Darcsweb-Url:
http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070806125305-e2957-a1ee1481ba0ae889583db520f8b6fbf16042152e.gz;
[apache-2.2.4-2terminus1-i686
VMiklos <[EMAIL PROTECTED]>**20070806125305
added CVE-2006-5752.patch, CVE-2007-1863.patch and CVE-2007-3304.patch secfixes
closes #2298
] {
addfile ./source/network/apache/CVE-2006-5752.patch
hunk ./source/network/apache/CVE-2006-5752.patch 1
+--- trunk/modules/generators/mod_status.c 2007/06/20 17:22:08 549158
++++ trunk/modules/generators/mod_status.c 2007/06/20 17:29:24 549159
+@@ -270,7 +270,7 @@
+ if (r->method_number != M_GET)
+ return DECLINED;
+
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
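Review bot: The reason for pinning the charset in `ap_set_content_type(r, "text/html; charset=ISO-8859-1")` is not recorded next to the call, and the same literal is repeated for the `text/plain` case in the following hunk. Presumably the explicit charset is there so that a browser does not guess an encoding for the client-supplied request text shown in the status table. A short comment above both calls, such as `/* declare the charset explicitly; the page echoes request data and must not be subject to encoding auto-detection */`, would keep a later cleanup from dropping it. The enclosing handler starts and ends outside the hunk.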
+@@ -299,7 +299,7 @@
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -673,7 +673,8 @@
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++
ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -763,7 +764,8 @@
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++
ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...) */
addfile ./source/network/apache/CVE-2007-1863.patch
hunk ./source/network/apache/CVE-2007-1863.patch 1
+--- trunk/modules/cache/cache_util.c 2007/05/06 14:17:08 535616
++++ trunk/modules/cache/cache_util.c 2007/05/06 14:35:02 535617
+@@ -243,7 +243,8 @@
+ age = ap_cache_current_age(info, age_c, r->request_time);
+
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -252,7 +253,8 @@
+
+ /* extract max-age from request */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -260,7 +262,8 @@
+ }
+
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else {
+@@ -282,7 +285,20 @@
+
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is
willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+@@ -290,7 +306,8 @@
+
+ /* extract min-fresh */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -418,6 +435,9 @@
+ *val = apr_pstrmemdup(p, val_start,
+ next - val_start);
+ }
++ }
++ else {
++ *val = NULL;
+ }
+ }
+ return 1;
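Review bot: With the added `else { *val = NULL; }` this function now returns 1 while leaving `*val` NULL for a directive that is present without a value, which changes what a caller may assume after a successful match. The callers patched in this file add `val != NULL` guards, but any caller outside cache_util.c that passes a non-NULL `val` and then uses the result is not visible here and should be checked for the same guard. The function's doc comment (outside the hunk) should state the new contract, for example `/* *val is set to NULL when the directive is present but carries no value */`.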
addfile ./source/network/apache/CVE-2007-3304.patch
hunk ./source/network/apache/CVE-2007-3304.patch 1
+Index: server/mpm/prefork/prefork.c
+===================================================================
+--- server/mpm/prefork/prefork.c (revision 551928)
++++ server/mpm/prefork/prefork.c (working copy)
+@@ -1127,7 +1127,7 @@
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD)
{
+ /* Ask each child to close its listeners. */
+- kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
+ active_children++;
+ }
+ }
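Review bot: The return value of `ap_mpm_safe_kill()` is discarded here, so `active_children++` still counts a slot whose pid was refused by the new check. The later polling loop recomputes the count, so the effect looks limited to the first pass, but testing the result, `if (ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL) == APR_SUCCESS) active_children++;`, would keep the counter consistent with what was actually signalled. The same unchecked call appears in the `@@ -1222` hunk for `parent[index].pid`. The enclosing function starts and ends outside the hunk.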
+@@ -1165,12 +1165,10 @@
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+- if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
+- active_children = 1;
+- /* Having just one child is enough to stay around
*/
+- break;
+- }
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS)
{
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
+ }
+ }
+ } while (!shutdown_pending && active_children &&
+@@ -1222,7 +1220,7 @@
+ * piped loggers, etc. They almost certainly won't handle
+ * it gracefully.
+ */
+- kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid,
AP_SIG_GRACEFUL);
+ }
+ }
+ }
+Index: server/mpm/worker/worker.c
+===================================================================
+--- server/mpm/worker/worker.c (revision 551928)
++++ server/mpm/worker/worker.c (working copy)
+@@ -1813,12 +1813,10 @@
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+- if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
+- active_children = 1;
+- /* Having just one child is enough to stay around
*/
+- break;
+- }
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS)
{
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
+ }
+ }
+ } while (!shutdown_pending && active_children &&
+Index: server/mpm/experimental/event/event.c
+===================================================================
+--- server/mpm/experimental/event/event.c (revision 551928)
++++ server/mpm/experimental/event/event.c (working copy)
+@@ -1998,12 +1998,10 @@
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+- if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
+- active_children = 1;
+- /* Having just one child is enough to stay around
*/
+- break;
+- }
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS)
{
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
+ }
+ }
+ } while (!shutdown_pending && active_children &&
+Index: server/mpm_common.c
+===================================================================
+--- server/mpm_common.c (revision 551928)
++++ server/mpm_common.c (working copy)
+@@ -126,6 +126,11 @@
+ apr_proc_t proc;
+ apr_status_t waitret;
+
++ /* Ensure pid sanity. */
++ if (pid < 1) {
++ return 1;
++ }
++
+ proc.pid = pid;
+ waitret = apr_proc_wait(&proc, NULL, NULL, APR_NOWAIT);
+ if (waitret != APR_CHILD_NOTDONE) {
+@@ -305,6 +310,66 @@
+ cur_extra = next;
+ }
+ }
++
++/* Before sending the signal to the pid this function verifies that
++ * the pid is a member of the current process group; either using
++ * apr_proc_wait(), where waitpid() guarantees to fail for non-child
++ * processes; or by using getpgid() directly, if available. */
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig)
++{
++#ifndef HAVE_GETPGID
++ apr_proc_t proc;
++ apr_status_t rv;
++ apr_exit_why_e why;
++ int status;
++
++ /* Ensure pid sanity */
++ if (pid < 1) {
++ return APR_EINVAL;
++ }
++
++ proc.pid = pid;
++ rv = apr_proc_wait(&proc, &status, &why, APR_NOWAIT);
++ if (rv == APR_CHILD_DONE) {
++#ifdef AP_MPM_WANT_PROCESS_CHILD_STATUS
++ /* The child already died - log the termination status if
++ * necessary: */
++ ap_process_child_status(&proc, why, status);
++#endif
++ return APR_EINVAL;
++ }
++ else if (rv != APR_CHILD_NOTDONE) {
++ /* The child is already dead and reaped, or was a bogus pid -
++ * log this either way. */
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, ap_server_conf,
++ "cannot send signal %d to pid %ld (non-child or "
++ "already dead)", sig, (long)pid);
++ return APR_EINVAL;
++ }
++#else
++ pid_t pg;
++
++ /* Ensure pid sanity. */
++ if (pid < 1) {
++ return APR_EINVAL;
++ }
++
++ pg = getpgid(pid);
++ if (pg == -1) {
++ /* Process already dead... */
++ return errno;
++ }
++
++ if (pg != getpgrp()) {
++ ap_log_error(APLOG_MARK, APLOG_ALERT, 0, ap_server_conf,
++ "refusing to send signal %d to pid %ld outside "
++ "process group", sig, (long)pid);
++ return APR_EINVAL;
++ }
++#endif
++
++ return kill(pid, sig) ? errno : APR_SUCCESS;
++}
+ #endif /* AP_MPM_WANT_RECLAIM_CHILD_PROCESSES */
+
+ #ifdef AP_MPM_WANT_WAIT_OR_TIMEOUT
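Review bot: The block comment above `ap_mpm_safe_kill()` describes both branches as a process-group check, but the two are not equivalent. The `apr_proc_wait()` branch accepts only this process's own children, while the `HAVE_GETPGID` branch accepts any pid whose group equals `getpgrp()`, which may include processes that are not MPM children. The comment should say so, e.g. `/* With getpgid() the check is group membership only, not parentage. */`. The `pg == -1` path also returns `errno` without the log line the other refusal paths emit, so a stale or bogus scoreboard pid leaves no trace there; a low-level `ap_log_error(...)` before `return errno;` would help when diagnosing a corrupted scoreboard.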
+Index: include/mpm_common.h
+===================================================================
+--- include/mpm_common.h (revision 551928)
++++ include/mpm_common.h (working copy)
+@@ -145,6 +145,19 @@
+ #endif
+
+ /**
++ * Safely signal an MPM child process, if the process is in the
++ * current process group. Otherwise fail.
++ * @param pid the process id of a child process to signal
++ * @param sig the signal number to send
++ * @return APR_SUCCESS if signal is sent, otherwise an error as per kill(3);
++ * APR_EINVAL is returned if passed either an invalid (< 1) pid, or if
++ * the pid is not in the current process group
++ */
++#ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig);
++#endif
++
++/**
+ * Determine if any child process has died. If no child process died, then
+ * this process sleeps for the amount of time specified by the MPM defined
+ * macro SCOREBOARD_MAINTENANCE_INTERVAL.
+Index: include/ap_mmn.h
+===================================================================
+--- include/ap_mmn.h (revision 551928)
++++ include/ap_mmn.h (working copy)
+@@ -113,6 +113,8 @@
+ * 20051115.3 (2.2.3) Added server_scheme member to server_rec (minor)
+ * 20051115.4 (2.2.4) Added ap_get_server_banner() and
+ * ap_get_server_description() (minor)
++ * 20051115.5 (2.2.5) Added ap_mpm_safe_kill() (minor)
++ *
+ */
+
+ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
+@@ -120,7 +122,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20051115
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 4 /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 5 /* 0...n */
+
+ /**
+ * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+Index: configure.in
+===================================================================
+--- configure.in (revision 551928)
++++ configure.in (working copy)
+@@ -392,6 +392,7 @@
+ bindprocessor \
+ prctl \
+ timegm \
++getpgid
+ )
+
+ dnl confirm that a void pointer is large enough to store a long integer
hunk ./source/network/apache/FrugalBuild 7
-pkgrel=1
+pkgrel=2terminus1
hunk ./source/network/apache/FrugalBuild 18
- README.Frugalware index.html
http://frugalware.org/images/frugalware.png)
-signatures=($source.asc '' '' '' '' '' '' '' '')
+ README.Frugalware index.html
http://frugalware.org/images/frugalware.png \
+ CVE-2006-5752.patch CVE-2007-1863.patch CVE-2007-3304.patch)
+signatures=($source.asc '' '' '' '' '' '' '' '' '' '' '')
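Review bot: The three patch files get empty `signatures` entries and the FrugalBuild records nothing about where they came from. The first two carry upstream trunk revision numbers in their headers, but CVE-2007-3304.patch is a diff of a "working copy" against revision 551928, so it cannot be matched to a committed upstream revision from the file alone. A comment next to the source array (which starts outside the hunk) naming the origin of each patch, e.g. `# CVE-2007-3304.patch: <upstream revision or advisory URL>`, would let a later reviewer verify them.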
hunk ./source/network/apache/FrugalBuild 25
- Fbuild --sysconfdir=/etc/httpd/conf --enable-layout=RedHat
--datadir=/var/www \
+ Fpatchall
+ autoconf || return 1
+ Fmake --sysconfdir=/etc/httpd/conf --enable-layout=RedHat
--datadir=/var/www \
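Review bot: Only `autoconf` is re-run after `Fpatchall`, although the CVE-2007-3304 patch adds `getpgid` to the function checks in configure.in. If httpd's config header is produced from an autoheader-generated template (not visible in this commit), the regenerated configure would detect getpgid but `HAVE_GETPGID` would not reach the header, and `ap_mpm_safe_kill()` would silently compile its `apr_proc_wait()` fallback branch. Consider `autoheader && autoconf || return 1`, or at least confirm after a test build that the generated config header defines `HAVE_GETPGID`.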
hunk ./source/network/apache/FrugalBuild 32
+ Fmakeinstall
}