demus/mod_security-rpm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'f18' into el6

Browse Source
This commit is contained in:
Athmane Madjoudj 2013-05-28 15:12:39 +01:00
commit 70208530c5
2 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch Normal file
View File

@ -0,0 +1,23 @@
diff -ru modsecurity-apache_2.7.3.orig/apache2/msc_reqbody.c modsecurity-apache_2.7.3/apache2/msc_reqbody.c
--- modsecurity-apache_2.7.3.orig/apache2/msc_reqbody.c 2013-03-24 08:12:29.000000000 +0100
+++ modsecurity-apache_2.7.3/apache2/msc_reqbody.c 2013-05-28 14:48:39.063673996 +0100
@@ -170,6 +170,7 @@
/* Would storing this chunk mean going over the limit? */
if ((msr->msc_reqbody_spilltodisk)
+ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
&& (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
{
msc_data_chunk **chunks;
diff -ru modsecurity-apache_2.7.3.orig/apache2/re_operators.c modsecurity-apache_2.7.3/apache2/re_operators.c
--- modsecurity-apache_2.7.3.orig/apache2/re_operators.c 2013-03-24 08:12:29.000000000 +0100
+++ modsecurity-apache_2.7.3/apache2/re_operators.c 2013-05-28 14:49:30.448696404 +0100
@@ -369,7 +369,7 @@
/* rsub */
static char *param_remove_escape(msre_rule *rule, char *str, int len) {
- char *parm = apr_palloc(rule->ruleset->mp, len);
+ char *parm = apr_pcalloc(rule->ruleset->mp, len);
char *ret = parm;
for(;*str!='\0';str++) {

8
mod_security.spec
View File

@ -10,13 +10,14 @@
Summary: Security module for the Apache HTTP Server Summary: Security module for the Apache HTTP Server
Name: mod_security Name: mod_security
Version: 2.7.3 Version: 2.7.3
Release: 1%{?dist} Release: 2%{?dist}
License: ASL 2.0 License: ASL 2.0
URL: http://www.modsecurity.org/ URL: http://www.modsecurity.org/
Group: System Environment/Daemons Group: System Environment/Daemons
Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{version}.tar.gz Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{version}.tar.gz
Source1: mod_security.conf Source1: mod_security.conf
Source2: 10-mod_security.conf Source2: 10-mod_security.conf
Patch0: mod_security-2.7.3-fix-mem-leak-and-cve-2013-2765.patch
Requires: httpd httpd-mmn = %{_httpd_mmn} Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
@ -37,6 +38,7 @@ This package contains the ModSecurity Audit Log Collector.
%prep %prep
%setup -q -n modsecurity-apache_%{version} %setup -q -n modsecurity-apache_%{version}
%patch0 -p1
%build %build
%configure --enable-pcre-match-limit=1000000 \ %configure --enable-pcre-match-limit=1000000 \
@ -107,6 +109,10 @@ rm -rf %{buildroot}
%endif %endif
%changelog %changelog
* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-2
- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
- Fix a possible memory leak.
* Sat Mar 30 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-1 * Sat Mar 30 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.3-1
- Update to 2.7.3 - Update to 2.7.3