Version in base suite: 2.2.3-4+etch6 Version in overlay suite: (not present) Base version: apache2_2.2.3-4+etch6 Target version: apache2_2.2.3-4+etch8 Base file: /org/ftp.debian.org/ftp/pool/main/a/apache2/apache2_2.2.3-4+etch6.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/apache2_2.2.3-4+etch8.dsc apache2-2.2.3/debian/changelog | 16 + apache2-2.2.3/debian/patches/00list | 1 debian/patches/070_CVE-2009-1195_mod_include_noexec.dpatch | 159 +++++++++++++ 3 files changed, 176 insertions(+)
diff -u apache2-2.2.3/debian/patches/00list apache2-2.2.3/debian/patches/00list
--- apache2-2.2.3/debian/patches/00list
+++ apache2-2.2.3/debian/patches/00list
@@ -35,0 +36 @@
+070_CVE-2009-1195_mod_include_noexec.dpatch
diff -u apache2-2.2.3/debian/changelog apache2-2.2.3/debian/changelog
--- apache2-2.2.3/debian/changelog
+++ apache2-2.2.3/debian/changelog
@@ -1,3 +1,19 @@
+apache2 (2.2.3-4+etch8) oldstable-security; urgency=low
+
+ * Security: Fix a bug similar to CVE-2009-1195 that allowed to override
+ more options than configured with AllowOverride (PR 44262).
+
+ -- Stefan Fritsch Fri, 12 Jun 2009 17:09:06 +0200
+
+apache2 (2.2.3-4+etch7) oldstable-security; urgency=low
+
+ * Security: CVE-2009-1195: In configurations using the AllowOverride
+ directive with certain Options= arguments, local users were not restricted
+ from executing commands from a Server-Side-Include script as intended
+ (closes: #530834).
+
+ -- Stefan Fritsch Thu, 11 Jun 2009 10:34:34 +0200
+
 apache2 (2.2.3-4+etch6) stable; urgency=low
 
 * Fix CVE-2007-6388: XSS in mod_status
only in patch2:
unchanged:
--- apache2-2.2.3.orig/debian/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
+++ apache2-2.2.3/debian/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
@@ -0,0 +1,159 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 070_CVE-2009-1195_mod_include_noexec.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2009-1195 and PR 44262
+
+@DPATCH@
+diff -urNad etch-apache2~/include/http_core.h etch-apache2/include/http_core.h
+--- etch-apache2~/include/http_core.h 2006-07-12 05:38:44.000000000 +0200
++++ etch-apache2/include/http_core.h 2009-06-12 17:06:57.967613032 +0200
+@@ -65,7 +65,7 @@
+ #define OPT_NONE 0
+ /** Indexes directive */
+ #define OPT_INDEXES 1
+-/** Includes directive */
++/** SSI is enabled without exec= permission */
+ #define OPT_INCLUDES 2
+ /** FollowSymLinks directive */
+ #define OPT_SYM_LINKS 4
+@@ -80,9 +80,22 @@
+ /** MultiViews directive */
+ #define OPT_MULTI 128
+ /** All directives */
+-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
+ /** @} */
+ 
++#ifdef CORE_PRIVATE
++/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
++ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
++ * of the two SSI-related bits are hence:
++ *
++ * OPT_INCLUDES => "enable SSI, without exec= permission"
++ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
++ *
++ * The set of options exposed via ap_allow_options() retains the
++ * semantics of OPT_INCNOEXEC by flipping the bit. */
++#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
++#endif
++
+ /**
+ * @defgroup get_remote_host Remote Host Resolution
+ * @ingroup APACHE_CORE_HTTPD
+diff -urNad etch-apache2~/server/config.c etch-apache2/server/config.c
+--- etch-apache2~/server/config.c 2009-06-12 17:06:57.235614758 +0200
++++ etch-apache2/server/config.c 2009-06-12 17:06:57.967613032 +0200
+@@ -1493,7 +1493,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ 
+ parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
+ &arr_parms, NULL,
+@@ -1625,7 +1625,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ 
+ rv = ap_pcfg_openfile(&cfp, p, fname);
+ if (rv != APR_SUCCESS) {
+@@ -1764,7 +1764,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ parms.limited = -1;
+ 
+ errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
+diff -urNad etch-apache2~/server/core.c etch-apache2/server/core.c
+--- etch-apache2~/server/core.c 2009-06-12 17:06:57.139611738 +0200
++++ etch-apache2/server/core.c 2009-06-12 17:08:16.407990843 +0200
+@@ -108,8 +108,7 @@
+ conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
+ conf->opts_add = conf->opts_remove = OPT_NONE;
+ conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
+- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
+- | OPT_MULTI;
++ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ 
+ conf->content_md5 = 2;
+ conf->accept_path_info = 3;
+@@ -243,8 +242,15 @@
+ conf->opts_remove = (conf->opts_remove & ~new->opts_add)
+ | new->opts_remove;
+ conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
+- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
+- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
++
++ /* If Includes was enabled with exec in the base config, but
++ * was enabled without exec in the new config, then disable
++ * exec in the merged set. */
++ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == OPT_INCLUDES)) {
++ conf->opts &= ~OPT_INC_WITH_EXEC;
+ }
+ }
+ else {
+@@ -658,7 +664,16 @@
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
+ 
+- return conf->opts;
++ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
++ * inverted, such that the exposed semantics match that of
++ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
++ * permitted. */
++ if (conf->opts & OPT_INCLUDES) {
++ return conf->opts ^ OPT_INC_WITH_EXEC;
++ }
++ else {
++ return conf->opts;
++ }
+ }
+ 
+ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
+@@ -1304,10 +1319,12 @@
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ /* If Includes is permitted, both Includes and
++ * IncludesNOEXEC may be changed. */
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+@@ -1428,10 +1445,10 @@
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+@@ -1458,7 +1475,7 @@
+ return apr_pstrcat(cmd->pool, "Illegal option ", w, NULL);
+ }
+ 
+- if (!(cmd->override_opts & opt) && opt != OPT_NONE) {
++ if ( (cmd->override_opts & opt) != opt ) {
+ return apr_pstrcat(cmd->pool, "Option ", w, " not allowed here", NULL);
+ }
+ else if (action == '-') {
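Review bot: The new guard `if ( (cmd->override_opts & opt) != opt )` in the inner hunk at -1458 runs before the `action == '-'` branch, so in a scope whose AllowOverride grants only `Options=IncludesNOEXEC` (override_opts presumably carrying OPT_INCLUDES without OPT_INC_WITH_EXEC, per the "IncludesNOEXEC" mapping in the -1304 hunk) an `Options -Includes` line is refused with "Option Includes not allowed here" exactly like `+Includes`, although removal can only lower privilege. The enclosing function starts and ends outside the hunk, so it is not visible whether the '-' path is relaxed anywhere else. If that strictness is deliberate (it is the conservative default), a comment on the check would spare the next reader the trace, e.g. `/* Applies to '-' as well: where only IncludesNOEXEC is overridable, "-Includes" is refused because its mask also carries OPT_INC_WITH_EXEC. */`. Separately, the -80 hunk in http_core.h adds OPT_INCNOEXEC to the publicly visible OPT_ALL but leaves `/** All directives */` unchanged; pointing that doc line at the CORE_PRIVATE note on OPT_INC_WITH_EXEC would tell module authors why ap_allow_options() may now return that bit flipped.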