[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, squeeze, updated. a40771997c44c700df5a3baf73d15af08b31aa9f

Stefan Fritsch sf at sfritsch.de
Sun Feb 5 20:35:44 UTC 2012


The following commit has been merged in the squeeze branch:
commit a8e2f5dafa7f425b1a8a0c0060fadb0dc6098014
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sat Feb 4 17:45:56 2012 +0100

    CVE-2011-3607: Fix integer overflow in ap_pregsub()

diff --git a/debian/changelog b/debian/changelog
index 7910ed3..ce79d7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ apache2 (2.2.16-6+squeeze5) UNRELEASED; urgency=high
   * Prevent unintended pattern expansion in some reverse proxy
     configurations by strictly validating the request-URI. Fixes
     CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
+  * CVE-2011-3607: Fix integer overflow in ap_pregsub(), which allowed local
+    privilege escalation.
 
  -- Stefan Fritsch <sf at debian.org>  Sat, 03 Dec 2011 18:38:51 +0100
 
diff --git a/debian/patches/00list b/debian/patches/00list
index e7407b9..3f627e6 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -33,6 +33,7 @@
 089_CVE-2011-3368.dpatch
 090_CVE-2011-4317.dpatch
 091_CVE-2011-3639.dpatch
+092_CVE-2011-3607.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
diff --git a/debian/patches/092_CVE-2011-3607.dpatch b/debian/patches/092_CVE-2011-3607.dpatch
new file mode 100644
index 0000000..e7ea6c8
--- /dev/null
+++ b/debian/patches/092_CVE-2011-3607.dpatch
@@ -0,0 +1,52 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1227280
+commit ffcd2b1a24a1eeb94cb460e41875c442738ece54
+Author: Stefan Fritsch <sf at apache.org>
+Date:   Wed Jan 4 19:45:22 2012 +0000
+
+    Merge fix for CVE-2011-3607:
+    
+    Fix integer overflow in ap_pregsub()
+    
+    Trunk fix: r1198940
+    Submitted by: Stefan Fritsch, Greg Ames
+    Reviewed by: Stefan Fritsch, Greg Ames, Eric Covener
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1227280 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/util.c b/server/util.c
+index d0b90c6..a50d034 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -82,6 +82,8 @@
+ #define IS_SLASH(s) (s == '/')
+ #endif
+ 
++/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
++#define UTIL_SIZE_MAX (~((apr_size_t)0))
+ 
+ /*
+  * Examine a field value (such as a media-/content-type) string and return
+@@ -366,7 +368,7 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
+     char *dest, *dst;
+     char c;
+     size_t no;
+-    int len;
++    apr_size_t len;
+ 
+     if (!source)
+         return NULL;
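Review bot: the `int len` to `apr_size_t len` change at `@@ -366,7 +368,7 @@` shows only the declaration; the remaining uses of `len` in ap_pregsub (the allocation of `dest` and the copy loop) fall outside the visible context, so confirm that none of them compare `len` against a signed value or pass it to a `%d`-style format, since those now become signed/unsigned mismatches after this change.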
+@@ -391,6 +393,11 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
+             len++;
+         }
+         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++            if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
++                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
++                             "integer overflow or out of memory condition." );
++                return NULL;
++            }
+             len += pmatch[no].rm_eo - pmatch[no].rm_so;
+         }
+ 
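Review bot: the new guard `UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so` at `@@ -391,6 +393,11 @@` is sound for the match-substitution path, and using `<=` rather than `<` keeps at least one byte of headroom, which matters if the allocation that follows (not shown in this hunk) adds a terminator to `len`. Two details worth a comment in the code: the right-hand subtraction is evaluated in the signed type of `rm_so`/`rm_eo` and only converted to `apr_size_t` for the comparison, which is safe solely because the enclosing `else if` already requires `rm_so < rm_eo`; and the literal-character branch (`len++` in the context just above) stays unchecked, which is acceptable only because it needs an input string approaching `apr_size_t` range to wrap. Minor style point: the stray space in `condition." );` should be `condition.");`.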

-- 
Debian packaging for apache2 (Apache HTTPD 2.x)