From e14ab0ad070b4eafa19fc1df81b7b5c3de1dc1b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
Date: Mon, 18 Sep 2017 15:41:03 +0200
Subject: [PATCH] gnu: httpd: Patch "options bleed" [fixes CVE-2017-9798].

* gnu/packages/patches/httpd-CVE-2017-9798.patch: New file.
* gnu/packages/web.scm (httpd)[source]: Use it.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                  |  1 +
 .../patches/httpd-CVE-2017-9798.patch         | 22 +++++++++++++++++++
 gnu/packages/web.scm                          |  3 ++-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/httpd-CVE-2017-9798.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c6fc436633..bdd49c6182 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -725,6 +725,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/hmmer-remove-cpu-specificity.patch	\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
+  %D%/packages/patches/httpd-CVE-2017-9798.patch		\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
   %D%/packages/patches/hydra-disable-darcs-test.patch		\
diff --git a/gnu/packages/patches/httpd-CVE-2017-9798.patch b/gnu/packages/patches/httpd-CVE-2017-9798.patch
new file mode 100644
index 0000000000..8391a3db4a
--- /dev/null
+++ b/gnu/packages/patches/httpd-CVE-2017-9798.patch
@@ -0,0 +1,22 @@
+Fixes "options bleed", aka. CVE-2017-9798:
+
+  https://nvd.nist.gov/vuln/detail/CVE-2017-9798
+  https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
+
+From <https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch>.
+
+--- a/server/core.c	2017/08/16 16:50:29	1805223
++++ b/server/core.c	2017/09/08 13:13:11	1807754
+@@ -2266,6 +2266,12 @@
+             /* method has not been registered yet, but resource restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 72892ffe22..6c9316a401 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -107,7 +107,8 @@
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0fn1778mxhf78np2d8qlycg1c2ak18rxax41plahasca4clc3z3i"))))
+               "0fn1778mxhf78np2d8qlycg1c2ak18rxax41plahasca4clc3z3i"))
+             (patches (search-patches "httpd-CVE-2017-9798.patch"))))
     (build-system gnu-build-system)
     (native-inputs `(("pcre" ,pcre "bin")))       ;for 'pcre-config'
     (inputs `(("apr" ,apr)