[Pkg-apache-commits] r1035 - in /branches/etch-apr-util: changelog patches/00list patches/020_CVE-2009-2412.dpatch

peters at alioth.debian.org peters at alioth.debian.org
Thu Aug 6 14:32:02 UTC 2009


Author: peters
Date: Thu Aug  6 14:32:01 2009
New Revision: 1035

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1035
Log:
Prepare apr-util 1.2.7+dfsg-2+etch3 security release for CVE-2009-2412.

Added:
    branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch
Modified:
    branches/etch-apr-util/changelog
    branches/etch-apr-util/patches/00list

Modified: branches/etch-apr-util/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/changelog?rev=1035&op=diff
==============================================================================
--- branches/etch-apr-util/changelog (original)
+++ branches/etch-apr-util/changelog Thu Aug  6 14:32:01 2009
@@ -1,3 +1,9 @@
+apr-util (1.2.7+dfsg-2+etch3) oldstable-security; urgency=high
+
+  * CVE-2009-2412: Fix overflow in RMM allocations due to alignment.
+
+ -- Peter Samuelson <peter at p12n.org>  Thu, 06 Aug 2009 09:27:58 -0500
+
 apr-util (1.2.7+dfsg-2+etch2) oldstable-security; urgency=high
 
   * CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes

Modified: branches/etch-apr-util/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/00list?rev=1035&op=diff
==============================================================================
--- branches/etch-apr-util/patches/00list (original)
+++ branches/etch-apr-util/patches/00list Thu Aug  6 14:32:01 2009
@@ -6,4 +6,5 @@
 014_apu_config_dont_list_indep_libs
 017_CVE-2009-0023
 018_expat_entity_expansion.dpatch
+020_CVE-2009-2412
 099_alternate_md4_md5_impl

Added: branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch?rev=1035&op=file
==============================================================================
--- branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch (added)
+++ branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch Thu Aug  6 14:32:01 2009
@@ -1,0 +1,96 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 020_CVE-2009-2412 by William Rowe <wrowe at rowe-clan.net>
+##
+## DP: SECURITY: CVE-2009-2412 (cve.mitre.org)
+## DP: Fix overflow in rmm, where size alignment was taking place.
+## DP: 
+## DP: Reported by: Matt Lewis <mattlewis at google.com>
+## DP: 
+## DP: * misc/apr_rmm.c
+## DP:   (apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc): Check for overflow after aligning size.
+## DP: 
+## DP: SEE ALSO: apr-1.x-CVE-2009-2412.patch
+
+ at DPATCH@
+Index: misc/apr_rmm.c
+===================================================================
+--- a/misc/apr_rmm.c
++++ b/misc/apr_rmm.c
+@@ -306,13 +306,17 @@
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++    apr_size_t size;
+     apr_rmm_off_t this;
+     
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    if (size < reqsize) {
++        return 0;
++    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
++    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+@@ -325,18 +329,22 @@
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++    apr_size_t size;
+     apr_rmm_off_t this;
+         
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    if (size < reqsize) {
++        return 0;
++    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
++    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+         this += RMM_BLOCK_SIZE;
+-        memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
++        memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
+     }
+ 
+     APR_ANYLOCK_UNLOCK(&rmm->lock);
+@@ -349,16 +357,19 @@
+     apr_rmm_off_t this;
+     apr_rmm_off_t old;
+     struct rmm_block_t *blk;
+-    apr_size_t oldsize;
++    apr_size_t size, oldsize;
+ 
+     if (!entity) {
+         return apr_rmm_malloc(rmm, reqsize);
+     }
+ 
+-    reqsize = APR_ALIGN_DEFAULT(reqsize);
++    size = APR_ALIGN_DEFAULT(reqsize);
++    if (size < reqsize) {
++        return 0;
++    }
+     old = apr_rmm_offset_get(rmm, entity);
+ 
+-    if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
++    if ((this = apr_rmm_malloc(rmm, size)) == 0) {
+         return 0;
+     }
+ 
+@@ -366,7 +377,7 @@
+     oldsize = blk->size;
+ 
+     memcpy(apr_rmm_addr_get(rmm, this),
+-           apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
++           apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
+     apr_rmm_free(rmm, old);
+ 
+     return this;
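Review bot: The three `if (size < reqsize)` guards added in apr_rmm_malloc, apr_rmm_calloc and apr_rmm_realloc only work because apr_size_t arithmetic wraps silently, and nothing in the patch says so. A one-line comment above each, such as `/* aligning (and adding the block header) can wrap apr_size_t; a wrapped size is smaller than the request */`, would keep a later cleanup from removing the test as dead code. Separately, in apr_rmm_realloc the memcpy length is still `oldsize < size ? oldsize : size`, with oldsize read from `blk->size`. If that field counts RMM_BLOCK_SIZE, as the size passed to find_block_of_size in apr_rmm_malloc does, the copy could read up to one header's worth past the old payload when growing. This needs confirming against the part of apr_rmm_realloc that lies outside these hunks, including the assignment of `blk`.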



