Patch for CVE-2012-3499 and CVE-2012-4558

Support for security such as Firewalls and securing linux

Patch for CVE-2012-3499 and CVE-2012-4558

Post by grizzletooth » 2013/04/23 00:23:37

Here is a source patch to Apache httpd for anyone who needs to self-mitigate these CVEs before a vendor update lands. I backported the changes the Apache folks made in 2.2.24-dev onto the 2.2.3-76 packages.

[url=http://pastebin.com/C1hQ8Vhx]httpd-2.2.3-xsshostname.patch[/url]

[code]
diff -ru httpd-2.2.3/modules/generators/mod_info.c httpd-2.2.3.xsshostname/modules/generators/mod_info.c
--- httpd-2.2.3/modules/generators/mod_info.c 2006-07-11 20:38:44.000000000 -0700
+++ httpd-2.2.3.xsshostname/modules/generators/mod_info.c 2013-04-22 16:25:21.000000000 -0700
@@ -357,7 +357,7 @@
MODULE_MAGIC_NUMBER_MINOR);
ap_rprintf(r,
"<dt><strong>Hostname/port:</strong> "
- "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r),
+ "<tt>%s:%u</tt></dt>\n", ap_escape_html(r->pool, ap_get_server_name(r)),
ap_get_server_port(r));
ap_rprintf(r,
"<dt><strong>Timeouts:</strong> "
diff -ru httpd-2.2.3/modules/generators/mod_status.c httpd-2.2.3.xsshostname/modules/generators/mod_status.c
--- httpd-2.2.3/modules/generators/mod_status.c 2013-04-22 16:23:09.000000000 -0700
+++ httpd-2.2.3.xsshostname/modules/generators/mod_status.c 2013-04-22 16:28:45.000000000 -0700
@@ -395,7 +395,7 @@
"<html><head>\n<title>Apache Status</title>\n</head><body>\n",
r);
ap_rputs("<h1>Apache Server Status for ", r);
- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
+ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), ")</h1>\n\n", NULL);
ap_rvputs(r, "<dl><dt>Server Version: ",
ap_get_server_version(), "</dt>\n", NULL);
ap_rvputs(r, "<dt>Server Built: ",
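Review bot: The new line in mod_status.c has a stray `)` at the start of the string literal that follows the escaped hostname, so the heading will render as `Apache Server Status for example.com)`; the original closed with `"</h1>\n\n"` and the replacement should keep that: `ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), "</h1>\n\n", NULL);`. The escaping itself is the right fix for the hostname reflection. The enclosing status handler starts and ends outside the hunk.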
diff -ru httpd-2.2.3/modules/ldap/util_ldap_cache_mgr.c httpd-2.2.3.xsshostname/modules/ldap/util_ldap_cache_mgr.c
--- httpd-2.2.3/modules/ldap/util_ldap_cache_mgr.c 2013-04-22 16:23:09.000000000 -0700
+++ httpd-2.2.3.xsshostname/modules/ldap/util_ldap_cache_mgr.c 2013-04-22 16:30:01.000000000 -0700
@@ -493,7 +493,7 @@
if (id) {
buf2 = apr_psprintf(p,
"<a href=\"%s?%s\">%s</a>",
- r->uri,
+ ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)),
id,
name);
}
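Review bot: The added line passes `r->pool` while the surrounding `apr_psprintf` two lines above allocates from `p`; if `p` is the request pool, as it presumably is (its declaration is outside the hunk), use the same handle in both places, `ap_escape_html(p, ap_escape_uri(p, r->uri)),`, so a reader does not have to wonder whether two lifetimes are involved. `id` and `name` are still interpolated unescaped into the anchor; that is fine only if they remain code-supplied constants rather than request-derived values, which cannot be confirmed from the hunk. The enclosing function starts outside the hunk.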
diff -ru httpd-2.2.3/modules/mappers/mod_imagemap.c httpd-2.2.3.xsshostname/modules/mappers/mod_imagemap.c
--- httpd-2.2.3/modules/mappers/mod_imagemap.c 2013-04-22 16:23:09.000000000 -0700
+++ httpd-2.2.3.xsshostname/modules/mappers/mod_imagemap.c 2013-04-22 16:34:12.000000000 -0700
@@ -342,7 +342,7 @@
if (!strcasecmp(value, "referer")) {
referer = apr_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return ap_escape_html(r->pool, referer);
+ return referer;
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus
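Review bot: Dropping `ap_escape_html` here moves the responsibility for escaping onto every consumer of this function's return value, and only the menu-rendering callers patched later in this file are visible; any other sink for the returned Referer value (a redirect `Location` header, a log line) is outside the hunk and should be checked to confirm it is not an HTML context. A comment on the return would record the new contract: `/* returned raw; callers must escape for their output context */`. The enclosing function starts and ends outside the hunk.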
@@ -525,40 +525,52 @@

static void menu_default(request_rec *r, char *menu, char *href, char *text)
{
+ char *ehref, *etext;
+
if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
return; /* don't print such lines, these aren't
really href's */
}
+
+ ehref = ap_escape_uri(r->pool, href);
+ etext = ap_escape_html(r->pool, text);
+
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
+ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
"</a></pre>\n", NULL);
}
if (!strcasecmp(menu, "semiformatted")) {
- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
+ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
"</a></pre>\n", NULL);
}
if (!strcasecmp(menu, "unformatted")) {
- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
+ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
}
return;
}

static void menu_directive(request_rec *r, char *menu, char *href, char *text)
{
+ char *ehref, *etext;
+
if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
return; /* don't print such lines, as this isn't
really an href */
}
+
+ ehref = ap_escape_uri(r->pool, href);
+ etext = ap_escape_html(r->pool, text);
+
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text,
+ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext,
"</a></pre>\n", NULL);
}
if (!strcasecmp(menu, "semiformatted")) {
- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text,
+ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext,
"</a></pre>\n", NULL);
}
if (!strcasecmp(menu, "unformatted")) {
- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
+ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
}
return;
}
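Review bot: `ap_escape_uri` in 2.2 resolves to `ap_os_escape_path(pool, path, 1)`, which percent-encodes characters invalid in a path but leaves a leading scheme intact, so when `href` comes from the Referer branch earlier in this file it prevents breaking out of the `href="..."` attribute but does not stop a `javascript:` URL from becoming a clickable link; whether that matters depends on how much control an attacker has over the victim's Referer, which is worth recording next to the escape: `/* escapes attribute-breaking chars only; scheme is not validated */`. Separately, menu_default and menu_directive are now identical apart from the `(Default) ` prefix, so the two escape calls and the three format branches could live in one static helper taking the prefix as a parameter, which would keep the escaping from drifting apart in future edits. Both functions are complete within the hunk.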
diff -ru httpd-2.2.3/modules/proxy/mod_proxy_ftp.c httpd-2.2.3.xsshostname/modules/proxy/mod_proxy_ftp.c
--- httpd-2.2.3/modules/proxy/mod_proxy_ftp.c 2013-04-22 16:23:10.000000000 -0700
+++ httpd-2.2.3.xsshostname/modules/proxy/mod_proxy_ftp.c 2013-04-22 16:35:25.000000000 -0700
@@ -358,7 +358,7 @@
" </head>\n"
" <body>\n <h2>Directory of "
"<a href=\"/\">%s</a>/%s",
- site, basedir, escpath, site, basedir, escpath, site, str);
+ ap_escape_html(p, site), basedir, escpath, ap_escape_html(p, site), basedir, escpath, ap_escape_html(p, site), str);

APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str),
p, c->bucket_alloc));
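Review bot: `ap_escape_html(p, site)` is evaluated three times in the argument list on the new line, each allocating a separate copy from `p`; escape once into a local next to the existing `escpath`, e.g. `const char *esite = ap_escape_html(p, site);` before the call, and pass `esite` in the three positions, which also keeps the line readable. The `apr_psprintf` this argument list belongs to begins outside the hunk, so where the declaration should go cannot be checked from here.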
[/code]


Patch for CVE-3499 and CVE-2012-4558

Post by toracat » 2013/04/23 00:37:09

Thanks for the post. Below are the upstream Bugzilla entries for the two CVEs:

[url=https://bugzilla.redhat.com/show_bug.cgi?id=915883]3499[/url] and [url=https://bugzilla.redhat.com/show_bug.cgi?id=915884]4558[/url].

The patched version has been pushed to Fedora. Hopefully it does not take long for RHEL.


Re: Patch for CVE-3499 and CVE-2012-4558

Post by weslowsk » 2013/05/29 16:38:22

It looks like RHEL is fixed:

https://rhn.redhat.com/errata/RHSA-2013-0815.html

When do you expect this will reach CentOS?


Re: Patch for CVE-3499 and CVE-2012-4558

Post by toracat » 2013/05/29 17:40:41

The CentOS updates were released on May 13:

http://lists.centos.org/pipermail/centos-announce/2013-May/019720.html (C5)
http://lists.centos.org/pipermail/centos-announce/2013-May/019722.html (C6)
