From 086be3c7ec949aa9d5059c0e00a34e42711d66af Mon Sep 17 00:00:00 2001 From: Jagadeesh Krishnanjanappa Date: Thu, 23 Aug 2018 16:51:22 +0530 Subject: apache2: CVE-2018-1333 * fixes a race condition where aborting streams triggers an unnecessary timeout. Affects apache2 2.4.18 to 2.4.30 and apache2 2.4.33 Fixed in apache2 2.4.34 Signed-off-by: Jagadeesh Krishnanjanappa Signed-off-by: Armin Kuster --- .../recipes-httpd/apache2/apache2-native_2.4.27.bb | 1 + .../recipes-httpd/apache2/apache2_2.4.27.bb | 1 + .../apache2/files/CVE-2018-1333.patch | 44 ++++++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb index 4e893dbba1..dcd397670b 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb @@ -10,6 +10,7 @@ inherit autotools pkgconfig native SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ + file://CVE-2018-1333.patch \ " S = "${WORKDIR}/httpd-${PV}" diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb index 18808676a4..280350006d 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb @@ -21,6 +21,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://apache2-volatile.conf \ file://apache2.service \ file://volatiles.04_apache2 \ + file://CVE-2018-1333.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" diff --git a/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch new file mode 100644 index 0000000000..9cd207c041 --- /dev/null 
+++ b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
@@ -0,0 +1,44 @@
+From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Wed, 18 Apr 2018 11:55:17 +0200
+Subject: [PATCH] * fixes a race condition where aborting streams triggers an
+ unnecessary timeout.
+
+Note: Re-factored upstream fix
+https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81,
+so that it applies to httpd v2.4.27 code. Similarly done at
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879
+
+CVE: CVE-2018-1333
+Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81]
+
+Signed-off-by: Jagadeesh Krishnanjanappa
+
+diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c
+--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c 2017-04-21 06:52:05.000000000 -0700
++++ httpd-2.4.27/modules/http2/h2_bucket_beam.c 2018-07-24 23:44:40.888330955 -0700
+@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke
+ apr_brigade_destroy(bb);
+ if (bl) enter_yellow(beam, bl);
+
++ apr_thread_cond_broadcast(beam->change);
+ if (beam->cons_ev_cb) {
+ beam->cons_ev_cb(beam->cons_ctx, beam);
+ }
+@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
+ h2_beam_lock bl;
+
+ if (enter_yellow(beam, &bl) == APR_SUCCESS) {
+- if (!beam->aborted) {
+- beam->aborted = 1;
+- r_purge_sent(beam);
+- h2_blist_cleanup(&beam->send_list);
+- report_consumption(beam, &bl);
+- }
++ beam->aborted = 1;
++ r_purge_sent(beam);
++ h2_blist_cleanup(&beam->send_list);
++ report_consumption(beam, &bl);
+ if (beam->cond) {
+ apr_thread_cond_broadcast(beam->cond);
+ }
-- cgit 1.2.3-korg
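Review bot: The line added to recv_buffer_cleanup() broadcasts on `beam->change` with no NULL check, while the unchanged context of h2_beam_abort() in the same 2.4.27 file signals `beam->cond`, and only inside `if (beam->cond)`. The struct definition is not visible here, so it is worth confirming that `change` is a member of h2_bucket_beam in 2.4.27 and is the condition variable that waiters block on. If it is not, the backport either fails to compile or does not wake them, leaving the timeout behind CVE-2018-1333 in place. If 2.4.27 only has `cond`, the added line should probably read `if (beam->cond) apr_thread_cond_broadcast(beam->cond);`, matching the guarded call in h2_beam_abort(). Both functions start and end outside their hunks, so whether the lock is held at the new broadcast cannot be checked from this patch alone.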