[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#542623: apache2: segfaults when using mod_deflate

Package: apache2.2-common
Version: 2.2.12-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch

The fix for CVE-2009-1891 that is included in upstream's 2.2.12 release
causes segfaults when using mod_deflate.

*** /tmp/tmpajcHE_
In Ubuntu, we've applied the attached patch to achieve the following:

  * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: 
    - Fix potential segfaults with the use of the legacy ap_rputs() etc
      interfaces, in cases where an output filter fails. This happens
      frequently after CVE-2009-1891 got fixed. (LP: #409987) 

We thought you might be interested in doing the same. 

-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-6-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils           2.2.12-1ubuntu2  utility programs for webservers
ii  apache2.2-bin           2.2.12-1ubuntu2  Apache HTTP Server common binary f
ii  libmagic1               5.03-1ubuntu1    File type determination library us
ii  lsb-base                4.0-0ubuntu2     Linux Standard Base 4.0 init scrip
ii  mime-support            3.46-1           MIME files 'mime.types' & 'mailcap
ii  perl                    5.10.0-24ubuntu2 Larry Wall's Practical Extraction 
ii  procps                  1:3.2.8-1ubuntu2 /proc file system utilities
diff -u apache2-2.2.12/debian/changelog apache2-2.2.12/debian/changelog
diff -u apache2-2.2.12/debian/patches/00list apache2-2.2.12/debian/patches/00list
--- apache2-2.2.12/debian/patches/00list
+++ apache2-2.2.12/debian/patches/00list
@@ -25,0 +26 @@
only in patch2:
--- apache2-2.2.12.orig/debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch
+++ apache2-2.2.12/debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 203_fix_legacy_ap_rputs_segfaults.dpatch by Marc Deslauriers <marc.deslauriers@ubuntu.com>
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix potential segfaults with the use of the legacy ap_rputs() etc
+## DP:              interfaces, in cases where an output filter fails. This happens
+## DP:              frequently after CVE-2009-1891 got fixed.
+## DP: Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/409987
+## DP: Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537665
+## DP: Upstream: https://issues.apache.org/bugzilla/show_bug.cgi?id=36780
+## DP: Patch: http://svn.apache.org/viewvc?view=rev&revision=800333
+diff -urNad apache2-2.2.12~/server/util_filter.c apache2-2.2.12/server/util_filter.c
+--- apache2-2.2.12~/server/util_filter.c	2006-07-11 23:38:44.000000000 -0400
++++ apache2-2.2.12/server/util_filter.c	2009-08-17 15:37:59.000000000 -0400
+@@ -578,8 +578,18 @@
+                                                 void *ctx)
+ {
+     ap_filter_t *f = ctx;
++    apr_status_t rv;
+-    return ap_pass_brigade(f, bb);
++    rv = ap_pass_brigade(f, bb);
++    /* Before invocation of the flush callback, apr_brigade_write et
++     * al may place transient buckets in the brigade, which will fall
++     * out of scope after returning.  Empty the brigade here, to avoid
++     * issues with leaving such buckets in the brigade if some filter
++     * fails and leaves a non-empty brigade. */
++    apr_brigade_cleanup(bb);
++    return rv;
+ }
+ AP_DECLARE(apr_status_t) ap_fflush(ap_filter_t *f, apr_bucket_brigade *bb)

Reply to: