Bug#774289: unblock: apache2/2.4.10-9

[Stefan Fritsch <sf@sfritsch.de>]

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package apache2

It fixes a low-impact security issue, improves working with systemd (though
that's not quite perfect, yet) and fixes a build-dep. 

Thanks,
Stefan

Changelog:

apache2 (2.4.10-9) unstable; urgency=medium

  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with different
    arguments.
  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
    fixes asking for certificate passphrases if started via systemd.
    Closes: #773405
  * Fix init script to not wait 20s if passphrase was wrong.
  * Also bump debhelper build-depends to get dh_installdeb with support for
    symlink_to_dir. Closes: #770421


Diffstat (full diff is attached):

 apache2.init                       |    8 ++
 apache2.install                    |    1 
 ask-for-passphrase                 |   48 +++++++++++++++
 changelog                          |   14 ++++
 config-dir/mods-available/ssl.conf |    2 
 control                            |    2 
 patches/CVE-2014-8109_mod_lua.diff |  118 +++++++++++++++++++++++++++++++++++++
 patches/series                     |    1 
 8 files changed, 192 insertions(+), 2 deletions(-)


unblock apache2/2.4.10-9

diff -Nru apache2-2.4.10/debian/apache2.init apache2-2.4.10/debian/apache2.init
--- apache2-2.4.10/debian/apache2.init	2014-11-08 23:16:55.000000000 +0100
+++ apache2-2.4.10/debian/apache2.init	2014-12-22 21:43:54.000000000 +0100
@@ -116,6 +116,10 @@
 apache_wait_start() {
 	local STATUS=$1
 	local i=0
+
+	if [ $STATUS != 0 ] ; then
+	        return $STATUS
+	fi
 	while : ; do
 	        PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
 	        if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
@@ -136,6 +140,10 @@
 apache_wait_stop() {
 	local STATUS=$1
 
+	if [ $STATUS != 0 ] ; then
+	        return $STATUS
+	fi
+
 	PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
 	if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
 	        local i=0
diff -Nru apache2-2.4.10/debian/apache2.install apache2-2.4.10/debian/apache2.install
--- apache2-2.4.10/debian/apache2.install	2014-11-08 23:16:55.000000000 +0100
+++ apache2-2.4.10/debian/apache2.install	2014-12-22 20:14:39.000000000 +0100
@@ -3,4 +3,5 @@
 debian/a2enmod					/usr/sbin
 debian/apache2ctl				/usr/sbin
 debian/a2query					/usr/sbin
+debian/ask-for-passphrase			/usr/share/apache2/
 debian/debhelper/apache2-maintscript-helper	/usr/share/apache2/
diff -Nru apache2-2.4.10/debian/ask-for-passphrase apache2-2.4.10/debian/ask-for-passphrase
--- apache2-2.4.10/debian/ask-for-passphrase	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/ask-for-passphrase	2014-12-22 21:44:47.000000000 +0100
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+#    ask-for-passphrase - designed to be used by SSLPassPhraseDialog exec:
+#
+#    Copyright Canonical, Ltd. 2010, All Rights Reserved
+#
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+sitename=$1
+keytype=$2
+
+log="logger -p daemon.err -t apache2"
+
+prompt="Enter passphrase for SSL/TLS keys for $sitename ($keytype):"
+
+# Apache gives us a pipe for stdin, but we want to
+# talk to apache's terminal.
+tty=`tty < /proc/${PPID}/fd/0`
+if [ "$tty" = "not a tty" ] ; then
+	if [ -x /bin/systemd-ask-password ] ; then
+		exec /bin/systemd-ask-password --timeout=0 "$prompt"
+	elif [ -x /bin/plymouth ] && plymouth --ping ; then
+		echo $prompt | logger
+		exec plymouth ask-for-password --prompt="$prompt"
+	else
+		$log "No way to ask user for passphrase"
+		exit 1
+	fi
+	$log "Passphrase prompt failed"
+	exit 1
+fi
+
+# We must not print anything on stdout except the passphrase
+read -s -p "$prompt" passphrase > $tty 2>&1 < $tty
+echo > $tty
+echo "$passphrase"
diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog	2014-11-18 15:18:18.000000000 +0100
+++ apache2-2.4.10/debian/changelog	2014-12-22 21:46:14.000000000 +0100
@@ -1,3 +1,17 @@
+apache2 (2.4.10-9) unstable; urgency=medium
+
+  * CVE-2014-8109: mod_lua: Fix handling of the Require line when a
+    LuaAuthzProvider is used in multiple Require directives with different
+    arguments.
+  * Include ask-for-passphrase script from Ubuntu with some tweaks. This
+    fixes asking for certificate passphrases if started via systemd.
+    Closes: #773405
+  * Fix init script to not wait 20s if passphrase was wrong.
+  * Also bump debhelper build-depends to get dh_installdeb with support for
+    symlink_to_dir. Closes: #770421
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 22 Dec 2014 20:24:36 +0100
+
 apache2 (2.4.10-8) unstable; urgency=medium
 
   * Bump dpkg Pre-Depends to version that supports relative symlinks in
diff -Nru apache2-2.4.10/debian/config-dir/mods-available/ssl.conf apache2-2.4.10/debian/config-dir/mods-available/ssl.conf
--- apache2-2.4.10/debian/config-dir/mods-available/ssl.conf	2014-11-08 23:16:56.000000000 +0100
+++ apache2-2.4.10/debian/config-dir/mods-available/ssl.conf	2014-12-22 20:15:07.000000000 +0100
@@ -33,7 +33,7 @@
 	#   Configure the pass phrase gathering process.
 	#   The filtering dialog program (`builtin' is a internal
 	#   terminal dialog) has to provide the pass phrase on stdout.
-	SSLPassPhraseDialog  builtin
+	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
 
 	#   Inter-Process Session Cache:
 	#   Configure the SSL Session Cache: First the mechanism 
diff -Nru apache2-2.4.10/debian/control apache2-2.4.10/debian/control
--- apache2-2.4.10/debian/control	2014-11-17 00:37:59.000000000 +0100
+++ apache2-2.4.10/debian/control	2014-11-22 00:55:05.000000000 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
 Uploaders: Stefan Fritsch <sf@debian.org>, Arno Töll <arno@debian.org>
-Build-Depends: debhelper (>= 8.9.7~), lsb-release, dpkg-dev (>= 1.16.1~),
+Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>= 1.16.1~),
  libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev, zlib1g-dev,
  libssl-dev (>= 0.9.8m), perl,
  liblua5.1-0-dev, libxml2-dev, autotools-dev, gawk | awk
diff -Nru apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff
--- apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/CVE-2014-8109_mod_lua.diff	2014-12-22 19:53:32.000000000 +0100
@@ -0,0 +1,118 @@
+# http://svn.apache.org/viewvc?view=revision&revision=r1642861
+#
+#commit 3f1693d558d0758f829c8b53993f1749ddf6ffcb
+#Author: Jim Jagielski <jim@apache.org>
+#Date:   Tue Dec 2 12:50:59 2014 +0000
+#
+#    Merge r1642499 from trunk:
+#    
+#      *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+#         mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+#         used in multiple Require directives with different arguments.
+#         PR57204 [Edward Lu <Chaosed0 gmail.com>]
+#    
+#    Submitted By: Edward Lu
+#    Committed By: covener
+#    
+#    
+#    Submitted by: covener
+#    Reviewed/backported by: jim
+#    
+#    
+#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1642861 13f79535-47bb-0310-9956-ffa450edef68
+#
+--- apache2.orig/CHANGES
++++ apache2/CHANGES
+@@ -6,6 +6,11 @@ Changes with Apache 2.4.11
+      mod_cache: Avoid a crash when Content-Type has an empty value.
+      PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
+ 
++  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
++     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
++     used in multiple Require directives with different arguments.
++     PR57204 [Edward Lu <Chaosed0 gmail.com>]
++
+   *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+      core: HTTP trailers could be used to replace HTTP headers
+      late during request processing, potentially undoing or
+--- apache2.orig/modules/lua/mod_lua.c
++++ apache2/modules/lua/mod_lua.c
+@@ -66,9 +66,13 @@ typedef struct {
+     const char *file_name;
+     const char *function_name;
+     ap_lua_vm_spec *spec;
+-    apr_array_header_t *args;
+ } lua_authz_provider_spec;
+ 
++typedef struct {
++    lua_authz_provider_spec *spec;
++    apr_array_header_t *args;
++} lua_authz_provider_func;
++
+ apr_hash_t *lua_authz_providers;
+ 
+ typedef struct
+@@ -1692,6 +1696,7 @@ static const char *lua_authz_parse(cmd_p
+ {
+     const char *provider_name;
+     lua_authz_provider_spec *spec;
++    lua_authz_provider_func *func = apr_pcalloc(cmd->pool, sizeof(lua_authz_provider_func));
+ 
+     apr_pool_userdata_get((void**)&provider_name, AUTHZ_PROVIDER_NAME_NOTE,
+                           cmd->temp_pool);
+@@ -1699,16 +1704,17 @@ static const char *lua_authz_parse(cmd_p
+ 
+     spec = apr_hash_get(lua_authz_providers, provider_name, APR_HASH_KEY_STRING);
+     ap_assert(spec != NULL);
++    func->spec = spec;
+ 
+     if (require_line && *require_line) {
+         const char *arg;
+-        spec->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
++        func->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
+         while ((arg = ap_getword_conf(cmd->pool, &require_line)) && *arg) {
+-            APR_ARRAY_PUSH(spec->args, const char *) = arg;
++            APR_ARRAY_PUSH(func->args, const char *) = arg;
+         }
+     }
+ 
+-    *parsed_require_line = spec;
++    *parsed_require_line = func;
+     return NULL;
+ }
+ 
+@@ -1722,7 +1728,8 @@ static authz_status lua_authz_check(requ
+                                                          &lua_module);
+     const ap_lua_dir_cfg *cfg = ap_get_module_config(r->per_dir_config,
+                                                      &lua_module);
+-    const lua_authz_provider_spec *prov_spec = parsed_require_line;
++    const lua_authz_provider_func *prov_func = parsed_require_line;
++    const lua_authz_provider_spec *prov_spec = prov_func->spec;
+     int result;
+     int nargs = 0;
+ 
+@@ -1744,19 +1751,19 @@ static authz_status lua_authz_check(requ
+         return AUTHZ_GENERAL_ERROR;
+     }
+     ap_lua_run_lua_request(L, r);
+-    if (prov_spec->args) {
++    if (prov_func->args) {
+         int i;
+-        if (!lua_checkstack(L, prov_spec->args->nelts)) {
++        if (!lua_checkstack(L, prov_func->args->nelts)) {
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02315)
+                           "Error: authz provider %s: too many arguments", prov_spec->name);
+             ap_lua_release_state(L, spec, r);
+             return AUTHZ_GENERAL_ERROR;
+         }
+-        for (i = 0; i < prov_spec->args->nelts; i++) {
+-            const char *arg = APR_ARRAY_IDX(prov_spec->args, i, const char *);
++        for (i = 0; i < prov_func->args->nelts; i++) {
++            const char *arg = APR_ARRAY_IDX(prov_func->args, i, const char *);
+             lua_pushstring(L, arg);
+         }
+-        nargs = prov_spec->args->nelts;
++        nargs = prov_func->args->nelts;
+     }
+     if (lua_pcall(L, 1 + nargs, 1, 0)) {
+         const char *err = lua_tostring(L, -1);
diff -Nru apache2-2.4.10/debian/patches/series apache2-2.4.10/debian/patches/series
--- apache2-2.4.10/debian/patches/series	2014-11-18 14:57:02.000000000 +0100
+++ apache2-2.4.10/debian/patches/series	2014-12-22 19:53:05.000000000 +0100
@@ -10,3 +10,4 @@
 mpm_event_use_after_free.diff
 mod_ssl_memleak.diff
 mod_ssl-oscp_stapling_crash.diff
+CVE-2014-8109_mod_lua.diff