[libhtp/f20] Backport an upstream patch to fix a security issue

Mathieu Bridon bochecha at fedoraproject.org
Tue Feb 17 02:55:56 UTC 2015


commit fae73e709ff18e0da02328d0ddbbf207418ac286
Author: Mathieu Bridon <bochecha at daitauha.fr>
Date:   Fri Dec 12 17:24:47 2014 +0100

    Backport an upstream patch to fix a security issue
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1190866

 ...connp_close-handle-streams-in-error-state.patch |    4 +-
 ...den-decompress-code-against-memory-stress.patch |   29 ++++++++++++++++++++
 libhtp.spec                                        |   11 +++++++-
 3 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/0001-htp_connp_close-handle-streams-in-error-state.patch b/0001-htp_connp_close-handle-streams-in-error-state.patch
index 71cbb82..b5beca6 100644
--- a/0001-htp_connp_close-handle-streams-in-error-state.patch
+++ b/0001-htp_connp_close-handle-streams-in-error-state.patch
@@ -1,4 +1,4 @@
-From 4acebf251bb6c8343dd5f37f1b48cb38fec4fed4 Mon Sep 17 00:00:00 2001
+From 1832a99290437a291d5734af247a24616d1693af Mon Sep 17 00:00:00 2001
 From: Victor Julien <victor at inliniac.net>
 Date: Wed, 29 Oct 2014 14:02:23 +0100
 Subject: [PATCH] htp_connp_close: handle streams in error state
@@ -22,7 +22,7 @@ to deal with an error state properly.
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/htp/htp_connection_parser.c b/htp/htp_connection_parser.c
-index 2758f65..9abc866 100644
+index 66e175a..3b89687 100644
 --- a/htp/htp_connection_parser.c
 +++ b/htp/htp_connection_parser.c
 @@ -49,8 +49,10 @@ void htp_connp_close(htp_connp_t *connp, const htp_time_t *timestamp) {
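Review bot: The index line for htp/htp_connection_parser.c changes from 2758f65..9abc866 to 66e175a..3b89687 (and the From hash changes in the hunk above), so patch 0001 was regenerated against a different base, yet the commit message only mentions the new backport. Note the regeneration in the commit message, or leave 0001 untouched in this commit, so that a reviewer of a security update does not have to diff the two versions to confirm the patch body is unchanged.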
diff --git a/0002-Harden-decompress-code-against-memory-stress.patch b/0002-Harden-decompress-code-against-memory-stress.patch
new file mode 100644
index 0000000..60fe4dc
--- /dev/null
+++ b/0002-Harden-decompress-code-against-memory-stress.patch
@@ -0,0 +1,29 @@
+From e74dafaddcb559a7ea3b09207509aa3de7f9ca49 Mon Sep 17 00:00:00 2001
+From: Victor Julien <victor at inliniac.net>
+Date: Thu, 4 Dec 2014 13:33:03 +0100
+Subject: [PATCH] Harden decompress code against memory stress
+
+Under severe memory pressure the decompress code can fail to setup
+properly. Add checks before dereferencing pointers.
+---
+ htp/htp_transaction.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/htp/htp_transaction.c b/htp/htp_transaction.c
+index 6593d87..5d2dad6 100644
+--- a/htp/htp_transaction.c
++++ b/htp/htp_transaction.c
+@@ -784,6 +784,10 @@ htp_status_t htp_tx_res_process_body_data_ex(htp_tx_t *tx, const void *data, siz
+     switch (tx->response_content_encoding_processing) {
+         case HTP_COMPRESSION_GZIP:
+         case HTP_COMPRESSION_DEFLATE:
++            // In severe memory stress these could be NULL
++            if (tx->connp->out_decompressor == NULL || tx->connp->out_decompressor->decompress == NULL)
++                return HTP_ERROR;
++
+             // Send data buffer to the decompressor.
+             tx->connp->out_decompressor->decompress(tx->connp->out_decompressor, &d);
+ 
+-- 
+2.1.0
+
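Review bot: The new guard in the HTP_COMPRESSION_GZIP / HTP_COMPRESSION_DEFLATE case returns HTP_ERROR without recording anything and leaves tx->response_content_encoding_processing as it was, so any later call for the same transaction would reach the same return with no indication that decompressor setup failed. Consider logging the condition before the return, and have the comment name the setup step that can fail rather than "these could be NULL"; ideally the failure is also caught where the decompressor is created, so this check is a second line of defence rather than the only one. Minor style point: the two-line if without braces is easy to break in a later edit.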
diff --git a/libhtp.spec b/libhtp.spec
index 4f3e51a..ca2e92b 100644
--- a/libhtp.spec
+++ b/libhtp.spec
@@ -1,6 +1,6 @@
 Name:          libhtp
 Version:       0.5.6
-Release:       2%{?dist}
+Release:       3%{?dist}
 
 Summary:       Security-aware parser for the HTTP protocol and the related bits and pieces
 License:       BSD
@@ -15,6 +15,10 @@ Source0:       %{name}-%{version}.tar.xz
 # https://github.com/OISF/libhtp/pull/82
 Patch0:        0001-htp_connp_close-handle-streams-in-error-state.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1190866
+# https://github.com/OISF/libhtp/commit/c7c03843cd6b1cbf44eb435d160ba53aec948828
+Patch1:        0002-Harden-decompress-code-against-memory-stress.patch
+
 # Upstream doesn't publish release tarballs yet, so we need the autotools stuff
 BuildRequires: autoconf automake libtool
 
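Review bot: The comment above Patch1 points at upstream commit c7c03843cd6b1cbf44eb435d160ba53aec948828, but the From line of the patch file added in this commit reads e74dafaddcb559a7ea3b09207509aa3de7f9ca49. If the file is a cherry-pick onto 0.5.6 rather than the upstream commit as-is, say so in the comment, so the mismatch does not read as the wrong patch having been picked up.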
@@ -52,6 +56,7 @@ Documentation (in HTML, Latex and PDF formats) for %{name}.
 %setup -q
 
 %patch0 -p1
+%patch1 -p1
 
 
 %build
@@ -95,6 +100,10 @@ find %{buildroot} -name '*.la' -exec rm -f '{}' \;
 
 
 %changelog
+* Tue Feb 17 2015 Mathieu Bridon <bochecha at daitauha.fr> - 0.5.6-3
+- Backport an upstream patch to fix a security issue
+  https://bugzilla.redhat.com/show_bug.cgi?id=1190866
+
 * Fri Dec 12 2014 Mathieu Bridon <bochecha at daitauha.fr> - 0.5.6-2
 - Backport an upstream patch to fix a security issue
   https://bugzilla.redhat.com/show_bug.cgi?id=1173605
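Review bot: The new 0.5.6-3 changelog entry has the same wording as the 0.5.6-2 entry below it and differs only in the bug number. Name the fix (the NULL checks in the response decompression path from patch 0002) so that someone reading the package changelog can tell the two security updates apart without opening Bugzilla.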

