[libhtp/f20] Backport an upstream patch to fix a security issue
Mathieu Bridon
bochecha at fedoraproject.org
Tue Feb 17 02:55:56 UTC 2015
commit fae73e709ff18e0da02328d0ddbbf207418ac286
Author: Mathieu Bridon <bochecha at daitauha.fr>
Date: Fri Dec 12 17:24:47 2014 +0100
Backport an upstream patch to fix a security issue
https://bugzilla.redhat.com/show_bug.cgi?id=1190866
...connp_close-handle-streams-in-error-state.patch | 4 +-
...den-decompress-code-against-memory-stress.patch | 29 ++++++++++++++++++++
libhtp.spec | 11 +++++++-
3 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/0001-htp_connp_close-handle-streams-in-error-state.patch b/0001-htp_connp_close-handle-streams-in-error-state.patch
index 71cbb82..b5beca6 100644
--- a/0001-htp_connp_close-handle-streams-in-error-state.patch
+++ b/0001-htp_connp_close-handle-streams-in-error-state.patch
@@ -1,4 +1,4 @@
-From 4acebf251bb6c8343dd5f37f1b48cb38fec4fed4 Mon Sep 17 00:00:00 2001
+From 1832a99290437a291d5734af247a24616d1693af Mon Sep 17 00:00:00 2001
From: Victor Julien <victor at inliniac.net>
Date: Wed, 29 Oct 2014 14:02:23 +0100
Subject: [PATCH] htp_connp_close: handle streams in error state
@@ -22,7 +22,7 @@ to deal with an error state properly.
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/htp/htp_connection_parser.c b/htp/htp_connection_parser.c
-index 2758f65..9abc866 100644
+index 66e175a..3b89687 100644
--- a/htp/htp_connection_parser.c
+++ b/htp/htp_connection_parser.c
@@ -49,8 +49,10 @@ void htp_connp_close(htp_connp_t *connp, const htp_time_t *timestamp) {
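Review bot: The changes to 0001-htp_connp_close-handle-streams-in-error-state.patch (the `index` line in this hunk and the `From` hash in the hunk before it) are not mentioned in the commit message or in the changelog entry. Only patch metadata is visibly touched, which suggests the file was regenerated. Either drop this churn from a commit that is meant to carry a security backport, or state in the commit message that 0001 was refreshed and that its code content is unchanged, so a reviewer does not have to diff the two versions to confirm it.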
diff --git a/0002-Harden-decompress-code-against-memory-stress.patch b/0002-Harden-decompress-code-against-memory-stress.patch
new file mode 100644
index 0000000..60fe4dc
--- /dev/null
+++ b/0002-Harden-decompress-code-against-memory-stress.patch
@@ -0,0 +1,29 @@
+From e74dafaddcb559a7ea3b09207509aa3de7f9ca49 Mon Sep 17 00:00:00 2001
+From: Victor Julien <victor at inliniac.net>
+Date: Thu, 4 Dec 2014 13:33:03 +0100
+Subject: [PATCH] Harden decompress code against memory stress
+
+Under severe memory pressure the decompress code can fail to setup
+properly. Add checks before dereferencing pointers.
+---
+ htp/htp_transaction.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/htp/htp_transaction.c b/htp/htp_transaction.c
+index 6593d87..5d2dad6 100644
+--- a/htp/htp_transaction.c
++++ b/htp/htp_transaction.c
+@@ -784,6 +784,10 @@ htp_status_t htp_tx_res_process_body_data_ex(htp_tx_t *tx, const void *data, siz
+ switch (tx->response_content_encoding_processing) {
+ case HTP_COMPRESSION_GZIP:
+ case HTP_COMPRESSION_DEFLATE:
++ // In severe memory stress these could be NULL
++ if (tx->connp->out_decompressor == NULL || tx->connp->out_decompressor->decompress == NULL)
++ return HTP_ERROR;
++
+ // Send data buffer to the decompressor.
+ tx->connp->out_decompressor->decompress(tx->connp->out_decompressor, &d);
+
+--
+2.1.0
+
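Review bot: The new early return in the HTP_COMPRESSION_GZIP / HTP_COMPRESSION_DEFLATE case fails the call with HTP_ERROR but records nothing, so a failure caused by memory pressure cannot be told apart from any other parse error. Consider emitting a log message before `return HTP_ERROR;`. The check also guards only this one call site, while the patch description says the decompressor "can fail to setup properly"; it is worth confirming that the setup path reports the failure itself and that no other caller dereferences `tx->connp->out_decompressor` without the same check.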
diff --git a/libhtp.spec b/libhtp.spec
index 4f3e51a..ca2e92b 100644
--- a/libhtp.spec
+++ b/libhtp.spec
@@ -1,6 +1,6 @@
Name: libhtp
Version: 0.5.6
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Security-aware parser for the HTTP protocol and the related bits and pieces
License: BSD
@@ -15,6 +15,10 @@ Source0: %{name}-%{version}.tar.xz
# https://github.com/OISF/libhtp/pull/82
Patch0: 0001-htp_connp_close-handle-streams-in-error-state.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1190866
+# https://github.com/OISF/libhtp/commit/c7c03843cd6b1cbf44eb435d160ba53aec948828
+Patch1: 0002-Harden-decompress-code-against-memory-stress.patch
+
# Upstream doesn't publish release tarballs yet, so we need the autotools stuff
BuildRequires: autoconf automake libtool
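Review bot: The upstream commit cited in the comment above Patch1 (c7c03843cd6b1cbf44eb435d160ba53aec948828) does not match the `From e74dafaddcb559a7ea3b09207509aa3de7f9ca49` line of the 0002 patch file added in this same commit. If the patch was regenerated from a local branch on top of 0.5.6, say so in the spec comment, so that the shipped patch can be verified against the upstream commit it claims to backport.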
@@ -52,6 +56,7 @@ Documentation (in HTML, Latex and PDF formats) for %{name}.
%setup -q
%patch0 -p1
+%patch1 -p1
%build
@@ -95,6 +100,10 @@ find %{buildroot} -name '*.la' -exec rm -f '{}' \;
%changelog
+* Tue Feb 17 2015 Mathieu Bridon <bochecha at daitauha.fr> - 0.5.6-3
+- Backport an upstream patch to fix a security issue
+ https://bugzilla.redhat.com/show_bug.cgi?id=1190866
+
* Fri Dec 12 2014 Mathieu Bridon <bochecha at daitauha.fr> - 0.5.6-2
- Backport an upstream patch to fix a security issue
https://bugzilla.redhat.com/show_bug.cgi?id=1173605
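Review bot: The new 0.5.6-3 changelog entry uses exactly the same wording as the 0.5.6-2 entry below it and differs only in the bug number. Name the fix in the entry, for example the NULL checks added to the decompress path, so that someone reading the RPM changelog can tell which issue each release addressed without opening Bugzilla.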