Accepting request 306357 from home:guohouzuo:freeipa

CVE-2015-0253 OBS-URL: https://build.opensuse.org/request/show/306357 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=444
2015-05-15 13:11:40 +00:00 · 2015-05-15 13:11:40 +00:00 · d3e2121d30
commit d3e2121d30
parent c1c669e98d
3 changed files with 34 additions and 0 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon May 11 13:34:40 UTC 2015 - hguo@suse.com
+
+- SECURITY: CVE-2015-0253 (cve.mitre.org)
+  core: Fix a crash introduced in with ErrorDocument 400 pointing
+  to a local URL-path with the INCLUDES filter active, introduced
+  in 2.4.11. PR 57531. [Yann Ylavic]
+
 -------------------------------------------------------------------
 Tue May  5 12:36:10 UTC 2015 - kstreitova@suse.com

--- a/apache2.spec
+++ b/apache2.spec
@ -126,6 +126,7 @@ Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
 # PATCH-FIX-UPSTREAM bnc#918352 kstreitova@suse.com -- fix mod_lua - maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash
 Patch112:       httpd-2.4.x-mod_lua_websocket_DoS.patch
+Patch113:       httpd-2.4.12-CVE-2015-0253.patch
 BuildRequires:  automake
 BuildRequires:  db-devel
 BuildRequires:  ed
@ -309,6 +310,7 @@ to administrators of web servers in general.
 %endif
 %patch111 -p1
 %patch112 -p1
+%patch113 -p3
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{SOURCE22})
--- a/httpd-2.4.12-CVE-2015-0253.patch
+++ b/httpd-2.4.12-CVE-2015-0253.patch
@ -0,0 +1,24 @@
+SECURITY: CVE-2015-0253 (cve.mitre.org)
+core: Fix a crash introduced in with ErrorDocument 400 pointing
+to a local URL-path with the INCLUDES filter active, introduced
+in 2.4.11. PR 57531. [Yann Ylavic]
+--- httpd/httpd/trunk/server/protocol.c	2015/03/05 02:31:42	1664204
+++ httpd/httpd/trunk/server/protocol.c	2015/03/05 02:33:16	1664205
+@@ -606,8 +606,6 @@
+              */
+             if (APR_STATUS_IS_ENOSPC(rv)) {
+                 r->status    = HTTP_REQUEST_URI_TOO_LARGE;
+-                r->proto_num = HTTP_VERSION(1,0);
+-                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
+             }
+             else if (APR_STATUS_IS_TIMEUP(rv)) {
+                 r->status = HTTP_REQUEST_TIME_OUT;
+@@ -615,6 +613,8 @@
+             else if (APR_STATUS_IS_EINVAL(rv)) {
+                 r->status = HTTP_BAD_REQUEST;
+             }
+            r->proto_num = HTTP_VERSION(1,0);
+            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
+             return 0;
+         }
+     } while ((len <= 0) && (++num_blank_lines < max_blank_lines));