On Mon, Aug 6, 2012 at 4:23 AM, Luciano Bello <[email protected]> wrote: > Sébastien Bocahu reported to the security team: >> patch that was applied by Debian exposes Apache to segfaults under specific >> crafted requests. >> >> The magick request is the following: >> curl -H "x-forwarded-for: 1'\"5000" -H "Host: a.vhost.example.com" >> reverseproxy >> >> Apache processes will segfault, hence a potential DOS issue. > > Please, prepare a minimal patch for stable and contact the security team to > update the package.
Attached updated 030_ipv6.patch.
PS: Updated package (maintainer info was changed too):
http://mentors.debian.net/debian/pool/main/liba/libapache2-mod-rpaf/libapache2-mod-rpaf_0.5-3+squeeze1.dsc
diff -ru mod_rpaf-0.5/mod_rpaf-2.0.c mod_rpaf-0.5.new/mod_rpaf-2.0.c
--- mod_rpaf-0.5/mod_rpaf-2.0.c 2007-10-30 14:36:51.000000000 +0100
+++ mod_rpaf-0.5.new/mod_rpaf-2.0.c 2007-10-30 14:37:47.000000000 +0100
@@ -72,6 +72,8 @@
#include "http_vhost.h"
#include "apr_strings.h"
+#include <arpa/inet.h>
+
module AP_MODULE_DECLARE_DATA rpaf_module;
typedef struct {
@@ -168,6 +170,10 @@
ap_register_cleanup(r->pool, (void *)r, rpaf_cleanup, ap_null_cleanup);
r->connection->remote_ip = apr_pstrdup(r->connection->pool, last_not_in_array(arr, cfg->proxy_ips));
r->connection->remote_addr->sa.sin.sin_addr.s_addr = inet_addr(r->connection->remote_ip);
+ apr_sockaddr_t *tmpsa;
+ int ret = apr_sockaddr_info_get(&tmpsa, r->connection->remote_ip, APR_UNSPEC, r->connection->remote_addr->port, 0, r->connection->remote_addr->pool);
+ if (ret == APR_SUCCESS)
+ memcpy(r->connection->remote_addr, tmpsa, sizeof(apr_sockaddr_t));
if (cfg->sethostname) {
const char *hostvalue;
if (hostvalue = apr_table_get(r->headers_in, "X-Forwarded-Host")) {
signature.asc
Description: Digital signature
