apache2: CVE-2018-1333

* fixes a race condition where aborting streams triggers an unnecessary timeout. Affects apache2 2.4.18 to 2.4.30 and apache2 2.4.33 Fixed in apache2 2.4.34 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-12 03:24:08 +00:00 · 2018-08-23 16:51:22 +05:30
parent 280157bc38
commit 086be3c7ec
3 changed files with 46 additions and 0 deletions
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
@@ -10,6 +10,7 @@ inherit autotools pkgconfig native

 SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
           file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
+           file://CVE-2018-1333.patch \
          "

 S = "${WORKDIR}/httpd-${PV}"
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
@@ -21,6 +21,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
           file://apache2-volatile.conf \
           file://apache2.service \
           file://volatiles.04_apache2 \
+           file://CVE-2018-1333.patch \
          "

 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
--- a/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
+++ b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
@@ -0,0 +1,44 @@
+From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan.eissing@greenbytes.de>
+Date: Wed, 18 Apr 2018 11:55:17 +0200
+Subject: [PATCH]  * fixes a race condition where aborting streams triggers an
+ unnecessary timeout.
+
+Note: Re-factored upstream fix
+https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81,
+so that it applies to httpd v2.4.27 code. Similarly done at
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879
+
+CVE: CVE-2018-1333
+Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+
+diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c
+--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c	2017-04-21 06:52:05.000000000 -0700
+++ httpd-2.4.27/modules/http2/h2_bucket_beam.c	2018-07-24 23:44:40.888330955 -0700
+@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke
+         apr_brigade_destroy(bb);
+         if (bl) enter_yellow(beam, bl);
+         
+        apr_thread_cond_broadcast(beam->change);
+         if (beam->cons_ev_cb) { 
+             beam->cons_ev_cb(beam->cons_ctx, beam);
+         }
+@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
+     h2_beam_lock bl;
+     
+     if (enter_yellow(beam, &bl) == APR_SUCCESS) {
+-        if (!beam->aborted) {
+-            beam->aborted = 1;
+-            r_purge_sent(beam);
+-            h2_blist_cleanup(&beam->send_list);
+-            report_consumption(beam, &bl);
+-        }
+        beam->aborted = 1;
+        r_purge_sent(beam);
+        h2_blist_cleanup(&beam->send_list);
+        report_consumption(beam, &bl);
+         if (beam->cond) {
+             apr_thread_cond_broadcast(beam->cond);
+         }