authorBenedikt Boehm <hollow@gentoo.org>2007-07-31 22:27:59 +0000
committerBenedikt Boehm <hollow@gentoo.org>2007-07-31 22:27:59 +0000
commit992c0d1bb74c9e2e7c8c9660c848ab7df09a11f3 (patch)
treede6af3474753fb43d1f569123e25a252115aff5c /2.2/patches
parentfix typos (diff)
downloadapache-992c0d1bb74c9e2e7c8c9660c848ab7df09a11f3.tar.gz
apache-992c0d1bb74c9e2e7c8c9660c848ab7df09a11f3.tar.bz2
apache-992c0d1bb74c9e2e7c8c9660c848ab7df09a11f3.zip
add various CVE patches backported from 2.2.5-dev; fix mpm-itk patch
Diffstat (limited to '2.2/patches')
-rw-r--r--2.2/patches/10_all_CVE-2006-5752.patch40
-rw-r--r--2.2/patches/11_all_CVE-2007-1862.patch51
-rw-r--r--2.2/patches/12_all_CVE-2007-1863.patch74
-rw-r--r--2.2/patches/13_all_CVE-2007-3304.patch110
-rw-r--r--2.2/patches/21_all_itk_20070425-00.patch54
5 files changed, 305 insertions, 24 deletions
diff --git a/2.2/patches/10_all_CVE-2006-5752.patch b/2.2/patches/10_all_CVE-2006-5752.patch
new file mode 100644
index 0000000..cbf3297
--- /dev/null
+++ b/2.2/patches/10_all_CVE-2006-5752.patch
@@ -0,0 +1,40 @@
+--- httpd-2.2.3/modules/generators/mod_status.c.cve5752
++++ httpd-2.2.3/modules/generators/mod_status.c
+@@ -270,7 +270,7 @@
+ if (r->method_number != M_GET)
+ return DECLINED;
+
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -299,7 +299,7 @@
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -673,7 +673,8 @@
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++ ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -763,7 +764,8 @@
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++ ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...) */
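Review bot: Neither the charset added to the two ap_set_content_type() calls nor the ap_escape_logitem() wrapping of ws_record->request says why both belong to the same fix, and the patch file carries no header describing it. Presumably the explicit charset is there so a browser cannot sniff the otherwise unlabeled page as a different encoding and so bypass ap_escape_html(), while ap_escape_logitem() neutralises non-printable bytes in the request line before the HTML escaping runs; the diff itself does not state either. A one-line header at the top of the patch, e.g. `# CVE-2006-5752: mod_status XSS - label the charset and escape control bytes in the request line before HTML-escaping`, would record that for whoever rebases the patch next.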
diff --git a/2.2/patches/11_all_CVE-2007-1862.patch b/2.2/patches/11_all_CVE-2007-1862.patch
new file mode 100644
index 0000000..17e6cc5
--- /dev/null
+++ b/2.2/patches/11_all_CVE-2007-1862.patch
@@ -0,0 +1,51 @@
+--- httpd-2.2.4/modules/cache/mod_mem_cache.c.cve1862
++++ httpd-2.2.4/modules/cache/mod_mem_cache.c
+@@ -539,12 +539,28 @@
+ return OK;
+ }
+
++static apr_table_t *deep_table_copy(apr_pool_t *p, const apr_table_t *table)
++{
++ const apr_array_header_t *array = apr_table_elts(table);
++ apr_table_entry_t *elts = (apr_table_entry_t *) array->elts;
++ apr_table_t *copy = apr_table_make(p, array->nelts);
++ int i;
++
++ for (i = 0; i < array->nelts; i++) {
++ if (elts[i].key) {
++ apr_table_add(copy, elts[i].key, elts[i].val);
++ }
++ }
++
++ return copy;
++}
++
+ static apr_status_t recall_headers(cache_handle_t *h, request_rec *r)
+ {
+ mem_cache_object_t *mobj = (mem_cache_object_t*) h->cache_obj->vobj;
+
+- h->req_hdrs = apr_table_copy(r->pool, mobj->req_hdrs);
+- h->resp_hdrs = apr_table_copy(r->pool, mobj->header_out);
++ h->req_hdrs = deep_table_copy(r->pool, mobj->req_hdrs);
++ h->resp_hdrs = deep_table_copy(r->pool, mobj->header_out);
+
+ return OK;
+ }
+@@ -585,7 +601,7 @@
+ * - The original response headers (for returning with a cached response)
+ * - The body of the message
+ */
+- mobj->req_hdrs = apr_table_copy(mobj->pool, r->headers_in);
++ mobj->req_hdrs = deep_table_copy(mobj->pool, r->headers_in);
+
+ /* Precompute how much storage we need to hold the headers */
+ headers_out = ap_cache_cacheable_hdrs_out(r->pool, r->headers_out,
+@@ -599,7 +615,7 @@
+ }
+
+ headers_out = apr_table_overlay(r->pool, headers_out, r->err_headers_out);
+- mobj->header_out = apr_table_copy(mobj->pool, headers_out);
++ mobj->header_out = deep_table_copy(mobj->pool, headers_out);
+
+ /* Init the info struct */
+ obj->info.status = info->status;
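Review bot: deep_table_copy() has no comment explaining why it replaces apr_table_copy() in the three hunks, and the correctness of the fix rests entirely on apr_table_add() duplicating the key and value strings into `p` (apr_table_addn() would keep the original pointers and silently reintroduce the problem). Suggest a header comment on the function, `/* apr_table_copy() duplicates only the entry array and shares the key/value strings with the source pool; apr_table_add() pstrdup()s them into p so the copy does not dangle once r->pool is cleared. Do not switch to apr_table_addn(). */`. The cast on `array->elts` drops const, which matches the surrounding APR idiom but is worth a glance. The two later hunks' enclosing function starts outside the diff.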
diff --git a/2.2/patches/12_all_CVE-2007-1863.patch b/2.2/patches/12_all_CVE-2007-1863.patch
new file mode 100644
index 0000000..41c3ba7
--- /dev/null
+++ b/2.2/patches/12_all_CVE-2007-1863.patch
@@ -0,0 +1,74 @@
+--- httpd-2.2.3/modules/cache/cache_util.c.cve1863
++++ httpd-2.2.3/modules/cache/cache_util.c
+@@ -231,7 +231,8 @@
+ age = ap_cache_current_age(info, age_c, r->request_time);
+
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -240,7 +241,8 @@
+
+ /* extract max-age from request */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -248,7 +250,8 @@
+ }
+
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else {
+@@ -270,7 +273,20 @@
+
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+@@ -278,7 +294,8 @@
+
+ /* extract min-fresh */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -407,6 +424,9 @@
+ next - val_start);
+ }
+ }
++ else {
++ *val = NULL;
++ }
+ }
+ return 1;
+ }
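Review bot: The new `if(val != NULL) {` in the max-stale hunk is missing the space after `if` that every other conditional in cache_util.c uses (`if (cc_req && ...`); write `if (val != NULL) {`. The `*val = NULL;` branch added to ap_cache_liststr() at the end is what makes the `&& val != NULL` guards in the earlier hunks meaningful, but neither side says so; a comment on the new else, `/* directive present but carries no value; callers must test for NULL before apr_atoi64() */`, would tie them together. The body of ap_cache_liststr() and the function enclosing the earlier hunks both begin outside the diff, so I cannot confirm that no other caller of ap_cache_liststr() passes `val` to apr_atoi64() unchecked.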
diff --git a/2.2/patches/13_all_CVE-2007-3304.patch b/2.2/patches/13_all_CVE-2007-3304.patch
new file mode 100644
index 0000000..32a1af2
--- /dev/null
+++ b/2.2/patches/13_all_CVE-2007-3304.patch
@@ -0,0 +1,110 @@
+--- httpd-2.2.3/include/mpm_common.h.cve3304
++++ httpd-2.2.3/include/mpm_common.h
+@@ -145,6 +145,17 @@
+ #endif
+
+ /**
++ * Safely signal an MPM child process, if the process is in the
++ * current process group. Otherwise fail.
++ * @param pid the process id of a child process to signal
++ * @param sig the signal number to send
++ * @return APR_SUCCESS if signal is sent, otherwise an error as per kill(3)
++ */
++#ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig);
++#endif
++
++/**
+ * Determine if any child process has died. If no child process died, then
+ * this process sleeps for the amount of time specified by the MPM defined
+ * macro SCOREBOARD_MAINTENANCE_INTERVAL.
+--- httpd-2.2.3/server/mpm_common.c.cve3304
++++ httpd-2.2.3/server/mpm_common.c
+@@ -126,6 +126,10 @@
+ apr_proc_t proc;
+ apr_status_t waitret;
+
++ if (!MPM_VALID_PID(pid)) {
++ return 1;
++ }
++
+ proc.pid = pid;
+ waitret = apr_proc_wait(&proc, NULL, NULL, APR_NOWAIT);
+ if (waitret != APR_CHILD_NOTDONE) {
+@@ -305,6 +309,16 @@
+ cur_extra = next;
+ }
+ }
++
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig)
++{
++ if (MPM_VALID_PID(pid)) {
++ return kill(pid, sig) ? errno : APR_SUCCESS;
++ }
++ else {
++ return APR_EINVAL;
++ }
++}
+ #endif /* AP_MPM_WANT_RECLAIM_CHILD_PROCESSES */
+
+ #ifdef AP_MPM_WANT_WAIT_OR_TIMEOUT
+--- httpd-2.2.3/server/mpm/prefork/prefork.c.cve3304
++++ httpd-2.2.3/server/mpm/prefork/prefork.c
+@@ -1127,7 +1127,7 @@
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) {
+ /* Ask each child to close its listeners. */
+- kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
+ active_children++;
+ }
+ }
+@@ -1166,7 +1166,7 @@
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) {
+ active_children = 1;
+ /* Having just one child is enough to stay around */
+ break;
+@@ -1222,7 +1222,7 @@
+ * piped loggers, etc. They almost certainly won't handle
+ * it gracefully.
+ */
+- kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
+ }
+ }
+ }
+--- httpd-2.2.3/server/mpm/prefork/mpm.h.cve3304
++++ httpd-2.2.3/server/mpm/prefork/mpm.h
+@@ -53,6 +53,7 @@
+ #define AP_MPM_USES_POD 1
+ #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
+ #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
+ #define MPM_ACCEPT_FUNC unixd_accept
+
+ extern int ap_threads_per_child;
+--- httpd-2.2.3/server/mpm/worker/worker.c.cve3304
++++ httpd-2.2.3/server/mpm/worker/worker.c
+@@ -1814,7 +1814,7 @@
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) {
+ active_children = 1;
+ /* Having just one child is enough to stay around */
+ break;
+--- httpd-2.2.3/server/mpm/worker/mpm.h.cve3304
++++ httpd-2.2.3/server/mpm/worker/mpm.h
+@@ -52,6 +52,7 @@
+ #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
+ #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
+ #define MPM_ACCEPT_FUNC unixd_accept
++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
+
+ extern int ap_threads_per_child;
+ extern int ap_max_daemons_limit;
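Review bot: `MPM_VALID_PID(p) (getpgid(p) == getpgrp())` in both mpm.h hunks accepts pid 0, because getpgid(0) reports the caller's own process group, so a cleared scoreboard slot (MPM_NOTE_CHILD_KILLED stores 0) passes the check and ap_mpm_safe_kill() then calls kill(0, sig), which signals the parent's entire process group. Of the visible callers only the `MPM_CHILD_PID(index) != 0` loops in prefork.c and worker.c guard against that; the listener-closing loop tests only `status != SERVER_DEAD`, and the `parent[index].pid` call has no guard in view (its loop starts outside the hunk). Suggest a lower bound in the macro, `#define MPM_VALID_PID(p) ((p) > 0 && getpgid(p) == getpgrp())`, or `if (pid < 1) return APR_EINVAL;` at the top of ap_mpm_safe_kill() so the reclaim path at `if (!MPM_VALID_PID(pid))` is covered too. The getpgid()/kill() pair still leaves a check-then-act window if the pid is reaped and reused in between, which this approach cannot close entirely and which the Doxygen comment could state.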
diff --git a/2.2/patches/21_all_itk_20070425-00.patch b/2.2/patches/21_all_itk_20070425-00.patch
index dae5e9a..449a5e1 100644
--- a/2.2/patches/21_all_itk_20070425-00.patch
+++ b/2.2/patches/21_all_itk_20070425-00.patch
@@ -1,25 +1,26 @@
-diff -Nur apache2.2.orig/server/mpm/config.m4 apache2.2/server/mpm/config.m4
---- apache2.2.orig/server/mpm/config.m4 2005-10-30 18:05:26.000000000 +0100
-+++ apache2.2/server/mpm/config.m4 2007-04-25 14:23:35.000000000 +0200
+Index: httpd-2.2.4/server/mpm/config.m4
+===================================================================
+--- httpd-2.2.4.orig/server/mpm/config.m4
++++ httpd-2.2.4/server/mpm/config.m4
@@ -1,7 +1,7 @@
AC_MSG_CHECKING(which MPM to use)
AC_ARG_WITH(mpm,
APACHE_HELP_STRING(--with-mpm=MPM,Choose the process model for Apache to use.
-- MPM={beos|event|worker|prefork|mpmt_os2}),[
-+ MPM={beos|event|worker|prefork|mpmt_os2|itk}),[
+- MPM={beos|event|worker|prefork|mpmt_os2|peruser}),[
++ MPM={beos|event|worker|prefork|mpmt_os2|peruser|itk}),[
APACHE_MPM=$withval
],[
if test "x$APACHE_MPM" = "x"; then
-@@ -23,7 +23,7 @@
+@@ -23,7 +23,7 @@ ap_mpm_is_threaded ()
ap_mpm_is_experimental ()
{
-- if test "$apache_cv_mpm" = "event" ; then
-+ if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "itk" ; then
+- if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "peruser" ; then
++ if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "peruser" -o "$apache_cv_mpm" = "itk" ; then
return 0
else
return 1
-@@ -66,6 +66,11 @@
+@@ -66,6 +66,11 @@ if ap_mpm_is_experimental; then
else
MPM_SUBDIR_NAME=$MPM_NAME
fi
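Review bot: The rebased context in these config.m4 hunks now lists peruser (`MPM={beos|event|worker|prefork|mpmt_os2|peruser}` and the `-o "$apache_cv_mpm" = "peruser"` test), so the patch only applies on top of whichever earlier patch adds the peruser MPM, and neither the commit message nor the patch header records that ordering dependency. A free-text line above the first `Index:` header, e.g. `# requires the peruser MPM patch (lower-numbered) to be applied first`, would make it visible; I cannot tell from this diff which file in 2.2/patches provides peruser, so the exact name should be filled in. The same dependency presumably applies to the later config.m4 hunk of this patch as well.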
@@ -31,16 +32,18 @@ diff -Nur apache2.2.orig/server/mpm/config.m4 apache2.2/server/mpm/config.m4
MPM_DIR=server/mpm/$MPM_SUBDIR_NAME
MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la
-diff -Nur apache2.2.orig/server/mpm/experimental/itk/config.m4 apache2.2/server/mpm/experimental/itk/config.m4
---- apache2.2.orig/server/mpm/experimental/itk/config.m4 1970-01-01 01:00:00.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/config.m4 2007-04-25 14:23:35.000000000 +0200
+Index: httpd-2.2.4/server/mpm/experimental/itk/config.m4
+===================================================================
+--- /dev/null
++++ httpd-2.2.4/server/mpm/experimental/itk/config.m4
@@ -0,0 +1,3 @@
+if test "$MPM_NAME" = "itk" ; then
+ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile)
+fi
-diff -Nur apache2.2.orig/server/mpm/experimental/itk/itk.c apache2.2/server/mpm/experimental/itk/itk.c
---- apache2.2.orig/server/mpm/experimental/itk/itk.c 1970-01-01 01:00:00.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/itk.c 2007-04-25 14:23:35.000000000 +0200
+Index: httpd-2.2.4/server/mpm/experimental/itk/itk.c
+===================================================================
+--- /dev/null
++++ httpd-2.2.4/server/mpm/experimental/itk/itk.c
@@ -0,0 +1,1682 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
@@ -1724,18 +1727,20 @@ diff -Nur apache2.2.orig/server/mpm/experimental/itk/itk.c apache2.2/server/mpm/
+ itk_cmds, /* command apr_table_t */
+ itk_hooks, /* register hooks */
+};
-diff -Nur apache2.2.orig/server/mpm/experimental/itk/Makefile.in apache2.2/server/mpm/experimental/itk/Makefile.in
---- apache2.2.orig/server/mpm/experimental/itk/Makefile.in 1970-01-01 01:00:00.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/Makefile.in 2007-04-25 14:23:35.000000000 +0200
+Index: httpd-2.2.4/server/mpm/experimental/itk/Makefile.in
+===================================================================
+--- /dev/null
++++ httpd-2.2.4/server/mpm/experimental/itk/Makefile.in
@@ -0,0 +1,5 @@
+
+LTLIBRARY_NAME = libitk.la
+LTLIBRARY_SOURCES = itk.c
+
+include $(top_srcdir)/build/ltlib.mk
-diff -Nur apache2.2.orig/server/mpm/experimental/itk/mpm_default.h apache2.2/server/mpm/experimental/itk/mpm_default.h
---- apache2.2.orig/server/mpm/experimental/itk/mpm_default.h 1970-01-01 01:00:00.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/mpm_default.h 2007-04-25 14:23:35.000000000 +0200
+Index: httpd-2.2.4/server/mpm/experimental/itk/mpm_default.h
+===================================================================
+--- /dev/null
++++ httpd-2.2.4/server/mpm/experimental/itk/mpm_default.h
@@ -0,0 +1,77 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
@@ -1814,9 +1819,10 @@ diff -Nur apache2.2.orig/server/mpm/experimental/itk/mpm_default.h apache2.2/ser
+
+#endif /* AP_MPM_DEFAULT_H */
+/** @} */
-diff -Nur apache2.2.orig/server/mpm/experimental/itk/mpm.h apache2.2/server/mpm/experimental/itk/mpm.h
---- apache2.2.orig/server/mpm/experimental/itk/mpm.h 1970-01-01 01:00:00.000000000 +0100
-+++ apache2.2/server/mpm/experimental/itk/mpm.h 2007-04-25 14:23:35.000000000 +0200
+Index: httpd-2.2.4/server/mpm/experimental/itk/mpm.h
+===================================================================
+--- /dev/null
++++ httpd-2.2.4/server/mpm/experimental/itk/mpm.h
@@ -0,0 +1,65 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with