[Pkg-apache-commits] r1064 - in /branches/lenny-apache2: changelog patches/071_CVE-2009-1891.dpatch

sf at alioth.debian.org
Mon Oct 5 16:50:02 UTC 2009


Author: sf
Date: Mon Oct  5 16:50:02 2009
New Revision: 1064

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1064
Log:
fix regression caused by CVE-2009-1891 fix

Modified:
    branches/lenny-apache2/changelog
    branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch

Modified: branches/lenny-apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/changelog?rev=1064&op=diff
==============================================================================
--- branches/lenny-apache2/changelog (original)
+++ branches/lenny-apache2/changelog Mon Oct  5 16:50:02 2009
@@ -4,6 +4,8 @@
     - DoS by malicious ftp server (CVE-2009-3094)
     - missing input sanitization: a user could execute arbitrary ftp commands
       on the backend ftp server (CVE-2009-3095)
+  * Fix segfault in legacy ap_r* API which is triggered more often since
+    the fix for CVE-2009-1891 was applied (closes: #537665).
   * Take care to not override existing index.shtml files when upgrading from
     before 2.2.8-1 (closes: #517089).
   * mod_deflate: Fix invalid etag to be emitted for on-the-fly gzip
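Review bot: the new entry "Fix segfault in legacy ap_r* API" gives the bug number but not where the fix lives. Consider adding that it is carried in 071_CVE-2009-1891.dpatch and comes from upstream svn r800333, as the dpatch header states, so the entry can be traced without opening the patch.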

Modified: branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch?rev=1064&op=diff
==============================================================================
--- branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch (original)
+++ branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch Mon Oct  5 16:50:02 2009
@@ -3,6 +3,7 @@
 ## All lines beginning with `## DP:' are a description of the patch.
 ## DP: mod_deflate DoS
 ## DP: http://mail-archives.apache.org/mod_mbox/httpd-dev/200907.mbox/<20090703100048.GA4492@redhat.com>
+## DP: also fix segfault which is triggered more often with this patch (#537665, upstream svn r800333)
 
 @DPATCH@
 --- a/server/core_filters.c	(revision 790833)
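Review bot: with the added "## DP: also fix segfault" line, 071_CVE-2009-1891.dpatch now carries two separate changes, the mod_deflate DoS fix and the segfault fix from upstream svn r800333. A separate dpatch for the segfault fix would let either change be refreshed or dropped independently; if it stays bundled, the description line is the right place to record it.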
@@ -34,3 +35,27 @@
              return APR_SUCCESS;
          }
  
+diff --git a/server/util_filter.c b/server/util_filter.c
+index 7d48b52..b2e7b58 100644
+--- a/server/util_filter.c
++++ b/server/util_filter.c
+@@ -578,8 +578,18 @@ AP_DECLARE_NONSTD(apr_status_t) ap_filter_flush(apr_bucket_brigade *bb,
+                                                 void *ctx)
+ {
+     ap_filter_t *f = ctx;
++    apr_status_t rv;
+ 
+-    return ap_pass_brigade(f, bb);
++    rv = ap_pass_brigade(f, bb);
++
++    /* Before invocation of the flush callback, apr_brigade_write et
++     * al may place transient buckets in the brigade, which will fall
++     * out of scope after returning.  Empty the brigade here, to avoid
++     * issues with leaving such buckets in the brigade if some filter
++     * fails and leaves a non-empty brigade. */
++    apr_brigade_cleanup(bb);
++
++    return rv;
+ }
+ 
+ AP_DECLARE(apr_status_t) ap_fflush(ap_filter_t *f, apr_bucket_brigade *bb)
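Review bot: in ap_filter_flush, apr_brigade_cleanup(bb) runs on every call, but the new comment only motivates the failure case ("if some filter fails and leaves a non-empty brigade"). The comment should state that the brigade is emptied unconditionally, so callers know bb holds nothing after the call even when rv is APR_SUCCESS. A smaller point: this embedded diff uses a git-style header (diff --git, index 7d48b52..b2e7b58) while the core_filters.c part uses an svn "(revision 790833)" header, so a line next to it naming r800333 would keep the provenance visible in the patch body.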



