1 files changed, 45 insertions, 0 deletions

diff --git a/debian/patches/CVE-2020-11984.patch b/debian/patches/CVE-2020-11984.patch
new file mode 100644
index 0000000..409f958
--- /dev/null
+++ b/debian/patches/CVE-2020-11984.patch
@@ -0,0 +1,45 @@
+Description: fix error out on HTTP header larger than 16K
+ The uwsgi protocol does not let us serialize more than 16K of HTTP header,
+ so fail early with 500 if it happens.
+Author: ylavic
+Origin: upstream, https://github.com/apache/httpd/commit/0c543e3f
+Bug: https://security-tracker.debian.org/tracker/CVE-2020-11984
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-08-25
+
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -136,7 +136,7 @@
+     int j;
+ 
+     apr_size_t headerlen = 4;
+-    apr_uint16_t pktsize, keylen, vallen;
++    apr_size_t pktsize, keylen, vallen;
+     const char *script_name;
+     const char *path_info;
+     const char *auth;
+@@ -177,6 +177,14 @@
+     for (j = 0; j < env_table->nelts; ++j) {
+         headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
+     }
++    pktsize = headerlen - 4;
++    if (pktsize > APR_UINT16_MAX) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10259)
++                      "can't send headers to %s:%u: packet size too "
++                      "large (%" APR_SIZE_T_FMT ")",
++                      conn->hostname, conn->port, pktsize);
++        return HTTP_INTERNAL_SERVER_ERROR;
++    }
+ 
+     ptr = buf = apr_palloc(r->pool, headerlen);
+ 
+@@ -196,8 +204,6 @@
+         ptr += vallen;
+     }
+ 
+-    pktsize = headerlen - 4;
+-
+     buf[0] = 0;
+     buf[1] = (apr_byte_t) (pktsize & 0xff);
+     buf[2] = (apr_byte_t) ((pktsize >> 8) & 0xff);