authorStefan Fritsch <sf@debian.org>2009-09-27 08:46:07 +0000
committerStefan Fritsch <sf@sfritsch.de>2012-01-02 10:37:22 +0100
commit17aa50a16b911d392a809efdf44c04b4df0bc3fc (patch)
treeee7e74943fa5b42f5ea6d18aa0c2b116d59f8f9a
parent699ddad7ba2daca1992731731805be384927ed2e (diff)
downloadapache2-17aa50a16b911d392a809efdf44c04b4df0bc3fc.tar.gz
CVE-2009-309[45]
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/branches/lenny-apache2@1060 01b336ce-410b-0410-9a02-a0e7f243c266
-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/00list2
-rw-r--r--debian/patches/074_CVE-2009-3094.dpatch116
-rw-r--r--debian/patches/075_CVE-2009-3095.dpatch33
4 files changed, 155 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 3b81c393..4587deed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
apache2 (2.2.9-10+lenny5) UNRELEASED; urgency=low
+ * Minor security fixes in mod_proxy_ftp (closes: #545951):
+ - DoS by malicious ftp server (CVE-2009-3094)
+ - missing input sanitization: a user could execute arbitrary ftp commands
+ on the backend ftp server (CVE-2009-3095)
* Take care to not override existing index.shtml files when upgrading from
before 2.2.8-1 (closes: #517089).
* mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
diff --git a/debian/patches/00list b/debian/patches/00list
index eb20c164..6547edab 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -32,6 +32,8 @@
071_CVE-2009-1891.dpatch
072_CVE-2009-1890.dpatch
073_no_deflate_for_HEAD.dpatch
+074_CVE-2009-3094.dpatch
+075_CVE-2009-3095.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
diff --git a/debian/patches/074_CVE-2009-3094.dpatch b/debian/patches/074_CVE-2009-3094.dpatch
new file mode 100644
index 00000000..46817db0
--- /dev/null
+++ b/debian/patches/074_CVE-2009-3094.dpatch
@@ -0,0 +1,116 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
+
+@DPATCH@
+commit 239d6a38f8fba2a2e03ee632985706a0a77d60dd
+Author: Graham Leggett <minfrin@apache.org>
+Date: Mon Sep 14 20:51:49 2009 +0000
+
+ Backport 814652, 814785
+ CVE-2009-3094: mod_proxy_ftp NULL pointer dereference on error paths.
+ Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814844 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index 639f9f8..fdcfc6a 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -604,6 +604,31 @@ static apr_status_t proxy_send_dir_filter(ap_filter_t *f,
+ return APR_SUCCESS;
+ }
+
++/* Parse EPSV reply and return port, or zero on error. */
++static apr_port_t parse_epsv_reply(const char *reply)
++{
++ const char *p;
++ char *ep;
++ long port;
++
++ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
++ * can be any character in ASCII from 33-126, obscurely. Verify
++ * the syntax. */
++ p = ap_strchr_c(reply, '(');
++ if (p == NULL || !p[1] || p[1] != p[2] || p[1] != p[3]
++ || p[4] == p[1]) {
++ return 0;
++ }
++
++ errno = 0;
++ port = strtol(p + 4, &ep, 10);
++ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') {
++ return 0;
++ }
++
++ return (apr_port_t)port;
++}
++
+ /*
+ * Generic "send FTP command to server" routine, using the control socket.
+ * Returns the FTP returncode (3 digit code)
+@@ -1210,26 +1235,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage);
+ }
+ else if (rc == 229) {
+- char *pstr;
+- char *tok_cntx;
++ /* Parse the port out of the EPSV reply. */
++ data_port = parse_epsv_reply(ftpmessage);
+
+- pstr = ftpmessage;
+- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */
+- if (pstr != NULL) {
+- if (*(pstr + strlen(pstr) + 1) == '=') {
+- pstr += strlen(pstr) + 2;
+- }
+- else {
+- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address &
+- * port params */
+- if (pstr != NULL)
+- pstr = apr_strtok(NULL, ")", &tok_cntx);
+- }
+- }
+-
+- if (pstr) {
++ if (data_port) {
+ apr_sockaddr_t *epsv_addr;
+- data_port = atoi(pstr + 3);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "proxy: FTP: EPSV contacting remote host on port %d",
+@@ -1272,10 +1282,6 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ connect = 1;
+ }
+ }
+- else {
+- /* and try the regular way */
+- apr_socket_close(data_sock);
+- }
+ }
+ }
+
+@@ -1364,10 +1370,6 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ connect = 1;
+ }
+ }
+- else {
+- /* and try the regular way */
+- apr_socket_close(data_sock);
+- }
+ }
+ }
+ /*bypass:*/
+@@ -1851,7 +1853,9 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ * for a slow client to eat these bytes
+ */
+ ap_flush_conn(data);
+- apr_socket_close(data_sock);
++ if (data_sock) {
++ apr_socket_close(data_sock);
++ }
+ data_sock = NULL;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "proxy: FTP: data connection closed");
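Review bot: parse_epsv_reply accepts a port field that begins with whitespace or a '+' sign, because the line `port = strtol(p + 4, &ep, 10);` lets strtol skip leading blanks and a sign before the digits, so a reply such as `(||| 21|)` or `(|||+21|)` passes the syntax check although RFC 2428 gives the port as plain decimal digits; adding `|| p[4] < '0' || p[4] > '9'` to the existing `if (p == NULL || ...)` condition would reject both. The comment above that check describes the delimiter as any ASCII 33-126 character but the code never enforces that range; it does not need to, since strtol stops at any non-digit and `ep[0] != p[1]` then fails, and the comment could say so to avoid a reader looking for the missing range check. The hunks at `@@ -1272,10 +1282,6 @@` and `@@ -1364,10 +1370,6 @@` drop the `else { apr_socket_close(data_sock); }` fallbacks, so data_sock is no longer closed when the EPSV reply does not parse; whether the later PASV/PORT path reuses or recreates that socket is outside these hunks and worth confirming so that a malformed reply does not leak a socket per request. proxy_ftp_handler itself starts and ends outside the hunk.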
diff --git a/debian/patches/075_CVE-2009-3095.dpatch b/debian/patches/075_CVE-2009-3095.dpatch
new file mode 100644
index 00000000..55efe1c4
--- /dev/null
+++ b/debian/patches/075_CVE-2009-3095.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+
+@DPATCH@
+commit 5e9bca418ec4087e398053dac44348b977b219e8
+Author: Graham Leggett <minfrin@apache.org>
+Date: Mon Sep 14 20:53:28 2009 +0000
+
+ Backport 814045
+ CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.
+ Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@814847 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index fdcfc6a..924ac31 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -912,6 +912,11 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
+ && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
+ && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
++ /* Check the decoded string for special characters. */
++ if (!ftp_check_string(password)) {
++ return ap_proxyerror(r, HTTP_BAD_REQUEST,
++ "user credentials contained invalid character");
++ }
+ /*
+ * Note that this allocation has to be made from r->connection->pool
+ * because it has the lifetime of the connection. The other
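Review bot: The new guard `if (!ftp_check_string(password))` calls a helper that this patch does not define, so the backport relies on ftp_check_string already existing in the 2.2.9 mod_proxy_ftp.c; it is worth confirming that the 2.2.9 version rejects CR and LF in particular, since those are the characters that would let a decoded credential terminate the USER/PASS command early, rather than only the characters relevant to its original caller. The nested index line `fdcfc6a..924ac31` matches the post-image of 074_CVE-2009-3094.dpatch, so the two entries added to 00list must keep the order given there. The check runs only on the Basic Authorization path; whether credentials supplied in the request URL reach the same sanity check is outside this hunk. The comment `/* Check the decoded string for special characters. */` could state the purpose, e.g. `/* Reject control characters so the credentials cannot inject additional FTP commands. */`; the enclosing proxy_ftp_handler starts and ends outside the hunk.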