[apache2] 01/03: mod_dav: Fix segfaults

Stefan Fritsch sf at moszumanska.debian.org
Sat Feb 1 13:56:03 UTC 2014 

This is an automated email from the git hooks/post-receive script.

sf pushed a commit to tag debian/2.2.22-13+deb7u1
in repository apache2.

commit 37289d0697dc79ae1ffb9fa102dbd2b6d4432878
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Fri Jan 31 19:39:41 2014 +0100

    mod_dav: Fix segfaults
    
    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
---
 debian/changelog                            |  2 +
 debian/patches/mod_dav_crash_PR_52559.patch | 81 +++++++++++++++++++++++++++++
 debian/patches/series                       |  1 +
 3 files changed, 84 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 5dc434f..b7f93e0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ apache2 (2.2.22-13+wheezy1) UNRELEASED; urgency=low
 
   * Make apache2ctl create the necessary directories even if started with
     special options for apache2. Closes: #731531
+  * mod_dav: Fix segfaults in certain error conditions.
+    https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
   * Adjust paragraph in README.Debian about MaxMemFree not working properly.
     The issue has been fixed with apr 1.4.5-1.
 
diff --git a/debian/patches/mod_dav_crash_PR_52559.patch b/debian/patches/mod_dav_crash_PR_52559.patch
new file mode 100644
index 0000000..e96de33
--- /dev/null
+++ b/debian/patches/mod_dav_crash_PR_52559.patch
@@ -0,0 +1,81 @@
+# http://svn.apache.org/r1497455
+# mod_dav: When a PROPPATCH attempts to remove a non-existent dead
+# property on a resource for which there is no dead property in the same
+# namespace httpd segfaults.
+#
+# http://svn.apache.org/r1497457
+# mod_dav: Do not fail PROPPATCH when prop namespace is not known.
+#
+# http://svn.apache.org/r1497463
+# mod_dav: Do not segfault on PROPFIND with a zero length DBM.
+#
+Index: apache2/modules/dav/fs/dbm.c
+===================================================================
+--- apache2.orig/modules/dav/fs/dbm.c
++++ apache2/modules/dav/fs/dbm.c
+@@ -191,7 +191,15 @@
+ 
+ dav_error * dav_dbm_fetch(dav_db *db, apr_datum_t key, apr_datum_t *pvalue)
+ {
+-    apr_status_t status = apr_dbm_fetch(db->file, key, pvalue);
++    apr_status_t status;
++
++    if (!key.dptr) {
++        /* no key could be created (namespace not known) => no value */
++        memset(pvalue, 0, sizeof(*pvalue));
++        status = APR_SUCCESS;
++    } else {
++        status = apr_dbm_fetch(db->file, key, pvalue);
++    }
+ 
+     return dav_fs_dbm_error(db, NULL, status);
+ }
+@@ -729,6 +737,10 @@
+ static dav_error * dav_propdb_apply_rollback(dav_db *db,
+                                              dav_deadprop_rollback *rollback)
+ {
++    if (!rollback) {
++        return NULL; /* no rollback, nothing to do */
++    }
++
+     if (rollback->value.dptr == NULL) {
+         /* don't fail if the thing isn't really there. */
+         (void) dav_dbm_delete(db, rollback->key);
+Index: apache2/modules/dav/main/props.c
+===================================================================
+--- apache2.orig/modules/dav/main/props.c
++++ apache2/modules/dav/main/props.c
+@@ -594,13 +594,14 @@
+         if (propdb->db != NULL) {
+             dav_xmlns_info *xi = dav_xmlns_create(propdb->p);
+             dav_prop_name name;
++            dav_error *err;
+ 
+             /* define (up front) any namespaces the db might need */
+             (void) (*db_hooks->define_namespaces)(propdb->db, xi);
+ 
+             /* get the first property name, beginning the scan */
+-            (void) (*db_hooks->first_name)(propdb->db, &name);
+-            while (name.ns != NULL) {
++            err = (*db_hooks->first_name)(propdb->db, &name);
++            while (!err && name.ns) {
+ 
+                 /*
+                 ** We also look for <DAV:getcontenttype> and
+@@ -619,7 +620,6 @@
+                 }
+ 
+                 if (what == DAV_PROP_INSERT_VALUE) {
+-                    dav_error *err;
+                     int found;
+ 
+                     if ((err = (*db_hooks->output_value)(propdb->db, &name,
+@@ -638,7 +638,7 @@
+                 }
+ 
+               next_key:
+-                (void) (*db_hooks->next_name)(propdb->db, &name);
++                err = (*db_hooks->next_name)(propdb->db, &name);
+             }
+ 
+             /* all namespaces have been entered into xi. generate them into
diff --git a/debian/patches/series b/debian/patches/series
index 9425aae..a1d774a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,4 @@ CVE-2012-3499_CVE-2012-4558_XSS.patch
 mod_log_forensic_693292.patch
 mod_rewrite-CVE-2013-1862.patch
 CVE-2013-1896.patch
+mod_dav_crash_PR_52559.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git

More information about the Pkg-apache-commits mailing list