[Pkg-apache-commits] r1313 - in /branches/lenny-apr: changelog patches/00list patches/024_cloexec.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Sat May 14 08:38:23 UTC 2011
Author: sf
Date: Sat May 14 08:38:21 2011
New Revision: 1313
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1313
Log:
commit missing change from 1.2.12-5+lenny2:
* Set FD_CLOEXEC flag on file descriptors. Not doing so caused Apache httpd
modules which do not use the apr API for executing other processes to leak
file descriptors to the called processes. In some setups, this could cause
security issues and/or problems with Apache failing to restart. This issue
affected mod_php (but not mod_cgi). Closes: #366124
Added:
branches/lenny-apr/patches/024_cloexec.dpatch
Modified:
branches/lenny-apr/changelog
branches/lenny-apr/patches/00list
Modified: branches/lenny-apr/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr/changelog?rev=1313&op=diff
==============================================================================
--- branches/lenny-apr/changelog (original)
+++ branches/lenny-apr/changelog Sat May 14 08:38:21 2011
@@ -1,3 +1,13 @@
+apr (1.2.12-5+lenny2) stable; urgency=low
+
+ * Set FD_CLOEXEC flag on file descriptors. Not doing so caused Apache httpd
+ modules which do not use the apr API for executing other processes to leak
+ file descriptors to the called processes. In some setups, this could cause
+ security issues and/or problems with Apache failing to restart. This issue
+ affected mod_php (but not mod_cgi). Closes: #366124
+
+ -- Stefan Fritsch <sf at debian.org> Tue, 01 Jun 2010 23:11:19 +0200
+
apr (1.2.12-5+lenny1) stable-security; urgency=high
* Fix CVE-2009-2412: overflow in pool allocations, where size alignment
Modified: branches/lenny-apr/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr/patches/00list?rev=1313&op=diff
==============================================================================
--- branches/lenny-apr/patches/00list (original)
+++ branches/lenny-apr/patches/00list Sat May 14 08:38:21 2011
@@ -6,3 +6,4 @@
016_sendfile_hurd
022_hurd_path_max.dpatch
023_fix_doxygen.dpatch
+024_cloexec.dpatch
Added: branches/lenny-apr/patches/024_cloexec.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apr/patches/024_cloexec.dpatch?rev=1313&op=file
==============================================================================
--- branches/lenny-apr/patches/024_cloexec.dpatch (added)
+++ branches/lenny-apr/patches/024_cloexec.dpatch Sat May 14 08:38:21 2011
@@ -1,0 +1,284 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 024_cloexec.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Use FD_CLOEXEC for fds, but don't use the new APIs yet. PR 46425 / #366124
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/netware/mktemp.c lenny/file_io/netware/mktemp.c
+--- lenny~/file_io/netware/mktemp.c 2007-06-01 19:58:33.000000000 +0200
++++ lenny/file_io/netware/mktemp.c 2010-05-25 22:33:40.689808938 +0200
+@@ -19,6 +19,7 @@
+ #include "apr_strings.h" /* prototype of apr_mkstemp() */
+ #include "apr_arch_file_io.h" /* prototype of apr_mkstemp() */
+ #include "apr_portable.h" /* for apr_os_file_put() */
++#include "apr_arch_inherit.h"
+
+ #include <stdlib.h> /* for mkstemp() - Single Unix */
+
+@@ -43,6 +44,15 @@
+
+
+ if (!(flags & APR_FILE_NOCLEANUP)) {
++ int flags;
++
++ if ((flags = fcntl((*fp)->filedes, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl((*fp)->filedes, F_SETFD, flags) == -1)
++ return errno;
++
+ apr_pool_cleanup_register((*fp)->pool, (void *)(*fp),
+ apr_unix_file_cleanup,
+ apr_unix_child_file_cleanup);
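Review bot: Both new `return errno;` paths leave `(*fp)->filedes` open, because they return before `apr_pool_cleanup_register()` is reached and nothing else in the hunk closes the descriptor. The same early return appears in the unix/mktemp.c hunk and the first open.c hunk (`fd`), both sockets.c hunks (`socketdes`), and the epoll.c, kqueue.c and port.c hunks. Save errno and close before returning, e.g. `{ int err = errno; close((*fp)->filedes); return err; }`, so a failed fcntl() does not become a descriptor leak in a long-running server. The enclosing function starts and ends outside the hunk.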
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/unix/filedup.c lenny/file_io/unix/filedup.c
+--- lenny~/file_io/unix/filedup.c 2007-05-21 08:49:32.000000000 +0200
++++ lenny/file_io/unix/filedup.c 2010-05-25 22:33:40.689808938 +0200
+@@ -25,13 +25,27 @@
+ int which_dup)
+ {
+ int rv;
+-
++
+ if (which_dup == 2) {
+ if ((*new_file) == NULL) {
+ /* We can't dup2 unless we have a valid new_file */
+ return APR_EINVAL;
+ }
+ rv = dup2(old_file->filedes, (*new_file)->filedes);
++ if (!((*new_file)->flags & (APR_FILE_NOCLEANUP|APR_INHERIT))) {
++ int flags;
++
++ if (rv == -1)
++ return errno;
++
++ if ((flags = fcntl((*new_file)->filedes, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl((*new_file)->filedes, F_SETFD, flags) == -1)
++ return errno;
++
++ }
+ } else {
+ rv = dup(old_file->filedes);
+ }
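Review bot: The `else` branch, `rv = dup(old_file->filedes);`, gets no FD_CLOEXEC handling, and dup() always returns a descriptor with that flag cleared. Unless code after the hunk sets it, a duplicate that is neither APR_INHERIT nor APR_FILE_NOCLEANUP stays inheritable across exec for callers that bypass APR's child cleanups, which is the leak this patch is meant to close. Consider running the same F_GETFD/F_SETFD sequence on the new descriptor once the new file's flags are known. The function continues outside the hunk, so confirm against the full body.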
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/unix/mktemp.c lenny/file_io/unix/mktemp.c
+--- lenny~/file_io/unix/mktemp.c 2007-06-01 19:58:33.000000000 +0200
++++ lenny/file_io/unix/mktemp.c 2010-05-25 22:33:40.689808938 +0200
+@@ -51,6 +51,7 @@
+ #include "apr_strings.h" /* prototype of apr_mkstemp() */
+ #include "apr_arch_file_io.h" /* prototype of apr_mkstemp() */
+ #include "apr_portable.h" /* for apr_os_file_put() */
++#include "apr_arch_inherit.h"
+
+ #ifndef HAVE_MKSTEMP
+
+@@ -203,6 +204,15 @@
+ (*fp)->fname = apr_pstrdup(p, template);
+
+ if (!(flags & APR_FILE_NOCLEANUP)) {
++ int flags;
++
++ if ((flags = fcntl(fd, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl(fd, F_SETFD, flags) == -1)
++ return errno;
++
+ apr_pool_cleanup_register((*fp)->pool, (void *)(*fp),
+ apr_unix_file_cleanup,
+ apr_unix_child_file_cleanup);
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/unix/open.c lenny/file_io/unix/open.c
+--- lenny~/file_io/unix/open.c 2007-05-21 08:49:32.000000000 +0200
++++ lenny/file_io/unix/open.c 2010-05-25 22:33:40.689808938 +0200
+@@ -153,6 +153,16 @@
+ if (fd < 0) {
+ return errno;
+ }
++ if (!(flag & APR_FILE_NOCLEANUP)) {
++ int flags;
++
++ if ((flags = fcntl(fd, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl(fd, F_SETFD, flags) == -1)
++ return errno;
++ }
+
+ (*new) = (apr_file_t *)apr_pcalloc(pool, sizeof(apr_file_t));
+ (*new)->pool = pool;
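Review bot: A comment is missing on the window between `open()` and `F_SETFD`: in a threaded process another thread can fork and exec in that window and still inherit `fd`. The patch description says the newer APIs are deliberately not used, so this is a documentation point rather than a code change. Suggested comment above the block: `/* Not atomic with open(): a concurrent fork()+exec() can still inherit fd until F_SETFD completes. */`. The same caveat applies to both sockets.c hunks and to the epoll.c, kqueue.c and port.c hunks. The enclosing function starts and ends outside the hunk.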
+@@ -312,6 +322,15 @@
+ return APR_EINVAL;
+ }
+ if (thefile->flags & APR_INHERIT) {
++ int flags;
++
++ if ((flags = fcntl(thefile->filedes, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl(thefile->filedes, F_SETFD, flags) == -1)
++ return errno;
++
+ thefile->flags &= ~APR_INHERIT;
+ apr_pool_child_cleanup_set(thefile->pool,
+ (void *)thefile,
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/include/arch/unix/apr_arch_inherit.h lenny/include/arch/unix/apr_arch_inherit.h
+--- lenny~/include/arch/unix/apr_arch_inherit.h 2006-08-03 13:05:27.000000000 +0200
++++ lenny/include/arch/unix/apr_arch_inherit.h 2010-05-25 22:33:40.689808938 +0200
+@@ -27,6 +27,12 @@
+ if (the##name->flag & APR_FILE_NOCLEANUP) \
+ return APR_EINVAL; \
+ if (!(the##name->flag & APR_INHERIT)) { \
++ int flags = fcntl(the##name->name##des, F_GETFD); \
++ if (flags == -1) \
++ return errno; \
++ flags &= ~(FD_CLOEXEC); \
++ if (fcntl(the##name->name##des, F_SETFD, flags) == -1) \
++ return errno; \
+ the##name->flag |= APR_INHERIT; \
+ apr_pool_child_cleanup_set(the##name->pool, \
+ (void *)the##name, \
+@@ -41,6 +47,12 @@
+ if (the##name->flag & APR_FILE_NOCLEANUP) \
+ return APR_EINVAL; \
+ if (the##name->flag & APR_INHERIT) { \
++ int flags; \
++ if ((flags = fcntl(the##name->name##des, F_GETFD)) == -1) \
++ return errno; \
++ flags |= FD_CLOEXEC; \
++ if (fcntl(the##name->name##des, F_SETFD, flags) == -1) \
++ return errno; \
+ the##name->flag &= ~APR_INHERIT; \
+ apr_pool_child_cleanup_set(the##name->pool, \
+ (void *)the##name, \
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/network_io/unix/sockets.c lenny/network_io/unix/sockets.c
+--- lenny~/network_io/unix/sockets.c 2006-11-11 11:07:48.000000000 +0100
++++ lenny/network_io/unix/sockets.c 2010-05-25 22:33:40.689808938 +0200
+@@ -130,6 +130,17 @@
+ }
+ set_socket_vars(*new, family, type, protocol);
+
++ {
++ int flags;
++
++ if ((flags = fcntl((*new)->socketdes, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl((*new)->socketdes, F_SETFD, flags) == -1)
++ return errno;
++ }
++
+ (*new)->timeout = -1;
+ (*new)->inherit = 0;
+ apr_pool_cleanup_register((*new)->pool, (void *)(*new), socket_cleanup,
+@@ -247,6 +258,17 @@
+ (*new)->local_interface_unknown = 1;
+ }
+
++ {
++ int flags;
++
++ if ((flags = fcntl((*new)->socketdes, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl((*new)->socketdes, F_SETFD, flags) == -1)
++ return errno;
++ }
++
+ (*new)->inherit = 0;
+ apr_pool_cleanup_register((*new)->pool, (void *)(*new), socket_cleanup,
+ socket_cleanup);
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/poll/unix/epoll.c lenny/poll/unix/epoll.c
+--- lenny~/poll/unix/epoll.c 2006-08-03 13:05:27.000000000 +0200
++++ lenny/poll/unix/epoll.c 2010-05-25 22:33:40.689808938 +0200
+@@ -15,6 +15,7 @@
+ */
+
+ #include "apr_arch_poll_private.h"
++#include "apr_arch_inherit.h"
+
+ #ifdef POLLSET_USES_EPOLL
+
+@@ -99,6 +100,17 @@
+ return errno;
+ }
+
++ {
++ int flags;
++
++ if ((flags = fcntl(fd, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl(fd, F_SETFD, flags) == -1)
++ return errno;
++ }
++
+ *pollset = apr_palloc(p, sizeof(**pollset));
+ #if APR_HAS_THREADS
+ if (flags & APR_POLLSET_THREADSAFE &&
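Review bot: The block-local `int flags;` shadows the function's own `flags`, which is tested right after the block in `if (flags & APR_POLLSET_THREADSAFE &&`. It works only because the braces close first, and it is easy to misread which `flags` a given line refers to. Renaming the local, e.g. `int fd_flags;`, removes the ambiguity and keeps -Wshadow builds quiet. The unix and netware mktemp.c hunks have the same shadowing, declaring `int flags;` inside `if (!(flags & APR_FILE_NOCLEANUP)) {`.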
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/poll/unix/kqueue.c lenny/poll/unix/kqueue.c
+--- lenny~/poll/unix/kqueue.c 2007-04-13 22:54:13.000000000 +0200
++++ lenny/poll/unix/kqueue.c 2010-05-25 22:33:40.689808938 +0200
+@@ -15,6 +15,7 @@
+ */
+
+ #include "apr_arch_poll_private.h"
++#include "apr_arch_inherit.h"
+
+ #ifdef POLLSET_USES_KQUEUE
+
+@@ -101,6 +102,17 @@
+ return APR_ENOMEM;
+ }
+
++ {
++ int flags;
++
++ if ((flags = fcntl((*pollset)->kqueue_fd, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl((*pollset)->kqueue_fd, F_SETFD, flags) == -1)
++ return errno;
++ }
++
+ apr_pool_cleanup_register(p, (void *) (*pollset), backend_cleanup,
+ apr_pool_cleanup_null);
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/poll/unix/port.c lenny/poll/unix/port.c
+--- lenny~/poll/unix/port.c 2007-04-13 22:54:13.000000000 +0200
++++ lenny/poll/unix/port.c 2010-05-25 22:36:39.625539106 +0200
+@@ -15,6 +15,7 @@
+ */
+
+ #include "apr_arch_poll_private.h"
++#include "apr_arch_inherit.h"
+
+ #ifdef POLLSET_USES_PORT
+
+@@ -123,6 +124,17 @@
+ return APR_ENOMEM;
+ }
+
++ {
++ int flags;
++
++ if ((flags = fcntl((*pollset)->port_fd, F_GETFD)) == -1)
++ return errno;
++
++ flags |= FD_CLOEXEC;
++ if (fcntl((*pollset)->port_fd, F_SETFD, flags) == -1)
++ return errno;
++ }
++
+ apr_pool_cleanup_register(p, (void *) (*pollset), backend_cleanup,
+ apr_pool_cleanup_null);
+