I thought at the time the discussion was that ap_make_content_type in
those releases never returned NULL.

On Tue, Oct 14, 2014 at 1:01 PM, Mike Rumph <mike.ru...@oracle.com> wrote:

> In 2.2 code, this problem is actually in two places.
> It is also in the store_headers function in modules/cache/mod_mem_cache.c.
>
>
> On 10/14/2014 8:40 AM, Mike Rumph wrote:
>
>> Hello Jim and Jan,
>>
>> I am considering a proposal of backporting this fix to the 2.2 branch.
>> At first look, this fix doesn't apply to 2.2 code.
>> But I noticed that the pertinent code has been refactored between 2.2 and
>> 2.4.
>> The same problem exists in 2.2, but just in a different location.
>> In 2.2, the problem is in the store_headers function in
>> modules/cache/mod_disk_cache.c.
>>
>> Are either of you interested in working a patch for this?
>> Otherwise, I will look at it myself in a few days.
>>
>> Thanks,
>>
>> Mike Rumph
>>
>> On 9/26/2014 4:00 AM, j...@apache.org wrote:
>>
>>> Author: jim
>>> Date: Fri Sep 26 11:00:14 2014
>>> New Revision: 1627749
>>>
>>> URL: http://svn.apache.org/r1627749
>>> Log:
>>> Merge r1624234 from trunk:
>>>
>>> SECURITY (CVE-2014-3581): Fix a mod_cache NULL pointer dereference
>>> in Content-Type handling.
>>>
>>> mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
>>>
>>> Submitted By: Mark Montague <mark catseye.org>
>>> Reviewed By: Jan Kaluza
>>>
>>> Submitted by: jkaluza
>>> Reviewed/backported by: jim
>>>
>>> Modified:
>>>      httpd/httpd/branches/2.4.x/   (props changed)
>>>      httpd/httpd/branches/2.4.x/CHANGES
>>>      httpd/httpd/branches/2.4.x/STATUS
>>>      httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>>>
>>> Propchange: httpd/httpd/branches/2.4.x/
>>> ------------------------------------------------------------------------------
>>>
>>>    Merged /httpd/httpd/trunk:r1624234
>>>
>>> Modified: httpd/httpd/branches/2.4.x/CHANGES
>>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1627749&r1=1627748&r2=1627749&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
>>> +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 26 11:00:14 2014
>>> @@ -2,6 +2,10 @@
>>>     Changes with Apache 2.4.11
>>>   +  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
>>> +     mod_cache: Avoid a crash when Content-Type has an empty value.
>>> +     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
>>> +
>>>     *) mod_cache: Avoid sending 304 responses during failed revalidations
>>>        PR56881. [Eric Covener]
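Review bot: the new CHANGES entry writes the bug reference as "PR 56924" while the commit log, the STATUS entry being removed in this same commit and the neighbouring entry ("PR56881") use the unspaced form; harmless, but worth matching the existing convention in the entry before release notes are generated from this file.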
>>>
>>> Modified: httpd/httpd/branches/2.4.x/STATUS
>>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1627749&r1=1627748&r2=1627749&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>>> +++ httpd/httpd/branches/2.4.x/STATUS Fri Sep 26 11:00:14 2014
>>> @@ -102,11 +102,6 @@ RELEASE SHOWSTOPPERS:
>>>   PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>>>     [ start all new proposals below, under PATCHES PROPOSED. ]
>>>   -   * mod_cache: CVE-2014-3581 - Avoid a crash when Content-Type has
>>> an empty
>>> -     value. PR56924.
>>> -     trunk patch: http://svn.apache.org/r1624234
>>> -     2.4.x patch: trunk works (modulo CHANGES)
>>> -     +1: jkaluza, jim, ylavic
>>>       PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>>>
>>> Modified: httpd/httpd/branches/2.4.x/modules/cache/cache_util.c
>>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/cache/cache_util.c?rev=1627749&r1=1627748&r2=1627749&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/branches/2.4.x/modules/cache/cache_util.c (original)
>>> +++ httpd/httpd/branches/2.4.x/modules/cache/cache_util.c Fri Sep 26 11:00:14 2014
>>> @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
>>>         if (r->content_type
>>>               && !apr_table_get(headers_out, "Content-Type")) {
>>> -        apr_table_setn(headers_out, "Content-Type",
>>> -                       ap_make_content_type(r, r->content_type));
>>> +        const char *ctype = ap_make_content_type(r, r->content_type);
>>> +        if (ctype) {
>>> +            apr_table_setn(headers_out, "Content-Type", ctype);
>>> +        }
>>>       }
>>>         if (r->content_encoding
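Review bot: the guard on ctype is the right fix for this call site, because apr_table_setn stores the pointer it is handed without copying or checking it, so a NULL return from ap_make_content_type previously became a NULL header value that later header handling dereferenced; note that the outcome is now a silently omitted Content-Type header for an empty value, which is the intended behaviour but deserves a one-line comment above the `if (ctype)` so nobody "simplifies" it back. As this thread points out, the same unguarded `apr_table_setn(..., ap_make_content_type(...))` shape exists in 2.2 in the store_headers function of modules/cache/mod_disk_cache.c and modules/cache/mod_mem_cache.c, so the 2.2 backport cannot be a straight cherry-pick of this hunk and should cover both call sites.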


-- 
Eric Covener
cove...@gmail.com
