Diffstat (limited to 'debian/patches/CVE-2020-1934.patch')
-rw-r--r--debian/patches/CVE-2020-1934.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/CVE-2020-1934.patch b/debian/patches/CVE-2020-1934.patch
new file mode 100644
index 0000000..295ab45
--- /dev/null
+++ b/debian/patches/CVE-2020-1934.patch
@@ -0,0 +1,75 @@
+Description: fix uninitialized memory when proxying to a malicious FTP server
+Author: covener
+Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1873745
+Bug: https://security-tracker.debian.org/tracker/CVE-2020-1934
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-08-25
+
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -218,7 +218,7 @@
+ * (EBCDIC) machines either.
+ */
+ static apr_status_t ftp_string_read(conn_rec *c, apr_bucket_brigade *bb,
+- char *buff, apr_size_t bufflen, int *eos)
++ char *buff, apr_size_t bufflen, int *eos, apr_size_t *outlen)
+ {
+ apr_bucket *e;
+ apr_status_t rv;
+@@ -230,6 +230,7 @@
+ /* start with an empty string */
+ buff[0] = 0;
+ *eos = 0;
++ *outlen = 0;
+
+ /* loop through each brigade */
+ while (!found) {
+@@ -273,6 +274,7 @@
+ if (len > 0) {
+ memcpy(pos, response, len);
+ pos += len;
++ *outlen += len;
+ }
+ }
+ apr_bucket_delete(e);
+@@ -385,28 +387,35 @@
+ char buff[5];
+ char *mb = msgbuf, *me = &msgbuf[msglen];
+ apr_status_t rv;
++ apr_size_t nread;
++
+ int eos;
+
+- if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) {
++ if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) {
+ return -1;
+ }
+ /*
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL, APLOGNO(03233)
+ "<%s", response);
+ */
++ if (nread < 4) {
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, APLOGNO(10229) "Malformed FTP response '%s'", response);
++ *mb = '\0';
++ return -1;
++ }
+ if (!apr_isdigit(response[0]) || !apr_isdigit(response[1]) ||
+- !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-'))
++ !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-'))
+ status = 0;
+ else
+ status = 100 * response[0] + 10 * response[1] + response[2] - 111 * '0';
+
+ mb = apr_cpystrn(mb, response + 4, me - mb);
+
+- if (response[3] == '-') {
++ if (response[3] == '-') { /* multi-line reply "123-foo\nbar\n123 baz" */
+ memcpy(buff, response, 3);
+ buff[3] = ' ';
+ do {
+- if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) {
++ if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) {
+ return -1;
+ }
+ mb = apr_cpystrn(mb, response + (' ' == response[0] ? 1 : 4), me - mb);
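Review bot: In the multi-line branch, the length from the second `ftp_string_read()` call is stored in `nread` but never checked before `response + (' ' == response[0] ? 1 : 4)` is copied, so the new `nread < 4` guard covers only the first line of a reply. `ftp_string_read()` resets only `buff[0]` on entry, so for a continuation line shorter than four bytes `apr_cpystrn` would, as far as this hunk shows, start past what that call wrote and copy leftover bytes from the previous line. Consider repeating the length check inside the loop before the copy, e.g. `if (nread < 4 && response[0] != ' ') return -1;`. The rest of the `do` loop and the end of the function are outside the hunk, so confirm the loop condition there does not already cover this case.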