Hi again, Martin Pitt [2004-10-29 14:22 +0200]: > I prepared a patch for fixing a mod_include buffer overflow in Ubuntu > and was asked by Fabio to upload a fixed sid version as well > (1.3.31-7). > > Please find attached the interdiff that was used for 1.3.31-7; you can > remove the "Uploaders:" change; the "patch" patch should give no > problems, just the changelog patch will probably fail due to a > different woody version.
katie rejected my upload because libapache-mod-perl was still the old version. One has to manually tweak that in debian/rules. I reuploaded using attached (updated) interdiff. The two new hunks will not apply to woody, too (since woody has other revision numbers), but at least you know where to change what :-) That's what you get by poking in other people's packages... Happy patching and have a nice day! Martin -- Martin Pitt http://www.piware.de Ubuntu Developer http://www.ubuntulinux.org Debian GNU/Linux Developer http://www.debian.org
diff -u apache-1.3.31/debian/changelog apache-1.3.31/debian/changelog
--- apache-1.3.31/debian/changelog
+++ apache-1.3.31/debian/changelog
@@ -1,3 +1,13 @@
+apache (1.3.31-7) unstable; urgency=high
+
+ * SECURITY UPDATE to fix a buffer overflow in mod_include
+ * added patch 000_stolen_from_HEAD_CAN-2004-0940, backported from upstream
+ CVS (CAN-2004-0940)
+ * Same security update as for Ubuntu, Fabio asked me to upload and add
+ myself to Uploaders.
+
+ -- Martin Pitt <[EMAIL PROTECTED]> Fri, 29 Oct 2004 10:18:38 +0200
+
 apache (1.3.31-6) unstable; urgency=medium
 * (Fabio M. Di Nitto)
diff -u apache-1.3.31/debian/control apache-1.3.31/debian/control
--- apache-1.3.31/debian/control
+++ apache-1.3.31/debian/control
@@ -2,7 +2,7 @@
 Section: web
 Priority: optional
 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
-Uploaders: Tollef Fog Heen <[EMAIL PROTECTED]>, Thom May <[EMAIL PROTECTED]>, Fabio M. Di Nitto <[EMAIL PROTECTED]>, Matthew Wilcox <[EMAIL PROTECTED]>, Amaya Rodrigo Sastre <[EMAIL PROTECTED]>
+Uploaders: Tollef Fog Heen <[EMAIL PROTECTED]>, Thom May <[EMAIL PROTECTED]>, Fabio M. Di Nitto <[EMAIL PROTECTED]>, Matthew Wilcox <[EMAIL PROTECTED]>, Amaya Rodrigo Sastre <[EMAIL PROTECTED]>, Martin Pitt <[EMAIL PROTECTED]>
 Standards-Version: 3.6.1
 Build-Depends: debhelper (>= 4.1.16), sharutils, libdb4.2-dev (>= 4.2.52), libexpat1-dev, imagemagick, libssl-dev, perl (>= 5.8.4-2), libperl-dev (>= 5.8.4-2), libwww-perl, libdevel-symdump-perl, libhtml-parser-perl, po-debconf
diff -u apache-1.3.31/debian/rules apache-1.3.31/debian/rules
--- apache-1.3.31/debian/rules
+++ apache-1.3.31/debian/rules
@@ -12,7 +12,7 @@
 DEBMAJOR=
 APACHE_MAJOR = 1.3.31
-APACHE_MINOR = 6
+APACHE_MINOR = 7
 PERL_MAJOR = 1.29
 SSL_MAJOR = 1.3.29
 SSL_MINOR = 1.53
@@ -753,7 +753,7 @@
 dh_shlibdeps -a
 dh_gencontrol -a -u-isp
 # dh_gencontrol -v -plibapache-mod-perl -u-v$(PERL_MAJOR)$(DEBMAJOR)-$(APACHE_MINOR)
- dh_gencontrol -v -plibapache-mod-perl -u-v1.29.0.2-13
+ dh_gencontrol -v -plibapache-mod-perl -u-v1.29.0.2-14
 dh_md5sums -a
 dh_builddeb -a
only in patch2:
unchanged:
--- apache-1.3.31.orig/debian/patches/000_stolen_from_HEAD_CAN-2004-0940
+++ apache-1.3.31/debian/patches/000_stolen_from_HEAD_CAN-2004-0940
@@ -0,0 +1,215 @@
+===================================================================
+RCS file: /home/cvspublic/apache-1.3/src/modules/standard/mod_include.c,v
+retrieving revision 1.140
+retrieving revision 1.141
+diff -u -r1.140 -r1.141
+--- build-tree.orig/apache_1.3.31/src/modules/standard/mod_include.c 2004/02/28 22:19:04 1.140
++++ build-tree/apache_1.3.31/src/modules/standard/mod_include.c 2004/10/22 19:31:08 1.141
+@@ -309,9 +309,10 @@
+ * the tag value is html decoded if dodecode is non-zero
+ */
+
+-static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
++static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int dodecode)
+ {
+ char *t = tag, *tag_val, c, term;
++ pool *p = r->pool;
+
+ /* makes code below a little less cluttered */
+ --tagbuf_len;
+@@ -337,7 +338,7 @@
+
+ /* find end of tag name */
+ while (1) {
+- if (t - tag == tagbuf_len) {
++ if (t == tag + tagbuf_len) {
+ *t = '\0';
+ return NULL;
+ }
+@@ -371,16 +372,30 @@
+ term = c;
+ while (1) {
+ GET_CHAR(in, c, NULL, p);
+- if (t - tag == tagbuf_len) {
++ if (t == tag + tagbuf_len) {
+ *t = '\0';
++ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
++ "mod_include: value length exceeds limit"
++ " (%d) in %s", tagbuf_len, r->filename);
+ return NULL;
+ }
+-/* Want to accept \" as a valid character within a string. */
++ /* Want to accept \" as a valid character within a string. */
+ if (c == '\\') {
+- *(t++) = c; /* Add backslash */
+ GET_CHAR(in, c, NULL, p);
+- if (c == term) { /* Only if */
+- *(--t) = c; /* Replace backslash ONLY for terminator */
++ /* Insert backslash only if not escaping a terminator char */
++ if (c != term) {
++ *(t++) = '\\';
++ /*
++ * check to make sure that adding in the backslash won't cause
++ * an overflow, since we're now 1 character ahead.
++ */
++ if (t == tag + tagbuf_len) {
++ *t = '\0';
++ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
++ "mod_include: value length exceeds limit"
++ " (%d) in %s", tagbuf_len, r->filename);
++ return NULL;
++ }
+ }
+ }
+ else if (c == term) {
+@@ -395,9 +410,10 @@
+ return ap_pstrdup(p, tag_val);
+ }
+
+-static int get_directive(FILE *in, char *dest, size_t len, pool *p)
++static int get_directive(FILE *in, char *dest, size_t len, request_rec *r)
+ {
+ char *d = dest;
++ pool *p = r->pool;
+ char c;
+
+ /* make room for nul terminator */
+@@ -413,6 +429,9 @@
+ /* now get directive */
+ while (1) {
+ if (d == len + dest) {
++ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
++ "mod_include: directive length exceeds limit"
++ " (%d) in %s", len+1, r->filename);
+ return 1;
+ }
+ *d++ = ap_tolower(c);
+@@ -616,7 +635,7 @@
+ char *tag_val;
+
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ if (!strcmp(tag, "file") || !strcmp(tag, "virtual")) {
+@@ -839,7 +858,7 @@
+ char parsed_string[MAX_STRING_LEN];
+
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ if (!strcmp(tag, "cmd")) {
+@@ -890,7 +909,7 @@
+ encode = E_ENTITY;
+
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ if (!strcmp(tag, "var")) {
+@@ -952,7 +971,7 @@
+ return DECLINED;
+ }
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ break;
+ }
+ if (strnEQ(tag, "sub", 3)) {
+@@ -985,7 +1004,7 @@
+ table *env = r->subprocess_env;
+
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 0))) {
+ return 1;
+ }
+ if (!strcmp(tag, "errmsg")) {
+@@ -1101,7 +1120,7 @@
+ char parsed_string[MAX_STRING_LEN];
+
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ else if (!strcmp(tag, "done")) {
+@@ -1141,7 +1160,7 @@
+ char parsed_string[MAX_STRING_LEN];
+
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ else if (!strcmp(tag, "done")) {
+@@ -1917,7 +1936,7 @@
+
+ expr = NULL;
+ while (1) {
+- tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0);
++ tag_val = get_tag(r, in, tag, sizeof(tag), 0);
+ if (!tag_val || *tag == '\0') {
+ return 1;
+ }
+@@ -1960,7 +1979,7 @@
+
+ expr = NULL;
+ while (1) {
+- tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0);
++ tag_val = get_tag(r, in, tag, sizeof(tag), 0);
+ if (!tag_val || *tag == '\0') {
+ return 1;
+ }
+@@ -2007,7 +2026,7 @@
+ {
+ char tag[MAX_STRING_LEN];
+
+- if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) {
++ if (!get_tag(r, in, tag, sizeof(tag), 1)) {
+ return 1;
+ }
+ else if (!strcmp(tag, "done")) {
+@@ -2035,7 +2054,7 @@
+ {
+ char tag[MAX_STRING_LEN];
+
+- if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) {
++ if (!get_tag(r, in, tag, sizeof(tag), 1)) {
+ return 1;
+ }
+ else if (!strcmp(tag, "done")) {
+@@ -2065,7 +2084,7 @@
+
+ var = (char *) NULL;
+ while (1) {
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ else if (!strcmp(tag, "done")) {
+@@ -2102,7 +2121,7 @@
+ table_entry *elts = (table_entry *) arr->elts;
+ int i;
+
+- if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
++ if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
+ return 1;
+ }
+ else if (!strcmp(tag, "done")) {
+@@ -2173,10 +2192,7 @@
+
+ while (1) {
+ if (!find_string(f, STARTING_SEQUENCE, r, printing)) {
+- if (get_directive(f, directive, sizeof(directive), r->pool)) {
+- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+- "mod_include: error reading directive in %s",
+- r->filename);
++ if (get_directive(f, directive, sizeof(directive), r)) {
+ ap_rputs(error, r);
+ return;
+ }
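Review bot: In the `get_directive` hunk of the embedded mod_include.c patch, the new `ap_log_rerror` call passes `len+1` to a `%d` conversion, although the signature changed in the same patch declares `len` as `size_t`. Where `size_t` is wider than `int` the argument does not match the conversion, which is undefined behaviour and can also throw off the `%s` that follows, so the logging added for the overflow fix may itself print garbage or fault. A cast at the call site avoids this: `" (%lu) in %s", (unsigned long)(len + 1), r->filename);`. The two `get_tag` messages pass `tagbuf_len`, an `int`, so they are type-correct, but they run after `--tagbuf_len` and therefore report one less than the buffer size; a short comment there, e.g. `/* tagbuf_len was decremented above: usable length, not sizeof(tag) */`, would keep the logged limit from being misread. The bodies of both functions continue outside the hunks shown, so this is based only on the visible lines.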