[apache2] 01/04: CVE-2014-0226: race condition in scoreboard handling
Stefan Fritsch
sf at moszumanska.debian.org
Sat Aug 16 19:38:23 UTC 2014
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch wheezy
in repository apache2.
commit b8e5af56d6912993aaed5975a9e7a6711039bfa8
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Wed Jul 23 23:14:06 2014 +0200
CVE-2014-0226: race condition in scoreboard handling
---
debian/changelog | 7 +++
debian/patches/CVE-2014-0226_scoreboard.patch | 89 +++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 97 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ea1e44d..0c2b3dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apache2 (2.2.22-13+deb7u3) UNRELEASED; urgency=medium
+
+ * CVE-2014-0226: Fix a race condition in scoreboard handling,
+ which could lead to a heap buffer overflow.
+
+ -- Stefan Fritsch <sf at debian.org> Wed, 23 Jul 2014 23:13:37 +0200
+
apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium
* Backport support for SSL ECC keys and ECDH ciphers.
diff --git a/debian/patches/CVE-2014-0226_scoreboard.patch b/debian/patches/CVE-2014-0226_scoreboard.patch
new file mode 100644
index 0000000..522fa43
--- /dev/null
+++ b/debian/patches/CVE-2014-0226_scoreboard.patch
@@ -0,0 +1,89 @@
+# https://svn.apache.org/r1610515
+#
+# SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling,
+# which could lead to a heap buffer overflow. Thanks to Marek Kroemeke
+# working with HP's Zero Day Initiative for reporting this.
+#
+# * include/scoreboard.h: Add ap_copy_scoreboard_worker.
+#
+# * server/scoreboard.c (ap_copy_scoreboard_worker): New function.
+#
+# * modules/generators/mod_status.c (status_handler): Use it.
+#
+Index: apache2/include/scoreboard.h
+===================================================================
+--- apache2.orig/include/scoreboard.h
++++ apache2/include/scoreboard.h
+@@ -189,7 +189,24 @@ AP_DECLARE(int) ap_update_child_status_f
+ int status, request_rec *r);
+ void ap_time_process_request(ap_sb_handle_t *sbh, int status);
+
++/** Return a pointer to the worker_score for a given child, thread pair.
++ * @param child_num The child number.
++ * @param thread_num The thread number.
++ * @return A pointer to the worker_score structure.
++ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead.
++ */
+ AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y);
++
++/** Copy the contents of a worker's scoreboard entry. The contents of
++ * the worker_score structure are copied verbatim into the dest
++ * structure.
++ * @param dest Output parameter.
++ * @param child_num The child number.
++ * @param thread_num The thread number.
++ */
++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,
++ int child_num, int thread_num);
++
+ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x);
+ AP_DECLARE(global_score *) ap_get_scoreboard_global(void);
+ AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num);
+Index: apache2/modules/generators/mod_status.c
+===================================================================
+--- apache2.orig/modules/generators/mod_status.c
++++ apache2/modules/generators/mod_status.c
+@@ -241,7 +241,7 @@ static int status_handler(request_rec *r
+ #endif
+ int short_report;
+ int no_table_report;
+- worker_score *ws_record;
++ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);
+ process_score *ps_record;
+ char *stat_buffer;
+ pid_t *pid_buffer, worker_pid;
+@@ -333,7 +333,7 @@ static int status_handler(request_rec *r
+ for (j = 0; j < thread_limit; ++j) {
+ int indx = (i * thread_limit) + j;
+
+- ws_record = ap_get_scoreboard_worker(i, j);
++ ap_copy_scoreboard_worker(ws_record, i, j);
+ res = ws_record->status;
+ stat_buffer[indx] = status_flags[res];
+
+Index: apache2/server/scoreboard.c
+===================================================================
+--- apache2.orig/server/scoreboard.c
++++ apache2/server/scoreboard.c
+@@ -510,6 +510,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb
+ return &ap_scoreboard_image->servers[x][y];
+ }
+
++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest,
++ int child_num,
++ int thread_num)
++{
++ worker_score *ws = ap_get_scoreboard_worker(child_num, thread_num);
++
++ memcpy(dest, ws, sizeof *ws);
++
++ /* For extra safety, NUL-terminate the strings returned, though it
++ * should be true those last bytes are always zero anyway. */
++ dest->client[sizeof(dest->client) - 1] = '\0';
++ dest->request[sizeof(dest->request) - 1] = '\0';
++ dest->vhost[sizeof(dest->vhost) - 1] = '\0';
++}
++
+ AP_DECLARE(process_score *) ap_get_scoreboard_process(int x)
+ {
+ if ((x < 0) || (server_limit < x)) {
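Review bot: The pointer returned by ap_get_scoreboard_worker() is passed to memcpy() unchecked in ap_copy_scoreboard_worker (the `worker_score *ws = ...` and `memcpy(dest, ws, sizeof *ws);` lines); the body of ap_get_scoreboard_worker is cut off at the top of this hunk, but the range check visible on ap_get_scoreboard_process at the hunk's end suggests it returns NULL for out-of-range indices, which would turn the copy into a NULL dereference. Since the new function is exported API and future callers cannot be assumed to stay within server_limit/thread_limit, guard it before the memcpy: `if (ws == NULL) { memset(dest, 0, sizeof *dest); return; }` (or at minimum `AP_DEBUG_ASSERT(ws != NULL);`). The only visible caller loops over `j < thread_limit` (the bound on i is outside the hunk), so it is in range today; status_handler starts and ends outside the hunk, so any further ap_get_scoreboard_worker() call sites later in that function would still read the live shared-memory entry and should be switched to the pool copy as well.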
diff --git a/debian/patches/series b/debian/patches/series
index 1c798c8..7493e68 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -42,3 +42,4 @@ mod_dav-CVE-2013-6438.patch
cookie-logging-CVE-2014-0098.diff
SSL-ECC.patch
mod_proxy-crash-PR_50335.patch
+CVE-2014-0226_scoreboard.patch
--