Commit 40526674 authored by Jim Jagielski's avatar Jim Jagielski

*) SECURITY: CVE-2012-0053 (cve.mitre.org)

       Fix an issue in error responses that could expose "httpOnly" cookies
            when no custom ErrorDocument is specified for status code 400.
                 [Eric Covener]

                      r1234837 on 2.0.x:
                             http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
                                  +1: trawick, rjung, jim



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1392050 13f79535-47bb-0310-9956-ffa450edef68
parent 612c71fa
+5 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.0.65

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]

  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
     Fix scoreboard issue which could allow an unprivileged child process 
     could cause the parent to crash at shutdown rather than terminate 
+0 −8
@@ -171,14 +171,6 @@ RELEASE SHOWSTOPPERS:
        http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch
       +1: trawick

  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
     Fix an issue in error responses that could expose "httpOnly" cookies
     when no custom ErrorDocument is specified for status code 400.
     [Eric Covener]

     r1234837 on 2.0.x:
       http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
     +1: trawick, rjung

PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]
+34 −13
@@ -677,6 +677,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
    return 1;
}

/* get the length of the field name for logging, but no more than 80 bytes */
#define LOG_NAME_MAX_LEN 80
static int field_name_len(const char *field)
{
    const char *end = ap_strchr_c(field, ':');
    if (end == NULL || end - field > LOG_NAME_MAX_LEN)
        return LOG_NAME_MAX_LEN;
    return end - field;
}

AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
{
    char *last_field = NULL;
@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
            /* insure ap_escape_html will terminate correctly */
            field[len - 1] = '\0';
            apr_table_setn(r->notes, "error-notes",
                           apr_pstrcat(r->pool,
                           apr_psprintf(r->pool,
                                       "Size of a request header field "
                                       "exceeds server limit.<br />\n"
                                       "<pre>\n",
                                       ap_escape_html(r->pool, field),
                                       "</pre>\n", NULL));
                                        "<pre>\n%.*s\n</pre>/n",
                                        field_name_len(field), 
                                        ap_escape_html(r->pool, field)));
            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
                          "Request header exceeds LimitRequestFieldSize: "
                          "%.*s", field_name_len(field), field);
            return;
        }

@@ -739,13 +752,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                     * overflow (last_field) as the field with the problem
                     */
                    apr_table_setn(r->notes, "error-notes",
                                   apr_pstrcat(r->pool,
                                   apr_psprintf(r->pool,
                                               "Size of a request header field " 
                                               "after folding "
                                               "exceeds server limit.<br />\n"
                                               "<pre>\n",
                                               ap_escape_html(r->pool, last_field),
                                               "</pre>\n", NULL));
                                                "<pre>\n%.*s\n</pre>\n",
                                                field_name_len(last_field),
                                                ap_escape_html(r->pool, last_field)));
                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                                  "Request header exceeds LimitRequestFieldSize "
                                  "after folding: %.*s",
                                  field_name_len(last_field), last_field);
                    return;
                }

@@ -777,13 +794,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
                if (!(value = strchr(last_field, ':'))) { /* Find ':' or    */
                    r->status = HTTP_BAD_REQUEST;      /* abort bad request */
                    apr_table_setn(r->notes, "error-notes",
                                   apr_pstrcat(r->pool,
                                   apr_psprintf(r->pool,
                                               "Request header field is "
                                               "missing ':' separator.<br />\n"
                                               "<pre>\n",
                                                "<pre>\n%.*s</pre>\n",
                                                (int)LOG_NAME_MAX_LEN,
                                                ap_escape_html(r->pool,
                                                              last_field),
                                               "</pre>\n", NULL));
                                                               last_field)));
                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                                  "Request header field is missing ':' "
                                  "separator: %.*s", (int)LOG_NAME_MAX_LEN,
                                  last_field);
                    return;
                }
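Review bot: The format string added in the first apr_psprintf() call of ap_get_mime_headers_core ends with `</pre>/n` — a literal slash-n rather than the `\n` escape that the parallel string in the "after folding" hunk uses — so the error-notes HTML for the single-line overflow case is emitted with a stray "/n" after the closing tag; it should read `"<pre>\n%.*s\n</pre>\n",`. A second inconsistency in those two hunks is that field_name_len() is measured on the raw field while the `%.*s` precision is applied to the ap_escape_html() output, so a field name containing `<`, `>` or `&` has its escaped form cut mid-entity (the missing-':' hunk has the same mismatch with `(int)LOG_NAME_MAX_LEN`); escaping an already-truncated copy, e.g. `ap_escape_html(r->pool, apr_pstrndup(r->pool, field, field_name_len(field)))` formatted with `%s`, keeps both the 80-byte bound and the escaping intact. ap_get_mime_headers_core begins before the second hunk and continues past the last one.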