
Bug#734446: pu: package apache2/2.2.16-6+squeeze11a - CVE-2013-1862



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

CVE-2013-1862 is a low impact security bug. It should be fixed via pu.
Apache maintainers: Do you want to handle this yourself?

Bastian

diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
--- apache2-2.2.22/debian/changelog	2013-03-04 22:21:05.000000000 +0100
+++ apache2-2.2.22/debian/changelog	2014-01-07 10:57:50.000000000 +0100
@@ -1,3 +1,11 @@
+apache2 (2.2.22-13.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Properly escape data written to rewrite log.
+    CVE-2013-1862
+
+ -- Bastian Blank <bastian.blank@credativ.de>  Tue, 07 Jan 2014 09:57:36 +0000
+
 apache2 (2.2.22-13) unstable; urgency=medium
 
   [ Stefan Fritsch ]
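
Review bot: The new changelog stanza at the top of this hunk targets `UNRELEASED` with version `2.2.22-13.1`, while the bug title names `apache2/2.2.16-6+squeeze11a`, so the debdiff and the request do not describe the same source version. Before upload, set the distribution field to the suite the release team is being asked to accept into, and align either the title or the debdiff so it is clear which version is being proposed.
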
diff -Nru apache2-2.2.22/debian/patches/CVE-2013-1862.patch apache2-2.2.22/debian/patches/CVE-2013-1862.patch
--- apache2-2.2.22/debian/patches/CVE-2013-1862.patch	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.2.22/debian/patches/CVE-2013-1862.patch	2014-01-07 10:56:59.000000000 +0100
@@ -0,0 +1,33 @@
+Description:
+ mod_rewrite: Ensure that client data written to the RewriteLog is
+ escaped to prevent terminal escape sequences from entering the
+ log file.  [Joe Orton]
+Origin: http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
+Id: CVE-2013-1862
+--- a(/odules/mappers/mod_rewrite.c	(revision 1469310)
++++ b/modules/mappers/mod_rewrite.c	(working copy)
+@@ -500,11 +500,11 @@
+ 
+     logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
+                                     "(%d) %s%s%s%s" APR_EOL_STR,
+-                           rhost ? rhost : "UNKNOWN-HOST",
+-                           rname ? rname : "-",
+-                           r->user ? (*r->user ? r->user : "\"\"") : "-",
++                           rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
++                           rname ? ap_escape_logitem(r->pool, rname) : "-",
++                           r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
+                            current_logtime(r),
+-                           ap_get_server_name(r),
++                           ap_escape_logitem(r->pool, ap_get_server_name(r)),
+                            (void *)(r->server),
+                            (void *)r,
+                            r->main ? "subreq" : "initial",
+@@ -514,7 +514,7 @@
+                            perdir ? "[perdir " : "",
+                            perdir ? perdir : "",
+                            perdir ? "] ": "",
+-                           text);
++                           ap_escape_logitem(r->pool, text));
+ 
+     nbytes = strlen(logline);
+     apr_file_write(conf->rewritelogfp, logline, &nbytes);
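
Review bot: In the second hunk of the embedded mod_rewrite.c patch, `text` is now passed through `ap_escape_logitem()`, but the `perdir` argument just above it is still written raw (`perdir ? perdir : ""`). If `perdir` can only come from server configuration that is fine, but the Description claims that client data written to the RewriteLog is escaped, so it should say why this field is exempt; otherwise wrap it the same way. Two header nits: the `Description:` field has nothing on its first line (the summary starts on the continuation line), and the `---` file header reads `a(/odules/mappers/mod_rewrite.c`, which does not match the `+++ b/modules/mappers/mod_rewrite.c` line and looks like a typo for `a/modules/...`.
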
diff -Nru apache2-2.2.22/debian/patches/series apache2-2.2.22/debian/patches/series
--- apache2-2.2.22/debian/patches/series	2013-03-04 22:00:37.000000000 +0100
+++ apache2-2.2.22/debian/patches/series	2014-01-07 10:57:11.000000000 +0100
@@ -35,3 +35,4 @@
 disable-ssl-compression.patch
 CVE-2012-3499_CVE-2012-4558_XSS.patch
 mod_log_forensic_693292.patch
+CVE-2013-1862.patch

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

