From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 5DFC513877A for ; Thu, 31 Jul 2014 11:25:27 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 23DAFE08A8; Thu, 31 Jul 2014 11:25:26 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 899F4E08A8 for ; Thu, 31 Jul 2014 11:25:25 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3B17E33FDF6 for ; Thu, 31 Jul 2014 11:25:24 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id B831718810 for ; Thu, 31 Jul 2014 11:25:21 +0000 (UTC) 
From: "Lars Wendler" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Lars Wendler" Message-ID: <1406805875.b863adc76dbc98a303c0246c09f1038148f30451.polynomial-c@gentoo> Subject: [gentoo-commits] proj/apache:master commit in: 2.2/patches/ X-VCS-Repository: proj/apache X-VCS-Files: 2.2/patches/20_all_peruser_0.4.0-rc2.patch 2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch 2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch 2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch 2.2/patches/30_all_peruser_0.4.0-rc2.patch X-VCS-Directories: 2.2/patches/ X-VCS-Committer: polynomial-c X-VCS-Committer-Name: Lars Wendler X-VCS-Revision: b863adc76dbc98a303c0246c09f1038148f30451 X-VCS-Branch: master Date: Thu, 31 Jul 2014 11:25:21 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 3386bbf0-da8b-439b-8d6e-d6006dcdccef X-Archives-Hash: f1b557a41e76dff303d021aa5a13ac96 commit: b863adc76dbc98a303c0246c09f1038148f30451 Author: Lars Wendler gentoo org> AuthorDate: Thu Jul 31 11:24:35 2014 +0000 Commit: Lars Wendler gentoo org> CommitDate: Thu Jul 31 11:24:35 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commit;h=b863adc7 Added several security fixes (CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231) --- 2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch | 309 +++++++++++++++++++++ 2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch | 137 +++++++++ 2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch | 165 +++++++++++ ....0-rc2.patch => 30_all_peruser_0.4.0-rc2.patch} | 2 +- 4 files changed, 612 insertions(+), 1 deletion(-) diff --git a/2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch b/2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch new file mode 100644 index 0000000..6db06ba --- /dev/null +++ b/2.2/patches/26_httpd-2.2.27-CVE-2014-0118.patch 
@@ -0,0 +1,309 @@ +Author: jim +Date: Thu Jul 17 18:20:46 2014 +New Revision: 1611426 + +URL: http://svn.apache.org/r1611426 +Log: +Merge r1610501 from trunk: + + *) SECURITY: CVE-2014-0118 (cve.mitre.org) + mod_deflate: The DEFLATE input filter (inflates request bodies) now + limits the length and compression ratio of inflated request bodies to avoid + denial of sevice via highly compressed bodies. See directives + DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, + and DeflateInflateRatioBurst. + +Thanks to Giancarlo Pellegrino and Davide Balzarotti for reporting the issue. + +Submitted By: ylavic, covener +Reviewed By: jorton, covener, jim + + + +Submitted by: covener +Reviewed/backported by: jim + +Modified: + httpd/httpd/branches/2.2.x/ (props changed) + httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c + +Propchange: httpd/httpd/branches/2.2.x/ +------------------------------------------------------------------------------ + Merged /httpd/httpd/trunk:r1610501 + +Modified: httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c?rev=1611426&r1=1611425&r2=1611426&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c (original) ++++ httpd/httpd/branches/2.2.x/modules/filters/mod_deflate.c Thu Jul 17 18:20:46 2014 +@@ -37,6 +37,7 @@ + #include "httpd.h" + #include "http_config.h" + #include "http_log.h" ++#include "http_core.h" + #include "apr_lib.h" + #include "apr_strings.h" + #include "apr_general.h" +@@ -51,6 +52,9 @@ + static const char deflateFilterName[] = "DEFLATE"; + module AP_MODULE_DECLARE_DATA deflate_module; + ++#define AP_INFLATE_RATIO_LIMIT 200 ++#define AP_INFLATE_RATIO_BURST 3 ++ + typedef struct deflate_filter_config_t + { + int windowSize; +@@ -62,6 +66,12 @@ typedef struct deflate_filter_config_t + char *note_output_name; + } 
deflate_filter_config; + ++typedef struct deflate_dirconf_t { ++ apr_off_t inflate_limit; ++ int ratio_limit, ++ ratio_burst; ++} deflate_dirconf_t; ++ + /* RFC 1952 Section 2.3 defines the gzip header: + * + * +---+---+---+---+---+---+---+---+---+---+ +@@ -193,6 +203,14 @@ static void *create_deflate_server_confi + return c; + } + ++static void *create_deflate_dirconf(apr_pool_t *p, char *dummy) ++{ ++ deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc)); ++ dc->ratio_limit = AP_INFLATE_RATIO_LIMIT; ++ dc->ratio_burst = AP_INFLATE_RATIO_BURST; ++ return dc; ++} ++ + static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy, + const char *arg) + { +@@ -284,6 +302,55 @@ static const char *deflate_set_compressi + return NULL; + } + ++ ++static const char *deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf, ++ const char *arg) ++{ ++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; ++ char *errp; ++ ++ if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) { ++ return "DeflateInflateLimitRequestBody is not parsable."; ++ } ++ if (*errp || dc->inflate_limit < 0) { ++ return "DeflateInflateLimitRequestBody requires a non-negative integer."; ++ } ++ ++ return NULL; ++} ++ ++static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd, ++ void *dirconf, ++ const char *arg) ++{ ++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; ++ int i; ++ ++ i = atoi(arg); ++ if (i <= 0) ++ return "DeflateInflateRatioLimit must be positive"; ++ ++ dc->ratio_limit = i; ++ ++ return NULL; ++} ++ ++static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd, ++ void *dirconf, ++ const char *arg) ++{ ++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; ++ int i; ++ ++ i = atoi(arg); ++ if (i <= 0) ++ return "DeflateInflateRatioBurst must be positive"; ++ ++ dc->ratio_burst = i; ++ ++ return NULL; ++} ++ + typedef struct deflate_ctx_t + { + z_stream stream; +@@ -294,8 +361,26 @@ typedef struct deflate_ctx_t + unsigned char 
*validation_buffer; + apr_size_t validation_buffer_length; + int inflate_init; ++ int ratio_hits; ++ apr_off_t inflate_total; + } deflate_ctx; + ++/* Check whether the (inflate) ratio exceeds the configured limit/burst. */ ++static int check_ratio(request_rec *r, deflate_ctx *ctx, ++ const deflate_dirconf_t *dc) ++{ ++ if (ctx->stream.total_in) { ++ int ratio = ctx->stream.total_out / ctx->stream.total_in; ++ if (ratio < dc->ratio_limit) { ++ ctx->ratio_hits = 0; ++ } ++ else if (++ctx->ratio_hits > dc->ratio_burst) { ++ return 0; ++ } ++ } ++ return 1; ++} ++ + /* Number of validation bytes (CRC and length) after the compressed data */ + #define VALIDATION_SIZE 8 + /* Do not update ctx->crc, see comment in flush_libz_buffer */ +@@ -744,6 +829,8 @@ static apr_status_t deflate_in_filter(ap + int zRC; + apr_status_t rv; + deflate_filter_config *c; ++ deflate_dirconf_t *dc; ++ apr_off_t inflate_limit; + + /* just get out of the way of things we don't want. */ + if (mode != AP_MODE_READBYTES) { +@@ -751,6 +838,7 @@ static apr_status_t deflate_in_filter(ap + } + + c = ap_get_module_config(r->server->module_config, &deflate_module); ++ dc = ap_get_module_config(r->per_dir_config, &deflate_module); + + if (!ctx) { + char deflate_hdr[10]; +@@ -803,11 +891,13 @@ static apr_status_t deflate_in_filter(ap + if (len != 10 || + deflate_hdr[0] != deflate_magic[0] || + deflate_hdr[1] != deflate_magic[1]) { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes"); + return APR_EGENERAL; + } + + /* We can't handle flags for now. 
*/ + if (deflate_hdr[3] != 0) { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags"); + return APR_EGENERAL; + } + +@@ -831,6 +921,12 @@ static apr_status_t deflate_in_filter(ap + apr_brigade_cleanup(ctx->bb); + } + ++ inflate_limit = dc->inflate_limit; ++ if (inflate_limit == 0) { ++ /* The core is checking the deflated body, we'll check the inflated */ ++ inflate_limit = ap_get_limit_req_body(f->r); ++ } ++ + if (APR_BRIGADE_EMPTY(ctx->proc_bb)) { + rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes); + +@@ -863,6 +959,17 @@ static apr_status_t deflate_in_filter(ap + + ctx->stream.next_out = ctx->buffer; + len = c->bufferSize - ctx->stream.avail_out; ++ ++ ctx->inflate_total += len; ++ if (inflate_limit && ctx->inflate_total > inflate_limit) { ++ inflateEnd(&ctx->stream); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ++ "Inflated content length of %" APR_OFF_T_FMT ++ " is larger than the configured limit" ++ " of %" APR_OFF_T_FMT, ++ ctx->inflate_total, inflate_limit); ++ return APR_ENOSPC; ++ } + + ctx->crc = crc32(ctx->crc, (const Bytef *)ctx->buffer, len); + tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, +@@ -891,6 +998,26 @@ static apr_status_t deflate_in_filter(ap + ctx->stream.next_out = ctx->buffer; + len = c->bufferSize - ctx->stream.avail_out; + ++ ctx->inflate_total += len; ++ if (inflate_limit && ctx->inflate_total > inflate_limit) { ++ inflateEnd(&ctx->stream); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ++ "Inflated content length of %" APR_OFF_T_FMT ++ " is larger than the configured limit" ++ " of %" APR_OFF_T_FMT, ++ ctx->inflate_total, inflate_limit); ++ return APR_ENOSPC; ++ } ++ ++ if (!check_ratio(r, ctx, dc)) { ++ inflateEnd(&ctx->stream); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ++ "Inflated content ratio is larger than the " ++ "configured limit %i by %i time(s)", ++ dc->ratio_limit, dc->ratio_burst); ++ return APR_EINVAL; ++ } ++ + ctx->crc = 
crc32(ctx->crc, (const Bytef *)ctx->buffer, len); + tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, + NULL, f->c->bucket_alloc); +@@ -1003,6 +1130,7 @@ static apr_status_t inflate_out_filter(a + int zRC; + apr_status_t rv; + deflate_filter_config *c; ++ deflate_dirconf_t *dc; + + /* Do nothing if asked to filter nothing. */ + if (APR_BRIGADE_EMPTY(bb)) { +@@ -1010,6 +1138,7 @@ static apr_status_t inflate_out_filter(a + } + + c = ap_get_module_config(r->server->module_config, &deflate_module); ++ dc = ap_get_module_config(r->per_dir_config, &deflate_module); + + if (!ctx) { + +@@ -1272,6 +1401,14 @@ static apr_status_t inflate_out_filter(a + while (ctx->stream.avail_in != 0) { + if (ctx->stream.avail_out == 0) { + ++ if (!check_ratio(r, ctx, dc)) { ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ++ "Inflated content ratio is larger than the " ++ "configured limit %i by %i time(s)", ++ dc->ratio_limit, dc->ratio_burst); ++ return APR_EINVAL; ++ } ++ + ctx->stream.next_out = ctx->buffer; + len = c->bufferSize - ctx->stream.avail_out; + +@@ -1346,12 +1483,20 @@ static const command_rec deflate_filter_ + "Set the Deflate Memory Level (1-9)"), + AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF, + "Set the Deflate Compression Level (1-9)"), ++ AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL, ++ "Set a limit on size of inflated input"), ++ AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL, ++ "Set the inflate ratio limit above which inflation is " ++ "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"), ++ AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL, ++ "Set the maximum number of following inflate ratios above limit " ++ "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"), + {NULL} + }; + + module AP_MODULE_DECLARE_DATA deflate_module = { + STANDARD20_MODULE_STUFF, +- NULL, /* dir config 
creater */ ++ create_deflate_dirconf, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + create_deflate_server_config, /* server config */ + NULL, /* merge server config */ diff --git a/2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch b/2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch new file mode 100644 index 0000000..51f974e --- /dev/null +++ b/2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch 
@@ -0,0 +1,137 @@ +Author: jorton +Date: Mon Jul 14 20:34:32 2014 +New Revision: 1610515 + +URL: http://svn.apache.org/r1610515 +Log: +Merge 1610491 from trunk: + +SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling, +which could lead to a heap buffer overflow. Thanks to Marek Kroemeke +working with HP's Zero Day Initiative for reporting this. + +* include/scoreboard.h: Add ap_copy_scoreboard_worker. + +* server/scoreboard.c (ap_copy_scoreboard_worker): New function. + +* modules/generators/mod_status.c (status_handler): Use it. + +Reviewed by: trawick, jorton, covener +Submitted by: jorton, trawick, covener + +Modified: + httpd/httpd/branches/2.2.x/ (props changed) + httpd/httpd/branches/2.2.x/include/ap_mmn.h + httpd/httpd/branches/2.2.x/include/scoreboard.h + httpd/httpd/branches/2.2.x/modules/generators/mod_status.c + httpd/httpd/branches/2.2.x/server/scoreboard.c + +Propchange: httpd/httpd/branches/2.2.x/ +------------------------------------------------------------------------------ + Merged /httpd/httpd/trunk:r1610491 + +Modified: httpd/httpd/branches/2.2.x/include/ap_mmn.h +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/ap_mmn.h?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/include/ap_mmn.h (original) ++++ httpd/httpd/branches/2.2.x/include/ap_mmn.h Mon Jul 14 20:34:32 2014 +@@ -151,6 +151,7 @@ + * 20051115.31 (2.2.23) Add forcerecovery to proxy_balancer_shared struct + * 20051115.32 (2.2.24) Add ap_get_exec_line + * 20051115.33 (2.2.24) Add ap_pregsub_ex() ++ * 20051115.34 (2.2.28) Add ap_copy_scoreboard_worker() + */ + + #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */ +@@ -158,7 +159,7 @@ + #ifndef MODULE_MAGIC_NUMBER_MAJOR + #define MODULE_MAGIC_NUMBER_MAJOR 20051115 + #endif +-#define MODULE_MAGIC_NUMBER_MINOR 33 /* 0...n */ ++#define MODULE_MAGIC_NUMBER_MINOR 34 /* 0...n */ + + /** + * Determine if 
the server's current MODULE_MAGIC_NUMBER is at least a + +Modified: httpd/httpd/branches/2.2.x/include/scoreboard.h +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/scoreboard.h?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/include/scoreboard.h (original) ++++ httpd/httpd/branches/2.2.x/include/scoreboard.h Mon Jul 14 20:34:32 2014 +@@ -189,7 +189,24 @@ AP_DECLARE(int) ap_update_child_status_f + int status, request_rec *r); + void ap_time_process_request(ap_sb_handle_t *sbh, int status); + ++/** Return a pointer to the worker_score for a given child, thread pair. ++ * @param child_num The child number. ++ * @param thread_num The thread number. ++ * @return A pointer to the worker_score structure. ++ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. ++ */ + AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y); ++ ++/** Copy the contents of a worker's scoreboard entry. The contents of ++ * the worker_score structure are copied verbatim into the dest ++ * structure. ++ * @param dest Output parameter. ++ * @param child_num The child number. ++ * @param thread_num The thread number. 
++ */ ++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, ++ int child_num, int thread_num); ++ + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x); + AP_DECLARE(global_score *) ap_get_scoreboard_global(void); + AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num); + +Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_status.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_status.c?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/modules/generators/mod_status.c (original) ++++ httpd/httpd/branches/2.2.x/modules/generators/mod_status.c Mon Jul 14 20:34:32 2014 +@@ -241,7 +241,7 @@ static int status_handler(request_rec *r + #endif + int short_report; + int no_table_report; +- worker_score *ws_record; ++ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record); + process_score *ps_record; + char *stat_buffer; + pid_t *pid_buffer, worker_pid; +@@ -333,7 +333,7 @@ static int status_handler(request_rec *r + for (j = 0; j < thread_limit; ++j) { + int indx = (i * thread_limit) + j; + +- ws_record = ap_get_scoreboard_worker(i, j); ++ ap_copy_scoreboard_worker(ws_record, i, j); + res = ws_record->status; + stat_buffer[indx] = status_flags[res]; + + +Modified: httpd/httpd/branches/2.2.x/server/scoreboard.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/scoreboard.c?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/server/scoreboard.c (original) ++++ httpd/httpd/branches/2.2.x/server/scoreboard.c Mon Jul 14 20:34:32 2014 +@@ -510,6 +510,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb + return &ap_scoreboard_image->servers[x][y]; + } + ++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, ++ int child_num, ++ int thread_num) ++{ ++ worker_score *ws = 
ap_get_scoreboard_worker(child_num, thread_num); ++ ++ memcpy(dest, ws, sizeof *ws); ++ ++ /* For extra safety, NUL-terminate the strings returned, though it ++ * should be true those last bytes are always zero anyway. */ ++ dest->client[sizeof(dest->client) - 1] = '\0'; ++ dest->request[sizeof(dest->request) - 1] = '\0'; ++ dest->vhost[sizeof(dest->vhost) - 1] = '\0'; ++} ++ + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x) + { + if ((x < 0) || (server_limit < x)) { diff --git a/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch b/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch new file mode 100644 index 0000000..e7911e0 --- /dev/null +++ b/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch 
@@ -0,0 +1,165 @@ +Author: wrowe +Date: Wed Jul 16 20:56:51 2014 +New Revision: 1611185 + +URL: http://svn.apache.org/r1611185 +Log: +SECURITY: CVE-2014-0231 + + mod_cgid: Fix a denial of service against CGI scripts that do + not consume stdin that could lead to lingering HTTPD child processes + filling up the scoreboard and eventually hanging the server. + +Submitted by: Rainer Jung, Eric Covener, Yann Ylavic +Backports: r1610509, r1535125 +Reviewed by: covener, trawick, ylavic + +Modified: + httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c + +Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c?rev=1611185&r1=1611184&r2=1611185&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c (original) ++++ httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c Wed Jul 16 20:56:51 2014 +@@ -93,6 +93,10 @@ static const char *sockname; + static pid_t parent_pid; + static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 }; + ++typedef struct { ++ apr_interval_time_t timeout; ++} cgid_dirconf; ++ + /* The APR other-child API doesn't tell us how the daemon exited + * (SIGSEGV vs. exit(1)). The other-child maintenance function + * needs to decide whether to restart the daemon after a failure +@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_ + return overrides->logname ? 
overrides : base; + } + ++static void *create_cgid_dirconf(apr_pool_t *p, char *dummy) ++{ ++ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf)); ++ return c; ++} ++ + static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) ++ + { + server_rec *s = cmd->server; + cgid_server_conf *conf = ap_get_module_config(s->module_config, +@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd + + return NULL; + } ++static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ cgid_dirconf *dc = dummy; + ++ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { ++ return "CGIDScriptTimeout has wrong format"; ++ } ++ ++ return NULL; ++} + static const command_rec cgid_cmds[] = + { + AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, +@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] = + AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF, + "the name of the socket to use for communication with " + "the cgi daemon."), ++ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, ++ "The amount of time to wait between successful reads from " ++ "the CGI script, in seconds."), ++ + {NULL} + }; + +@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r) + apr_file_t *tempsock; + struct cleanup_script_info *info; + apr_status_t rv; ++ cgid_dirconf *dc; + + if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script")) + return DECLINED; + + conf = ap_get_module_config(r->server->module_config, &cgid_module); ++ dc = ap_get_module_config(r->per_dir_config, &cgid_module); ++ ++ + is_included = !strcmp(r->protocol, "INCLUDED"); + + if ((argv0 = strrchr(r->filename, '/')) != NULL) +@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r) + */ + + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); ++ if (dc->timeout > 0) { ++ apr_file_pipe_timeout_set(tempsock, dc->timeout); ++ } ++ else { ++ 
apr_file_pipe_timeout_set(tempsock, r->server->timeout); ++ } + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); + + if ((argv0 = strrchr(r->filename, '/')) != NULL) +@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r) + if (rv != APR_SUCCESS) { + /* silly script stopped reading, soak up remaining message */ + child_stopped_reading = 1; ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, ++ "Error writing request body to script %s", ++ r->filename); ++ + } + } + apr_brigade_cleanup(bb); +@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r) + return HTTP_MOVED_TEMPORARILY; + } + +- ap_pass_brigade(r->output_filters, bb); ++ rv = ap_pass_brigade(r->output_filters, bb); ++ if (rv != APR_SUCCESS) { ++ /* APLOG_ERR because the core output filter message is at error, ++ * but doesn't know it's passing CGI output ++ */ ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client"); ++ } + } + + if (nph) { +@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ct + request_rec *r = f->r; + cgid_server_conf *conf = ap_get_module_config(r->server->module_config, + &cgid_module); ++ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module); ++ + struct cleanup_script_info *info; + + add_ssi_vars(r); +@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ct + * get rid of the cleanup we registered when we created the socket. 
+ */ + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); ++ if (dc->timeout > 0) { ++ apr_file_pipe_timeout_set(tempsock, dc->timeout); ++ } ++ else { ++ apr_file_pipe_timeout_set(tempsock, r->server->timeout); ++ } ++ + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); + + APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock, +@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p) + + module AP_MODULE_DECLARE_DATA cgid_module = { + STANDARD20_MODULE_STUFF, +- NULL, /* dir config creater */ ++ create_cgid_dirconf, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + create_cgid_config, /* server config */ + merge_cgid_config, /* merge server config */ diff --git a/2.2/patches/20_all_peruser_0.4.0-rc2.patch b/2.2/patches/30_all_peruser_0.4.0-rc2.patch similarity index 99% rename from 2.2/patches/20_all_peruser_0.4.0-rc2.patch rename to 2.2/patches/30_all_peruser_0.4.0-rc2.patch index 6784c78..546d94a 100644 --- a/2.2/patches/20_all_peruser_0.4.0-rc2.patch +++ b/2.2/patches/30_all_peruser_0.4.0-rc2.patch @@ -30,7 +30,7 @@ diff -Nur httpd-2.2.16/modules/generators/mod_status.c httpd-2.2.16-peruser/modu int short_report; int no_table_report; + int peruser_stats; - worker_score *ws_record; + worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record); process_score *ps_record; char *stat_buffer; 
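Review bot: the deflate_module table hunk (@@ -1346,12 +1483,20 @@) installs create_deflate_dirconf but keeps the dir merger at NULL ("default is to override"), so a nested scope that sets only one of the three new directives (they are registered OR_ALL, so .htaccess counts) replaces the whole deflate_dirconf_t with a fresh one in which the other two fields are back at AP_INFLATE_RATIO_LIMIT / AP_INFLATE_RATIO_BURST and inflate_limit is 0, i.e. LimitRequestBody, instead of inheriting the parent's values. A merge function that takes each field from the child only when it was explicitly set (a per-field "is set" flag in the struct) would avoid an administrator tightening DeflateInflateLimitRequestBody at server level and losing it in a subdirectory that merely adjusts DeflateInflateRatioLimit.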
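Review bot: check_ratio (hunk @@ -294,8 +361,26 @@) takes request_rec *r but never uses it; either drop the parameter or move the ap_log_rerror call that the deflate_in_filter and inflate_out_filter hunks repeat verbatim into the function so the message lives in one place. The comment above it should also say that the ratio is the cumulative stream ratio (total_out / total_in at each buffer flush, integer division), not a per-chunk figure, and that ratio_hits is reset whenever that running ratio dips below DeflateInflateRatioLimit, since that is what "burst" means here.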
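Review bot: the limit error paths in deflate_in_filter (hunks @@ -863,6 +959,17 @@ and @@ -891,6 +998,26 @@) call inflateEnd() and return APR_ENOSPC / APR_EINVAL but leave ctx and its inflate_init flag untouched, while the inflate_out_filter hunk (@@ -1272,6 +1401,14 @@) returns APR_EINVAL without calling inflateEnd() at all. Please make the three paths consistent and confirm that a filter cannot be invoked again on the same request after the error, so inflate() is never called on an ended z_stream and the output filter's stream is released by a cleanup rather than leaked. Also note that only the second input hunk adds the check_ratio call; the first flush point gets the byte limit alone, which is fine if it is the end-of-stream flush but should be stated in a comment.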
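Review bot: ap_copy_scoreboard_worker (scoreboard.c hunk @@ -510,6 +510,21 @@) does not remove the race with the worker writing the entry: the memcpy can still copy a torn worker_score, but the forced NUL termination of client, request and vhost means every later string operation is bounded to the copy's buffers, and that is what closes the heap overflow. The new doc comment in scoreboard.h should say that dest receives a snapshot that may be internally inconsistent, and the @param names child_num / thread_num added above the now-deprecated ap_get_scoreboard_worker do not match its prototype's x, y. In mod_status the hunk at @@ -333,7 +333,7 @@ converts only the first per-worker loop to the copy and reuses the single pool-allocated ws_record; confirm no other ap_get_scoreboard_worker call in status_handler still holds a live pointer into the scoreboard. The peruser patch is renumbered from 20_ to 30_ so that it applies after 27_, and its context line is updated to the new apr_palloc declaration; that ordering dependency deserves a sentence in the commit message.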
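Review bot: the mod_cgid hunk at @@ -934,7 +938,14 @@ inserts a stray blank line between the set_scriptlog signature and its opening brace, the new set_script_timeout is glued to set_script_socket and to cgid_cmds with no separating blank line, and the cgid_handler hunk (@@ -1335,11 +1359,15 @@) adds two empty lines after the dc assignment; tidy before applying. On substance, apr_file_pipe_timeout_set on tempsock bounds both the write of the request body (the new "Error writing request body to script" log is the visible effect) and the reads of the script's output, so the CGIDScriptTimeout description "The amount of time to wait between successful reads from the CGI script" understates what it governs; and because create_cgid_dirconf pcalloc's the struct, an unset directive falls back to r->server->timeout, which the description should name as the default.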
@@ -268,6 +271,7 @@
crc32(ctx->crc, (const Bytef *)ctx->buffer, len); + tmp_heap = apr_bucket_heap_create((char *)ctx->buffer, len, + NULL, f->c->bucket_alloc); +@@ -1003,6 +1130,7 @@ static apr_status_t inflate_out_filter(a + int zRC; + apr_status_t rv; + deflate_filter_config *c; ++ deflate_dirconf_t *dc; + + /* Do nothing if asked to filter nothing. */ + if (APR_BRIGADE_EMPTY(bb)) { +@@ -1010,6 +1138,7 @@ static apr_status_t inflate_out_filter(a + } + + c = ap_get_module_config(r->server->module_config, &deflate_module); ++ dc = ap_get_module_config(r->per_dir_config, &deflate_module); + + if (!ctx) { + +@@ -1272,6 +1401,14 @@ static apr_status_t inflate_out_filter(a + while (ctx->stream.avail_in != 0) { + if (ctx->stream.avail_out == 0) { + ++ if (!check_ratio(r, ctx, dc)) { ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ++ "Inflated content ratio is larger than the " ++ "configured limit %i by %i time(s)", ++ dc->ratio_limit, dc->ratio_burst); ++ return APR_EINVAL; ++ } ++ + ctx->stream.next_out = ctx->buffer; + len = c->bufferSize - ctx->stream.avail_out; + +@@ -1346,12 +1483,20 @@ static const command_rec deflate_filter_ + "Set the Deflate Memory Level (1-9)"), + AP_INIT_TAKE1("DeflateCompressionLevel", deflate_set_compressionlevel, NULL, RSRC_CONF, + "Set the Deflate Compression Level (1-9)"), ++ AP_INIT_TAKE1("DeflateInflateLimitRequestBody", deflate_set_inflate_limit, NULL, OR_ALL, ++ "Set a limit on size of inflated input"), ++ AP_INIT_TAKE1("DeflateInflateRatioLimit", deflate_set_inflate_ratio_limit, NULL, OR_ALL, ++ "Set the inflate ratio limit above which inflation is " ++ "aborted (default: " APR_STRINGIFY(AP_INFLATE_RATIO_LIMIT) ")"), ++ AP_INIT_TAKE1("DeflateInflateRatioBurst", deflate_set_inflate_ratio_burst, NULL, OR_ALL, ++ "Set the maximum number of following inflate ratios above limit " ++ "(default: " APR_STRINGIFY(AP_INFLATE_RATIO_BURST) ")"), + {NULL} + }; + + module AP_MODULE_DECLARE_DATA deflate_module = { + STANDARD20_MODULE_STUFF, +- NULL, /* dir config 
creater */ ++ create_deflate_dirconf, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + create_deflate_server_config, /* server config */ + NULL, /* merge server config */ diff --git a/2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch b/2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch new file mode 100644 index 0000000..51f974e --- /dev/null +++ b/2.2/patches/27_httpd-2.2.27-CVE-2014-0226.patch 
@@ -0,0 +1,137 @@ +Author: jorton +Date: Mon Jul 14 20:34:32 2014 +New Revision: 1610515 + +URL: http://svn.apache.org/r1610515 +Log: +Merge 1610491 from trunk: + +SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling, +which could lead to a heap buffer overflow. Thanks to Marek Kroemeke +working with HP's Zero Day Initiative for reporting this. + +* include/scoreboard.h: Add ap_copy_scoreboard_worker. + +* server/scoreboard.c (ap_copy_scoreboard_worker): New function. + +* modules/generators/mod_status.c (status_handler): Use it. + +Reviewed by: trawick, jorton, covener +Submitted by: jorton, trawick, covener + +Modified: + httpd/httpd/branches/2.2.x/ (props changed) + httpd/httpd/branches/2.2.x/include/ap_mmn.h + httpd/httpd/branches/2.2.x/include/scoreboard.h + httpd/httpd/branches/2.2.x/modules/generators/mod_status.c + httpd/httpd/branches/2.2.x/server/scoreboard.c + +Propchange: httpd/httpd/branches/2.2.x/ +------------------------------------------------------------------------------ + Merged /httpd/httpd/trunk:r1610491 + +Modified: httpd/httpd/branches/2.2.x/include/ap_mmn.h +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/ap_mmn.h?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/include/ap_mmn.h (original) ++++ httpd/httpd/branches/2.2.x/include/ap_mmn.h Mon Jul 14 20:34:32 2014 +@@ -151,6 +151,7 @@ + * 20051115.31 (2.2.23) Add forcerecovery to proxy_balancer_shared struct + * 20051115.32 (2.2.24) Add ap_get_exec_line + * 20051115.33 (2.2.24) Add ap_pregsub_ex() ++ * 20051115.34 (2.2.28) Add ap_copy_scoreboard_worker() + */ + + #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */ +@@ -158,7 +159,7 @@ + #ifndef MODULE_MAGIC_NUMBER_MAJOR + #define MODULE_MAGIC_NUMBER_MAJOR 20051115 + #endif +-#define MODULE_MAGIC_NUMBER_MINOR 33 /* 0...n */ ++#define MODULE_MAGIC_NUMBER_MINOR 34 /* 0...n */ + + /** + * Determine if 
the server's current MODULE_MAGIC_NUMBER is at least a + +Modified: httpd/httpd/branches/2.2.x/include/scoreboard.h +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/include/scoreboard.h?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/include/scoreboard.h (original) ++++ httpd/httpd/branches/2.2.x/include/scoreboard.h Mon Jul 14 20:34:32 2014 +@@ -189,7 +189,24 @@ AP_DECLARE(int) ap_update_child_status_f + int status, request_rec *r); + void ap_time_process_request(ap_sb_handle_t *sbh, int status); + ++/** Return a pointer to the worker_score for a given child, thread pair. ++ * @param child_num The child number. ++ * @param thread_num The thread number. ++ * @return A pointer to the worker_score structure. ++ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. ++ */ + AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y); ++ ++/** Copy the contents of a worker's scoreboard entry. The contents of ++ * the worker_score structure are copied verbatim into the dest ++ * structure. ++ * @param dest Output parameter. ++ * @param child_num The child number. ++ * @param thread_num The thread number. 
++ */ ++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, ++ int child_num, int thread_num); ++ + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x); + AP_DECLARE(global_score *) ap_get_scoreboard_global(void); + AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num); + +Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_status.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_status.c?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/modules/generators/mod_status.c (original) ++++ httpd/httpd/branches/2.2.x/modules/generators/mod_status.c Mon Jul 14 20:34:32 2014 +@@ -241,7 +241,7 @@ static int status_handler(request_rec *r + #endif + int short_report; + int no_table_report; +- worker_score *ws_record; ++ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record); + process_score *ps_record; + char *stat_buffer; + pid_t *pid_buffer, worker_pid; +@@ -333,7 +333,7 @@ static int status_handler(request_rec *r + for (j = 0; j < thread_limit; ++j) { + int indx = (i * thread_limit) + j; + +- ws_record = ap_get_scoreboard_worker(i, j); ++ ap_copy_scoreboard_worker(ws_record, i, j); + res = ws_record->status; + stat_buffer[indx] = status_flags[res]; + + +Modified: httpd/httpd/branches/2.2.x/server/scoreboard.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/scoreboard.c?rev=1610515&r1=1610514&r2=1610515&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/server/scoreboard.c (original) ++++ httpd/httpd/branches/2.2.x/server/scoreboard.c Mon Jul 14 20:34:32 2014 +@@ -510,6 +510,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb + return &ap_scoreboard_image->servers[x][y]; + } + ++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, ++ int child_num, ++ int thread_num) ++{ ++ worker_score *ws = 
ap_get_scoreboard_worker(child_num, thread_num); ++ ++ memcpy(dest, ws, sizeof *ws); ++ ++ /* For extra safety, NUL-terminate the strings returned, though it ++ * should be true those last bytes are always zero anyway. */ ++ dest->client[sizeof(dest->client) - 1] = '\0'; ++ dest->request[sizeof(dest->request) - 1] = '\0'; ++ dest->vhost[sizeof(dest->vhost) - 1] = '\0'; ++} ++ + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x) + { + if ((x < 0) || (server_limit < x)) { diff --git a/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch b/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch new file mode 100644 index 0000000..e7911e0 --- /dev/null +++ b/2.2/patches/28_httpd-2.2.27-CVE-2014-0231.patch 
@@ -0,0 +1,165 @@ +Author: wrowe +Date: Wed Jul 16 20:56:51 2014 +New Revision: 1611185 + +URL: http://svn.apache.org/r1611185 +Log: +SECURITY: CVE-2014-0231 + + mod_cgid: Fix a denial of service against CGI scripts that do + not consume stdin that could lead to lingering HTTPD child processes + filling up the scoreboard and eventually hanging the server. + +Submitted by: Rainer Jung, Eric Covener, Yann Ylavic +Backports: r1610509, r1535125 +Reviewed by: covener, trawick, ylavic + +Modified: + httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c + +Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c +URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c?rev=1611185&r1=1611184&r2=1611185&view=diff +============================================================================== +--- httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c (original) ++++ httpd/httpd/branches/2.2.x/modules/generators/mod_cgid.c Wed Jul 16 20:56:51 2014 +@@ -93,6 +93,10 @@ static const char *sockname; + static pid_t parent_pid; + static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 }; + ++typedef struct { ++ apr_interval_time_t timeout; ++} cgid_dirconf; ++ + /* The APR other-child API doesn't tell us how the daemon exited + * (SIGSEGV vs. exit(1)). The other-child maintenance function + * needs to decide whether to restart the daemon after a failure +@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_ + return overrides->logname ? 
overrides : base; + } + ++static void *create_cgid_dirconf(apr_pool_t *p, char *dummy) ++{ ++ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf)); ++ return c; ++} ++ + static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) ++ + { + server_rec *s = cmd->server; + cgid_server_conf *conf = ap_get_module_config(s->module_config, +@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd + + return NULL; + } ++static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ cgid_dirconf *dc = dummy; + ++ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { ++ return "CGIDScriptTimeout has wrong format"; ++ } ++ ++ return NULL; ++} + static const command_rec cgid_cmds[] = + { + AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, +@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] = + AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF, + "the name of the socket to use for communication with " + "the cgi daemon."), ++ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, ++ "The amount of time to wait between successful reads from " ++ "the CGI script, in seconds."), ++ + {NULL} + }; + +@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r) + apr_file_t *tempsock; + struct cleanup_script_info *info; + apr_status_t rv; ++ cgid_dirconf *dc; + + if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script")) + return DECLINED; + + conf = ap_get_module_config(r->server->module_config, &cgid_module); ++ dc = ap_get_module_config(r->per_dir_config, &cgid_module); ++ ++ + is_included = !strcmp(r->protocol, "INCLUDED"); + + if ((argv0 = strrchr(r->filename, '/')) != NULL) +@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r) + */ + + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); ++ if (dc->timeout > 0) { ++ apr_file_pipe_timeout_set(tempsock, dc->timeout); ++ } ++ else { ++ 
apr_file_pipe_timeout_set(tempsock, r->server->timeout); ++ } + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); + + if ((argv0 = strrchr(r->filename, '/')) != NULL) +@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r) + if (rv != APR_SUCCESS) { + /* silly script stopped reading, soak up remaining message */ + child_stopped_reading = 1; ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, ++ "Error writing request body to script %s", ++ r->filename); ++ + } + } + apr_brigade_cleanup(bb); +@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r) + return HTTP_MOVED_TEMPORARILY; + } + +- ap_pass_brigade(r->output_filters, bb); ++ rv = ap_pass_brigade(r->output_filters, bb); ++ if (rv != APR_SUCCESS) { ++ /* APLOG_ERR because the core output filter message is at error, ++ * but doesn't know it's passing CGI output ++ */ ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client"); ++ } + } + + if (nph) { +@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ct + request_rec *r = f->r; + cgid_server_conf *conf = ap_get_module_config(r->server->module_config, + &cgid_module); ++ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module); ++ + struct cleanup_script_info *info; + + add_ssi_vars(r); +@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ct + * get rid of the cleanup we registered when we created the socket. 
+ */ + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); ++ if (dc->timeout > 0) { ++ apr_file_pipe_timeout_set(tempsock, dc->timeout); ++ } ++ else { ++ apr_file_pipe_timeout_set(tempsock, r->server->timeout); ++ } ++ + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); + + APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock, +@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p) + + module AP_MODULE_DECLARE_DATA cgid_module = { + STANDARD20_MODULE_STUFF, +- NULL, /* dir config creater */ ++ create_cgid_dirconf, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + create_cgid_config, /* server config */ + merge_cgid_config, /* merge server config */ diff --git a/2.2/patches/20_all_peruser_0.4.0-rc2.patch b/2.2/patches/30_all_peruser_0.4.0-rc2.patch similarity index 99% rename from 2.2/patches/20_all_peruser_0.4.0-rc2.patch rename to 2.2/patches/30_all_peruser_0.4.0-rc2.patch index 6784c78..546d94a 100644 --- a/2.2/patches/20_all_peruser_0.4.0-rc2.patch +++ b/2.2/patches/30_all_peruser_0.4.0-rc2.patch @@ -30,7 +30,7 @@ diff -Nur httpd-2.2.16/modules/generators/mod_status.c httpd-2.2.16-peruser/modu int short_report; int no_table_report; + int peruser_stats; - worker_score *ws_record; + worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record); process_score *ps_record; char *stat_buffer; @@ -268,6 +271,7 @@
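Review bot: in 26_httpd-2.2.27-CVE-2014-0118.patch, hunk @@ -284,6 +302,55 @@, deflate_set_inflate_ratio_limit and deflate_set_inflate_ratio_burst parse with atoi(), so "200x" is silently accepted as 200 and any non-numeric string collapses to 0 and is misreported as "must be positive". deflate_set_inflate_limit in the same hunk already does this properly with apr_strtoff() plus an end-pointer check ("if (*errp || dc->inflate_limit < 0)"); the two ratio directives should use the same pattern (apr_strtoi64() with an end pointer) so malformed configuration fails at startup instead of being partially interpreted.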
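Review bot: in the check_ratio() hunk (@@ -294,8 +361,26 @@ of the CVE-2014-0118 patch), the ratio is "ctx->stream.total_out / ctx->stream.total_in", i.e. the cumulative average over the whole body so far, not the ratio of the buffer just inflated, and ratio_hits counts consecutive checks in which that running average is at or above the limit. That is a reasonable DoS bound because inflate_total still caps the absolute size, but the comment "Check whether the (inflate) ratio exceeds the configured limit/burst" and the DeflateInflateRatioLimit help text should say it is the cumulative ratio, since a body with a large incompressible prefix behaves differently from a per-chunk check. Minor: the quotient of two uLong counters is narrowed into an int without a cast, and the request_rec *r parameter is unused.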
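Review bot: the two inflate sites in deflate_in_filter are guarded differently: hunk @@ -863,6 +959,17 @@ adds only the inflate_total limit, while hunk @@ -891,6 +998,26 @@ adds both the inflate_total limit and check_ratio(). If the first site is the end-of-stream flush, where a ratio check adds nothing, a one-line comment saying so would prevent the next reader from "fixing" it; if it can run repeatedly on a highly compressible body, the check_ratio() call belongs there too. The two rejection paths also return different codes (APR_ENOSPC for the size limit, APR_EINVAL for the ratio limit); please confirm the caller treats both as a bad request body rather than an internal error.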
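Review bot: in hunk @@ -1272,6 +1401,14 @@ (inflate_out_filter), the check_ratio() failure path returns APR_EINVAL without calling inflateEnd(&ctx->stream), whereas both new failure paths in deflate_in_filter call inflateEnd() first. Unless a pool cleanup releases the z_stream for the output filter, zlib's internal state is leaked on every rejected response; suggest mirroring the input-filter sequence. The warning text is also copied verbatim from the input filter, so a log reader cannot tell whether a request body or a proxied response was rejected; distinguishing the two in the message would help.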
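Review bot: in hunk @@ -1346,12 +1483,20 @@, the three new directives are registered with OR_ALL and create_deflate_dirconf becomes the dir config creator, but the dir merger stays "NULL, /* dir merger --- default is to override */". With override semantics a <Directory>, <Location> or .htaccess that sets only DeflateInflateRatioLimit gets a fresh deflate_dirconf_t whose inflate_limit is 0 and whose ratio_burst is the compiled default, so a DeflateInflateLimitRequestBody set in an enclosing section is silently dropped there (falling back to LimitRequestBody). Either add a merge function that takes only the child's explicitly set fields, or document that the three directives must be set together in any section that sets one of them.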
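Review bot: in 27_httpd-2.2.27-CVE-2014-0226.patch, scoreboard.h hunk @@ -189,7 +189,24 @@, the new doc comment for ap_get_scoreboard_worker documents @param child_num and @param thread_num, but the prototype still reads "AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y);", so doxygen will flag the mismatch; rename the prototype parameters as was done for ap_copy_scoreboard_worker, or adjust the @param names.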
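Review bot: in scoreboard.c hunk @@ -510,6 +510,21 @@, ap_copy_scoreboard_worker() does an unsynchronised memcpy of an entry that worker threads update concurrently, so the copy can be torn (status and request from different requests); that is acceptable for a status display, and the property that actually closes the over-read is the explicit NUL termination of client, request and vhost, which bounds every string read from the copy no matter what the writer was doing mid-copy. The comment "it should be true those last bytes are always zero anyway" undersells this: suggest rewording it to say the termination is what makes the snapshot safe to read while the entry is being rewritten.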
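Review bot: mod_status.c hunk @@ -333,7 +333,7 @@ converts the one call "ws_record = ap_get_scoreboard_worker(i, j);" to ap_copy_scoreboard_worker(), but the code in status_handler that later prints ws_record->client, ->request and ->vhost is outside the diff; please confirm no other direct ap_get_scoreboard_worker() read of those string fields remains in the extended-status output path, since any pointer-based read would keep the original over-read.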
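Review bot: in 28_httpd-2.2.27-CVE-2014-0231.patch, hunk @@ -987,7 +998,16 @@ adds set_script_timeout() with no blank line separating it from the closing brace of set_script_socket() or from "static const command_rec cgid_cmds[] =", and hunk @@ -934,7 +938,14 @@ inserts a stray blank line between the set_scriptlog() signature and its opening brace. On the logic side, set_script_timeout() accepts 0 without comment, and the handler's "if (dc->timeout > 0)" test then silently substitutes the server Timeout; the directive help text should say that 0 (or an unset directive) means the server Timeout applies.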
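Review bot: in hunk @@ -999,6 +1019,10 @@ the CGIDScriptTimeout help text "The amount of time to wait between successful reads from the CGI script" describes only half of what the value does: it is applied with apr_file_pipe_timeout_set() to tempsock, which is also the descriptor the request body is written to, so it bounds the writes that this fix is about (the "Error writing request body to script" path). Suggest wording along the lines of "timeout for reads from and writes to the CGI script" so administrators understand that a script which ignores stdin now fails the request after this interval instead of tying up a child indefinitely.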
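Review bot: the timeout selection block "if (dc->timeout > 0) { apr_file_pipe_timeout_set(tempsock, dc->timeout); } else { apr_file_pipe_timeout_set(tempsock, r->server->timeout); }" is duplicated verbatim in hunk @@ -1412,6 +1440,12 @@ (cgid_handler) and hunk @@ -1736,6 +1782,13 @@ (include_cmd); a small static helper would keep the two in sync, and both sites ignore the apr_status_t returned by apr_file_pipe_timeout_set(). The cgid_handler hunk at @@ -1335,11 +1359,15 @@ also adds two blank lines after "dc = ap_get_module_config(r->per_dir_config, &cgid_module);" where one would do.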
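Review bot: in hunk @@ -1487,6 +1521,10 @@ the new APLOG_ERR line fires every time a script stops reading its stdin, while the request itself continues unchanged (child_stopped_reading = 1 was already set); scripts that deliberately ignore a POST body will now emit one error per request, so APLOG_WARNING or APLOG_INFO may be the better level, or the message should say the request is still being served. The hunk also adds a trailing blank line before the closing brace of that branch.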
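Review bot: the rename of 20_all_peruser_0.4.0-rc2.patch to 30_all_peruser_0.4.0-rc2.patch makes the peruser patch apply after 26_, 27_ and 28_, and its context line is updated to the new "worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record);" declaration so the mod_status hunk still matches; the commit message should say that this is why the file was renamed. Please also check the rest of the peruser patch (the "@@ -268,6 +271,7 @@" hunk onwards is cut off here) for its own ap_get_scoreboard_worker() pointer reads in the peruser-stats output, which would reintroduce the CVE-2014-0226 pattern that 27_ removes.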