[apache2] 01/04: CVE-2014-0226: race condition in scoreboard handling

Stefan Fritsch sf at moszumanska.debian.org
Sat Aug 16 19:38:23 UTC 2014


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch wheezy
in repository apache2.

commit b8e5af56d6912993aaed5975a9e7a6711039bfa8
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Wed Jul 23 23:14:06 2014 +0200

    CVE-2014-0226: race condition in scoreboard handling
---
 debian/changelog                              |  7 +++
 debian/patches/CVE-2014-0226_scoreboard.patch | 89 +++++++++++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 97 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ea1e44d..0c2b3dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.2.22-13+deb7u3) UNRELEASED; urgency=medium
+
+  * CVE-2014-0226: Fix a race condition in scoreboard handling,
+    which could lead to a heap buffer overflow.
+
+ -- Stefan Fritsch <sf at debian.org>  Wed, 23 Jul 2014 23:13:37 +0200
+
 apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium
 
   * Backport support for SSL ECC keys and ECDH ciphers.
diff --git a/debian/patches/CVE-2014-0226_scoreboard.patch b/debian/patches/CVE-2014-0226_scoreboard.patch
new file mode 100644
index 0000000..522fa43
--- /dev/null
+++ b/debian/patches/CVE-2014-0226_scoreboard.patch
@@ -0,0 +1,89 @@
+# https://svn.apache.org/r1610515
+#
+#    SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,
+#    which could lead to a heap buffer overflow.  Thanks to Marek Kroemeke
+#    working with HP's Zero Day Initiative for reporting this.
+#    
+#    * include/scoreboard.h: Add ap_copy_scoreboard_worker.
+#    
+#    * server/scoreboard.c (ap_copy_scoreboard_worker): New function.
+#    
+#    * modules/generators/mod_status.c (status_handler): Use it.
+#
+Index: apache2/include/scoreboard.h
+===================================================================
+--- apache2.orig/include/scoreboard.h
++++ apache2/include/scoreboard.h
+@@ -189,7 +189,24 @@ AP_DECLARE(int) ap_update_child_status_f
+                                                     int status, request_rec *r);
+ void ap_time_process_request(ap_sb_handle_t *sbh, int status);
+ 
++/** Return a pointer to the worker_score for a given child, thread pair.
++ * @param child_num The child number.
++ * @param thread_num The thread number.
++ * @return A pointer to the worker_score structure.
++ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. 
++ */
+ AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y);
++
++/** Copy the contents of a worker's scoreboard entry.  The contents of
++ * the worker_score structure are copied verbatim into the dest
++ * structure.
++ * @param dest Output parameter.
++ * @param child_num The child number.
++ * @param thread_num The thread number.
++ */
++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,
++                                           int child_num, int thread_num);
++
+ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x);
+ AP_DECLARE(global_score *) ap_get_scoreboard_global(void);
+ AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num);
+Index: apache2/modules/generators/mod_status.c
+===================================================================
+--- apache2.orig/modules/generators/mod_status.c
++++ apache2/modules/generators/mod_status.c
+@@ -241,7 +241,7 @@ static int status_handler(request_rec *r
+ #endif
+     int short_report;
+     int no_table_report;
+-    worker_score *ws_record;
++    worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);
+     process_score *ps_record;
+     char *stat_buffer;
+     pid_t *pid_buffer, worker_pid;
+@@ -333,7 +333,7 @@ static int status_handler(request_rec *r
+         for (j = 0; j < thread_limit; ++j) {
+             int indx = (i * thread_limit) + j;
+ 
+-            ws_record = ap_get_scoreboard_worker(i, j);
++            ap_copy_scoreboard_worker(ws_record, i, j);
+             res = ws_record->status;
+             stat_buffer[indx] = status_flags[res];
+ 
+Index: apache2/server/scoreboard.c
+===================================================================
+--- apache2.orig/server/scoreboard.c
++++ apache2/server/scoreboard.c
+@@ -510,6 +510,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb
+     return &ap_scoreboard_image->servers[x][y];
+ }
+ 
++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, 
++                                           int child_num,
++                                           int thread_num)
++{
++    worker_score *ws = ap_get_scoreboard_worker(child_num, thread_num);
++
++    memcpy(dest, ws, sizeof *ws);
++
++    /* For extra safety, NUL-terminate the strings returned, though it
++     * should be true those last bytes are always zero anyway. */
++    dest->client[sizeof(dest->client) - 1] = '\0';
++    dest->request[sizeof(dest->request) - 1] = '\0';
++    dest->vhost[sizeof(dest->vhost) - 1] = '\0';
++}
++
+ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x)
+ {
+     if ((x < 0) || (server_limit < x)) {
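Review bot: ap_copy_scoreboard_worker copies through `ws` without checking it for NULL, yet the sibling ap_get_scoreboard_process at the bottom of the hunk opens with a range check, so ap_get_scoreboard_worker presumably returns NULL for an out-of-range child/thread pair and `memcpy(dest, ws, sizeof *ws)` would then dereference NULL. Either state the in-range precondition in the new Doxygen comment in scoreboard.h, or guard the copy with `if (!ws) { memset(dest, 0, sizeof *dest); return; }` so callers always get a fully initialised, NUL-terminated snapshot. The new comment on ap_get_scoreboard_worker documents `child_num` and `thread_num` while the prototype on the next line keeps `x` and `y`; renaming the prototype's parameters to match keeps the declaration and its documentation in agreement. The status_handler hunk in mod_status.c is a fragment of a function that starts and ends outside the patch; if that function reads the live scoreboard entry anywhere else, those reads need the same conversion to the copied snapshot, since the point of the fix is that the shared entry can change underneath the reader.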
diff --git a/debian/patches/series b/debian/patches/series
index 1c798c8..7493e68 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,3 +42,4 @@ mod_dav-CVE-2013-6438.patch
 cookie-logging-CVE-2014-0098.diff
 SSL-ECC.patch
 mod_proxy-crash-PR_50335.patch
+CVE-2014-0226_scoreboard.patch
