On Fri, Jun 21, 2013 at 2:43 PM, William A. Rowe Jr. <[email protected]> wrote:

> On Fri, 21 Jun 2013 13:19:36 -0400
> Jeff Trawick <[email protected]> wrote:
>
> > Even with the CVE-2011-3607 it is still possible to DOS the server by
> > consuming huge amounts of memory with mod_setenvif using a specially
> > crafted configuration.
> >
> > Here's a backport of an existing fix in 2.4.x which resolves the
> > issue I reproduced. Note that unlike in 2.4.x we need ap_pregsub to
> > handle somewhat arbitrary string lengths. I picked 64MB, which can
> > be overridden at compile time.
> >
> > http://people.apache.org/~trawick/ap_pregsub_ex_22x.txt
> >
> > This is essentially a grab of ap_pregsub/ap_pregsub_ex from 2.4.x
> > HEAD with the minimal required changes plus
> > http://svn.apache.org/viewvc?view=revision&revision=1198966
> >
> > See the XXX notes in the patch for apparent semantic changes which I
> > probably need to back out. (I haven't researched that yet.)
> >
> > Normally we use STATUS to track this but I don't think it is as
> > polished as we normally expect. Still to do (tomorrow?): Investigate
> > the XXX's, run the regression suite.
> >
> > Concerns with the patch?
> >
> > Interested in any of this in the final 2.0.x release?
>
> I am happy to hold up a short while to adopt this patch. I'm neutral
> on adding it to 2.0.x but will certainly pause for it to be committed
> if others agree and will review the 2.0.x backport.

I'm not motivated to put it in 2.0.x either, but if anyone has time to play I will assist if I can.

I have a new patch -- http://people.apache.org/~trawick/ap_pregsub_ex_22x-2.txt -- which resolves the XXX's by removing Stefan's semantic changes for 2.4.x, revisions 904765 and 1307067. The previous patch has been renamed to http://people.apache.org/~trawick/ap_pregsub_ex_22x-bad.txt.

The code looks good to me now, but I need to spend a little time getting more tests to run on 2.2.x and compare the failures I'm seeing with unmodified 2.2.x HEAD, and verify that ap_pregsub_ex() is working*.

At that point I will move it to 2.2.x/STATUS.

*2.4.x's mod_substitute uses ap_pregsub_ex(), but that is wrapped up in a lot of other changes.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
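The defensive idea behind the patch discussed in this thread is that a backreference-expanding substitution must compute the size of its result, and refuse once that size passes a cap, before it allocates anything; otherwise a template that repeats a large capture many times can drive memory use without bound. The following is an added illustration written for this page, not the httpd patch at the URLs above and not httpd's ap_pregsub_ex(): it implements a small bounded substitution on top of POSIX regex.h with a two-pass (measure, then fill) design. The function names, the `SUBST_MAX_LEN` macro and the 64MB default that echoes the figure in the thread are all assumptions of this example.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustrative cap on the expanded result, chosen to echo the 64MB figure
 * mentioned in the thread. The macro name and value are assumptions of this
 * example, not httpd's. Overridable at compile time with -DSUBST_MAX_LEN=... */
#ifndef SUBST_MAX_LEN
#define SUBST_MAX_LEN (64 * 1024 * 1024)
#endif

#define SUBST_NMATCH 10  /* backreferences $0..$9 / \0..\9 */

/* Pass 1: compute the expanded length of `tmpl` for this match, returning -1
 * as soon as it would exceed `max`. Measuring before allocating is what keeps
 * a template such as "$1$1$1$1..." from allocating an unbounded buffer. */
static int subst_expansion_len(const char *tmpl, const regmatch_t *m,
                               size_t max, size_t *out_len)
{
    size_t len = 0;
    const char *p;

    for (p = tmpl; *p; p++) {
        if ((*p == '$' || *p == '\\') && p[1] >= '0' && p[1] <= '9') {
            int idx = p[1] - '0';
            p++;                                   /* consume the digit */
            if (m[idx].rm_so != -1) {              /* group participated */
                size_t piece = (size_t)(m[idx].rm_eo - m[idx].rm_so);
                if (piece > max - len)             /* len <= max holds here */
                    return -1;
                len += piece;
            }
        } else {
            if (len >= max)
                return -1;
            len++;
        }
    }
    *out_len = len;
    return 0;
}

/* Pass 2: write the expansion into `dst`, sized by pass 1 (len + 1 bytes). */
static void subst_expand(char *dst, const char *tmpl, const char *subject,
                         const regmatch_t *m)
{
    const char *p;

    for (p = tmpl; *p; p++) {
        if ((*p == '$' || *p == '\\') && p[1] >= '0' && p[1] <= '9') {
            int idx = p[1] - '0';
            p++;
            if (m[idx].rm_so != -1) {
                size_t piece = (size_t)(m[idx].rm_eo - m[idx].rm_so);
                memcpy(dst, subject + m[idx].rm_so, piece);
                dst += piece;
            }
        } else {
            *dst++ = *p;
        }
    }
    *dst = '\0';
}

/* Bounded substitution (hypothetical API): match `pattern` (POSIX ERE) against
 * `subject` and expand `tmpl`. Returns a malloc'd string, or NULL when the
 * pattern is invalid, does not match, or the result would exceed `max` bytes.
 * The caller frees the result. */
char *bounded_pregsub(const char *pattern, const char *subject,
                      const char *tmpl, size_t max)
{
    regex_t re;
    regmatch_t m[SUBST_NMATCH];
    size_t len;
    char *out;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return NULL;
    if (regexec(&re, subject, SUBST_NMATCH, m, 0) != 0) {
        regfree(&re);
        return NULL;
    }
    regfree(&re);                                  /* offsets in m stay valid */

    if (subst_expansion_len(tmpl, m, max, &len) != 0)
        return NULL;                               /* too large: refuse, no alloc */

    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    subst_expand(out, tmpl, subject, m);
    return out;
}

int main(void)
{
    /* Constructed inputs: a normal rewrite, and a template that repeats a
     * capture ten times, which a small cap refuses rather than allocating. */
    char *ok = bounded_pregsub("([a-z]+)@([a-z]+)", "alice@example",
                               "$2 gets mail for $1", SUBST_MAX_LEN);
    char *refused = bounded_pregsub("(.*)", "aaaaaaaaaa",
                                    "$1$1$1$1$1$1$1$1$1$1", 64);
    printf("ok: %s\n", ok ? ok : "(null)");
    printf("refused: %s\n", refused ? refused : "(null)");
    free(ok);
    free(refused);
    return 0;
}
```

The cap is checked with `piece > max - len` rather than `len + piece > max` so the comparison itself cannot overflow; a real implementation would also want to reject a backreference to a group the pattern does not define, which this example silently expands to nothing because regexec() sets those offsets to -1.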
