
Re: Patch for CVE-2018-7490 in uwsgi



Hi Gero Treuner,

On Sunday 18 March 2018 02:32 PM, Gero Treuner wrote:
> Hi all,
> 
> Attached is a wheezy patch for a security issue: 
> https://security-tracker.debian.org/tracker/CVE-2018-7490
> 

Thanks for the patch :)

> The upstream patch was backported, and source code apparently
> didn't change much. Only a small section (~10 lines) from the
> current uwsgi had to be added additionally.
> 

It looks like (and as you also mentioned) you have added the following
lines from the master branch. But I don't see the point of doing this
other than that the upstream patch applies perfectly now. Can you
provide a little more information?

+	// fix docroot
+	if (uphp.docroot) {
+		char *orig_docroot = uphp.docroot;
+		uphp.docroot = uwsgi_expand_path(uphp.docroot,
strlen(uphp.docroot), NULL);
+		if (!uphp.docroot) {
+			uwsgi_log("unable to set php docroot to %s\n", orig_docroot);
+			exit(1);
+		}
+		uwsgi_log("PHP document root set to %s\n", uphp.docroot);
+		uphp.docroot_len = strlen(uphp.docroot);
+	}
+
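Review bot: The comment `// fix docroot` at the top of this block does not say what is being fixed, which is exactly the question raised about these lines. The block replaces uphp.docroot with the result of uwsgi_expand_path() and stores the new length in uphp.docroot_len, so if the rest of the backport relies on an expanded docroot, state that in the comment or in the patch header. The `exit(1)` branch also makes startup fail when the configured docroot cannot be expanded, which is a behaviour change worth recording in the changelog entry.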

> It builds and runs fine here. But PHP is not the backend I am
> using, so: Anyone with PHP to test?
> 
> 
> Kind regards, Gero
> 

Regards.
- --abhijith

