author | 2007-07-31 22:27:59 +0000 | |
---|---|---|
committer | 2007-07-31 22:27:59 +0000 | |
commit | 992c0d1bb74c9e2e7c8c9660c848ab7df09a11f3 (patch) | |
tree | de6af3474753fb43d1f569123e25a252115aff5c /2.2/patches | |
parent | fix typos (diff) | |
add various CVE patches backported from 2.2.5-dev; fix mpm-itk patch
Diffstat (limited to '2.2/patches')
-rw-r--r-- | 2.2/patches/10_all_CVE-2006-5752.patch | 40 | ||||
-rw-r--r-- | 2.2/patches/11_all_CVE-2007-1862.patch | 51 | ||||
-rw-r--r-- | 2.2/patches/12_all_CVE-2007-1863.patch | 74 | ||||
-rw-r--r-- | 2.2/patches/13_all_CVE-2007-3304.patch | 110 | ||||
-rw-r--r-- | 2.2/patches/21_all_itk_20070425-00.patch | 54 |
5 files changed, 305 insertions, 24 deletions
diff --git a/2.2/patches/10_all_CVE-2006-5752.patch b/2.2/patches/10_all_CVE-2006-5752.patch
new file mode 100644
index 0000000..cbf3297
--- /dev/null
+++ b/2.2/patches/10_all_CVE-2006-5752.patch
@@ -0,0 +1,40 @@
+--- httpd-2.2.3/modules/generators/mod_status.c.cve5752
++++ httpd-2.2.3/modules/generators/mod_status.c
+@@ -270,7 +270,7 @@
+ if (r->method_number != M_GET)
+ return DECLINED;
+ 
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ 
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -299,7 +299,7 @@
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -673,7 +673,8 @@
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++ ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -763,7 +764,8 @@
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++ ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...) */
diff --git a/2.2/patches/11_all_CVE-2007-1862.patch b/2.2/patches/11_all_CVE-2007-1862.patch
new file mode 100644
index 0000000..17e6cc5
--- /dev/null
+++ b/2.2/patches/11_all_CVE-2007-1862.patch
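Review bot: The two new `ap_escape_logitem(r->pool, ws_record->request)` calls nested inside `ap_escape_html` carry the security fix but say nothing about why the request line is escaped twice, so a later tidy-up could collapse them back to a single `ap_escape_html`. Add at each site `/* log-escape before HTML-escaping: ap_escape_html() alone leaves control bytes in the request line untouched (CVE-2006-5752) */`, and a similar note on the two `charset=ISO-8859-1` lines saying the explicit charset is there so the browser does not guess an encoding for the page. That ap_escape_html passes control characters through is my reading of the fix rather than something the hunk shows, so check the wording against util.c before committing it. `ws_record->client` and `ws_record->vhost` keep the plain `ap_escape_html` treatment; if either field can carry client-supplied bytes it would deserve the same pairing, which is worth confirming rather than assuming.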
@@ -0,0 +1,51 @@
+--- httpd-2.2.4/modules/cache/mod_mem_cache.c.cve1862
++++ httpd-2.2.4/modules/cache/mod_mem_cache.c
+@@ -539,12 +539,28 @@
+ return OK;
+ }
+ 
++static apr_table_t *deep_table_copy(apr_pool_t *p, const apr_table_t *table)
++{
++ const apr_array_header_t *array = apr_table_elts(table);
++ apr_table_entry_t *elts = (apr_table_entry_t *) array->elts;
++ apr_table_t *copy = apr_table_make(p, array->nelts);
++ int i;
++
++ for (i = 0; i < array->nelts; i++) {
++ if (elts[i].key) {
++ apr_table_add(copy, elts[i].key, elts[i].val);
++ }
++ }
++
++ return copy;
++}
++
+ static apr_status_t recall_headers(cache_handle_t *h, request_rec *r)
+ {
+ mem_cache_object_t *mobj = (mem_cache_object_t*) h->cache_obj->vobj;
+ 
+- h->req_hdrs = apr_table_copy(r->pool, mobj->req_hdrs);
+- h->resp_hdrs = apr_table_copy(r->pool, mobj->header_out);
++ h->req_hdrs = deep_table_copy(r->pool, mobj->req_hdrs);
++ h->resp_hdrs = deep_table_copy(r->pool, mobj->header_out);
+ 
+ return OK;
+ }
+@@ -585,7 +601,7 @@
+ * - The original response headers (for returning with a cached response)
+ * - The body of the message
+ */
+- mobj->req_hdrs = apr_table_copy(mobj->pool, r->headers_in);
++ mobj->req_hdrs = deep_table_copy(mobj->pool, r->headers_in);
+ 
+ /* Precompute how much storage we need to hold the headers */
+ headers_out = ap_cache_cacheable_hdrs_out(r->pool, r->headers_out,
+@@ -599,7 +615,7 @@
+ }
+ 
+ headers_out = apr_table_overlay(r->pool, headers_out, r->err_headers_out);
+- mobj->header_out = apr_table_copy(mobj->pool, headers_out);
++ mobj->header_out = deep_table_copy(mobj->pool, headers_out);
+ 
+ /* Init the info struct */
+ obj->info.status = info->status;
diff --git a/2.2/patches/12_all_CVE-2007-1863.patch b/2.2/patches/12_all_CVE-2007-1863.patch
new file mode 100644
index 0000000..41c3ba7
--- /dev/null
+++ b/2.2/patches/12_all_CVE-2007-1863.patch
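Review bot: `deep_table_copy` is the whole fix but carries no comment explaining what `apr_table_copy` gets wrong, so the next reader will see a slower clone of a library call and be tempted to revert it. Put above the function `/* apr_table_copy() duplicates only the entry array; key/val still point into the source table's pool. Copy the strings into p so a cached object never references a request pool that has been cleared (CVE-2007-1862). */` — the fix rests on apr_table_add() duplicating key and val into the new table's pool, which it does (apr_table_addn would not). The `if (elts[i].key)` guard silently skips entries with a NULL key; a one-line comment saying why (presumably a defensive check for dead entries) would stop it reading as an accidental filter. Note also that this patch is rooted at httpd-2.2.4/ while the neighbouring CVE patches use httpd-2.2.3/; with -p1 the prefix is stripped, so it still applies, but the mismatch is easy to trip over when the set is regenerated.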
@@ -0,0 +1,74 @@
+--- httpd-2.2.3/modules/cache/cache_util.c.cve1863
++++ httpd-2.2.3/modules/cache/cache_util.c
+@@ -231,7 +231,8 @@
+ age = ap_cache_current_age(info, age_c, r->request_time);
+ 
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -240,7 +241,8 @@
+ 
+ /* extract max-age from request */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -248,7 +250,8 @@
+ }
+ 
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else {
+@@ -270,7 +273,20 @@
+ 
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+@@ -278,7 +294,8 @@
+ 
+ /* extract min-fresh */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -407,6 +424,9 @@
+ next - val_start);
+ }
+ }
++ else {
++ *val = NULL;
++ }
+ }
+ return 1;
+ }
diff --git a/2.2/patches/13_all_CVE-2007-3304.patch b/2.2/patches/13_all_CVE-2007-3304.patch
new file mode 100644
index 0000000..32a1af2
--- /dev/null
+++ b/2.2/patches/13_all_CVE-2007-3304.patch
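Review bot: The new `else { *val = NULL; }` in the @@ -407 hunk of ap_cache_liststr attaches to a block whose opening brace is outside the hunk, and the collapsed indentation does not show which one. If that block is the `if (val)` guard that lets callers pass a NULL out-pointer, the new branch dereferences NULL for every such caller; if it is the test for a `=` after the key, it is exactly what the `val != NULL` checks above rely on — confirm which, and in the former case write `else if (val) { *val = NULL; }`. Style-wise, `if(val != NULL) {` in the max-stale branch should read `if (val != NULL) {` like the surrounding code, and the `86400*365` literal deserves a name such as `#define CACHE_MAXSTALE_DEFAULT APR_INT64_C(86400*365)` placed next to the RFC 2616 comment that justifies it. The freshness check and ap_cache_liststr both begin outside their hunks.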
@@ -0,0 +1,110 @@
+--- httpd-2.2.3/include/mpm_common.h.cve3304
++++ httpd-2.2.3/include/mpm_common.h
+@@ -145,6 +145,17 @@
+ #endif
+ 
+ /**
++ * Safely signal an MPM child process, if the process is in the
++ * current process group. Otherwise fail.
++ * @param pid the process id of a child process to signal
++ * @param sig the signal number to send
++ * @return APR_SUCCESS if signal is sent, otherwise an error as per kill(3)
++ */
++#ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig);
++#endif
++
++/**
+ * Determine if any child process has died. If no child process died, then
+ * this process sleeps for the amount of time specified by the MPM defined
+ * macro SCOREBOARD_MAINTENANCE_INTERVAL.
+--- httpd-2.2.3/server/mpm_common.c.cve3304
++++ httpd-2.2.3/server/mpm_common.c
+@@ -126,6 +126,10 @@
+ apr_proc_t proc;
+ apr_status_t waitret;
+ 
++ if (!MPM_VALID_PID(pid)) {
++ return 1;
++ }
++
+ proc.pid = pid;
+ waitret = apr_proc_wait(&proc, NULL, NULL, APR_NOWAIT);
+ if (waitret != APR_CHILD_NOTDONE) {
+@@ -305,6 +309,16 @@
+ cur_extra = next;
+ }
+ }
++
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig)
++{
++ if (MPM_VALID_PID(pid)) {
++ return kill(pid, sig) ? errno : APR_SUCCESS;
++ }
++ else {
++ return APR_EINVAL;
++ }
++}
+ #endif /* AP_MPM_WANT_RECLAIM_CHILD_PROCESSES */
+ 
+ #ifdef AP_MPM_WANT_WAIT_OR_TIMEOUT
+--- httpd-2.2.3/server/mpm/prefork/prefork.c.cve3304
++++ httpd-2.2.3/server/mpm/prefork/prefork.c
+@@ -1127,7 +1127,7 @@
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) {
+ /* Ask each child to close its listeners. */
+- kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
+ active_children++;
+ }
+ }
+@@ -1166,7 +1166,7 @@
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) {
+ active_children = 1;
+ /* Having just one child is enough to stay around */
+ break;
+@@ -1222,7 +1222,7 @@
+ * piped loggers, etc. They almost certainly won't handle
+ * it gracefully.
+ */
+- kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
+ }
+ }
+ }
+--- httpd-2.2.3/server/mpm/prefork/mpm.h.cve3304
++++ httpd-2.2.3/server/mpm/prefork/mpm.h
+@@ -53,6 +53,7 @@
+ #define AP_MPM_USES_POD 1
+ #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
+ #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
+ #define MPM_ACCEPT_FUNC unixd_accept
+ 
+ extern int ap_threads_per_child;
+--- httpd-2.2.3/server/mpm/worker/worker.c.cve3304
++++ httpd-2.2.3/server/mpm/worker/worker.c
+@@ -1814,7 +1814,7 @@
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) {
+ active_children = 1;
+ /* Having just one child is enough to stay around */
+ break;
+--- httpd-2.2.3/server/mpm/worker/mpm.h.cve3304
++++ httpd-2.2.3/server/mpm/worker/mpm.h
+@@ -52,6 +52,7 @@
+ #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
+ #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
+ #define MPM_ACCEPT_FUNC unixd_accept
++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
+ 
+ extern int ap_threads_per_child;
+ extern int ap_max_daemons_limit;
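Review bot: `MPM_VALID_PID(p)` is `getpgid(p) == getpgrp()`, and getpgid(0) reports the caller's own process group, so `MPM_VALID_PID(0)` is true and `ap_mpm_safe_kill(0, sig)` turns into `kill(0, sig)`, which signals the entire process group, parent included. The callers at prefork.c:1166 and worker.c:1814 test `MPM_CHILD_PID(index) != 0` first, but the graceful-restart loop at prefork.c:1127 keys only on `status != SERVER_DEAD` and the guard around the 1222 call is outside the hunk; whether a slot can sit non-DEAD with pid 0 I cannot tell from here, but the helper should not depend on it. Add as the first statement of `ap_mpm_safe_kill` `if (pid < 1) { return APR_EINVAL; }` and note above the macro that it is a same-process-group test rather than a liveness test, since the getpgid/kill pair is not atomic and a recycled pid can still slip between the two calls. The `return 1;` added at mpm_common.c:126 sits in a function whose signature and return convention are outside the hunk; a comment such as `/* not in our process group: treat as already reclaimed */` would make the early exit self-explanatory, assuming that is what 1 means there.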
diff --git a/2.2/patches/21_all_itk_20070425-00.patch b/2.2/patches/21_all_itk_20070425-00.patch index dae5e9a..449a5e1 100644 --- a/2.2/patches/21_all_itk_20070425-00.patch +++ b/2.2/patches/21_all_itk_20070425-00.patch @@ -1,25 +1,26 @@ -diff -Nur apache2.2.orig/server/mpm/config.m4 apache2.2/server/mpm/config.m4 ---- apache2.2.orig/server/mpm/config.m4 2005-10-30 18:05:26.000000000 +0100 -+++ apache2.2/server/mpm/config.m4 2007-04-25 14:23:35.000000000 +0200 +Index: httpd-2.2.4/server/mpm/config.m4 +=================================================================== +--- httpd-2.2.4.orig/server/mpm/config.m4 ++++ httpd-2.2.4/server/mpm/config.m4 @@ -1,7 +1,7 @@ AC_MSG_CHECKING(which MPM to use) AC_ARG_WITH(mpm, APACHE_HELP_STRING(--with-mpm=MPM,Choose the process model for Apache to use. -- MPM={beos|event|worker|prefork|mpmt_os2}),[ -+ MPM={beos|event|worker|prefork|mpmt_os2|itk}),[ +- MPM={beos|event|worker|prefork|mpmt_os2|peruser}),[ ++ MPM={beos|event|worker|prefork|mpmt_os2|peruser|itk}),[ APACHE_MPM=$withval ],[ if test "x$APACHE_MPM" = "x"; then -@@ -23,7 +23,7 @@ +@@ -23,7 +23,7 @@ ap_mpm_is_threaded () ap_mpm_is_experimental () { -- if test "$apache_cv_mpm" = "event" ; then -+ if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "itk" ; then +- if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "peruser" ; then ++ if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "peruser" -o "$apache_cv_mpm" = "itk" ; then return 0 else return 1 -@@ -66,6 +66,11 @@ +@@ -66,6 +66,11 @@ if ap_mpm_is_experimental; then else MPM_SUBDIR_NAME=$MPM_NAME fi 
@@ -31,16 +32,18 @@ diff -Nur apache2.2.orig/server/mpm/config.m4 apache2.2/server/mpm/config.m4 MPM_DIR=server/mpm/$MPM_SUBDIR_NAME MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la -diff -Nur apache2.2.orig/server/mpm/experimental/itk/config.m4 apache2.2/server/mpm/experimental/itk/config.m4 ---- apache2.2.orig/server/mpm/experimental/itk/config.m4 1970-01-01 01:00:00.000000000 +0100 -+++ apache2.2/server/mpm/experimental/itk/config.m4 2007-04-25 14:23:35.000000000 +0200 +Index: httpd-2.2.4/server/mpm/experimental/itk/config.m4 +=================================================================== +--- /dev/null ++++ httpd-2.2.4/server/mpm/experimental/itk/config.m4 @@ -0,0 +1,3 @@ +if test "$MPM_NAME" = "itk" ; then + APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile) +fi -diff -Nur apache2.2.orig/server/mpm/experimental/itk/itk.c apache2.2/server/mpm/experimental/itk/itk.c ---- apache2.2.orig/server/mpm/experimental/itk/itk.c 1970-01-01 01:00:00.000000000 +0100 -+++ apache2.2/server/mpm/experimental/itk/itk.c 2007-04-25 14:23:35.000000000 +0200 +Index: httpd-2.2.4/server/mpm/experimental/itk/itk.c +=================================================================== +--- /dev/null ++++ httpd-2.2.4/server/mpm/experimental/itk/itk.c @@ -0,0 +1,1682 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with 
@@ -1724,18 +1727,20 @@ diff -Nur apache2.2.orig/server/mpm/experimental/itk/itk.c apache2.2/server/mpm/ + itk_cmds, /* command apr_table_t */ + itk_hooks, /* register hooks */ +}; -diff -Nur apache2.2.orig/server/mpm/experimental/itk/Makefile.in apache2.2/server/mpm/experimental/itk/Makefile.in ---- apache2.2.orig/server/mpm/experimental/itk/Makefile.in 1970-01-01 01:00:00.000000000 +0100 -+++ apache2.2/server/mpm/experimental/itk/Makefile.in 2007-04-25 14:23:35.000000000 +0200 +Index: httpd-2.2.4/server/mpm/experimental/itk/Makefile.in +=================================================================== +--- /dev/null ++++ httpd-2.2.4/server/mpm/experimental/itk/Makefile.in @@ -0,0 +1,5 @@ + +LTLIBRARY_NAME = libitk.la +LTLIBRARY_SOURCES = itk.c + +include $(top_srcdir)/build/ltlib.mk -diff -Nur apache2.2.orig/server/mpm/experimental/itk/mpm_default.h apache2.2/server/mpm/experimental/itk/mpm_default.h ---- apache2.2.orig/server/mpm/experimental/itk/mpm_default.h 1970-01-01 01:00:00.000000000 +0100 -+++ apache2.2/server/mpm/experimental/itk/mpm_default.h 2007-04-25 14:23:35.000000000 +0200 +Index: httpd-2.2.4/server/mpm/experimental/itk/mpm_default.h +=================================================================== +--- /dev/null ++++ httpd-2.2.4/server/mpm/experimental/itk/mpm_default.h @@ -0,0 +1,77 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with 
@@ -1814,9 +1819,10 @@ diff -Nur apache2.2.orig/server/mpm/experimental/itk/mpm_default.h apache2.2/ser + +#endif /* AP_MPM_DEFAULT_H */ +/** @} */ -diff -Nur apache2.2.orig/server/mpm/experimental/itk/mpm.h apache2.2/server/mpm/experimental/itk/mpm.h ---- apache2.2.orig/server/mpm/experimental/itk/mpm.h 1970-01-01 01:00:00.000000000 +0100 -+++ apache2.2/server/mpm/experimental/itk/mpm.h 2007-04-25 14:23:35.000000000 +0200 +Index: httpd-2.2.4/server/mpm/experimental/itk/mpm.h +=================================================================== +--- /dev/null ++++ httpd-2.2.4/server/mpm/experimental/itk/mpm.h @@ -0,0 +1,65 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with |