summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>2018-08-23 16:51:22 +0530
committerArmin Kuster <akuster808@gmail.com>2018-09-04 07:36:40 -0700
commit086be3c7ec949aa9d5059c0e00a34e42711d66af (patch)
tree205748843d0e5ac677a6337bd11bb6bf152f65f5
parent280157bc380ff98d24ac89674e332c48802574b1 (diff)
downloadmeta-openembedded-086be3c7ec949aa9d5059c0e00a34e42711d66af.tar.gz
apache2: CVE-2018-1333
* fixes a race condition where aborting streams triggers an unnecessary timeout. Affects apache2 2.4.18 to 2.4.30 and apache2 2.4.33 Fixed in apache2 2.4.34 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb1
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb1
-rw-r--r--meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch44
3 files changed, 46 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
index 4e893dbba..dcd397670 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
@@ -10,6 +10,7 @@ inherit autotools pkgconfig native
10 10
11SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ 11SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
12 file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ 12 file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
13 file://CVE-2018-1333.patch \
13 " 14 "
14 15
15S = "${WORKDIR}/httpd-${PV}" 16S = "${WORKDIR}/httpd-${PV}"
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
index 18808676a..280350006 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
@@ -21,6 +21,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
21 file://apache2-volatile.conf \ 21 file://apache2-volatile.conf \
22 file://apache2.service \ 22 file://apache2.service \
23 file://volatiles.04_apache2 \ 23 file://volatiles.04_apache2 \
24 file://CVE-2018-1333.patch \
24 " 25 "
25 26
26LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" 27LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
diff --git a/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
new file mode 100644
index 000000000..9cd207c04
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
@@ -0,0 +1,44 @@
1From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001
2From: Stefan Eissing <stefan.eissing@greenbytes.de>
3Date: Wed, 18 Apr 2018 11:55:17 +0200
4Subject: [PATCH] * fixes a race condition where aborting streams triggers an
5 unnecessary timeout.
6
7Note: Re-factored upstream fix
8https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81,
9so that it applies to httpd v2.4.27 code. Similarly done at
10http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879
11
12CVE: CVE-2018-1333
13Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81]
14
15Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
16
17diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c
18--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c 2017-04-21 06:52:05.000000000 -0700
19+++ httpd-2.4.27/modules/http2/h2_bucket_beam.c 2018-07-24 23:44:40.888330955 -0700
20@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke
21 apr_brigade_destroy(bb);
22 if (bl) enter_yellow(beam, bl);
23
24+ apr_thread_cond_broadcast(beam->change);
25 if (beam->cons_ev_cb) {
26 beam->cons_ev_cb(beam->cons_ctx, beam);
27 }
28@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
29 h2_beam_lock bl;
30
31 if (enter_yellow(beam, &bl) == APR_SUCCESS) {
32- if (!beam->aborted) {
33- beam->aborted = 1;
34- r_purge_sent(beam);
35- h2_blist_cleanup(&beam->send_list);
36- report_consumption(beam, &bl);
37- }
38+ beam->aborted = 1;
39+ r_purge_sent(beam);
40+ h2_blist_cleanup(&beam->send_list);
41+ report_consumption(beam, &bl);
42 if (beam->cond) {
43 apr_thread_cond_broadcast(beam->cond);
44 }