Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070806125305-e2957-a1ee1481ba0ae889583db520f8b6fbf16042152e.gz;
[apache-2.2.4-2terminus1-i686 VMiklos <[EMAIL PROTECTED]>**20070806125305 added CVE-2006-5752.patch, CVE-2007-1863.patch and CVE-2007-3304.patch secfixes closes #2298 ] {
addfile ./source/network/apache/CVE-2006-5752.patch
hunk ./source/network/apache/CVE-2006-5752.patch 1
+--- trunk/modules/generators/mod_status.c 2007/06/20 17:22:08 549158
++++ trunk/modules/generators/mod_status.c 2007/06/20 17:29:24 549159
+@@ -270,7 +270,7 @@
+ if (r->method_number != M_GET)
+ return DECLINED;
+
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -299,7 +299,7 @@
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -673,7 +673,8 @@
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++ ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -763,7 +764,8 @@
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++ ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...)
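Review bot: Neither `ap_set_content_type` call (the -270 and -299 hunks of mod_status.c) carries a comment saying why the charset is now fixed, so a later tidy-up could drop it without anyone noticing the regression. A one-line comment above each call would do, for example `/* Declare the charset explicitly so the browser does not guess an encoding for the request text echoed in this report. */`. In the -673 and -763 hunks only `ws_record->request` gains `ap_escape_logitem` inside `ap_escape_html`, while `client` and `vhost` still get `ap_escape_html` alone; a short comment on why the request field needs the extra pass would help the next reader. The enclosing function begins and ends outside all four hunks.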
*/
addfile ./source/network/apache/CVE-2007-1863.patch
hunk ./source/network/apache/CVE-2007-1863.patch 1
+--- trunk/modules/cache/cache_util.c 2007/05/06 14:17:08 535616
++++ trunk/modules/cache/cache_util.c 2007/05/06 14:35:02 535617
+@@ -243,7 +243,8 @@
+ age = ap_cache_current_age(info, age_c, r->request_time);
+
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -252,7 +253,8 @@
+
+ /* extract max-age from request */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -260,7 +262,8 @@
+ }
+
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else {
+@@ -282,7 +285,20 @@
+
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+@@ -290,7 +306,8 @@
+
+ /* extract min-fresh */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -418,6 +435,9 @@
+ *val = apr_pstrmemdup(p, val_start,
+ next - val_start);
+ }
++ }
++ else {
++ *val = NULL;
+ }
+ }
+ return 1;
addfile ./source/network/apache/CVE-2007-3304.patch
hunk ./source/network/apache/CVE-2007-3304.patch 1
+Index: server/mpm/prefork/prefork.c
+===================================================================
+--- server/mpm/prefork/prefork.c (revision 551928)
++++ server/mpm/prefork/prefork.c (working copy)
+@@ -1127,7 +1127,7 @@
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) {
+ /* Ask each child to close its listeners. */
+- kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
+ active_children++;
+ }
+ }
+@@ -1165,12 +1165,10 @@
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+- if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
+- active_children = 1;
+- /* Having just one child is enough to stay around */
+- break;
+- }
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
+ }
+ }
+ } while (!shutdown_pending && active_children &&
+@@ -1222,7 +1220,7 @@
+ * piped loggers, etc. They almost certainly won't handle
+ * it gracefully.
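Review bot: The `max-stale` test in the -282 hunk of cache_util.c is not gated on `!conf->ignorecachecontrol`, unlike the request-side `max-age` and `min-fresh` tests in the -252 and -290 hunks. With the new else branch a bare `max-stale` in a request now yields a one-year allowance (`APR_INT64_C(86400*365)`), so if the ungated check is not intentional the condition should read `if (!conf->ignorecachecontrol && cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {`. Separately, `if(val != NULL)` lacks the space after `if` that every other condition in this patch has. The function body continues outside the hunk.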
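Review bot: In the -1127 hunk of prefork.c the status returned by `ap_mpm_safe_kill` is discarded, and `active_children++` runs even when the helper refused to signal the pid. If the count is meant to reflect children that were actually asked to close their listeners, test the result: `if (ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL) == APR_SUCCESS) { active_children++; }`. The call in the -1222 hunk is likewise unchecked; a refusal there is at least logged by the helper, but a comment saying the result is deliberately ignored would make that explicit. Both loops belong to functions that start and end outside the hunks.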
+ */
+- kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
+ }
+ }
+ }
+Index: server/mpm/worker/worker.c
+===================================================================
+--- server/mpm/worker/worker.c (revision 551928)
++++ server/mpm/worker/worker.c (working copy)
+@@ -1813,12 +1813,10 @@
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+- if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
+- active_children = 1;
+- /* Having just one child is enough to stay around */
+- break;
+- }
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
+ }
+ }
+ } while (!shutdown_pending && active_children &&
+Index: server/mpm/experimental/event/event.c
+===================================================================
+--- server/mpm/experimental/event/event.c (revision 551928)
++++ server/mpm/experimental/event/event.c (working copy)
+@@ -1998,12 +1998,10 @@
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+- if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
+- active_children = 1;
+- /* Having just one child is enough to stay around */
+- break;
+- }
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
+ }
+ }
+ } while (!shutdown_pending && active_children &&
+Index: server/mpm_common.c
+===================================================================
+--- server/mpm_common.c (revision 551928)
++++ server/mpm_common.c (working copy)
+@@ -126,6 +126,11 @@
+ apr_proc_t proc;
+ apr_status_t waitret;
+
++ /* Ensure pid sanity.
*/
++ if (pid < 1) {
++ return 1;
++ }
++
+ proc.pid = pid;
+ waitret = apr_proc_wait(&proc, NULL, NULL, APR_NOWAIT);
+ if (waitret != APR_CHILD_NOTDONE) {
+@@ -305,6 +310,66 @@
+ cur_extra = next;
+ }
+ }
++
++/* Before sending the signal to the pid this function verifies that
++ * the pid is a member of the current process group; either using
++ * apr_proc_wait(), where waitpid() guarantees to fail for non-child
++ * processes; or by using getpgid() directly, if available. */
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig)
++{
++#ifndef HAVE_GETPGID
++ apr_proc_t proc;
++ apr_status_t rv;
++ apr_exit_why_e why;
++ int status;
++
++ /* Ensure pid sanity */
++ if (pid < 1) {
++ return APR_EINVAL;
++ }
++
++ proc.pid = pid;
++ rv = apr_proc_wait(&proc, &status, &why, APR_NOWAIT);
++ if (rv == APR_CHILD_DONE) {
++#ifdef AP_MPM_WANT_PROCESS_CHILD_STATUS
++ /* The child already died - log the termination status if
++ * necessary: */
++ ap_process_child_status(&proc, why, status);
++#endif
++ return APR_EINVAL;
++ }
++ else if (rv != APR_CHILD_NOTDONE) {
++ /* The child is already dead and reaped, or was a bogus pid -
++ * log this either way. */
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, rv, ap_server_conf,
++ "cannot send signal %d to pid %ld (non-child or "
++ "already dead)", sig, (long)pid);
++ return APR_EINVAL;
++ }
++#else
++ pid_t pg;
++
++ /* Ensure pid sanity. */
++ if (pid < 1) {
++ return APR_EINVAL;
++ }
++
++ pg = getpgid(pid);
++ if (pg == -1) {
++ /* Process already dead... */
++ return errno;
++ }
++
++ if (pg != getpgrp()) {
++ ap_log_error(APLOG_MARK, APLOG_ALERT, 0, ap_server_conf,
++ "refusing to send signal %d to pid %ld outside "
++ "process group", sig, (long)pid);
++ return APR_EINVAL;
++ }
++#endif
++
++ return kill(pid, sig) ?
errno : APR_SUCCESS;
++}
+ #endif /* AP_MPM_WANT_RECLAIM_CHILD_PROCESSES */
+
+ #ifdef AP_MPM_WANT_WAIT_OR_TIMEOUT
+Index: include/mpm_common.h
+===================================================================
+--- include/mpm_common.h (revision 551928)
++++ include/mpm_common.h (working copy)
+@@ -145,6 +145,19 @@
+ #endif
+
+ /**
++ * Safely signal an MPM child process, if the process is in the
++ * current process group. Otherwise fail.
++ * @param pid the process id of a child process to signal
++ * @param sig the signal number to send
++ * @return APR_SUCCESS if signal is sent, otherwise an error as per kill(3);
++ * APR_EINVAL is returned if passed either an invalid (< 1) pid, or if
++ * the pid is not in the current process group
++ */
++#ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig);
++#endif
++
++/**
+ * Determine if any child process has died. If no child process died, then
+ * this process sleeps for the amount of time specified by the MPM defined
+ * macro SCOREBOARD_MAINTENANCE_INTERVAL.
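Review bot: The comment above `ap_mpm_safe_kill` (the -305 hunk of mpm_common.c) says both branches verify process-group membership, but they test different things. The `#ifndef HAVE_GETPGID` branch checks through `apr_proc_wait` whether the pid is a child of the caller, while the `getpgid()` branch accepts any process whose group equals `getpgrp()`. The comment and the header text in mpm_common.h should state which guarantee each build gives. The comment should also say that the check and the `kill()` are separate steps, so the process behind the pid can exit in between, and that the `apr_proc_wait` branch reaps an already-exited child as a side effect, which is why it calls `ap_process_child_status`. No code change is proposed here.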
+Index: include/ap_mmn.h
+===================================================================
+--- include/ap_mmn.h (revision 551928)
++++ include/ap_mmn.h (working copy)
+@@ -113,6 +113,8 @@
+ * 20051115.3 (2.2.3) Added server_scheme member to server_rec (minor)
+ * 20051115.4 (2.2.4) Added ap_get_server_banner() and
+ * ap_get_server_description() (minor)
++ * 20051115.5 (2.2.5) Added ap_mpm_safe_kill() (minor)
++ *
+ */
+
+ #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
+@@ -120,7 +122,7 @@
+ #ifndef MODULE_MAGIC_NUMBER_MAJOR
+ #define MODULE_MAGIC_NUMBER_MAJOR 20051115
+ #endif
+-#define MODULE_MAGIC_NUMBER_MINOR 4 /* 0...n */
++#define MODULE_MAGIC_NUMBER_MINOR 5 /* 0...n */
+
+ /**
+ * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
+Index: configure.in
+===================================================================
+--- configure.in (revision 551928)
++++ configure.in (working copy)
+@@ -392,6 +392,7 @@
+ bindprocessor \
+ prctl \
+ timegm \
++getpgid
+ )
+
+ dnl confirm that a void pointer is large enough to store a long integer
hunk ./source/network/apache/FrugalBuild 7
-pkgrel=1
+pkgrel=2terminus1
hunk ./source/network/apache/FrugalBuild 18
- README.Frugalware index.html http://frugalware.org/images/frugalware.png)
-signatures=($source.asc '' '' '' '' '' '' '' '')
+ README.Frugalware index.html http://frugalware.org/images/frugalware.png \
+ CVE-2006-5752.patch CVE-2007-1863.patch CVE-2007-3304.patch)
+signatures=($source.asc '' '' '' '' '' '' '' '' '' '' '')
hunk ./source/network/apache/FrugalBuild 25
- Fbuild --sysconfdir=/etc/httpd/conf --enable-layout=RedHat --datadir=/var/www \
+ Fpatchall
+ autoconf || return 1
+ Fmake --sysconfdir=/etc/httpd/conf --enable-layout=RedHat --datadir=/var/www \
hunk ./source/network/apache/FrugalBuild 32
+ Fmakeinstall
}
_______________________________________________ Frugalware-darcs mailing list Frugalware-darcs@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-darcs
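Review bot: The three entries added to `signatures` in the FrugalBuild hunk at line 18 are empty strings, so the CVE patches are listed in `source` with no signature. The same holds for `http://frugalware.org/images/frugalware.png`, which is fetched over plain HTTP. For the patches this presumably relies on them being tracked in this repository (the `addfile` records above), which is worth stating in a comment next to the array. If the build tool supports per-file checksums, pinning one for the remotely fetched image would close the remaining gap.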
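Review bot: In the FrugalBuild hunk at line 25, `autoconf || return 1` checks its exit status, but the `Fpatchall` call before it does not. Confirm that the helper aborts the build by itself when a patch fails to apply; if it does not, write `Fpatchall || return 1`, because a silently skipped patch would ship the unfixed code under the new `pkgrel`. The build function starts and ends outside the hunk.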