Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615).

Athmane Madjoudj 2013-05-28 16:28:51 +01:00
parent 74bb5ef6ac
commit fcffe49bdb
2 changed files with 16 additions and 1 deletions

@ -0,0 +1,11 @@
diff -ru modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c modsecurity-apache_2.6.8/apache2/msc_reqbody.c
--- modsecurity-apache_2.6.8.orig/apache2/msc_reqbody.c 2012-09-25 14:05:00.000000000 +0100
+++ modsecurity-apache_2.6.8/apache2/msc_reqbody.c 2013-05-28 15:18:49.000000000 +0100
@@ -170,6 +170,7 @@
/* Would storing this chunk mean going over the limit? */
if ((msr->msc_reqbody_spilltodisk)
+ && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)
&& (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit))
{
msc_data_chunk **chunks;
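
Review bot: The added `&& (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON)` clause makes the whole spill-to-disk branch unreachable when forced buffering is on, so in that mode the `reqbody_inmemory_limit` comparison on the following line is never enforced and the body keeps accumulating in memory. Please confirm that another limit still bounds the request body size in that configuration. The hunk also adds no NULL check, so the link between skipping this branch and the NULL pointer dereference named in the commit message is not evident from the code; add a short header to the patch file stating the origin of the change and how this condition avoids the crash (CVE-2013-2765, RHBZ #967615).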

@ -8,7 +8,7 @@
Summary: Security module for the Apache HTTP Server
Name: mod_security
Version: 2.6.8
Release: 3%{?dist}
Release: 4%{?dist}
License: ASL 2.0
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
@ -16,6 +16,7 @@ Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz
Source1: mod_security.conf
Patch0: mod_security-fix-cve-2012-4528.patch
Patch1: mod_security-2.6.8-rhbz947842.patch
Patch2: mod_security-2.6.8_fix_cve-2013-2765.patch
Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
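
Review bot: The `Patch2:` file name `mod_security-2.6.8_fix_cve-2013-2765.patch` matches neither of the two existing patterns (`mod_security-fix-cve-2012-4528.patch` and `mod_security-2.6.8-rhbz947842.patch`), mixing an underscore separator into the versioned prefix. Consider a hyphen-only name such as `mod_security-2.6.8-fix-cve-2013-2765.patch`, and put a comment line above the `Patch2:` entry recording where the fix comes from, so the patch can be dropped cleanly on the next rebase.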
@ -37,6 +38,7 @@ This package contains the ModSecurity Audit Log Collector.
%setup -q -n modsecurity-apache_%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%configure --enable-pcre-match-limit=1000000 \
@ -104,6 +106,8 @@ rm -rf %{buildroot}
%attr(0755,root,root) %{_bindir}/mlogc-batch-load
%changelog
* Tue May 28 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-4
- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
* Wed Apr 3 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-3
- Backport security patch from 2.7.3 (RHBZ #947842)