[Pkg-apache-commits] r960 - in /trunk/apache2: changelog patches/00list patches/070_CVE-2009-1195_mod_include_noexec.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Mon Jun 8 17:20:07 UTC 2009


Author: sf
Date: Mon Jun  8 17:20:06 2009
New Revision: 960

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=960
Log:
070_CVE-2009-1195

Added:
    trunk/apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch   (with props)
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=960&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Mon Jun  8 17:20:06 2009
@@ -1,5 +1,7 @@
-apache2 (2.2.11-6) UNRELEASED; urgency=low
-
+apache2 (2.2.11-6) UNRELEASED; urgency=high
+
+  * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
+    Side Includes (closes: #530834).
   * Fix postinst scripts (closes: #532278).
 
  -- Stefan Fritsch <sf at debian.org>  Mon, 08 Jun 2009 19:04:13 +0200

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=960&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Mon Jun  8 17:20:06 2009
@@ -20,6 +20,7 @@
 067_fix_segfault_in_ab.dpatch
 068_check_pollset_create_error.dpatch
 069_backports_from_2.2.12.dpatch
+070_CVE-2009-1195_mod_include_noexec.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch?rev=960&op=file
==============================================================================
--- trunk/apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch (added)
+++ trunk/apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch Mon Jun  8 17:20:06 2009
@@ -1,0 +1,150 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 070_CVE-2009-1195_mod_include_noexec.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad apache2-2.2.9~/include/http_core.h apache2-2.2.9/include/http_core.h
+--- apache2-2.2.9~/include/http_core.h	2008-02-26 20:47:51.000000000 +0100
++++ apache2-2.2.9/include/http_core.h	2009-06-01 19:34:09.774738408 +0200
+@@ -65,7 +65,7 @@
+ #define OPT_NONE 0
+ /** Indexes directive */
+ #define OPT_INDEXES 1
+-/**  Includes directive */
++/** SSI is enabled without exec= permission  */
+ #define OPT_INCLUDES 2
+ /**  FollowSymLinks directive */
+ #define OPT_SYM_LINKS 4
+@@ -80,9 +80,22 @@
+ /** MultiViews directive */
+ #define OPT_MULTI 128
+ /**  All directives */
+-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
+ /** @} */
+ 
++#ifdef CORE_PRIVATE
++/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
++ * internally replaced by OPT_INC_WITH_EXEC.  The internal semantics
++ * of the two SSI-related bits are hence:
++ *
++ *  OPT_INCLUDES => "enable SSI, without exec= permission"
++ *  OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
++ *
++ * The set of options exposed via ap_allow_options() retains the
++ * semantics of OPT_INCNOEXEC by flipping the bit. */
++#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
++#endif
++
+ /**
+  * @defgroup get_remote_host Remote Host Resolution 
+  * @ingroup APACHE_CORE_HTTPD
+diff -urNad apache2-2.2.9~/server/config.c apache2-2.2.9/server/config.c
+--- apache2-2.2.9~/server/config.c	2009-06-01 19:34:08.826702009 +0200
++++ apache2-2.2.9/server/config.c	2009-06-01 19:34:09.778739729 +0200
+@@ -1510,7 +1510,7 @@
+     parms.temp_pool = ptemp;
+     parms.server = s;
+     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ 
+     parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
+                                             &arr_parms, NULL,
+@@ -1642,7 +1642,7 @@
+     parms.temp_pool = ptemp;
+     parms.server = s;
+     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ 
+     rv = ap_pcfg_openfile(&cfp, p, fname);
+     if (rv != APR_SUCCESS) {
+@@ -1781,7 +1781,7 @@
+     parms.temp_pool = ptemp;
+     parms.server = s;
+     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+     parms.limited = -1;
+ 
+     errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
+diff -urNad apache2-2.2.9~/server/core.c apache2-2.2.9/server/core.c
+--- apache2-2.2.9~/server/core.c	2009-06-01 19:34:08.702731858 +0200
++++ apache2-2.2.9/server/core.c	2009-06-01 19:34:42.926701125 +0200
+@@ -108,8 +108,7 @@
+     conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
+     conf->opts_add = conf->opts_remove = OPT_NONE;
+     conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
+-    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
+-                          | OPT_MULTI;
++    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ 
+     conf->content_md5 = 2;
+     conf->accept_path_info = 3;
+@@ -242,8 +241,15 @@
+         conf->opts_remove = (conf->opts_remove & ~new->opts_add)
+                             | new->opts_remove;
+         conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
+-        if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
+-            conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
++
++        /* If Includes was enabled with exec in the base config, but
++         * was enabled without exec in the new config, then disable
++         * exec in the merged set. */
++        if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++             == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++            && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++                == OPT_INCLUDES)) {
++            conf->opts &= ~OPT_INC_WITH_EXEC;
+         }
+     }
+     else {
+@@ -655,7 +661,16 @@
+     core_dir_config *conf =
+       (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
+ 
+-    return conf->opts;
++    /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
++     * inverted, such that the exposed semantics match that of
++     * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
++     * permitted. */
++    if (conf->opts & OPT_INCLUDES) {
++        return conf->opts ^ OPT_INC_WITH_EXEC;
++    }
++    else {
++        return conf->opts;
++    }
+ }
+ 
+ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
+@@ -1304,10 +1319,12 @@
+             opt = OPT_INDEXES;
+         }
+         else if (!strcasecmp(w, "Includes")) {
+-            opt = OPT_INCLUDES;
++            /* If Includes is permitted, both Includes and
++             * IncludesNOEXEC may be changed. */
++            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+         }
+         else if (!strcasecmp(w, "IncludesNOEXEC")) {
+-            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++            opt = OPT_INCLUDES;
+         }
+         else if (!strcasecmp(w, "FollowSymLinks")) {
+             opt = OPT_SYM_LINKS;
+@@ -1428,10 +1445,10 @@
+             opt = OPT_INDEXES;
+         }
+         else if (!strcasecmp(w, "Includes")) {
+-            opt = OPT_INCLUDES;
++            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+         }
+         else if (!strcasecmp(w, "IncludesNOEXEC")) {
+-            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++            opt = OPT_INCLUDES;
+         }
+         else if (!strcasecmp(w, "FollowSymLinks")) {
+             opt = OPT_SYM_LINKS;
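Review bot: The dpatch header still reads `## DP: No description.`, so this security fix does not say what it fixes or where it came from; the CVE appears only in the file name and the changelog. The comment added to http_core.h says the bit semantics changed "since 2.2.12", but the nested diff is against apache2-2.2.9 and the changelog entry is for 2.2.11-6, so this looks like a backport and the header is the place to say so. The header should also record that code built with CORE_PRIVATE which reads `conf->opts` directly, rather than calling ap_allow_options(), now sees the OPT_INCNOEXEC bit with the opposite meaning. I would replace the placeholder with `## DP: CVE-2009-1195: IncludesNoExec could be bypassed for Server Side Includes (#530834).`, `## DP: Backport of the 2.2.12 change: core_dir_config.opts now stores OPT_INC_WITH_EXEC;` and `## DP: only ap_allow_options() still reports OPT_INCNOEXEC.`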

Propchange: trunk/apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
------------------------------------------------------------------------------
    svn:executable = *



