From: Jeff Trawick Date: Mon, 6 Jul 2009 12:03:20 +0000 (+0000) Subject: SECURITY: CVE-2009-1891 (cve.mitre.org) X-Git-Tag: 2.2.12~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97c2b58380e66317cb5fc1c445009761c119b9a7;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. [Joe Orton, Ruediger Pluem] Submitted by: jorton, rpluem Reviewed by: jim, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@791454 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index b0b4d41488f..d12c9d7872d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@  -*- coding: utf-8 -*- Changes with Apache 2.2.12 + *) SECURITY: CVE-2009-1891 (cve.mitre.org) + Fix a potential Denial-of-Service attack against mod_deflate or other + modules, by forcing the server to consume CPU time in compressing a + large file after a client disconnects. [Joe Orton, Ruediger Pluem] + *) SECURITY: CVE-2009-1195 (cve.mitre.org) Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. diff --git a/STATUS b/STATUS index 3a1b57d05a7..20dc249f254 100644 --- a/STATUS +++ b/STATUS 
@@ -85,27 +85,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * SECURITY: CVE-2009-1891 (cve.mitre.org) - Fix a potential Denial-of-Service attack against mod_deflate or - other modules, by forcing the server to consume CPU time in - compressing a large file after a client disconnects. - 2.2.x patches: - http://people.apache.org/~jorton/CVE-2009-1891.1.diff - http://people.apache.org/~jorton/CVE-2009-1891.2.diff - Trunk version of patch: - #1 folded in during core output filter refactoring - #2 http://svn.apache.org/viewvc?view=rev&revision=521681 - +1: jorton, jim, rpluem - rpluem asks: Are we sure that b is never NULL? - Otherwise we would need to add - http://svn.apache.org/viewvc?view=rev&revision=568202 - as on trunk to avoid segfaults. - trawick responds: if b were NULL, we would have segfaulted earlier - when ap_pass_brigade "calls" APR_BRIGADE_LAST(bb) - rpluem: Ahh good point. Meanwhile I had a look at trunk and the - event MPM is calling the core output filter directly without - ap_pass_brigade. So I am +1. - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/server/core_filters.c b/server/core_filters.c index acbe1901105..c2ebe981c8f 100644 --- a/server/core_filters.c +++ b/server/core_filters.c @@ -542,6 +542,12 @@ apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b) apr_read_type_e eblock = APR_NONBLOCK_READ; apr_pool_t *input_pool = b->p; + /* Fail quickly if the connection has already been aborted. */ + if (c->aborted) { + apr_brigade_cleanup(b); + return APR_ECONNABORTED; + } + if (ctx == NULL) { ctx = apr_pcalloc(c->pool, sizeof(*ctx)); net->out_ctx = ctx; 
@@ -909,12 +915,9 @@ apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b) /* No need to check for SUCCESS, we did that above. */ if (!APR_STATUS_IS_EAGAIN(rv)) { c->aborted = 1; + return APR_ECONNABORTED; } - /* The client has aborted, but the request was successful. We - * will report success, and leave it to the access and error - * logs to note that the connection was aborted. - */ return APR_SUCCESS; }
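Review bot: the new CHANGES entry describes the symptom but not the observable behaviour change made in server/core_filters.c: ap_core_output_filter now returns APR_ECONNABORTED (where it previously returned APR_SUCCESS) once the client has disconnected, so third-party output filters and handlers that check the return value of ap_pass_brigade will start seeing a non-success status after a client abort. Suggest adding one sentence to the entry, e.g. "The core output filter now returns APR_ECONNABORTED once the connection has been aborted.", so module authors reading the release notes know to expect and handle it.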
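Review bot: the STATUS lines being removed are the only record of why the new dereference of `b` in the core output filter is considered safe (trawick: a NULL `b` would already have faulted in ap_pass_brigade when it evaluates APR_BRIGADE_LAST(bb)) and of the caveat that on trunk the event MPM calls the core output filter directly without going through ap_pass_brigade, which is why r568202 was needed there. Dropping an accepted proposal from STATUS is routine, but that reasoning should survive somewhere, ideally as a comment beside the new check in server/core_filters.c, since nothing left in 2.2.x now explains why the r568202 guard was judged unnecessary for this branch.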
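Review bot: the new `if (c->aborted)` early return is placed after `apr_pool_t *input_pool = b->p;`, so it already relies on `b` being non-NULL; the comment should say so explicitly ("b is dereferenced above, so no NULL check is needed here") to close the question raised during the STATUS discussion rather than leaving a reader to reconstruct it. Placing the check ahead of the `ctx == NULL` initialisation is fine, since nothing in this path needs `ctx`, but note that `apr_brigade_cleanup(b)` only discards the brigade handed in on this call; the comment could state that this is intentional and that anything allocated from `c->pool` is released when the connection is torn down.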
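Review bot: in the `!APR_STATUS_IS_EAGAIN(rv)` branch the actual write error in `rv` is discarded in favour of the fixed APR_ECONNABORTED, and the removed comment was the only explanation of the previous policy of reporting success and leaving it to the access and error logs to note the abort. Returning an error here is the right change, since it is what stops mod_deflate and other upstream filters from continuing to spend CPU on output for a connection that is gone, but suggest (a) a replacement comment recording the new policy, and (b) either returning `rv` itself or logging it at debug level before returning APR_ECONNABORTED, so the underlying socket error is not lost for diagnosis. It is also worth confirming that handlers which log a non-success return from ap_pass_brigade at error level do not now emit an entry on every ordinary client disconnect.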