[apache2] 01/04: Fix buffer overflows in suexec with very long usernames
Stefan Fritsch
sf at moszumanska.debian.org
Sun Jun 8 08:39:04 UTC 2014
sf pushed a commit to branch master
in repository apache2.
commit 860448dc798790f4cee49ba5ff04e3ff232a1908
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Thu May 29 21:46:49 2014 +0200
Fix buffer overflows in suexec with very long usernames
Not exploitable due to FORTIFY_SOURCE. And creating users usually
requires root, anyway.
---
debian/changelog | 3 +++
debian/patches/suexec-CVE-2007-1742.patch | 24 ++++++++++++++----------
debian/patches/suexec-custom.patch | 30 +++++++++++++-----------------
3 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 711e3a4..4c28ce4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ apache2 (2.4.9-2) UNRELEASED; urgency=medium
DocumentRoots, the old /var/www and the new /var/www/html. Also
change the compiled in default DocumentRoot to /var/www/html.
Closes: #743915
+ * Fix buffer overflows in suexec with very long (unix) usernames. Not
+ exploitable due to FORTIFY_SOURCE. And creating users usually requires
+ root, anyway. Thanks to Luca Bruno for the report.
-- Stefan Fritsch <sf at debian.org> Sun, 27 Apr 2014 22:15:58 +0200
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch
index 9ea0ee0..5655522 100644
--- a/debian/patches/suexec-CVE-2007-1742.patch
+++ b/debian/patches/suexec-CVE-2007-1742.patch
@@ -2,10 +2,10 @@ Description: Fix race condition with chdir
Fix /var/www* being accepted as docroot instead of /var/www/*
(the same for public_html* instead of public_html/* )
Author: Stefan Fritsch <sf at debian.org>
-Last-Update: 2012-02-25
+Last-Update: 2014-05-29
Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
---- a/support/suexec.c
-+++ b/support/suexec.c
+--- apache2.orig/support/suexec.c
++++ apache2/support/suexec.c
@@ -42,6 +42,7 @@
#if APR_HAVE_UNISTD_H
#include <unistd.h>
@@ -14,7 +14,13 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
#include <stdio.h>
#include <stdarg.h>
-@@ -261,6 +262,7 @@
+@@ -256,11 +257,12 @@ int main(int argc, char *argv[])
+ char *actual_gname; /* actual group name */
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+- char dwd[AP_MAXPATH]; /* docroot working directory */
++ char dwd[AP_MAXPATH+1]; /* docroot working directory */
+ struct passwd *pw; /* password entry holder */
struct group *gr; /* group entry holder */
struct stat dir_info; /* directory info holder */
struct stat prg_info; /* program info holder */
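Review bot: The new `char dwd[AP_MAXPATH+1]` declaration gives no hint of why it is one byte larger than the neighbouring `char cwd[AP_MAXPATH]`; the reason lives in a later hunk of this same patch, where a trailing `/` is appended to dwd after `getcwd(dwd, AP_MAXPATH)`. A maintainer who later "tidies" the asymmetry would silently reintroduce the one-byte overflow this commit fixes. Suggest making the invariant explicit on the declaration: `char dwd[AP_MAXPATH+1]; /* docroot working directory; +1 so a trailing '/' fits after getcwd() */`. The enclosing main() starts and ends outside the hunk.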
@@ -22,7 +28,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
/*
* Start with a "clean" environment
-@@ -502,11 +504,16 @@
+@@ -502,11 +504,16 @@ int main(int argc, char *argv[])
exit(111);
}
@@ -40,7 +46,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
log_err("cannot get docroot information (%s)\n", target_homedir);
exit(112);
}
-@@ -514,12 +521,18 @@
+@@ -514,12 +521,16 @@ int main(int argc, char *argv[])
else {
if (((chdir(AP_DOC_ROOT)) != 0) ||
((getcwd(dwd, AP_MAXPATH)) == NULL) ||
@@ -53,10 +59,8 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
+ close(cwdh);
+
-+ if (strlen(cwd) > strlen(dwd)) {
-+ strncat(dwd, "/", AP_MAXPATH);
-+ dwd[AP_MAXPATH-1] = '\0';
-+ }
++ if (strlen(cwd) > strlen(dwd))
++ strncat(dwd, "/", 1);
if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
log_err("command not in docroot (%s/%s)\n", cwd, cmd);
exit(114);
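Review bot: `strncat(dwd, "/", 1)` is safe only because of the separate change to `char dwd[AP_MAXPATH+1]`: the third argument of strncat() bounds the bytes read from the source, not the space remaining in the destination, so this call asserts nothing about dwd's capacity and reads as if it did. Because the source is a one-character literal, the intent is clearer with an explicit capacity check and a plain strcat: `if (strlen(cwd) > strlen(dwd) && strlen(dwd) + 1 < sizeof dwd) {` / `    strcat(dwd, "/");` / `}`. Keeping the braces also matches the braced style of the surrounding suexec code (`if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {`) rather than the unbraced single-statement `if` the new lines introduce. The enclosing main() starts and ends outside the hunk.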
diff --git a/debian/patches/suexec-custom.patch b/debian/patches/suexec-custom.patch
index e25842e..532f99a 100644
--- a/debian/patches/suexec-custom.patch
+++ b/debian/patches/suexec-custom.patch
@@ -1,9 +1,9 @@
Description: the actual patch to make suexec-custom read a config file
Forwarded: not-needed
Author: Stefan Fritsch <sf at debian.org>
-Last-Update: 2012-02-25
---- a/support/suexec-custom.c
-+++ b/support/suexec-custom.c
+Last-Update: 2014-05-29
+--- apache2.orig/support/suexec-custom.c
++++ apache2/support/suexec-custom.c
@@ -29,6 +29,7 @@
*
*
@@ -20,7 +20,7 @@ Last-Update: 2012-02-25
#if APR_HAVE_UNISTD_H
#include <unistd.h>
#endif
-@@ -197,6 +199,26 @@
+@@ -197,6 +199,26 @@ static void log_no_err(const char *fmt,.
return;
}
@@ -47,7 +47,7 @@ Last-Update: 2012-02-25
static void clean_env(void)
{
char pathbuf[512];
-@@ -263,6 +285,11 @@
+@@ -263,6 +285,11 @@ int main(int argc, char *argv[])
struct stat dir_info; /* directory info holder */
struct stat prg_info; /* program info holder */
int cwdh; /* handle to cwd */
@@ -59,7 +59,7 @@ Last-Update: 2012-02-25
/*
* Start with a "clean" environment
-@@ -292,15 +319,10 @@
+@@ -292,15 +319,10 @@ int main(int argc, char *argv[])
|| (! strcmp(AP_HTTPD_USER, pw->pw_name)))
#endif /* _OSD_POSIX */
) {
@@ -76,7 +76,7 @@ Last-Update: 2012-02-25
#ifdef AP_LOG_EXEC
fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC);
#endif
-@@ -313,9 +335,6 @@
+@@ -313,9 +335,6 @@ int main(int argc, char *argv[])
#ifdef AP_UID_MIN
fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN);
#endif
@@ -86,7 +86,7 @@ Last-Update: 2012-02-25
exit(0);
}
/*
-@@ -330,23 +349,6 @@
+@@ -330,23 +349,6 @@ int main(int argc, char *argv[])
target_gname = argv[2];
cmd = argv[3];
@@ -110,7 +110,7 @@ Last-Update: 2012-02-25
/*
* Check for a leading '/' (absolute path) in the command to be executed,
-@@ -371,6 +373,63 @@
+@@ -371,6 +373,59 @@ int main(int argc, char *argv[])
}
/*
@@ -119,18 +119,14 @@ Last-Update: 2012-02-25
+ * SUEXEC_CONFIG_DIR/username
+ * If not, error out.
+ */
-+ filename = malloc(AP_MAXPATH+1);
+ suexec_docroot = malloc(AP_MAXPATH+1);
+ suexec_userdir_suffix = malloc(AP_MAXPATH+1);
-+ if (!filename || !suexec_docroot || !suexec_userdir_suffix) {
++ if (!suexec_docroot || !suexec_userdir_suffix ||
++ asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name) == -1) {
+ log_err("malloc failed\n");
+ exit(120);
+ }
+
-+ strncpy(filename, SUEXEC_CONFIG_DIR, AP_MAXPATH);
-+ strncat(filename, pw->pw_name, AP_MAXPATH);
-+ filename[AP_MAXPATH] = '\0';
-+
+ configfile = fopen(filename, "r");
+ if (!configfile) {
+ log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename);
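Review bot: `SUEXEC_CONFIG_DIR "%s"` makes the build-time directory part of the format string, so a `%` anywhere in the configured path would be parsed as a conversion specifier rather than copied literally; passing it as an argument, `asprintf(&filename, "%s%s", SUEXEC_CONFIG_DIR, pw->pw_name) == -1`, removes that dependency at no cost. asprintf() is a GNU/BSD extension rather than ISO C and on glibc needs `_GNU_SOURCE` defined before the system headers for its prototype to be visible — whether suexec-custom.c or the APR headers it includes already arrange that is not visible from this hunk. The failure branch still reports `malloc failed`, which is now misleading for an asprintf() failure; `log_err("cannot allocate config file name\n")` would describe both allocations. filename is also no longer bounded to AP_MAXPATH, so an over-long pw_name now surfaces as a fopen() failure through the existing `!configfile` check rather than being truncated, which is the better outcome but deserves a one-line comment. The enclosing main() starts and ends outside the hunk.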
@@ -174,7 +170,7 @@ Last-Update: 2012-02-25
* Error out if the target username is invalid.
*/
if (strspn(target_uname, "1234567890") != strlen(target_uname)) {
-@@ -511,7 +570,7 @@
+@@ -511,7 +566,7 @@ int main(int argc, char *argv[])
if (userdir) {
if (((chdir(target_homedir)) != 0) ||
@@ -183,7 +179,7 @@ Last-Update: 2012-02-25
((getcwd(dwd, AP_MAXPATH)) == NULL) ||
((fchdir(cwdh)) != 0)) {
log_err("cannot get docroot information (%s)\n", target_homedir);
-@@ -519,7 +578,7 @@
+@@ -519,7 +574,7 @@ int main(int argc, char *argv[])
}
}
else {