OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   29-Oct-2004 13:23:38
  Branch: OPENPKG_2_1_SOLID                Handle: 2004102912233800

  Modified files:           (Branch: OPENPKG_2_1_SOLID)
    openpkg-src/apache      apache.patch apache.spec

  Log:
    Security Fix (CAN-2004-0940)

  Summary:
    Revision    Changes     Path
    1.13.2.3    +249 -25    openpkg-src/apache/apache.patch
    1.241.2.10  +1  -1      openpkg-src/apache/apache.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/apache/apache.patch
  ============================================================================
  $ cvs diff -u -r1.13.2.2 -r1.13.2.3 apache.patch
  --- openpkg-src/apache/apache.patch   27 Jul 2004 10:12:09 -0000      1.13.2.2
  +++ openpkg-src/apache/apache.patch   29 Oct 2004 11:23:38 -0000      1.13.2.3
  @@ -54,31 +54,6 @@
        if (!(env_path = ap_pstrdup(r->pool, getenv("PATH")))) {
        env_path = DEFAULT_PATH;
        }
  -
  -===================================================================
  -SA-2004.029-apache CAN-2004-0492
  -
  -RCS file: /home/cvspublic/apache-1.3/src/modules/proxy/proxy_http.c,v
  -retrieving revision 1.106
  -retrieving revision 1.107
  -diff -u -r1.106 -r1.107
  ---- apache_1.3.31/src/modules/proxy/proxy_http.c     2004/03/29 17:47:15     1.106
  -+++ apache_1.3.31/src/modules/proxy/proxy_http.c     2004/06/11 07:54:38     1.107
  -@@ -485,6 +485,13 @@
  -         content_length = ap_table_get(resp_hdrs, "Content-Length");
  -         if (content_length != NULL) {
  -             c->len = ap_strtol(content_length, NULL, 10);
  -+
  -+        if (c->len < 0) {
  -+            ap_kill_timeout(r);
  -+            return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
  -+                                 "Invalid Content-Length from remote server",
  -+                                      NULL));
  -+        }
  -         }
  - 
  -     }
  -
   Index: apache_1.3.31/src/Configure
   --- apache_1.3.31/src/Configure.orig 2004-07-26 14:20:53 +0200
   +++ apache_1.3.31/src/Configure      2004-07-26 14:41:24 +0200
  @@ -113,3 +88,252 @@
    fi
    
    ####################################################################
  +
  +-----------------------------------------------------------------------------
  +
  +Security Fix (SA-2004.029-apache CAN-2004-0492)
  +
  +Heap-based buffer overflow mod_proxy allows remote attackers to cause a
  +denial of service (process crash) and possibly execute arbitrary code
  +via a negative Content-Length HTTP header field, which causes a large
  +amount of data to be copied.
  +
  +Index: apache_1.3.31/src/modules/proxy/proxy_http.c
  +--- apache_1.3.31/src/modules/proxy/proxy_http.c     2004-03-29 19:47:15 +0200
  ++++ apache_1.3.31/src/modules/proxy/proxy_http.c     2004-06-11 09:54:38 +0200
  +@@ -485,6 +485,13 @@
  +         content_length = ap_table_get(resp_hdrs, "Content-Length");
  +         if (content_length != NULL) {
  +             c->len = ap_strtol(content_length, NULL, 10);
  ++
  ++        if (c->len < 0) {
  ++            ap_kill_timeout(r);
  ++            return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
  ++                                 "Invalid Content-Length from remote server",
  ++                                      NULL));
  ++        }
  +         }
  + 
  +     }
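Review bot: The added `c->len < 0` test rejects only negative values, because `ap_strtol(content_length, NULL, 10)` is called with a NULL end pointer and no range check. A Content-Length from the remote server that is non-numeric or too large for the type is accepted as whatever the conversion returns. Assuming ap_strtol follows the strtol conventions, the guard could be tightened with `c->len = ap_strtol(content_length, &end, 10);` and `if (c->len < 0 || end == content_length || errno == ERANGE)`, with `errno = 0` set before the call. The enclosing function starts and ends outside the hunk, so how `c->len` is used later needs checking there.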
  +
  +-----------------------------------------------------------------------------
  +
  +Security Fix (CAN-2004-0940)
  +
  +Buffer overflow in the get_tag() function in mod_include allows local
  +users who can create SSI documents to execute arbitrary code as the
  +Apache run-time user via SSI (XSSI) documents that trigger a length
  +calculation error.
  +
  +Index: apache_1.3.31/src/modules/standard/mod_include.c
  +--- apache_1.3.31/src/modules/standard/mod_include.c 2004-02-28 23:19:04 +0100
  ++++ apache_1.3.31/src/modules/standard/mod_include.c 2004-10-25 17:44:04 +0200
  +@@ -309,9 +309,10 @@
  +  * the tag value is html decoded if dodecode is non-zero
  +  */
  + 
  +-static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
  ++static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int 
dodecode)
  + {
  +     char *t = tag, *tag_val, c, term;
  ++    pool *p = r->pool;
  + 
  +     /* makes code below a little less cluttered */
  +     --tagbuf_len;
  +@@ -337,7 +338,7 @@
  + 
  +     /* find end of tag name */
  +     while (1) {
  +-        if (t - tag == tagbuf_len) {
  ++        if (t == tag + tagbuf_len) {
  +             *t = '\0';
  +             return NULL;
  +         }
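Review bot: The tag-name limit path here (`if (t == tag + tagbuf_len)`) still returns NULL without writing to the error log, while the value-length path in the next hunk now logs. An over-long tag name in an SSI document therefore leaves no trace for anyone watching the log for malformed includes. Consider the same call on this path, e.g. `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "mod_include: tag name length exceeds limit (%d) in %s", tagbuf_len, r->filename);`. The loop body continues outside the hunk.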
  +@@ -371,16 +372,30 @@
  +     term = c;
  +     while (1) {
  +         GET_CHAR(in, c, NULL, p);
  +-        if (t - tag == tagbuf_len) {
  ++        if (t == tag + tagbuf_len) {
  +             *t = '\0';
  ++            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  ++                          "mod_include: value length exceeds limit"
  ++                          " (%d) in %s", tagbuf_len, r->filename);
  +             return NULL;
  +         }
  +-/* Want to accept \" as a valid character within a string. */
  ++        /* Want to accept \" as a valid character within a string. */
  +         if (c == '\\') {
  +-            *(t++) = c;         /* Add backslash */
  +             GET_CHAR(in, c, NULL, p);
  +-            if (c == term) {    /* Only if */
  +-                *(--t) = c;     /* Replace backslash ONLY for terminator */
  ++            /* Insert backslash only if not escaping a terminator char */
  ++            if (c != term) {
  ++                *(t++) = '\\';
  ++                /*
  ++                 * check to make sure that adding in the backslash won't cause
  ++                 * an overflow, since we're now 1 character ahead.
  ++                 */
  ++                if (t == tag + tagbuf_len) {
  ++                    *t = '\0';
  ++                    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  ++                                  "mod_include: value length exceeds limit"
  ++                                  " (%d) in %s", tagbuf_len, r->filename);
  ++                    return NULL;
  ++                }
  +             }
  +         }
  +         else if (c == term) {
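Review bot: Both new log calls print `tagbuf_len` after the `--tagbuf_len` at the top of get_tag, so the reported limit is one less than the buffer size the caller passed. The get_directive message prints `(unsigned long)len+1`, which looks like the full buffer size if `len` is decremented after the "make room for nul terminator" comment (that line is outside the hunks). The two messages should use the same basis; passing `tagbuf_len + 1` here would match. The same log-and-return sequence now appears twice in this loop and could share a small static helper. The store of `c` after the backslash branch lies outside the hunk, so the bound on that write cannot be confirmed from here.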
  +@@ -395,9 +410,10 @@
  +     return ap_pstrdup(p, tag_val);
  + }
  + 
  +-static int get_directive(FILE *in, char *dest, size_t len, pool *p)
  ++static int get_directive(FILE *in, char *dest, size_t len, request_rec *r)
  + {
  +     char *d = dest;
  ++    pool *p = r->pool;
  +     char c;
  + 
  +     /* make room for nul terminator */
  +@@ -413,6 +429,9 @@
  +     /* now get directive */
  +     while (1) {
  +     if (d == len + dest) {
  ++            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  ++                          "mod_include: directive length exceeds limit"
  ++                          " (%lu) in %s", (unsigned long)len+1, r->filename);
  +         return 1;
  +     }
  +         *d++ = ap_tolower(c);
  +@@ -616,7 +635,7 @@
  +     char *tag_val;
  + 
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             return 1;
  +         }
  +         if (!strcmp(tag, "file") || !strcmp(tag, "virtual")) {
  +@@ -839,7 +858,7 @@
  +     char parsed_string[MAX_STRING_LEN];
  + 
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             return 1;
  +         }
  +         if (!strcmp(tag, "cmd")) {
  +@@ -890,7 +909,7 @@
  +     encode = E_ENTITY;
  + 
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             return 1;
  +         }
  +         if (!strcmp(tag, "var")) {
  +@@ -952,7 +971,7 @@
  +         return DECLINED;
  +     }
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             break;
  +         }
  +         if (strnEQ(tag, "sub", 3)) {
  +@@ -985,7 +1004,7 @@
  +     table *env = r->subprocess_env;
  + 
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 0))) {
  +             return 1;
  +         }
  +         if (!strcmp(tag, "errmsg")) {
  +@@ -1101,7 +1120,7 @@
  +     char parsed_string[MAX_STRING_LEN];
  + 
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             return 1;
  +         }
  +         else if (!strcmp(tag, "done")) {
  +@@ -1141,7 +1160,7 @@
  +     char parsed_string[MAX_STRING_LEN];
  + 
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             return 1;
  +         }
  +         else if (!strcmp(tag, "done")) {
  +@@ -1917,7 +1936,7 @@
  + 
  +     expr = NULL;
  +     while (1) {
  +-        tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0);
  ++        tag_val = get_tag(r, in, tag, sizeof(tag), 0);
  +         if (!tag_val || *tag == '\0') {
  +             return 1;
  +         }
  +@@ -1960,7 +1979,7 @@
  + 
  +     expr = NULL;
  +     while (1) {
  +-        tag_val = get_tag(r->pool, in, tag, sizeof(tag), 0);
  ++        tag_val = get_tag(r, in, tag, sizeof(tag), 0);
  +         if (!tag_val || *tag == '\0') {
  +             return 1;
  +         }
  +@@ -2007,7 +2026,7 @@
  + {
  +     char tag[MAX_STRING_LEN];
  + 
  +-    if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) {
  ++    if (!get_tag(r, in, tag, sizeof(tag), 1)) {
  +         return 1;
  +     }
  +     else if (!strcmp(tag, "done")) {
  +@@ -2035,7 +2054,7 @@
  + {
  +     char tag[MAX_STRING_LEN];
  + 
  +-    if (!get_tag(r->pool, in, tag, sizeof(tag), 1)) {
  ++    if (!get_tag(r, in, tag, sizeof(tag), 1)) {
  +         return 1;
  +     }
  +     else if (!strcmp(tag, "done")) {
  +@@ -2065,7 +2084,7 @@
  + 
  +     var = (char *) NULL;
  +     while (1) {
  +-        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++        if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +             return 1;
  +         }
  +         else if (!strcmp(tag, "done")) {
  +@@ -2102,7 +2121,7 @@
  +     table_entry *elts = (table_entry *) arr->elts;
  +     int i;
  + 
  +-    if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
  ++    if (!(tag_val = get_tag(r, in, tag, sizeof(tag), 1))) {
  +         return 1;
  +     }
  +     else if (!strcmp(tag, "done")) {
  +@@ -2173,10 +2192,7 @@
  + 
  +     while (1) {
  +         if (!find_string(f, STARTING_SEQUENCE, r, printing)) {
  +-            if (get_directive(f, directive, sizeof(directive), r->pool)) {
  +-            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  +-                        "mod_include: error reading directive in %s",
  +-                        r->filename);
  ++            if (get_directive(f, directive, sizeof(directive), r)) {
  +             ap_rputs(error, r);
  +                 return;
  +             }
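Review bot: With the caller's `mod_include: error reading directive` message removed, only the length-limit return inside get_directive is logged. If get_directive can return non-zero for another reason, that path now reaches `ap_rputs(error, r)` with nothing in the error log. A premature end of file is a likely case, since the `GET_CHAR(in, c, NULL, p)` calls visible in get_tag suggest the macro's third argument is returned on read failure. Either keep a generic message here or log on those paths as well; a comment such as `/* get_directive logs the over-length case itself */` would at least record the intent. The enclosing function starts and ends outside the hunk.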
  +
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/apache/apache.spec
  ============================================================================
  $ cvs diff -u -r1.241.2.9 -r1.241.2.10 apache.spec
  --- openpkg-src/apache/apache.spec    15 Oct 2004 14:00:48 -0000      1.241.2.9
  +++ openpkg-src/apache/apache.spec    29 Oct 2004 11:23:38 -0000      1.241.2.10
  @@ -66,7 +66,7 @@
   Group:        Web
   License:      ASF
   Version:      %{V_apache}
  -Release:      2.1.5
  +Release:      2.1.6
   
   #   package options (suexec related)
   %option       with_suexec               yes
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
