authorStefan Fritsch <sf@sfritsch.de>2013-02-23 12:54:53 +0100
committerStefan Fritsch <sf@sfritsch.de>2013-02-23 12:54:53 +0100
commit18fff7f12457886d6cf27cafe42b34e2f39f880f (patch)
tree1c80920ef16fa9d782e796ecf6eb014188f19981
parent705113418bab5b7c5d9d66a436ffde83b7691ac0 (diff)
downloadapache2-18fff7f12457886d6cf27cafe42b34e2f39f880f.tar.gz
CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
-rw-r--r--debian/changelog6
-rw-r--r--debian/patches/00list1
-rwxr-xr-xdebian/patches/302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch208
3 files changed, 215 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index babe2963..5b90c91e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache2 (2.2.16-6+squeeze11) UNRELEASED; urgency=high
+
+ * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
+
+ -- Stefan Fritsch <sf@debian.org> Sat, 23 Feb 2013 12:52:40 +0100
+
apache2 (2.2.16-6+squeeze10) squeeze-security; urgency=low
[ Arno Töll ]
diff --git a/debian/patches/00list b/debian/patches/00list
index c989d877..05e037e9 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -45,3 +45,4 @@
202_suexec-custom.dpatch
300_disable-ssl-compression.dpatch
301_CVE-2012-4557_proxy_ajp.dpatch
+302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch
diff --git a/debian/patches/302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch b/debian/patches/302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch
new file mode 100755
index 00000000..d39682e9
--- /dev/null
+++ b/debian/patches/302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch
@@ -0,0 +1,208 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: http://svn.apache.org/viewvc?view=revision&revision=r1447390
+## DP:
+## DP: *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+## DP: Various XSS flaws due to unescaped hostnames and URIs HTML output in
+## DP: mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+## DP: [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+## DP:
+## DP: *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+## DP: XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+## DP: Niels Heinen <heinenn google com>]
+@DPATCH@
+Index: apache2/modules/ldap/util_ldap_cache_mgr.c
+===================================================================
+--- apache2.orig/modules/ldap/util_ldap_cache_mgr.c
++++ apache2/modules/ldap/util_ldap_cache_mgr.c
+@@ -541,7 +541,7 @@
+ if (id) {
+ buf2 = apr_psprintf(p,
+ "<a href=\"%s?%s\">%s</a>",
+- r->uri,
++ ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)),
+ id,
+ name);
+ }
+Index: apache2/modules/proxy/mod_proxy_balancer.c
+===================================================================
+--- apache2.orig/modules/proxy/mod_proxy_balancer.c
++++ apache2/modules/proxy/mod_proxy_balancer.c
+@@ -818,7 +818,8 @@
+ ap_rputs(DOCTYPE_HTML_3_2
+ "<html><head><title>Balancer Manager</title></head>\n", r);
+ ap_rputs("<body><h1>Load Balancer Manager for ", r);
+- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
++ "</h1>\n\n", NULL);
+ ap_rvputs(r, "<dl><dt>Server Version: ",
+ ap_get_server_description(), "</dt>\n", NULL);
+ ap_rvputs(r, "<dt>Server Built: ",
+@@ -853,7 +854,8 @@
+ worker = (proxy_worker *)balancer->workers->elts;
+ for (n = 0; n < balancer->workers->nelts; n++) {
+ char fbuf[50];
+- ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
++ ap_rvputs(r, "<tr>\n<td><a href=\"",
++ ap_escape_uri(r->pool, r->uri), "?b=",
+ balancer->name + sizeof("balancer://") - 1, "&w=",
+ ap_escape_uri(r->pool, worker->name),
+ "&nonce=", balancer_nonce,
+@@ -894,7 +896,7 @@
+ ap_rputs("<h3>Edit worker settings for ", r);
+ ap_rvputs(r, wsel->name, "</h3>\n", NULL);
+ ap_rvputs(r, "<form method=\"GET\" action=\"", NULL);
+- ap_rvputs(r, r->uri, "\">\n<dl>", NULL);
++ ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n<dl>", NULL);
+ ap_rputs("<table><tr><td>Load factor:</td><td><input name=\"lf\" type=text ", r);
+ ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbfactor);
+ ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);
+Index: apache2/modules/proxy/mod_proxy_ftp.c
+===================================================================
+--- apache2.orig/modules/proxy/mod_proxy_ftp.c
++++ apache2/modules/proxy/mod_proxy_ftp.c
+@@ -365,7 +365,9 @@
+ " </head>\n"
+ " <body>\n <h2>Directory of "
+ "<a href=\"/\">%s</a>/%s",
+- site, basedir, escpath, site, basedir, escpath, site, str);
++ ap_escape_html(p, site), basedir, escpath,
++ ap_escape_uri(p, site), basedir, escpath,
++ ap_escape_uri(p, site), str);
+
+ APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str),
+ p, c->bucket_alloc));
+Index: apache2/modules/mappers/mod_imagemap.c
+===================================================================
+--- apache2.orig/modules/mappers/mod_imagemap.c
++++ apache2/modules/mappers/mod_imagemap.c
+@@ -320,7 +320,7 @@
+ /*
+ * returns the mapped URL or NULL.
+ */
+-static char *imap_url(request_rec *r, const char *base, const char *value)
++static const char *imap_url(request_rec *r, const char *base, const char *value)
+ {
+ /* translates a value into a URL. */
+ int slen, clen;
+@@ -342,7 +342,7 @@
+ if (!strcasecmp(value, "referer")) {
+ referer = apr_table_get(r->headers_in, "Referer");
+ if (referer && *referer) {
+- return ap_escape_html(r->pool, referer);
++ return referer;
+ }
+ else {
+ /* XXX: This used to do *value = '\0'; ... which is totally bogus
+@@ -459,7 +459,7 @@
+ return my_base;
+ }
+
+-static int imap_reply(request_rec *r, char *redirect)
++static int imap_reply(request_rec *r, const char *redirect)
+ {
+ if (!strcasecmp(redirect, "error")) {
+ /* they actually requested an error! */
+@@ -523,42 +523,52 @@
+ 'formatted' form */
+ }
+
+-static void menu_default(request_rec *r, char *menu, char *href, char *text)
++static void menu_default(request_rec *r, const char *menu, const char *href, const char *text)
+ {
++ char *ehref, *etext;
+ if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
+ return; /* don't print such lines, these aren't
+ really href's */
+ }
++
++ ehref = ap_escape_uri(r->pool, href);
++ etext = ap_escape_html(r->pool, text);
++
+ if (!strcasecmp(menu, "formatted")) {
+- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "semiformatted")) {
+- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "unformatted")) {
+- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
+ }
+ return;
+ }
+
+-static void menu_directive(request_rec *r, char *menu, char *href, char *text)
++static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text)
+ {
++ char *ehref, *etext;
+ if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
+ return; /* don't print such lines, as this isn't
+ really an href */
+ }
++
++ ehref = ap_escape_uri(r->pool, href);
++ etext = ap_escape_html(r->pool, text);
++
+ if (!strcasecmp(menu, "formatted")) {
+- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "semiformatted")) {
+- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "unformatted")) {
+- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
+ }
+ return;
+ }
+@@ -574,9 +584,9 @@
+ char *directive;
+ char *value;
+ char *href_text;
+- char *base;
+- char *redirect;
+- char *mapdflt;
++ const char *base;
++ const char *redirect;
++ const char *mapdflt;
+ char *closest = NULL;
+ double closest_yet = -1;
+ apr_status_t status;
+Index: apache2/modules/generators/mod_status.c
+===================================================================
+--- apache2.orig/modules/generators/mod_status.c
++++ apache2/modules/generators/mod_status.c
+@@ -409,7 +409,8 @@
+ "<html><head>\n<title>Apache Status</title>\n</head><body>\n",
+ r);
+ ap_rputs("<h1>Apache Server Status for ", r);
+- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
++ "</h1>\n\n", NULL);
+ ap_rvputs(r, "<dl><dt>Server Version: ",
+ ap_get_server_description(), "</dt>\n", NULL);
+ ap_rvputs(r, "<dt>Server Built: ",
+Index: apache2/modules/generators/mod_info.c
+===================================================================
+--- apache2.orig/modules/generators/mod_info.c
++++ apache2/modules/generators/mod_info.c
+@@ -371,7 +371,8 @@
+ MODULE_MAGIC_NUMBER_MINOR);
+ ap_rprintf(r,
+ "<dt><strong>Hostname/port:</strong> "
+- "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r),
++ "<tt>%s:%u</tt></dt>\n",
++ ap_escape_html(r->pool, ap_get_server_name(r)),
+ ap_get_server_port(r));
+ ap_rprintf(r,
+ "<dt><strong>Timeouts:</strong> "