[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#734447: opu: package apache2/2.2.16-6+squeeze11 - CVE-2013-1862

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu

CVE-2013-1862 is a low impact security bug. It should be fixed via opu.
Apache maintainers: Do you want to handle this yourself?

Bastian

diff -u apache2-2.2.16/debian/changelog apache2-2.2.16/debian/changelog
--- apache2-2.2.16/debian/changelog
+++ apache2-2.2.16/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.2.16-6+squeeze11.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Properly escape data written to rewrite log.
+    CVE-2013-1862
+
+ -- Bastian Blank <bastian.blank@credativ.de>  Tue, 07 Jan 2014 09:48:07 +0000
+
 apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high
 
   * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
diff -u apache2-2.2.16/debian/patches/00list apache2-2.2.16/debian/patches/00list
--- apache2-2.2.16/debian/patches/00list
+++ apache2-2.2.16/debian/patches/00list
@@ -48,0 +49 @@
+303_CVE-2013-1862.dpatch
only in patch2:
unchanged:
--- apache2-2.2.16.orig/debian/patches/303_CVE-2013-1862.dpatch
+++ apache2-2.2.16/debian/patches/303_CVE-2013-1862.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## DP: *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+## DP:    mod_rewrite: Ensure that client data written to the RewriteLog is
+## DP:    escaped to prevent terminal escape sequences from entering the
+## DP:    log file.  [Joe Orton]
+@DPATCH@
+--- a/modules/mappers/mod_rewrite.c	(revision 1469310)
++++ b/modules/mappers/mod_rewrite.c	(working copy)
+@@ -500,11 +500,11 @@
+ 
+     logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
+                                     "(%d) %s%s%s%s" APR_EOL_STR,
+-                           rhost ? rhost : "UNKNOWN-HOST",
+-                           rname ? rname : "-",
+-                           r->user ? (*r->user ? r->user : "\"\"") : "-",
++                           rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
++                           rname ? ap_escape_logitem(r->pool, rname) : "-",
++                           r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
+                            current_logtime(r),
+-                           ap_get_server_name(r),
++                           ap_escape_logitem(r->pool, ap_get_server_name(r)),
+                            (void *)(r->server),
+                            (void *)r,
+                            r->main ? "subreq" : "initial",
+@@ -514,7 +514,7 @@
+                            perdir ? "[perdir " : "",
+                            perdir ? perdir : "",
+                            perdir ? "] ": "",
+-                           text);
++                           ap_escape_logitem(r->pool, text));
+ 
+     nbytes = strlen(logline);
+     apr_file_write(conf->rewritelogfp, logline, &nbytes);

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: