[Pkg-apache-commits] r1376 - in /trunk/apache2: changelog patches/00list patches/085_CVE-2011-3607.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Sat Dec 3 17:50:20 UTC 2011


Author: sf
Date: Sat Dec  3 17:50:19 2011
New Revision: 1376

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1376
Log:
Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
via malicious .htaccess.

Added:
    trunk/apache2/patches/085_CVE-2011-3607.dpatch   (with props)
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1376&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sat Dec  3 17:50:19 2011
@@ -1,14 +1,16 @@
-apache2 (2.2.21-3) UNRELEASED; urgency=low
+apache2 (2.2.21-4) UNRELEASED; urgency=low
 
   * Fix CVE-2011-4317: Prevent unintended pattern expansion in some
     reverse proxy configurations. (Similar to CVE-2011-3368, but different
     attack vector.)
+  * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
+    via malicious .htaccess. 
   * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
   * Fix broken link in docs. Closes: #650528
   * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
     Thanks for your work in the past.
 
- -- Stefan Fritsch <sf at debian.org>  Sun, 23 Oct 2011 10:03:26 +0200
+ -- Stefan Fritsch <sf at debian.org>  Sat, 03 Dec 2011 18:48:43 +0100
 
 apache2 (2.2.21-2) unstable; urgency=high
 
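Review bot: the header line of this entry still reads urgency=low although the entry now carries two CVE fixes (CVE-2011-4317 and the added CVE-2011-3607), while the 2.2.21-2 entry below it is urgency=high. Consider raising the urgency before the entry leaves UNRELEASED. Minor style point: the added line ending in ".htaccess." has a trailing space.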

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1376&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sat Dec  3 17:50:19 2011
@@ -24,6 +24,7 @@
 082_ab_num_requests
 083_CVE-2011-3368.dpatch
 084_CVE-2011-4317.dpatch
+085_CVE-2011-3607.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/085_CVE-2011-3607.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/085_CVE-2011-3607.dpatch?rev=1376&op=file
==============================================================================
--- trunk/apache2/patches/085_CVE-2011-3607.dpatch (added)
+++ trunk/apache2/patches/085_CVE-2011-3607.dpatch Sat Dec  3 17:50:19 2011
@@ -1,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 085_CVE-2011-3607.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow, based on upstream r1198940
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/server/util.c trunk/server/util.c
+--- trunk~/server/util.c	2011-05-19 04:17:37.000000000 +0200
++++ trunk/server/util.c	2011-12-03 18:46:39.875941529 +0100
+@@ -366,7 +366,7 @@
+     char *dest, *dst;
+     char c;
+     size_t no;
+-    int len;
++    apr_size_t len;
+ 
+     if (!source)
+         return NULL;
+@@ -391,6 +391,8 @@
+             len++;
+         }
+         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
++                return APR_ENOMEM;
+             len += pmatch[no].rm_eo - pmatch[no].rm_so;
+         }
+ 
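Review bot: in the second util.c hunk the new overflow check does `return APR_ENOMEM;`, but the `if (!source) return NULL;` lines in the first hunk show that this function signals failure with a NULL pointer. Returning an APR status code here would hand the caller a small non-NULL integer in place of the result string, so a caller that only tests for NULL would go on to use it as a pointer. Suggest `return NULL;` in the overflow branch so it fails the same way as the `!source` case. The change of `len` from `int` to `apr_size_t` fits the `APR_SIZE_MAX - len` comparison, and the existing `rm_so < rm_eo` condition keeps the subtracted length positive.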

Propchange: trunk/apache2/patches/085_CVE-2011-3607.dpatch
------------------------------------------------------------------------------
    svn:executable = *



