diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-07 02:04:07 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-07 02:04:07 +0000 |
commit | 1221c736f9a90756d47ea6d28320b6b83602dd2a (patch) | |
tree | b453ba7b1393205258c9b098a773b4330984672f /debian/patches/suexec-CVE-2007-1742.patch | |
parent | Adding upstream version 2.4.38. (diff) | |
download | apache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.tar.xz apache2-1221c736f9a90756d47ea6d28320b6b83602dd2a.zip |
Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/suexec-CVE-2007-1742.patch')
-rw-r--r-- | debian/patches/suexec-CVE-2007-1742.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch new file mode 100644 index 0000000..a348cbc --- /dev/null +++ b/debian/patches/suexec-CVE-2007-1742.patch @@ -0,0 +1,66 @@ +Description: Fix race condition with chdir + Fix /var/www* being accepted as docroot instead of /var/www/* + (the same for public_html* instead of public_html/* ) +Author: Stefan Fritsch <sf@debian.org> +Last-Update: 2014-05-29 +Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 +--- a/support/suexec.c ++++ b/support/suexec.c +@@ -42,6 +42,7 @@ + #if APR_HAVE_UNISTD_H + #include <unistd.h> + #endif ++#include <fcntl.h> + + #include <stdio.h> + #include <stdarg.h> +@@ -281,11 +282,12 @@ + char *actual_gname; /* actual group name */ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ +- char dwd[AP_MAXPATH]; /* docroot working directory */ ++ char dwd[AP_MAXPATH+1]; /* docroot working directory */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ + struct stat prg_info; /* program info holder */ ++ int cwdh; /* handle to cwd */ + + /* + * Start with a "clean" environment +@@ -529,11 +531,16 @@ + exit(111); + } + ++ if ( (cwdh = open(".", O_RDONLY)) == -1 ) { ++ log_err("cannot open current working directory\n"); ++ exit(111); ++ } ++ + if (userdir) { + if (((chdir(target_homedir)) != 0) || + ((chdir(AP_USERDIR_SUFFIX)) != 0) || + ((getcwd(dwd, AP_MAXPATH)) == NULL) || +- ((chdir(cwd)) != 0)) { ++ ((fchdir(cwdh)) != 0)) { + log_err("cannot get docroot information (%s)\n", target_homedir); + exit(112); + } +@@ -541,12 +548,16 @@ + else { + if (((chdir(AP_DOC_ROOT)) != 0) || + ((getcwd(dwd, AP_MAXPATH)) == NULL) || +- ((chdir(cwd)) != 0)) { ++ ((fchdir(cwdh)) != 0)) { + log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT); + exit(113); + } + } + ++ close(cwdh); ++ ++ if (strlen(cwd) > strlen(dwd)) ++ strncat(dwd, "/", 1); + if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { + log_err("command not in docroot (%s/%s)\n", cwd, cmd); + exit(114); |