /* read the next frame instead */ ++ do_read = 1; + } + } + } ++ } + return 0; + } +