[Pkg-apache-commits] r1376 - in /trunk/apache2: changelog patches/00list patches/085_CVE-2011-3607.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Sat Dec 3 17:50:20 UTC 2011
Author: sf
Date: Sat Dec 3 17:50:19 2011
New Revision: 1376
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1376
Log:
Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
via malicious .htaccess.
Added:
trunk/apache2/patches/085_CVE-2011-3607.dpatch (with props)
Modified:
trunk/apache2/changelog
trunk/apache2/patches/00list
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1376&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Sat Dec 3 17:50:19 2011
@@ -1,14 +1,16 @@
-apache2 (2.2.21-3) UNRELEASED; urgency=low
+apache2 (2.2.21-4) UNRELEASED; urgency=low
* Fix CVE-2011-4317: Prevent unintended pattern expansion in some
reverse proxy configurations. (Similar to CVE-2011-3368, but different
attack vector.)
+ * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
+ via malicious .htaccess.
* Mention dpkg-statoverride for changing permissions of suexec. LP: #897120
* Fix broken link in docs. Closes: #650528
* Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders.
Thanks for your work in the past.
- -- Stefan Fritsch <sf at debian.org> Sun, 23 Oct 2011 10:03:26 +0200
+ -- Stefan Fritsch <sf at debian.org> Sat, 03 Dec 2011 18:48:43 +0100
apache2 (2.2.21-2) unstable; urgency=high
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1376&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Sat Dec 3 17:50:19 2011
@@ -24,6 +24,7 @@
082_ab_num_requests
083_CVE-2011-3368.dpatch
084_CVE-2011-4317.dpatch
+085_CVE-2011-3607.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: trunk/apache2/patches/085_CVE-2011-3607.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/085_CVE-2011-3607.dpatch?rev=1376&op=file
==============================================================================
--- trunk/apache2/patches/085_CVE-2011-3607.dpatch (added)
+++ trunk/apache2/patches/085_CVE-2011-3607.dpatch Sat Dec 3 17:50:19 2011
@@ -1,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 085_CVE-2011-3607.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow, based on upstream r1198940
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/server/util.c trunk/server/util.c
+--- trunk~/server/util.c 2011-05-19 04:17:37.000000000 +0200
++++ trunk/server/util.c 2011-12-03 18:46:39.875941529 +0100
+@@ -366,7 +366,7 @@
+ char *dest, *dst;
+ char c;
+ size_t no;
+- int len;
++ apr_size_t len;
+
+ if (!source)
+ return NULL;
+@@ -391,6 +391,8 @@
+ len++;
+ }
+ else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
++ return APR_ENOMEM;
+ len += pmatch[no].rm_eo - pmatch[no].rm_so;
+ }
+
Propchange: trunk/apache2/patches/085_CVE-2011-3607.dpatch
------------------------------------------------------------------------------
svn:executable = *
More information about the Pkg-apache-commits
mailing list