reverted: --- libapache-mod-security-2.5.11/debian/mod-security-mlogc.debhelper.log +++ libapache-mod-security-2.5.11.orig/debian/mod-security-mlogc.debhelper.log @@ -1,11 +0,0 @@ -dh_installdirs -dh_install -dh_link -dh_strip -dh_compress -dh_fixperms -dh_installdeb -dh_shlibdeps -dh_gencontrol -dh_md5sums -dh_builddeb diff -u libapache-mod-security-2.5.11/debian/changelog libapache-mod-security-2.5.11/debian/changelog --- libapache-mod-security-2.5.11/debian/changelog +++ libapache-mod-security-2.5.11/debian/changelog @@ -1,3 +1,22 @@ +libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low + + * SECURITY UPDATE: bypass multipart filtering using invalid quoting (LP: + #1016909) + - debian/patches/CVE-2012-2751: Fix detection of invalid + quotes. Thanks to Alberto Gonzalez Iniesta for the backported patch + - Patch taken from Oneiric package + - CVE-2012-2751 + * SECURITY UPDATE: disclosure of local files or denial of service by + resource exhaustion via XML External Entity (XEE) attacks (LP: + #1169030) + - debian/patches/CVE-2013-1915.patch: Add an option to allow loading + external entities (disabled by default). Backported from upstream + patch + - d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe + - CVE-2013-1915 + + -- Evan Broder Tue, 16 Apr 2013 09:05:37 -0700 + libapache-mod-security (2.5.11-1) unstable; urgency=low * New upstream release only in patch2: unchanged: --- libapache-mod-security-2.5.11.orig/apache2/msc_xml.c +++ libapache-mod-security-2.5.11/apache2/msc_xml.c 
@@ -18,17 +18,28 @@ */ #include "msc_xml.h" +static xmlParserInputBufferPtr +xml_unload_external_entity(const char *URI, xmlCharEncoding enc) { + return NULL; +} + /** * Initialise XML parser. */ int xml_init(modsec_rec *msr, char **error_msg) { + xmlParserInputBufferCreateFilenameFunc entity; + if (error_msg == NULL) return -1; *error_msg = NULL; msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data)); if (msr->xml == NULL) return -1; + if(msr->txcfg->xml_external_entity == 0) { + entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity); + } + return 1; } only in patch2: unchanged: --- libapache-mod-security-2.5.11.orig/apache2/apache2_config.c +++ libapache-mod-security-2.5.11/apache2/apache2_config.c @@ -123,6 +123,9 @@ dcfg->request_encoding = NOT_SET_P; + /* xml external entity */ + dcfg->xml_external_entity = NOT_SET; + return dcfg; } @@ -475,6 +478,10 @@ merged->request_encoding = (child->request_encoding == NOT_SET_P ? parent->request_encoding : child->request_encoding); + /* xml external entity */ + merged->xml_external_entity = (child->xml_external_entity == NOT_SET + ? parent->xml_external_entity : child->xml_external_entity); + return merged; } @@ -562,6 +569,10 @@ if (dcfg->cache_trans_maxitems == (apr_size_t)NOT_SET) dcfg->cache_trans_maxitems = 512; if (dcfg->request_encoding == NOT_SET_P) dcfg->request_encoding = NULL; + + /* xml external entity */ + if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0; + } /** 
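Review bot: In xml_init the new local `entity` receives the previous loader returned by `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity)` and is never read, so either drop it, `xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);`, or keep it somewhere it can be restored. That libxml2 setter installs a process-wide default and returns the old one; since the hunk only ever installs the NULL-returning loader when the directive is Off and never puts the original back, a server mixing SecXmlExternalEntity On and Off contexts will, as far as I can tell, refuse external entities in the On contexts too once any Off request has run (fail-closed, but not what the directive promises), and xml_init reinstalls it on every request. The callback ignores both arguments; `(void)URI; (void)enc;` in its body keeps -Wunused-parameter quiet, and a one-line comment such as `/* Refusing to open any external entity closes CVE-2013-1915 (XXE file disclosure / resource exhaustion). */` would document why it returns NULL.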
@@ -1629,6 +1640,33 @@ return NULL; } +/** +* \brief Add SecXmlExternalEntity configuration option +* +* \param cmd Pointer to configuration data +* \param _dcfg Pointer to directory configuration +* \param p1 Pointer to configuration option +* +* \retval NULL On failure +* \retval apr_psprintf On Success +*/ +static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1) +{ + directory_config *dcfg = (directory_config *)_dcfg; + if (dcfg == NULL) return NULL; + + if (strcasecmp(p1, "on") == 0) { + dcfg->xml_external_entity = 1; + } + else if (strcasecmp(p1, "off") == 0) { + dcfg->xml_external_entity = 0; + } + else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1); + + return NULL; +} + + /* -- PDF Protection configuration -- */ static const char *cmd_pdf_protect(cmd_parms *cmd, void *_dcfg, int flag) { @@ -2158,6 +2196,14 @@ NULL, CMD_SCOPE_ANY, "On or Off" + ), + + AP_INIT_TAKE1 ( + "SecXmlExternalEntity", + cmd_xml_external_entity, + NULL, + CMD_SCOPE_ANY, + "On or Off" ), AP_INIT_FLAG ( only in patch2: unchanged: --- libapache-mod-security-2.5.11.orig/apache2/msc_multipart.c +++ libapache-mod-security-2.5.11/apache2/msc_multipart.c @@ -24,6 +24,32 @@ #include "msc_util.h" #include "msc_parsers.h" +void validate_quotes(modsec_rec *msr, unsigned char *data) { + int i, len; + + if(msr == NULL) + return; + + if(msr->mpd == NULL) + return; + + if(data == NULL) + return; + + len = strlen(data); + + for(i = 0; i < len; i++) { + + if(data[i] == '\'') { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes", + log_escape_nq(msr->mp, data), len); + } + msr->mpd->flag_invalid_quoting = 1; + } + } +} + #if 0 static char *multipart_construct_filename(modsec_rec *msr) { 
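Review bot: The Doxygen block on cmd_xml_external_entity has the return values backwards: the function returns NULL on success and an apr_psprintf error string on a bad value, so the lines should read `\retval NULL On success` and `\retval apr_psprintf Error message on failure`. As a point of style, the neighbouring directive cmd_pdf_protect takes `int flag` and is registered with AP_INIT_FLAG, which lets Apache parse On/Off itself; registering SecXmlExternalEntity the same way in the @@ -2158 hunk would remove the hand-rolled strcasecmp chain and its error message. `if (dcfg == NULL) return NULL;` reports success when there is no directory config, which may be the file's convention but is worth a comment if so.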
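Review bot: validate_quotes calls `strlen(data)` with an `unsigned char *`, which is a pointer-signedness mismatch (and `len`/`i` are `int` for a size), and because the loop keeps going after the first quote a value containing many quotes emits one level-9 log line per quote while the flag can only be set once. The callers added in the @@ -159 and @@ -173 hunks pass `value`, so if that is a plain `char *` the same mismatch appears at the call sites. The function is not `static` and no prototype is visible in this patch; if msc_multipart.c is its only user it should be. A rewrite that checks once and casts explicitly:
```c
void validate_quotes(modsec_rec *msr, unsigned char *data) {
    const char *s = (const char *)data;

    if (msr == NULL || msr->mpd == NULL || data == NULL) return;

    /* A single quote already sets the flag, so one check and one log line suffice. */
    if (strchr(s, '\'') == NULL) return;

    if (msr->txcfg->debuglog_level >= 9) {
        msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes",
            log_escape_nq(msr->mp, data), (int)strlen(s));
    }
    msr->mpd->flag_invalid_quoting = 1;
}
```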
@@ -159,6 +185,9 @@ /* evaluate part */ if (strcmp(name, "name") == 0) { + + validate_quotes(msr, value); + if (msr->mpd->mpp->name != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition name: %s", log_escape_nq(msr->mp, value)); @@ -173,6 +202,9 @@ } else if (strcmp(name, "filename") == 0) { + + validate_quotes(msr, value); + if (msr->mpd->mpp->filename != NULL) { msr_log(msr, 4, "Multipart: Warning: Duplicate Content-Disposition filename: %s", log_escape_nq(msr->mp, value)); @@ -191,7 +223,18 @@ while((*p == '\t') || (*p == ' ')) p++; /* the next character must be a zero or a semi-colon */ if (*p == '\0') return 1; /* this is OK */ - if (*p != ';') return -12; + if (*p != ';') { + p--; + if(*p == '\'' || *p == '\"') { + if (msr->txcfg->debuglog_level >= 9) { + msr_log(msr, 9, "Multipart: Invalid quoting detected: %s length %d bytes", + log_escape_nq(msr->mp, p), strlen(p)); + } + msr->mpd->flag_invalid_quoting = 1; + } + p++; + return -12; + } p++; /* move over the semi-colon */ } only in patch2: unchanged: --- libapache-mod-security-2.5.11.orig/apache2/modsecurity.h +++ libapache-mod-security-2.5.11/apache2/modsecurity.h @@ -471,6 +471,9 @@ /* Request character encoding. */ const char *request_encoding; + + /* xml */ + int xml_external_entity; }; struct error_message {
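Review bot: In the @@ -191 hunk `msr_log(..., "... length %d bytes", log_escape_nq(msr->mp, p), strlen(p))` passes a size_t to `%d`, which is undefined behaviour under the format rules; use `(int)strlen(p)` (the logger goes through APR formatting, so `%d` with a cast is the portable choice). The `p--` inspects only the character immediately before the first non-blank after the value, so when the whitespace loop two lines above advanced `p` that character is a space or tab and a stray quote followed by whitespace, as I read it, is not flagged. The enclosing function starts and ends outside the hunk, so I cannot see whether `p` is a local; if it is, the `p++` before `return -12` is dead and could go. A short comment above the block, `/* A quote right before the unexpected character means the value was closed and then continued (CVE-2012-2751 filtering bypass); record it for MULTIPART_INVALID_QUOTING-style checks. */`, would explain the otherwise opaque back-step.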
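Review bot: The new field in modsecurity.h is annotated only with `/* xml */`, which does not tell a reader what the values mean or where they come from; the cmd handler and the default in apache2_config.c fix them. Suggest `/* SecXmlExternalEntity: non-zero leaves libxml2's external-entity loader in place, 0 (the default) installs one that refuses every external entity (CVE-2013-1915). */`.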