On Mon, Mar 13, 2006 at 12:25:13AM +0100, Martin Schulze wrote:
> An algorithm weakness has been discovered in Apache2::Request, the
> generic request library for Apache2 which can be exploited remotely
> and cause a denial of service via CPU consumption.
Looks like the backport was incomplete, unfortunately; it breaks file uploads
(see #358689). I've made a fix (attached) which seems to fix the problem for
me; Gunnar, could you please test it on your side too?
/* Steinar */
--
Homepage: http://www.sesse.net/
diff -ur libapreq2-perl-2.04-dev/debian/changelog
libapreq2-perl-2.04-dev-fixupload/debian/changelog
--- libapreq2-perl-2.04-dev/debian/changelog2006-03-31 16:48:01.0
+0200
+++ libapreq2-perl-2.04-dev-fixupload/debian/changelog 2006-03-31
16:49:58.0 +0200
@@ -1,3 +1,10 @@
+libapreq2-perl (2.04-dev-1sarge2) stable-security; urgency=low
+
+ * Fix incomplete backport from -1sarge1, breaking file uploads.
+(Closes: #358689)
+
+ -- Steinar H. Gunderson [EMAIL PROTECTED] Fri, 31 Mar 2006 16:48:30 +0200
+
libapreq2-perl (2.04-dev-1sarge1) stable-security; urgency=high
* [CVE-2006-0042] Eliminate potential quadratic behavior in
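Review bot: the changelog entry says the -1sarge1 backport was incomplete but not what was left out; one line naming the cause (apreq_parse_headers still used the local `glen`/`vlen` instead of the `ctx->` fields the CVE-2006-0042 fix moved the parser state into) would let anyone reading stable-security history judge whether their uploads were affected without opening the source diff. Consider also whether urgency=low fits a regression that breaks file uploads in a stable-security update.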
diff -ur libapreq2-perl-2.04-dev/src/apreq_parsers.c
libapreq2-perl-2.04-dev-fixupload/src/apreq_parsers.c
--- libapreq2-perl-2.04-dev/src/apreq_parsers.c 2006-03-31 16:48:01.0
+0200
+++ libapreq2-perl-2.04-dev-fixupload/src/apreq_parsers.c 2006-03-31
16:50:05.0 +0200
@@ -397,7 +397,6 @@
APREQ_DECLARE_PARSER(apreq_parse_headers)
{
apr_pool_t *pool = apreq_env_pool(env);
-apr_ssize_t nlen, glen, vlen;
apr_bucket *e;
struct hdr_ctx *ctx;
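Review bot: dropping the `apr_ssize_t nlen, glen, vlen;` declaration is the right strategy, because any bare use left over from the incomplete backport now fails to compile instead of silently reading a local that no longer tracks the parser state held in `ctx`; the -531 hunk converts the two uses visible in this patch, so a clean build of apreq_parsers.c with warnings enabled is the check that nothing else in apreq_parse_headers still refers to the removed locals.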
@@ -531,14 +530,14 @@
case '\t':
ctx-status = HDR_CONTINUE;
++off;
-vlen += 2;
+ctx-vlen += 2;
break;
default:
/* can parse brigade now */
if (off 0)
apr_bucket_split(e, off);
-s = split_header(t, ctx-bb, ctx-nlen, glen, vlen);
+s = split_header(t, ctx-bb, ctx-nlen, ctx-glen,
ctx-vlen);
if (s != APR_SUCCESS) {
ctx-status = HDR_ERROR;
return s;
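Review bot: passing `ctx->glen` and `ctx->vlen` to split_header, and accumulating the continuation-line length into `ctx->vlen` in the `'\t'` case, makes these sites consistent with the `ctx->nlen` argument that was already converted, which is the actual fix for the broken uploads. Please confirm that the other `case` labels of this switch (outside the hunk) also update `ctx->glen` and `ctx->vlen`, since a single remaining reference to the old locals would now be a compile error rather than a silent miscount, and that a multipart upload with a folded (continued) header is part of the test for #358689, as that is the path the `'\t'` case exercises.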