diff options
Diffstat (limited to 'debian/patches/CVE-2020-1934.patch')
-rw-r--r-- | debian/patches/CVE-2020-1934.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/debian/patches/CVE-2020-1934.patch b/debian/patches/CVE-2020-1934.patch deleted file mode 100644 index 295ab45..0000000 --- a/debian/patches/CVE-2020-1934.patch +++ /dev/null @@ -1,75 +0,0 @@ -Description: fix uninitialized memory when proxying to a malicious FTP server -Author: covener -Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1873745 -Bug: https://security-tracker.debian.org/tracker/CVE-2020-1934 -Forwarded: not-needed -Reviewed-By: Xavier Guimard <yadd@debian.org> -Last-Update: 2020-08-25 - ---- a/modules/proxy/mod_proxy_ftp.c -+++ b/modules/proxy/mod_proxy_ftp.c -@@ -218,7 +218,7 @@ - * (EBCDIC) machines either. - */ - static apr_status_t ftp_string_read(conn_rec *c, apr_bucket_brigade *bb, -- char *buff, apr_size_t bufflen, int *eos) -+ char *buff, apr_size_t bufflen, int *eos, apr_size_t *outlen) - { - apr_bucket *e; - apr_status_t rv; -@@ -230,6 +230,7 @@ - /* start with an empty string */ - buff[0] = 0; - *eos = 0; -+ *outlen = 0; - - /* loop through each brigade */ - while (!found) { -@@ -273,6 +274,7 @@ - if (len > 0) { - memcpy(pos, response, len); - pos += len; -+ *outlen += len; - } - } - apr_bucket_delete(e); -@@ -385,28 +387,35 @@ - char buff[5]; - char *mb = msgbuf, *me = &msgbuf[msglen]; - apr_status_t rv; -+ apr_size_t nread; -+ - int eos; - -- if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) { -+ if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) { - return -1; - } - /* - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, APLOGNO(03233) - "<%s", response); - */ -+ if (nread < 4) { -+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, APLOGNO(10229) "Malformed FTP response '%s'", response); -+ *mb = '\0'; -+ return -1; -+ } - if (!apr_isdigit(response[0]) || !apr_isdigit(response[1]) || -- !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-')) -+ !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-')) - status = 0; - else - status = 100 * response[0] + 10 * response[1] + response[2] - 111 * '0'; - - mb = apr_cpystrn(mb, response + 4, me - mb); - -- if (response[3] == '-') { -+ if (response[3] == '-') { /* multi-line reply "123-foo\nbar\n123 baz" */ - memcpy(buff, response, 3); - buff[3] = ' '; - do { -- if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) { -+ if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) { - return -1; - } - mb = apr_cpystrn(mb, response + (' ' == response[0] ? 1 : 4), me - mb); |