Bug#717272: apache2: Fix for CVE-2013-1896

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#717272: apache2: Fix for CVE-2013-1896
From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
Date: Thu, 18 Jul 2013 12:58:12 -0400
Message-id: <[🔎] 20130718165812.8906.16971.reportbug@mdlinux>
Reply-to: Marc Deslauriers <marc.deslauriers@ubuntu.com>, 717272@bugs.debian.org

Package: apache2
Version: 2.4.4-6
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu saucy ubuntu-patch



*** /tmp/tmp5THIhe/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: denial of service via MERGE request
    - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI
      in modules/dav/main/mod_dav.c.
    - CVE-2013-1896


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers raring-updates
  APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring'), (100, 'raring-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru apache2-2.4.4/debian/patches/CVE-2013-1896.patch apache2-2.4.4/debian/patches/CVE-2013-1896.patch
--- apache2-2.4.4/debian/patches/CVE-2013-1896.patch	1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.4/debian/patches/CVE-2013-1896.patch	2013-07-18 11:21:47.000000000 -0400
@@ -0,0 +1,32 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1486461
+
+Index: apache2-2.4.4/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c	2011-12-04 19:08:01.000000000 -0500
++++ apache2-2.4.4/modules/dav/main/mod_dav.c	2013-07-18 11:20:33.353180556 -0400
+@@ -707,6 +707,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2683,11 +2689,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);
diff -Nru apache2-2.4.4/debian/patches/series apache2-2.4.4/debian/patches/series
--- apache2-2.4.4/debian/patches/series	2013-07-02 09:33:25.000000000 -0400
+++ apache2-2.4.4/debian/patches/series	2013-07-18 11:20:09.000000000 -0400
@@ -20,3 +20,4 @@
 itk-rerun-configure.patch
 upstream-fixes
 allow-strtoul.patch
+CVE-2013-1896.patch

Reply to:

Follow-Ups:
- Bug#717272: marked as done (apache2: Fix for CVE-2013-1896)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#717231: apr hard-codes -fstack-protector even on unsupported platforms
Next by Date: Bug#717299: apache2-dev: dh_apache2 ignores alternative httpd on conf files
Previous by thread: Bug#717231: apr hard-codes -fstack-protector even on unsupported platforms
Next by thread: Bug#717272: marked as done (apache2: Fix for CVE-2013-1896)
Index(es):
- Date
- Thread