1 files changed, 72 insertions, 0 deletions

diff --git a/debian/patches/CVE-2019-10097.patch b/debian/patches/CVE-2019-10097.patch
new file mode 100644
index 0000000..0be05f5
--- /dev/null
+++ b/debian/patches/CVE-2019-10097.patch
@@ -0,0 +1,72 @@
+Description: Fix for CVE-2019-10097
+Author: jorton
+Origin: upstream, https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864613
+Bug: https://security-tracker.debian.org/tracker/CVE-2019-10097
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-08-17
+
+--- a/modules/metadata/mod_remoteip.c
++++ b/modules/metadata/mod_remoteip.c
+@@ -987,15 +987,13 @@
+                     return HDR_ERROR;
+ #endif
+                 default:
+-                    /* unsupported protocol, keep local connection address */
+-                    return HDR_DONE;
++                    /* unsupported protocol */
++                    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183)
++                                  "RemoteIPProxyProtocol: unsupported protocol %.2hx",
++                                  (unsigned short)hdr->v2.fam);
++                    return HDR_ERROR;
+             }
+             break;  /* we got a sockaddr now */
+-
+-        case 0x00: /* LOCAL command */
+-            /* keep local connection address for LOCAL */
+-            return HDR_DONE;
+-
+         default:
+             /* not a supported command */
+             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03507)
+@@ -1087,11 +1085,24 @@
+     /* try to read a header's worth of data */
+     while (!ctx->done) {
+         if (APR_BRIGADE_EMPTY(ctx->bb)) {
+-            ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block,
+-                                 ctx->need - ctx->rcvd);
++            apr_off_t got, want = ctx->need - ctx->rcvd;
++
++            ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want);
+             if (ret != APR_SUCCESS) {
++                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10184)
++                              "failed reading input");
+                 return ret;
+             }
++
++            ret = apr_brigade_length(ctx->bb, 1, &got);
++            if (ret || got > want) {
++                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185)
++                              "RemoteIPProxyProtocol header too long, "
++                              "got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT,
++                              got, want);
++                f->c->aborted = 1;
++                return APR_ECONNABORTED;
++            }
+         }
+         if (APR_BRIGADE_EMPTY(ctx->bb)) {
+             return block == APR_NONBLOCK_READ ? APR_SUCCESS : APR_EOF;
+@@ -1139,6 +1150,13 @@
+                 if (ctx->rcvd >= MIN_V2_HDR_LEN) {
+                     ctx->need = MIN_V2_HDR_LEN +
+                         remoteip_get_v2_len((proxy_header *) ctx->header);
++                    if (ctx->need > sizeof(proxy_v2)) {
++                        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186)
++                                      "RemoteIPProxyProtocol protocol header length too long");
++                        f->c->aborted = 1;
++                        apr_brigade_destroy(ctx->bb);
++                        return APR_ECONNABORTED;
++                    }
+                 }
+                 if (ctx->rcvd >= ctx->need) {
+                     psts = remoteip_process_v2_header(f->c, conn_conf,