[Pkg-apache-commits] r1035 - in /branches/etch-apr-util: changelog patches/00list patches/020_CVE-2009-2412.dpatch
peters at alioth.debian.org
peters at alioth.debian.org
Thu Aug 6 14:32:02 UTC 2009
Author: peters
Date: Thu Aug 6 14:32:01 2009
New Revision: 1035
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1035
Log:
Prepare apr-util 1.2.7+dfsg-2+etch3 security release for CVE-2009-2412.
Added:
branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch
Modified:
branches/etch-apr-util/changelog
branches/etch-apr-util/patches/00list
Modified: branches/etch-apr-util/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/changelog?rev=1035&op=diff
==============================================================================
--- branches/etch-apr-util/changelog (original)
+++ branches/etch-apr-util/changelog Thu Aug 6 14:32:01 2009
@@ -1,3 +1,9 @@
+apr-util (1.2.7+dfsg-2+etch3) oldstable-security; urgency=high
+
+ * CVE-2009-2412: Fix overflow in RMM allocations due to alignment.
+
+ -- Peter Samuelson <peter at p12n.org> Thu, 06 Aug 2009 09:27:58 -0500
+
apr-util (1.2.7+dfsg-2+etch2) oldstable-security; urgency=high
* CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes
Modified: branches/etch-apr-util/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/00list?rev=1035&op=diff
==============================================================================
--- branches/etch-apr-util/patches/00list (original)
+++ branches/etch-apr-util/patches/00list Thu Aug 6 14:32:01 2009
@@ -6,4 +6,5 @@
014_apu_config_dont_list_indep_libs
017_CVE-2009-0023
018_expat_entity_expansion.dpatch
+020_CVE-2009-2412
099_alternate_md4_md5_impl
Added: branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch?rev=1035&op=file
==============================================================================
--- branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch (added)
+++ branches/etch-apr-util/patches/020_CVE-2009-2412.dpatch Thu Aug 6 14:32:01 2009
@@ -1,0 +1,96 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 020_CVE-2009-2412 by William Rowe <wrowe at rowe-clan.net>
+##
+## DP: SECURITY: CVE-2009-2412 (cve.mitre.org)
+## DP: Fix overflow in rmm, where size alignment was taking place.
+## DP:
+## DP: Reported by: Matt Lewis <mattlewis at google.com>
+## DP:
+## DP: * misc/apr_rmm.c
+## DP: (apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc): Check for overflow after aligning size.
+## DP:
+## DP: SEE ALSO: apr-1.x-CVE-2009-2412.patch
+
+ at DPATCH@
+Index: misc/apr_rmm.c
+===================================================================
+--- a/misc/apr_rmm.c
++++ b/misc/apr_rmm.c
+@@ -306,13 +306,17 @@
+
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++ apr_size_t size;
+ apr_rmm_off_t this;
+
+- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ if (size < reqsize) {
++ return 0;
++ }
+
+ APR_ANYLOCK_LOCK(&rmm->lock);
+
+- this = find_block_of_size(rmm, reqsize);
++ this = find_block_of_size(rmm, size);
+
+ if (this) {
+ move_block(rmm, this, 0);
+@@ -325,18 +329,22 @@
+
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++ apr_size_t size;
+ apr_rmm_off_t this;
+
+- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ if (size < reqsize) {
++ return 0;
++ }
+
+ APR_ANYLOCK_LOCK(&rmm->lock);
+
+- this = find_block_of_size(rmm, reqsize);
++ this = find_block_of_size(rmm, size);
+
+ if (this) {
+ move_block(rmm, this, 0);
+ this += RMM_BLOCK_SIZE;
+- memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
++ memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
+ }
+
+ APR_ANYLOCK_UNLOCK(&rmm->lock);
+@@ -349,16 +357,19 @@
+ apr_rmm_off_t this;
+ apr_rmm_off_t old;
+ struct rmm_block_t *blk;
+- apr_size_t oldsize;
++ apr_size_t size, oldsize;
+
+ if (!entity) {
+ return apr_rmm_malloc(rmm, reqsize);
+ }
+
+- reqsize = APR_ALIGN_DEFAULT(reqsize);
++ size = APR_ALIGN_DEFAULT(reqsize);
++ if (size < reqsize) {
++ return 0;
++ }
+ old = apr_rmm_offset_get(rmm, entity);
+
+- if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
++ if ((this = apr_rmm_malloc(rmm, size)) == 0) {
+ return 0;
+ }
+
+@@ -366,7 +377,7 @@
+ oldsize = blk->size;
+
+ memcpy(apr_rmm_addr_get(rmm, this),
+- apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
++ apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
+ apr_rmm_free(rmm, old);
+
+ return this;
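Review bot: The overflow guard `if (size < reqsize)` added to apr_rmm_malloc, apr_rmm_calloc and apr_rmm_realloc in misc/apr_rmm.c relies on apr_size_t wrapping as an unsigned type, and nothing in the new code says so; a one-line comment above each check, such as `/* unsigned wrap: an aligned size below reqsize means the arithmetic overflowed */`, would keep a later cleanup from dropping or "simplifying" it. In apr_rmm_realloc the check covers the alignment step alone and is still required, because a wrapped `size` would otherwise be passed to apr_rmm_malloc and come back as a valid but far too small block for a huge request. Separately, `oldsize = blk->size` feeds the memcpy length: if blk->size counts the RMM_BLOCK_SIZE header (it looks that way from how apr_rmm_malloc sizes its request, but the code that stores it is outside these hunks), a growing realloc could read past the end of the old payload, so that is worth confirming. The bodies of all three functions continue outside the hunks.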