[apache2] 01/04: Fix buffer overflows in suexec with very long usernames

Stefan Fritsch sf at moszumanska.debian.org
Sun Jun 8 08:39:04 UTC 2014



sf pushed a commit to branch master
in repository apache2.

commit 860448dc798790f4cee49ba5ff04e3ff232a1908
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Thu May 29 21:46:49 2014 +0200

    Fix buffer overflows in suexec with very long usernames
    
    Not exploitable in practice: FORTIFY_SOURCE turns the overflowing
    strncat/strncpy into an abort. And creating users with such long names
    usually requires root, anyway.
---
 debian/changelog                          |  3 +++
 debian/patches/suexec-CVE-2007-1742.patch | 24 ++++++++++++++----------
 debian/patches/suexec-custom.patch        | 30 +++++++++++++-----------------
 3 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 711e3a4..4c28ce4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ apache2 (2.4.9-2) UNRELEASED; urgency=medium
     DocumentRoots, the old /var/www and the new /var/www/html. Also
     change the compiled in default DocumentRoot to /var/www/html.
     Closes: #743915
+  * Fix buffer overflows in suexec with very long (unix) usernames. Not
+    exploitable due to FORTIFY_SOURCE. And creating users usually requires
+    root, anyway. Thanks to Luca Bruno for the report.
 
  -- Stefan Fritsch <sf at debian.org>  Sun, 27 Apr 2014 22:15:58 +0200
 
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch
index 9ea0ee0..5655522 100644
--- a/debian/patches/suexec-CVE-2007-1742.patch
+++ b/debian/patches/suexec-CVE-2007-1742.patch
@@ -2,10 +2,10 @@ Description: Fix race condition with chdir
  Fix /var/www* being accepted as docroot instead of /var/www/*
  (the same for public_html* instead of public_html/* )
 Author: Stefan Fritsch <sf at debian.org>
-Last-Update: 2012-02-25
+Last-Update: 2014-05-29
 Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
---- a/support/suexec.c
-+++ b/support/suexec.c
+--- apache2.orig/support/suexec.c
++++ apache2/support/suexec.c
 @@ -42,6 +42,7 @@
  #if APR_HAVE_UNISTD_H
  #include <unistd.h>
@@ -14,7 +14,13 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
  
  #include <stdio.h>
  #include <stdarg.h>
-@@ -261,6 +262,7 @@
+@@ -256,11 +257,12 @@ int main(int argc, char *argv[])
+     char *actual_gname;     /* actual group name         */
+     char *cmd;              /* command to be executed    */
+     char cwd[AP_MAXPATH];   /* current working directory */
+-    char dwd[AP_MAXPATH];   /* docroot working directory */
++    char dwd[AP_MAXPATH+1]; /* docroot working directory */
+     struct passwd *pw;      /* password entry holder     */
      struct group *gr;       /* group entry holder        */
      struct stat dir_info;   /* directory info holder     */
      struct stat prg_info;   /* program info holder       */
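Review bot: `dwd` grows to `AP_MAXPATH+1` while `cwd` two lines above stays `AP_MAXPATH`, and nothing at the declaration explains the asymmetry; the reason is that a '/' is appended to dwd later, after getcwd() has filled at most AP_MAXPATH-1 characters, and that belongs in the trailing comment, e.g. `char dwd[AP_MAXPATH+1]; /* docroot working directory, +1 for trailing '/' */`. Without it the next person to "tidy" the sizes will reintroduce the one-byte overflow this commit fixes. These declarations belong to main(), which starts and ends outside the hunk.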
@@ -22,7 +28,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
  
      /*
       * Start with a "clean" environment
-@@ -502,11 +504,16 @@
+@@ -502,11 +504,16 @@ int main(int argc, char *argv[])
          exit(111);
      }
  
@@ -40,7 +46,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
          }
-@@ -514,12 +521,18 @@
+@@ -514,12 +521,16 @@ int main(int argc, char *argv[])
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
              ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
@@ -53,10 +59,8 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
  
 +    close(cwdh);
 +
-+    if (strlen(cwd) > strlen(dwd)) {
-+        strncat(dwd, "/", AP_MAXPATH);
-+        dwd[AP_MAXPATH-1] = '\0';
-+    }
++    if (strlen(cwd) > strlen(dwd))
++        strncat(dwd, "/", 1);
      if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
          log_err("command not in docroot (%s/%s)\n", cwd, cmd);
          exit(114);
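Review bot: The `1` in `strncat(dwd, "/", 1)` bounds the source string, not the destination, so this call is safe only because dwd is declared `AP_MAXPATH+1` in an earlier hunk while getcwd() above is limited to `AP_MAXPATH`; that invariant should be stated at the call site, e.g. `/* dwd holds AP_MAXPATH+1 bytes and getcwd() wrote at most AP_MAXPATH-1, so one more char fits */`. Dropping the braces around the single-statement `if` is also a style regression against the surrounding code, which braces every body. main() continues outside the hunk.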
diff --git a/debian/patches/suexec-custom.patch b/debian/patches/suexec-custom.patch
index e25842e..532f99a 100644
--- a/debian/patches/suexec-custom.patch
+++ b/debian/patches/suexec-custom.patch
@@ -1,9 +1,9 @@
 Description: the actual patch to make suexec-custom read a config file
 Forwarded: not-needed
 Author: Stefan Fritsch <sf at debian.org>
-Last-Update: 2012-02-25
---- a/support/suexec-custom.c
-+++ b/support/suexec-custom.c
+Last-Update: 2014-05-29
+--- apache2.orig/support/suexec-custom.c
++++ apache2/support/suexec-custom.c
 @@ -29,6 +29,7 @@
   *
   *
@@ -20,7 +20,7 @@ Last-Update: 2012-02-25
  #if APR_HAVE_UNISTD_H
  #include <unistd.h>
  #endif
-@@ -197,6 +199,26 @@
+@@ -197,6 +199,26 @@ static void log_no_err(const char *fmt,.
      return;
  }
  
@@ -47,7 +47,7 @@ Last-Update: 2012-02-25
  static void clean_env(void)
  {
      char pathbuf[512];
-@@ -263,6 +285,11 @@
+@@ -263,6 +285,11 @@ int main(int argc, char *argv[])
      struct stat dir_info;   /* directory info holder     */
      struct stat prg_info;   /* program info holder       */
      int cwdh;               /* handle to cwd             */
@@ -59,7 +59,7 @@ Last-Update: 2012-02-25
  
      /*
       * Start with a "clean" environment
-@@ -292,15 +319,10 @@
+@@ -292,15 +319,10 @@ int main(int argc, char *argv[])
              || (! strcmp(AP_HTTPD_USER, pw->pw_name)))
  #endif /* _OSD_POSIX */
          ) {
@@ -76,7 +76,7 @@ Last-Update: 2012-02-25
  #ifdef AP_LOG_EXEC
          fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
  #endif
-@@ -313,9 +335,6 @@
+@@ -313,9 +335,6 @@ int main(int argc, char *argv[])
  #ifdef AP_UID_MIN
          fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN);
  #endif
@@ -86,7 +86,7 @@ Last-Update: 2012-02-25
          exit(0);
      }
      /*
-@@ -330,23 +349,6 @@
+@@ -330,23 +349,6 @@ int main(int argc, char *argv[])
      target_gname = argv[2];
      cmd = argv[3];
  
@@ -110,7 +110,7 @@ Last-Update: 2012-02-25
  
      /*
       * Check for a leading '/' (absolute path) in the command to be executed,
-@@ -371,6 +373,63 @@
+@@ -371,6 +373,59 @@ int main(int argc, char *argv[])
      }
  
      /*
@@ -119,18 +119,14 @@ Last-Update: 2012-02-25
 +     * SUEXEC_CONFIG_DIR/username
 +     * If not, error out.
 +     */
-+    filename = malloc(AP_MAXPATH+1);
 +    suexec_docroot = malloc(AP_MAXPATH+1);
 +    suexec_userdir_suffix = malloc(AP_MAXPATH+1);
-+    if (!filename || !suexec_docroot || !suexec_userdir_suffix) {
++    if (!suexec_docroot || !suexec_userdir_suffix ||
++        asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name) == -1) {
 +        log_err("malloc failed\n");
 +        exit(120);
 +    }
 +
-+    strncpy(filename, SUEXEC_CONFIG_DIR, AP_MAXPATH);
-+    strncat(filename, pw->pw_name, AP_MAXPATH);
-+    filename[AP_MAXPATH] = '\0';
-+
 +    configfile = fopen(filename, "r");
 +    if (!configfile) {
 +        log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename);
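Review bot: The config path is built by splicing `SUEXEC_CONFIG_DIR` into the format string, so any `%` in that compile-time directory would be parsed as a conversion; passing it as an argument avoids the hazard at no cost: `asprintf(&filename, "%s%s", SUEXEC_CONFIG_DIR, pw->pw_name) == -1`. The name appended after it comes from the passwd entry, so an account whose name contains `/` would select a file outside SUEXEC_CONFIG_DIR; given the commit's note that creating users needs root this looks acceptable, but a `strchr(pw->pw_name, '/')` rejection before the asprintf would be cheap defense in depth. asprintf() is a GNU/BSD extension and whether `_GNU_SOURCE` is defined for suexec-custom.c is not visible in this hunk. main() continues outside the hunk.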
@@ -174,7 +170,7 @@ Last-Update: 2012-02-25
       * Error out if the target username is invalid.
       */
      if (strspn(target_uname, "1234567890") != strlen(target_uname)) {
-@@ -511,7 +570,7 @@
+@@ -511,7 +566,7 @@ int main(int argc, char *argv[])
  
      if (userdir) {
          if (((chdir(target_homedir)) != 0) ||
@@ -183,7 +179,7 @@ Last-Update: 2012-02-25
              ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
              ((fchdir(cwdh)) != 0)) {
              log_err("cannot get docroot information (%s)\n", target_homedir);
-@@ -519,7 +578,7 @@
+@@ -519,7 +574,7 @@ int main(int argc, char *argv[])
          }
      }
      else {



