From e14ab0ad070b4eafa19fc1df81b7b5c3de1dc1b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Mon, 18 Sep 2017 15:41:03 +0200 Subject: [PATCH] gnu: httpd: Patch "options bleed" [fixes CVE-2017-9798]. * gnu/packages/patches/httpd-CVE-2017-9798.patch: New file. * gnu/packages/web.scm (httpd)[source]: Use it. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/httpd-CVE-2017-9798.patch | 22 +++++++++++++++++++ gnu/packages/web.scm | 3 ++- 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/httpd-CVE-2017-9798.patch diff --git a/gnu/local.mk b/gnu/local.mk index c6fc436633..bdd49c6182 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -725,6 +725,7 @@ dist_patch_DATA = \ %D%/packages/patches/heimdal-CVE-2017-11103.patch \ %D%/packages/patches/hmmer-remove-cpu-specificity.patch \ %D%/packages/patches/higan-remove-march-native-flag.patch \ + %D%/packages/patches/httpd-CVE-2017-9798.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \ %D%/packages/patches/hydra-disable-darcs-test.patch \ diff --git a/gnu/packages/patches/httpd-CVE-2017-9798.patch b/gnu/packages/patches/httpd-CVE-2017-9798.patch new file mode 100644 index 0000000000..8391a3db4a --- /dev/null +++ b/gnu/packages/patches/httpd-CVE-2017-9798.patch @@ -0,0 +1,22 @@ +Fixes "options bleed", aka. CVE-2017-9798: + + https://nvd.nist.gov/vuln/detail/CVE-2017-9798 + https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html + +From . + +--- a/server/core.c 2017/08/16 16:50:29 1805223 ++++ b/server/core.c 2017/09/08 13:13:11 1807754 +@@ -2266,6 +2266,12 @@ + /* method has not been registered yet, but resource restriction + * is always checked before method handling, so register it. + */ ++ if (cmd->pool == cmd->temp_pool) { ++ /* In .htaccess, we can't globally register new methods. */ ++ return apr_psprintf(cmd->pool, "Could not register method '%s' " ++ "for %s from .htaccess configuration", ++ method, cmd->cmd->name); ++ } + methnum = ap_method_register(cmd->pool, + apr_pstrdup(cmd->pool, method)); + } diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index 72892ffe22..6c9316a401 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm @@ -107,7 +107,8 @@ (define-public httpd version ".tar.bz2")) (sha256 (base32 - "0fn1778mxhf78np2d8qlycg1c2ak18rxax41plahasca4clc3z3i")))) + "0fn1778mxhf78np2d8qlycg1c2ak18rxax41plahasca4clc3z3i")) + (patches (search-patches "httpd-CVE-2017-9798.patch")))) (build-system gnu-build-system) (native-inputs `(("pcre" ,pcre "bin"))) ;for 'pcre-config' (inputs `(("apr" ,apr)