diff options
| author | Stefan Fritsch <sf@sfritsch.de> | 2014-05-29 21:46:49 +0200 |
|---|---|---|
| committer | Stefan Fritsch <sf@sfritsch.de> | 2014-05-29 22:14:57 +0200 |
| commit | 860448dc798790f4cee49ba5ff04e3ff232a1908 (patch) | |
| tree | d6f2fd87a94c0cb6f722d789e28f355ae6876804 /debian/patches/suexec-custom.patch | |
| parent | ed0624771068963e31e0450b8556b82c96a8cf37 (diff) | |
| download | apache2-860448dc798790f4cee49ba5ff04e3ff232a1908.tar.gz | |
Fix buffer overflows in suexec with very long usernames
Not exploitable due to FORTIFY_SOURCE. And creating users usually
requires root, anyway.
Diffstat (limited to 'debian/patches/suexec-custom.patch')
| -rw-r--r-- | debian/patches/suexec-custom.patch | 30 |
1 files changed, 13 insertions, 17 deletions
diff --git a/debian/patches/suexec-custom.patch b/debian/patches/suexec-custom.patch index e25842e3..532f99a3 100644 --- a/debian/patches/suexec-custom.patch +++ b/debian/patches/suexec-custom.patch @@ -1,9 +1,9 @@ Description: the actual patch to make suexec-custom read a config file Forwarded: not-needed Author: Stefan Fritsch <sf@debian.org> -Last-Update: 2012-02-25 ---- a/support/suexec-custom.c -+++ b/support/suexec-custom.c +Last-Update: 2014-05-29 +--- apache2.orig/support/suexec-custom.c ++++ apache2/support/suexec-custom.c @@ -29,6 +29,7 @@ * * @@ -20,7 +20,7 @@ Last-Update: 2012-02-25 #if APR_HAVE_UNISTD_H #include <unistd.h> #endif -@@ -197,6 +199,26 @@ +@@ -197,6 +199,26 @@ static void log_no_err(const char *fmt,. return; } @@ -47,7 +47,7 @@ Last-Update: 2012-02-25 static void clean_env(void) { char pathbuf[512]; -@@ -263,6 +285,11 @@ +@@ -263,6 +285,11 @@ int main(int argc, char *argv[]) struct stat dir_info; /* directory info holder */ struct stat prg_info; /* program info holder */ int cwdh; /* handle to cwd */ @@ -59,7 +59,7 @@ Last-Update: 2012-02-25 /* * Start with a "clean" environment -@@ -292,15 +319,10 @@ +@@ -292,15 +319,10 @@ int main(int argc, char *argv[]) || (! strcmp(AP_HTTPD_USER, pw->pw_name))) #endif /* _OSD_POSIX */ ) { @@ -76,7 +76,7 @@ Last-Update: 2012-02-25 #ifdef AP_LOG_EXEC fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); #endif -@@ -313,9 +335,6 @@ +@@ -313,9 +335,6 @@ int main(int argc, char *argv[]) #ifdef AP_UID_MIN fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN); #endif @@ -86,7 +86,7 @@ Last-Update: 2012-02-25 exit(0); } /* -@@ -330,23 +349,6 @@ +@@ -330,23 +349,6 @@ int main(int argc, char *argv[]) target_gname = argv[2]; cmd = argv[3]; @@ -110,7 +110,7 @@ Last-Update: 2012-02-25 /* * Check for a leading '/' (absolute path) in the command to be executed, -@@ -371,6 +373,63 @@ +@@ -371,6 +373,59 @@ int main(int argc, char *argv[]) } /* @@ -119,18 +119,14 @@ Last-Update: 2012-02-25 + * SUEXEC_CONFIG_DIR/username + * If not, error out. + */ -+ filename = malloc(AP_MAXPATH+1); + suexec_docroot = malloc(AP_MAXPATH+1); + suexec_userdir_suffix = malloc(AP_MAXPATH+1); -+ if (!filename || !suexec_docroot || !suexec_userdir_suffix) { ++ if (!suexec_docroot || !suexec_userdir_suffix || ++ asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name) == -1) { + log_err("malloc failed\n"); + exit(120); + } + -+ strncpy(filename, SUEXEC_CONFIG_DIR, AP_MAXPATH); -+ strncat(filename, pw->pw_name, AP_MAXPATH); -+ filename[AP_MAXPATH] = '\0'; -+ + configfile = fopen(filename, "r"); + if (!configfile) { + log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename); @@ -174,7 +170,7 @@ Last-Update: 2012-02-25 * Error out if the target username is invalid. */ if (strspn(target_uname, "1234567890") != strlen(target_uname)) { -@@ -511,7 +570,7 @@ +@@ -511,7 +566,7 @@ int main(int argc, char *argv[]) if (userdir) { if (((chdir(target_homedir)) != 0) || @@ -183,7 +179,7 @@ Last-Update: 2012-02-25 ((getcwd(dwd, AP_MAXPATH)) == NULL) || ((fchdir(cwdh)) != 0)) { log_err("cannot get docroot information (%s)\n", target_homedir); -@@ -519,7 +578,7 @@ +@@ -519,7 +574,7 @@ int main(int argc, char *argv[]) } } else { |