author | Stefan Fritsch <sf@debian.org> | 2011-12-03 17:50:19 +0000 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2012-01-02 10:37:15 +0100 |
commit | 57e8820bebaac9e6d49599458d364366f1dbcd6c (patch) | |
tree | 898275a0c585810c9faccaaeba5f633f44e0d50e | |
parent | c4b58d7024bbfa9f7f0920bb8319750fba10d538 (diff) | |
download | apache2-57e8820bebaac9e6d49599458d364366f1dbcd6c.tar.gz |
Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
via malicious .htaccess.
git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/trunk/apache2@1376 01b336ce-410b-0410-9a02-a0e7f243c266
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/patches/00list | 1 | ||||
-rwxr-xr-x | debian/patches/085_CVE-2011-3607.dpatch | 28 |
3 files changed, 33 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 648654f5..04c05fb4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,16 @@
-apache2 (2.2.21-3) UNRELEASED; urgency=low
+apache2 (2.2.21-4) UNRELEASED; urgency=low
 * Fix CVE-2011-4317: Prevent unintended pattern expansion in some reverse proxy configurations. (Similar to CVE-2011-3368, but different attack vector.)
+ * Fix CVE-2011-3607: Integer overflow in ap_pregsub could cause segfault
+ via malicious .htaccess.
 * Mention dpkg-statoverride for changing permissions of suexec. LP: #897120 * Fix broken link in docs. Closes: #650528 * Remove Tollef Fog Heen, Thom May, and Peter Samuelson from uploaders. Thanks for your work in the past.
- -- Stefan Fritsch <sf@debian.org> Sun, 23 Oct 2011 10:03:26 +0200
+ -- Stefan Fritsch <sf@debian.org> Sat, 03 Dec 2011 18:48:43 +0100
 apache2 (2.2.21-2) unstable; urgency=high
diff --git a/debian/patches/00list b/debian/patches/00list
index 0681229f..5a84bc5a 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -24,6 +24,7 @@
 082_ab_num_requests
 083_CVE-2011-3368.dpatch
 084_CVE-2011-4317.dpatch
+085_CVE-2011-3607.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
diff --git a/debian/patches/085_CVE-2011-3607.dpatch b/debian/patches/085_CVE-2011-3607.dpatch
new file mode 100755
index 00000000..aed1117c
--- /dev/null
+++ b/debian/patches/085_CVE-2011-3607.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 085_CVE-2011-3607.dpatch by Stefan Fritsch <sf@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix integer overflow, based on upstream r1198940
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/server/util.c trunk/server/util.c
+--- trunk~/server/util.c 2011-05-19 04:17:37.000000000 +0200
++++ trunk/server/util.c 2011-12-03 18:46:39.875941529 +0100
+@@ -366,7 +366,7 @@
+ char *dest, *dst;
+ char c;
+ size_t no;
+- int len;
++ apr_size_t len;
+
+ if (!source)
+ return NULL;
+@@ -391,6 +391,8 @@
+ len++;
+ }
+ else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
++ return APR_ENOMEM;
+ len += pmatch[no].rm_eo - pmatch[no].rm_so;
+ }
+
|
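Review bot: The added `return APR_ENOMEM;` in the second util.c hunk returns an integer status code from what appears to be a `char *` function; the `char *dest, *dst;` locals and the `if (!source) return NULL;` guard in the first hunk suggest both hunks sit in ap_pregsub, which hands a string back to its caller. If that is right, the overflow path yields a small non-NULL pointer value that a caller's NULL check cannot catch, so the invalid memory access is moved to the caller rather than removed. The guard should fail with `return NULL;`, ideally after logging the condition, and the callers should be confirmed to handle a NULL result. The function starts and ends outside both hunks, so the return type and the allocation that consumes `len` need to be checked against the full source.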