[Pkg-apache-commits] r1031 - in /branches/etch-apr: changelog patches/001_cve-2009-2412.dpatch patches/00list
peters at alioth.debian.org
peters at alioth.debian.org
Thu Aug 6 14:08:40 UTC 2009
Author: peters
Date: Thu Aug 6 14:08:39 2009
New Revision: 1031
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1031
Log:
Prepare etch release for CVE-2009-2412.
Added:
branches/etch-apr/patches/001_cve-2009-2412.dpatch
Modified:
branches/etch-apr/changelog
branches/etch-apr/patches/00list
Modified: branches/etch-apr/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr/changelog?rev=1031&op=diff
==============================================================================
--- branches/etch-apr/changelog (original)
+++ branches/etch-apr/changelog Thu Aug 6 14:08:39 2009
@@ -1,3 +1,10 @@
+apr (1.2.7-9) oldstable-security; urgency=high
+
+ * Fix CVE-2009-2412: overflow in pool allocations, where size alignment
+ was taking place.
+
+ -- Peter Samuelson <peter at p12n.org> Thu, 06 Aug 2009 09:01:34 -0500
+
apr (1.2.7-8.2) unstable; urgency=high
* Non-maintainer upload.
Added: branches/etch-apr/patches/001_cve-2009-2412.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr/patches/001_cve-2009-2412.dpatch?rev=1031&op=file
==============================================================================
--- branches/etch-apr/patches/001_cve-2009-2412.dpatch (added)
+++ branches/etch-apr/patches/001_cve-2009-2412.dpatch Thu Aug 6 14:08:39 2009
@@ -1,0 +1,71 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 001_cve-2009-2412.dpatch by William Rowe <wrowe at rowe-clan.net>
+##
+## DP: SECURITY: CVE-2009-2412 (cve.mitre.org)
+## DP: Fix overflow in pools, where size alignment was taking place.
+## DP:
+## DP: Reported by: Matt Lewis <mattlewis at google.com>
+## DP:
+## DP: * memory/unix/apr_pools.c
+## DP: (allocator_alloc, apr_palloc): Check for overflow after aligning size.
+## DP: (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice.
+## DP:
+## DP: SEE ALSO: apr-util-1.x-CVE-2009-2412.patch
+
+ at DPATCH@
+--- a/memory/unix/apr_pools.c
++++ b/memory/unix/apr_pools.c
+@@ -191,16 +191,19 @@
+ }
+
+ static APR_INLINE
+-apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t size)
++apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
+ {
+ apr_memnode_t *node, **ref;
+ apr_uint32_t max_index;
+- apr_size_t i, index;
++ apr_size_t size, i, index;
+
+ /* Round up the block size to the next boundary, but always
+ * allocate at least a certain size (MIN_ALLOC).
+ */
+- size = APR_ALIGN(size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++ size = APR_ALIGN(in_size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++ if (size < in_size) {
++ return NULL;
++ }
+ if (size < MIN_ALLOC)
+ size = MIN_ALLOC;
+
+@@ -628,13 +631,19 @@
+ * Memory allocation
+ */
+
+-APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
++APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
+ {
+ apr_memnode_t *active, *node;
+ void *mem;
+- apr_size_t free_index;
++ apr_size_t size, free_index;
+
+- size = APR_ALIGN_DEFAULT(size);
++ size = APR_ALIGN_DEFAULT(in_size);
++ if (size < in_size) {
++ if (pool->abort_fn)
++ pool->abort_fn(APR_ENOMEM);
++
++ return NULL;
++ }
+ active = pool->active;
+
+ /* If the active node has enough bytes left, use it. */
+@@ -699,7 +708,6 @@
+ {
+ void *mem;
+
+- size = APR_ALIGN_DEFAULT(size);
+ if ((mem = apr_palloc(pool, size)) != NULL) {
+ memset(mem, 0, size);
+ }
Modified: branches/etch-apr/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr/patches/00list?rev=1031&op=diff
==============================================================================
--- branches/etch-apr/patches/00list (original)
+++ branches/etch-apr/patches/00list Thu Aug 6 14:08:39 2009
@@ -1,3 +1,4 @@
+001_cve-2009-2412
011_fix_apr-config
013_ship_find_apr.m4
014_fix-apr.pc
More information about the Pkg-apache-commits
mailing list