Resolves: #1401530 - CVE-2016-8740 httpd: Incomplete handling of

LimitRequestFields directive in mod_http2
2016-12-05 17:21:33 +01:00 · 2016-12-05 17:21:33 +01:00 · 92e639b8c0
commit 92e639b8c0
parent 0d708eba11
2 changed files with 39 additions and 1 deletions
--- a/httpd-2.4.23-CVE-2016-8740.patch
+++ b/httpd-2.4.23-CVE-2016-8740.patch
@ -0,0 +1,32 @@
+--- a/modules/http2/h2_stream.c (revision 1771866)
+++ b/modules/http2/h2_stream.c (working copy)
+@@ -322,18 +322,18 @@ 
+                                            HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
+             }
+         }
+-    }
+-    
+-    if (h2_stream_is_scheduled(stream)) {
+-        return h2_request_add_trailer(stream->request, stream->pool,
+-                                      name, nlen, value, vlen);
+-    }
+-    else {
+-        if (!input_open(stream)) {
+-            return APR_ECONNRESET;
+        
+        if (h2_stream_is_scheduled(stream)) {
+            return h2_request_add_trailer(stream->request, stream->pool,
+                                          name, nlen, value, vlen);
+         }
+-        return h2_request_add_header(stream->request, stream->pool,
+-                                     name, nlen, value, vlen);
+        else {
+            if (!input_open(stream)) {
+                return APR_ECONNRESET;
+            }
+            return h2_request_add_header(stream->request, stream->pool,
+                                         name, nlen, value, vlen);
+        }
+     }
+ }
+ 
--- a/httpd.spec
+++ b/httpd.spec
@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.23
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -68,6 +68,7 @@ Patch56: httpd-2.4.4-mod_unique_id.patch
 Patch57: httpd-2.4.10-sigint.patch
 # Security fixes
 Patch100: httpd-2.4.18-CVE-2016-5387.patch
+Patch101: httpd-2.4.23-CVE-2016-8740.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -214,6 +215,7 @@ interface for storing and accessing per-user session data.
 %patch57 -p1 -b .sigint

 %patch100 -p1 -b .cve5387
+%patch101 -p1 -b .cve8740

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -684,6 +686,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Mon Dec 05 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.4.23-7
+- Resolves: #1401530 - CVE-2016-8740 httpd: Incomplete handling of
+  LimitRequestFields directive in mod_http2
+
 * Mon Nov 14 2016 Joe Orton <jorton@redhat.com> - 2.4.23-6
 - fix build with OpenSSL 1.1 (#1392900)
 - fix typos in ssl.conf (josef randinger, #1379407)