Hello Jim and Jan,
I am considering a proposal of backporting this fix to the 2.2 branch.
At first look, this fix doesn't apply to 2.2 code.
But I noticed that the pertinent code has been refactored between 2.2
and 2.4.
The same problem exists in 2.2, but just in a different location.
In 2.2, the problem is in the store_headers function in
modules/cache/mod_disk_cache.c.
Are either of you interested in working a patch for this?
Otherwise, I will look at it myself in a few days.
Thanks,
Mike Rumph
On 9/26/2014 4:00 AM, j...@apache.org wrote:
Author: jim
Date: Fri Sep 26 11:00:14 2014
New Revision: 1627749
URL: http://svn.apache.org/r1627749
Log:
Merge r1624234 from trunk:
SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer deference
in Content-Type handling.
mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
Submitted By: Mark Montague <mark catseye.org>
Reviewed By: Jan Kaluza
Submitted by: jkaluza
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1624234
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
@@ -2,6 +2,10 @@
Changes with Apache 2.4.11
+ *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+ mod_cache: Avoid a crash when Content-Type has an empty value.
+ PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
+
*) mod_cache: Avoid sending 304 responses during failed revalidations
PR56881. [Eric Covener]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
@@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type has an empty
- value. PR56924.
- trunk patch: http://svn.apache.org/r1624234
- 2.4.x patch: trunk works (modulo CHANGES)
- +1: jkaluza, jim, ylavic
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
+++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26 11:00:14
2014
@@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
if (r->content_type
&& !apr_table_get(headers_out, "Content-Type")) {
- apr_table_setn(headers_out, "Content-Type",
- ap_make_content_type(r, r->content_type));
+ const char *ctype = ap_make_content_type(r, r->content_type);
+ if (ctype) {
+ apr_table_setn(headers_out, "Content-Type", ctype);
+ }
}
if (r->content_encoding
