Bug#542623: apache2: segfaults when using mod_deflate
Package: apache2.2-common
Version: 2.2.12-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu karmic ubuntu-patch
The fix for CVE-2009-1891 that is included in upstream's 2.2.12 release
causes segfaults when using mod_deflate.
In Ubuntu, we've applied the attached patch to achieve the following:
* debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch:
- Fix potential segfaults with the use of the legacy ap_rputs() etc
interfaces, in cases where an output filter fails. This happens
frequently after CVE-2009-1891 got fixed. (LP: #409987)
We thought you might be interested in doing the same.
-- System Information:
Debian Release: squeeze/sid
APT prefers karmic-updates
APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-6-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.12-1ubuntu2 utility programs for webservers
ii apache2.2-bin 2.2.12-1ubuntu2 Apache HTTP Server common binary f
ii libmagic1 5.03-1ubuntu1 File type determination library us
ii lsb-base 4.0-0ubuntu2 Linux Standard Base 4.0 init scrip
ii mime-support 3.46-1 MIME files 'mime.types' & 'mailcap
ii perl 5.10.0-24ubuntu2 Larry Wall's Practical Extraction
ii procps 1:3.2.8-1ubuntu2 /proc file system utilities
diff -u apache2-2.2.12/debian/changelog apache2-2.2.12/debian/changelog
diff -u apache2-2.2.12/debian/patches/00list apache2-2.2.12/debian/patches/00list
--- apache2-2.2.12/debian/patches/00list
+++ apache2-2.2.12/debian/patches/00list
@@ -25,0 +26 @@
+203_fix_legacy_ap_rputs_segfaults
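Review bot: the 00list hunk is a pure insertion with no context lines (@@ -25,0 +26 @@), so it only applies if the patch list has exactly 25 entries before it; a hunk with the neighbouring entries as context would survive a reordered or longer 00list. Also, the debian/changelog diff header above carries no hunk at all, so the changelog entry quoted in the report is not actually part of the attached patch.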
only in patch2:
unchanged:
--- apache2-2.2.12.orig/debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch
+++ apache2-2.2.12/debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 203_fix_legacy_ap_rputs_segfaults.dpatch by Marc Deslauriers <marc.deslauriers@ubuntu.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Description: Fix potential segfaults with the use of the legacy ap_rputs() etc
+## DP: interfaces, in cases where an output filter fails. This happens
+## DP: frequently after CVE-2009-1891 got fixed.
+## DP: Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/409987
+## DP: Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537665
+## DP: Upstream: https://issues.apache.org/bugzilla/show_bug.cgi?id=36780
+## DP: Patch: http://svn.apache.org/viewvc?view=rev&revision=800333
+
+@DPATCH@
+diff -urNad apache2-2.2.12~/server/util_filter.c apache2-2.2.12/server/util_filter.c
+--- apache2-2.2.12~/server/util_filter.c 2006-07-11 23:38:44.000000000 -0400
++++ apache2-2.2.12/server/util_filter.c 2009-08-17 15:37:59.000000000 -0400
+@@ -578,8 +578,18 @@
+ void *ctx)
+ {
+ ap_filter_t *f = ctx;
++ apr_status_t rv;
+
+- return ap_pass_brigade(f, bb);
++ rv = ap_pass_brigade(f, bb);
++
++ /* Before invocation of the flush callback, apr_brigade_write et
++ * al may place transient buckets in the brigade, which will fall
++ * out of scope after returning. Empty the brigade here, to avoid
++ * issues with leaving such buckets in the brigade if some filter
++ * fails and leaves a non-empty brigade. */
++ apr_brigade_cleanup(bb);
++
++ return rv;
+ }
+
+ AP_DECLARE(apr_status_t) ap_fflush(ap_filter_t *f, apr_bucket_brigade *bb)
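Review bot: apr_brigade_cleanup(bb) runs on every return path, not only when ap_pass_brigade fails, while the comment above it only motivates the failure case ("if some filter fails and leaves a non-empty brigade"). Either guard it with `if (rv != APR_SUCCESS)` or extend the comment to say that on success the downstream filters are expected to have consumed the buckets already, so the cleanup is a cheap no-op that simply enforces the empty-brigade invariant. Saving rv and returning it after the cleanup is right: callers of the legacy ap_rputs() family still see the filter's error, and the brigade they keep reusing no longer holds transient buckets whose backing storage has gone out of scope, which is the stale-pointer condition behind the reported segfaults. Note that this only makes subsequent writes memory-safe; a caller that ignores the returned error and keeps writing will still emit a truncated or broken response.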