author | Stefan Fritsch <sf@sfritsch.de> | 2014-01-27 23:00:44 +0100 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2014-01-27 23:01:45 +0100 |
commit | 83ac799babcccba5f38c2a7f1714b272c6c5e547 (patch) | |
tree | c34ee6f9a7c41b1dc2c7f77d0f82e5c5d3b66d7c | |
parent | 352d5e16eb597557f4adeec67652c4b3b7e0d0cb (diff) | |
mod_dav: Fix segfaults
https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
-rw-r--r-- | debian/changelog | 13 | ||||
-rw-r--r-- | debian/patches/00list | 1 | ||||
-rwxr-xr-x | debian/patches/305_mod_dav_crash_PR_52559.dpatch | 84 |
3 files changed, 92 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog
index 88364de2..227e2d55 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,13 +1,14 @@
 apache2 (2.2.16-6+squeeze12) squeeze; urgency=medium
- Low impact security fixes:
- * CVE-2013-1862: mod_rewrite: Ensure that client data written to the
- RewriteLog is escaped to prevent terminal escape sequences from entering
- the log file. Closes: #722333
- * CVE-2013-1896: mod_dav: denial of service via MERGE request.
+ * Security: CVE-2013-1862: mod_rewrite: Ensure that client data written to
+ the RewriteLog is escaped to prevent terminal escape sequences from
+ entering the log file. Closes: #722333
+ * Security: CVE-2013-1896: mod_dav: denial of service via MERGE request.
 Closes: #717272
+ * mod_dav: Fix segfaults in certain error conditions.
+ https://issues.apache.org/bugzilla/show_bug.cgi?id=52559
- -- Stefan Fritsch <sf@debian.org> Sun, 03 Mar 2013 12:25:22 +0100
+ -- Stefan Fritsch <sf@debian.org> Mon, 27 Jan 2014 22:53:07 +0100
 apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high
diff --git a/debian/patches/00list b/debian/patches/00list
index 9282ed80..288b1b10 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -48,3 +48,4 @@
 302_CVE-2012-3499_CVE-2012-4558_XSS.dpatch
 303_mod_rewrite-CVE-2013-1862.dpatch
 304_CVE-2013-1896.dpatch
+305_mod_dav_crash_PR_52559.dpatch
diff --git a/debian/patches/305_mod_dav_crash_PR_52559.dpatch b/debian/patches/305_mod_dav_crash_PR_52559.dpatch
new file mode 100755
index 00000000..2af258c2
--- /dev/null
+++ b/debian/patches/305_mod_dav_crash_PR_52559.dpatch
@@ -0,0 +1,84 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## DP: http://svn.apache.org/r1497455
+## DP: mod_dav: When a PROPPATCH attempts to remove a non-existent dead
+## DP: property on a resource for which there is no dead property in the same
+## DP: namespace httpd segfaults.
+## DP:
+## DP: http://svn.apache.org/r1497457
+## DP: mod_dav: Do not fail PROPPATCH when prop namespace is not known.
+## DP:
+## DP: http://svn.apache.org/r1497463
+## DP: mod_dav: Do not segfault on PROPFIND with a zero length DBM.
+#
+@DPATCH@
+diff --git a/modules/dav/fs/dbm.c b/modules/dav/fs/dbm.c
+index 751a82b..ec42105 100644
+--- a/modules/dav/fs/dbm.c
++++ b/modules/dav/fs/dbm.c
+@@ -191,7 +191,15 @@ void dav_dbm_close(dav_db *db)
+
+ dav_error * dav_dbm_fetch(dav_db *db, apr_datum_t key, apr_datum_t *pvalue)
+ {
+- apr_status_t status = apr_dbm_fetch(db->file, key, pvalue);
++ apr_status_t status;
++
++ if (!key.dptr) {
++ /* no key could be created (namespace not known) => no value */
++ memset(pvalue, 0, sizeof(*pvalue));
++ status = APR_SUCCESS;
++ } else {
++ status = apr_dbm_fetch(db->file, key, pvalue);
++ }
+
+ return dav_fs_dbm_error(db, NULL, status);
+ }
+@@ -729,6 +737,10 @@ static dav_error * dav_propdb_get_rollback(dav_db *db,
+ static dav_error * dav_propdb_apply_rollback(dav_db *db,
+ dav_deadprop_rollback *rollback)
+ {
++ if (!rollback) {
++ return NULL; /* no rollback, nothing to do */
++ }
++
+ if (rollback->value.dptr == NULL) {
+ /* don't fail if the thing isn't really there. */
+ (void) dav_dbm_delete(db, rollback->key);
+diff --git a/modules/dav/main/props.c b/modules/dav/main/props.c
+index b9601d7..2796737 100644
+--- a/modules/dav/main/props.c
++++ b/modules/dav/main/props.c
+@@ -594,13 +594,14 @@ DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
+ if (propdb->db != NULL) {
+ dav_xmlns_info *xi = dav_xmlns_create(propdb->p);
+ dav_prop_name name;
++ dav_error *err;
+
+ /* define (up front) any namespaces the db might need */
+ (void) (*db_hooks->define_namespaces)(propdb->db, xi);
+
+ /* get the first property name, beginning the scan */
+- (void) (*db_hooks->first_name)(propdb->db, &name);
+- while (name.ns != NULL) {
++ err = (*db_hooks->first_name)(propdb->db, &name);
++ while (!err && name.ns) {
+
+ /*
+ ** We also look for <DAV:getcontenttype> and
+@@ -619,7 +620,6 @@ DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
+ }
+
+ if (what == DAV_PROP_INSERT_VALUE) {
+- dav_error *err;
+ int found;
+
+ if ((err = (*db_hooks->output_value)(propdb->db, &name,
+@@ -638,7 +638,7 @@ DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
+ }
+
+ next_key:
+- (void) (*db_hooks->next_name)(propdb->db, &name);
++ err = (*db_hooks->next_name)(propdb->db, &name);
+ }
+
+ /* all namespaces have been entered into xi. generate them into |
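Review bot: The empty-key guard lands only in `dav_dbm_fetch`, while the same patch still hands `rollback->key` straight to `dav_dbm_delete` in `dav_propdb_apply_rollback`, and nothing in the lines shown establishes that this key can never carry a NULL `dptr`. If a key built for an unknown namespace can reach the delete, store or exists wrappers (their bodies are outside this hunk, so this needs confirming against the full file), each wants the same early exit, for example `if (!key.dptr) return NULL;` at the top of `dav_dbm_delete`. Separately, in `dav_get_allprops` the new `err` from `first_name`/`next_name` only ends the scan and is neither logged nor returned in the visible lines, so a zero-length or damaged DBM yields a short property list with no trace for the operator. A comment at the loop such as `/* scan error: stop and return what was collected; the error itself is dropped */` would at least record that this is intentional, and logging the error once after the loop would make a corrupted property database detectable.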