OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   04-Oct-2002 21:31:29
  Branch: OPENPKG_1_1_SOLID                Handle: 2002100420312800

  Added files:              (Branch: OPENPKG_1_1_SOLID)
    openpkg-src/apache      apache.patch
  Modified files:           (Branch: OPENPKG_1_1_SOLID)
    openpkg-src/apache      apache.spec

  Log:
    fix security bugs (see OpenPKG-SA-2002.009-apache)

  Summary:
    Revision    Changes     Path
    1.1.4.1     +195 -0     openpkg-src/apache/apache.patch
    1.81.2.2    +7  -5      openpkg-src/apache/apache.spec
  ____________________________________________________________________________

  Index: openpkg-src/apache/apache.patch
  ============================================================
  $ cvs update -p -r1.1.4.1 apache.patch
  CAN-2002-0839 (cve.mitre.org): A vulnerability exists in all versions of
  Apache prior to 1.3.27 on platforms using System V shared memory based
  scoreboards. This vulnerability allows an attacker who can execute under
  the Apache UID to exploit the Apache shared memory scoreboard format
  and send a signal to any process as root or cause a local denial of
  service attack. We thank iDefense for their responsible notification and
  disclosure of this issue.
  
  CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site
  scripting vulnerability in the default 404 page of any web server hosted
  on a domain that allows wildcard DNS lookups. We thank Matthew Murphy
  for notification of this issue.
  
  CAN-2002-0843 (cve.mitre.org): There were some possible overflows in
  ab.c which could be exploited by a malicious server. Note that this
  vulnerability is not in Apache itself, but rather one of the support
  programs bundled with Apache. We thank David Wagner for the responsible
  notification and disclosure of this issue.
  
  diff -ru3 apache_1.3.26.orig/src/include/http_conf_globals.h apache_1.3.26/src/include/http_conf_globals.h
  --- apache_1.3.26.orig/src/include/http_conf_globals.h        Wed Mar 13 22:05:29 2002
  +++ apache_1.3.26/src/include/http_conf_globals.h     Fri Oct  4 18:11:24 2002
  @@ -102,6 +102,7 @@
   extern API_VAR_EXPORT char *ap_server_argv0;
   
   extern enum server_token_type ap_server_tokens;
  +extern int ap_change_shmem_uid;
   
   /* Trying to allocate these in the config pool gets us into some *nasty*
    * chicken-and-egg problems in http_main.c --- where do you stick them
  Only in apache_1.3.26/src/include: http_conf_globals.h~
  diff -ru3 apache_1.3.26.orig/src/main/http_core.c apache_1.3.26/src/main/http_core.c
  --- apache_1.3.26.orig/src/main/http_core.c   Tue Jun 18 02:59:57 2002
  +++ apache_1.3.26/src/main/http_core.c        Fri Oct  4 18:11:27 2002
  @@ -2746,11 +2746,14 @@
        return ap_pstrcat(r->pool, prefix, "<ADDRESS>" SERVER_BASEVERSION
                          " Server at <A HREF=\"mailto:";,
                          r->server->server_admin, "\">",
  -                       ap_get_server_name(r), "</A> Port ", sport,
  +                       ap_escape_html(r->pool, ap_get_server_name(r)), 
  +                       "</A> Port ", sport,
                          "</ADDRESS>\n", NULL);
       }
       return ap_pstrcat(r->pool, prefix, "<ADDRESS>" SERVER_BASEVERSION
  -                   " Server at ", ap_get_server_name(r), " Port ", sport,
  +                   " Server at ", 
  +                   ap_escape_html(r->pool, ap_get_server_name(r)), 
  +                   " Port ", sport,
                      "</ADDRESS>\n", NULL);
   }
   
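Review bot: In the mailto branch `r->server->server_admin` is still concatenated into the `HREF` attribute as-is, while the server name beside it now goes through `ap_escape_html`. ServerAdmin comes from the configuration rather than the request, so this is a consistency and robustness gap rather than the reported issue, but a value containing `"` or `<` would still corrupt the markup. Consider escaping it as well, with an escaper that covers double quotes, since `ap_escape_html` may not be sufficient in attribute context. The enclosing function starts outside the hunk.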
  @@ -2778,6 +2781,18 @@
   }
   #endif /*_OSD_POSIX*/
   
  +static const char *set_change_shmem_uid(cmd_parms *cmd,
  +                                              core_dir_config *d, int arg) 
  +{
  +    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
  +    if (err != NULL) {
  +        return err;
  +    }
  +
  +    ap_change_shmem_uid = arg != 0;
  +    return NULL;
  +}
  +
   /*
    * Handle a request to include the server's OS platform in the Server
    * response header field (the ServerTokens directive).  Unfortunately
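Review bot: `set_change_shmem_uid` has no header comment, and neither it nor the `ShmemUIDisUser` help string in the command table (hunk at -3411) says that the default is off or why. Going by the CAN-2002-0839 text at the top of this patch, a comment such as `/* ShmemUIDisUser: when on, the SysV scoreboard segment is given to User/Group; off (default) leaves its ownership unchanged */` would record the trade-off for the next maintainer. The `d` parameter is unused in the body, which fits the handler signature but is worth a `/* unused */` marker.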
  @@ -3411,6 +3426,8 @@
     (void*)XtOffsetOf(core_dir_config, limit_req_body),
     OR_ALL, TAKE1,
     "Limit (in bytes) on maximum size of request message body" },
  +{ "ShmemUIDisUser", set_change_shmem_uid, NULL, RSRC_CONF, FLAG,
  +  "Enable the setting of SysV shared memory scoreboard uid/gid to User/Group" },
   { "AcceptMutex", set_accept_mutex, NULL, RSRC_CONF, TAKE1,
     "Serialized Accept Mutex; the methods " 
   #ifdef HAVE_USLOCK_SERIALIZED_ACCEPT
  @@ -3813,7 +3830,8 @@
   
       if (r->method_number == M_INVALID) {
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  -                 "Invalid method in request %s", r->the_request);
  +                 "Invalid method in request %s",
  +                 ap_escape_logitem(r->pool, r->the_request));
        return NOT_IMPLEMENTED;
       }
       if (r->method_number == M_OPTIONS) {
  Only in apache_1.3.26/src/main: http_core.c~
  diff -ru3 apache_1.3.26.orig/src/main/http_main.c apache_1.3.26/src/main/http_main.c
  --- apache_1.3.26.orig/src/main/http_main.c   Wed Jun  5 06:53:15 2002
  +++ apache_1.3.26/src/main/http_main.c        Fri Oct  4 18:11:24 2002
  @@ -398,6 +398,8 @@
   /* Global, alas, so http_core can talk to us */
   enum server_token_type ap_server_tokens = SrvTk_FULL;
   
  +int ap_change_shmem_uid = 0;
  +
   /*
    * This routine is called when the pconf pool is vacuumed.  It resets the
    * server version string to a known value and [re]enables modifications
  @@ -2327,7 +2329,9 @@
         * We exit below, after we try to remove the segment
         */
       }
  -    else {                   /* only worry about permissions if we attached the segment */
  +    /* only worry about permissions if we attached the segment
  +       and we want/need to change the uid/gid */
  +    else if (ap_change_shmem_uid) {
        if (shmctl(shmid, IPC_STAT, &shmbuf) != 0) {
            ap_log_error(APLOG_MARK, APLOG_ERR, server_conf,
                "shmctl() could not stat segment #%d", shmid);
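Review bot: When `ap_change_shmem_uid` is set, this branch is taken again and, going by the directive's help text, the segment is handed to User/Group, which is the condition the CAN-2002-0839 description in this patch warns about; nothing tells the operator at startup. A one-line notice inside the branch would make that choice visible in the error log, for example `ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, server_conf, "ShmemUIDisUser on: scoreboard segment will be owned by User/Group");`. The new block comment could also state the reason instead of `want/need`. The branch body and the enclosing function continue outside the hunk.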
  Only in apache_1.3.26/src/main: http_main.c~
  diff -ru3 apache_1.3.26.orig/src/main/util_script.c apache_1.3.26/src/main/util_script.c
  --- apache_1.3.26.orig/src/main/util_script.c Thu Mar 21 17:07:02 2002
  +++ apache_1.3.26/src/main/util_script.c      Fri Oct  4 18:11:26 2002
  @@ -280,7 +280,8 @@
       ap_table_addn(e, "PATH", env_path);
       ap_table_addn(e, "SERVER_SIGNATURE", ap_psignature("", r));
       ap_table_addn(e, "SERVER_SOFTWARE", ap_get_server_version());
  -    ap_table_addn(e, "SERVER_NAME", ap_get_server_name(r));
  +    ap_table_addn(e, "SERVER_NAME", 
  +               ap_escape_html(r->pool,ap_get_server_name(r)));
       ap_table_addn(e, "SERVER_ADDR", r->connection->local_ip);        /* Apache */
       ap_table_addn(e, "SERVER_PORT",
                  ap_psprintf(r->pool, "%u", ap_get_server_port(r)));
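Review bot: `SERVER_NAME` is a general-purpose CGI variable, and HTML-escaping it while the environment is built applies the encoding for one output context to every consumer. Scripts that use it for redirects, URLs or log lines would receive entity-encoded text whenever the name contains `<`, `>` or `&`; legitimate host names do not, so in practice only hostile values change, but that intent is not recorded anywhere. A comment on the call such as `/* escaped defensively: the name may be client-supplied and CGIs commonly echo it into HTML */` would help, as would validating the host name where it is parsed. The enclosing function starts and ends outside the hunk.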
  diff -ru3 apache_1.3.26.orig/src/support/ab.c apache_1.3.26/src/support/ab.c
  --- apache_1.3.26.orig/src/support/ab.c       Sat May 11 22:47:57 2002
  +++ apache_1.3.26/src/support/ab.c    Fri Oct  4 18:11:23 2002
  @@ -1079,11 +1079,12 @@
                 * this is first time, extract some interesting info
                 */
                char *p, *q;
  +             int qlen;
                p = strstr(c->cbuff, "Server:");
  -             q = servername;
  +             q = servername; qlen = sizeof(servername);
                if (p) {
                    p += 8;
  -                 while (*p > 32)
  +                 while (*p > 32 && qlen-- > 1) 
                        *q++ = *p++;
                }
                *q = 0;
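Review bot: `p += 8` skips the byte after `Server:` without looking at it, so a response whose buffer ends right after the colon moves `p` past the terminator before the bounded loop starts. The new `qlen` bound protects the write to `servername` but not this read. Stepping over the 7-byte token and then skipping blanks avoids it: `p += 7; while (*p == ' ' || *p == '\t') p++;`. How `c->cbuff` is terminated and how `servername` is declared are outside the hunk, so `sizeof(servername)` is assumed to be taken on an array.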
  @@ -1575,9 +1576,9 @@
            strcpy(content_type, optarg);
            break;
        case 'C':
  -         strncat(cookie, "Cookie: ", sizeof(cookie));
  -         strncat(cookie, optarg, sizeof(cookie));
  -         strncat(cookie, "\r\n", sizeof(cookie));
  +         strncat(cookie, "Cookie: ", sizeof(cookie)-strlen(cookie)-1);
  +         strncat(cookie, optarg, sizeof(cookie)-strlen(cookie)-1);
  +         strncat(cookie, "\r\n", sizeof(cookie)-strlen(cookie)-1);
            break;
        case 'A':
            /*
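Review bot: The context line `strcpy(content_type, optarg);` directly above the `'C'` case is still an unbounded copy of a command-line argument, and this hunk leaves it untouched. It can take the same bounded form as the lines fixed here: `content_type[0] = '\0'; strncat(content_type, optarg, sizeof(content_type)-1);`. This assumes `content_type` is an array declared outside the hunk, as `cookie` appears to be.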
  @@ -1589,9 +1590,9 @@
            l = ap_base64encode(tmp, optarg, strlen(optarg));
            tmp[l] = '\0';
   
  -         strncat(auth, "Authorization: Basic ", sizeof(auth));
  -         strncat(auth, tmp, sizeof(auth));
  -         strncat(auth, "\r\n", sizeof(auth));
  +         strncat(auth, "Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
  +         strncat(auth, tmp, sizeof(auth)-strlen(auth)-1);
  +         strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1);
            break;
        case 'P':
            /*
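Review bot: `ap_base64encode(tmp, optarg, strlen(optarg))` still writes the encoded credentials into `tmp` with no length check, so bounding the later `strncat` calls does not help when `optarg` is long. The same pattern is in the `'P'` hunk that follows (-1602). A guard before the encode, such as `if (ap_base64encode_len(strlen(optarg)) > sizeof(tmp))` followed by an error exit, would close it. `tmp` is declared outside the hunk, so its size is assumed to be fixed.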
  @@ -1602,9 +1603,9 @@
            l = ap_base64encode(tmp, optarg, strlen(optarg));
            tmp[l] = '\0';
   
  -         strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth));
  -         strncat(auth, tmp, sizeof(auth));
  -         strncat(auth, "\r\n", sizeof(auth));
  +         strncat(auth, "Proxy-Authorization: Basic ", sizeof(auth)-strlen(auth)-1);
  +         strncat(auth, tmp, sizeof(auth)-strlen(auth)-1);
  +         strncat(auth, "\r\n", sizeof(auth)-strlen(auth)-1);
            break;
        case 'X':
            {
  @@ -1622,8 +1623,8 @@
            }
            break;
        case 'H':
  -         strncat(hdrs, optarg, sizeof(hdrs));
  -         strncat(hdrs, "\r\n", sizeof(hdrs));
  +         strncat(hdrs, optarg, sizeof(hdrs)-strlen(hdrs)-1);
  +         strncat(hdrs, "\r\n", sizeof(hdrs)-strlen(hdrs)-1);
            break;
        case 'V':
            copyright();
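Review bot: The bounded `strncat` calls truncate silently, so an over-long `-H` value can leave `hdrs` without its trailing `\r\n`, and the request is then sent malformed instead of being rejected. The same applies to the `'C'`, `'A'` and `'P'` hunks above. Checking the remaining space first and exiting with a usage error is clearer, e.g. `if (strlen(optarg) + 3 > sizeof(hdrs) - strlen(hdrs)) { /* report and exit */ }`.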
  Index: openpkg-src/apache/apache.spec
  ============================================================
  $ cvs diff -u -r1.81.2.1 -r1.81.2.2 apache.spec
  --- openpkg-src/apache/apache.spec    26 Aug 2002 19:53:12 -0000      1.81.2.1
  +++ openpkg-src/apache/apache.spec    4 Oct 2002 19:31:28 -0000       1.81.2.2
  @@ -143,7 +143,7 @@
   Group:        Web
   License:      ASF
   Version:      %{V_apache}
  -Release:      1.1.0
  +Release:      1.1.1
   
   #   list of sources
   Source0:      http://www.apache.org/dist/httpd/apache_%{V_apache}.tar.gz
  @@ -166,6 +166,7 @@
   Source21:     apache.base
   Source22:     apache.vhost
   Source23:     rc.apache
  +Patch0:       apache.patch
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -318,6 +319,7 @@
   %prep
       #   unpack Apache distribution
       %setup0 -q -c
  +    %patch0 -p0
       #   unpack optional extension modules
   %if "%{with_mod_ssl}" == "yes"
       %setup1 -q -T -D -a 1
  @@ -686,11 +688,11 @@
         libs=""
   %if "%{with_mod_auth_pam}" == "yes"
         pam_incdir=`%{l_prefix}/etc/rc --query pam_incdir`
  -      if [ ".$pam_incdir" != "./usr/include" ]; then
  +      if [ ".$pam_incdir" != "./usr/include" -a ".$pam_incdir" != "./include" ]; then
             cflags="$cflags -I$pam_incdir"
         fi
         pam_libdir=`%{l_prefix}/etc/rc --query pam_libdir`
  -      if [ ".$pam_libdir" != "./usr/lib" ]; then
  +      if [ ".$pam_libdir" != "./usr/lib" -a ".$pam_libdir" != "./lib" ]; then
             ldflags="$ldflags -L$pam_libdir"
         fi
         libs="$libs -lpam"
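Review bot: The log message names only the security fix, but this hunk and the two `pamtool` hunks that follow (-843 and -851) change PAM include/library path handling and switch `pamtool` to long options, which the advisory text in this commit does not mention. On a security update to a stable branch it helps auditors if such changes are split out or at least named in the log. A minor style point on the new tests: `-a` inside `[ ]` is marked obsolescent by POSIX, and `[ ".$pam_libdir" != "./usr/lib" ] && [ ".$pam_libdir" != "./lib" ]` is the unambiguous form.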
  @@ -843,7 +845,7 @@
   %if "%{with_mod_auth_pam}" == "yes"
       #   add PAM configuration entry
       if [ $1 -eq 1 ]; then
  -        $RPM_INSTALL_PREFIX/sbin/pamtool -a -s -n "apache"
  +        $RPM_INSTALL_PREFIX/sbin/pamtool --add --smart --name=apache
       fi
   %endif
   
  @@ -851,7 +853,7 @@
   %if "%{with_mod_auth_pam}" == "yes"
       #   remove PAM configuration entry
       if [ $1 -eq 0 ]; then
  -        $RPM_INSTALL_PREFIX/sbin/pamtool -r -s -n "apache"
  +        $RPM_INSTALL_PREFIX/sbin/pamtool --remove --smart --name=apache
       fi
   %endif
   
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
