diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 06:33:51 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 06:33:51 +0000 |
| commit | 4f0770f3df78ecd5dcaefbd214f7a1415366bca6 (patch) | |
| tree | 72661b8f81594b855bcc967b819263f63fa30e17 /debian/patches | |
| parent | Adding upstream version 2.4.56. (diff) | |
| download | apache2-4f0770f3df78ecd5dcaefbd214f7a1415366bca6.tar.xz apache2-4f0770f3df78ecd5dcaefbd214f7a1415366bca6.zip | |
Adding debian version 2.4.56-1~deb11u2.debian/2.4.56-1_deb11u2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches')
| -rw-r--r-- | debian/patches/build_suexec-custom.patch | 69 | ||||
| -rw-r--r-- | debian/patches/customize_apxs.patch | 220 | ||||
| -rw-r--r-- | debian/patches/fhs_compliance.patch | 66 | ||||
| -rw-r--r-- | debian/patches/fix-2.4.56-regression-2.patch | 30 | ||||
| -rw-r--r-- | debian/patches/fix-2.4.56-regression.patch | 19 | ||||
| -rw-r--r-- | debian/patches/no_LD_LIBRARY_PATH.patch | 18 | ||||
| -rw-r--r-- | debian/patches/reproducible_builds.diff | 40 | ||||
| -rw-r--r-- | debian/patches/series | 11 | ||||
| -rw-r--r-- | debian/patches/suexec-CVE-2007-1742.patch | 66 | ||||
| -rw-r--r-- | debian/patches/suexec-custom.patch | 190 |
10 files changed, 729 insertions, 0 deletions
diff --git a/debian/patches/build_suexec-custom.patch b/debian/patches/build_suexec-custom.patch new file mode 100644 index 0000000..a509cd5 --- /dev/null +++ b/debian/patches/build_suexec-custom.patch @@ -0,0 +1,69 @@ +Description: add suexec-custom to the build system +Forwarded: not-needed +Author: Stefan Fritsch <sf@debian.org> +Last-Update: 2012-02-25 +--- a/Makefile.in ++++ b/Makefile.in +@@ -293,23 +293,26 @@ + install-suexec: install-suexec-$(INSTALL_SUEXEC) + + install-suexec-binary: +- @if test -f $(builddir)/support/suexec; then \ +- test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ +- $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ ++ @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \ ++ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ ++ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec-pristine $(DESTDIR)$(sbindir); \ ++ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec-custom $(DESTDIR)$(sbindir); \ + fi + + install-suexec-setuid: install-suexec-binary +- @if test -f $(builddir)/support/suexec; then \ +- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ ++ @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \ ++ chmod 4755 $(DESTDIR)$(sbindir)/suexec-pristine; \ ++ chmod 4755 $(DESTDIR)$(sbindir)/suexec-custom; \ + fi + + install-suexec-caps: install-suexec-binary +- @if test -f $(builddir)/support/suexec; then \ +- setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ ++ @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \ ++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec-pristine; \ ++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec-custom; \ + fi + + suexec: +- cd support && $(MAKE) suexec ++ cd support && $(MAKE) suexec-pristine suexec-custom + + x-local-distclean: + @rm -rf autom4te.cache +--- a/support/Makefile.in ++++ b/support/Makefile.in +@@ -1,7 +1,7 @@ + DISTCLEAN_TARGETS = apxs apachectl dbmmanage log_server_status \ + logresolve.pl phf_abuse_log.cgi split-logfile envvars-std + +-CLEAN_TARGETS = suexec ++CLEAN_TARGETS = suexec-pristine suexec-custom + + bin_PROGRAMS = htpasswd htdigest htdbm ab logresolve httxt2dbm + sbin_PROGRAMS = htcacheclean rotatelogs $(NONPORTABLE_SUPPORT) +@@ -72,9 +72,13 @@ + checkgid: $(checkgid_OBJECTS) + $(LINK) $(checkgid_LTFLAGS) $(checkgid_OBJECTS) $(PROGRAM_LDADD) + +-suexec_OBJECTS = suexec.lo +-suexec: $(suexec_OBJECTS) +- $(LINK) $(suexec_OBJECTS) ++suexec-pristine_OBJECTS = suexec.lo ++suexec-pristine: $(suexec-pristine_OBJECTS) ++ $(LINK) $(suexec-pristine_OBJECTS) ++ ++suexec-custom_OBJECTS = suexec-custom.lo ++suexec-custom: $(suexec-custom_OBJECTS) ++ $(LINK) $(suexec-custom_OBJECTS) + + htcacheclean_OBJECTS = htcacheclean.lo + htcacheclean: $(htcacheclean_OBJECTS) diff --git a/debian/patches/customize_apxs.patch b/debian/patches/customize_apxs.patch new file mode 100644 index 0000000..281b910 --- /dev/null +++ b/debian/patches/customize_apxs.patch @@ -0,0 +1,220 @@ +Description: Adapt apxs to Debian specific changes + - Make apxs2 use a2enmod and /etc/apache2/mods-available + - Make libtool happier + - Use LDFLAGS from config_vars.mk, allows one to override them +Forwarded: not-needed +Author: Stefan Fritsch <sf@debian.org> +Last-Update: 2012-03-17 + +--- a/support/apxs.in ++++ b/support/apxs.in +@@ -48,7 +48,7 @@ + my $CFG_TARGET = get_vars("progname"); + my $CFG_SYSCONFDIR = get_vars("sysconfdir"); + my $CFG_CFLAGS = join ' ', map { get_vars($_) } +- qw(SHLTCFLAGS CFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS); ++ qw(SHLTCFLAGS CFLAGS CPPFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS); + my $CFG_LDFLAGS = join ' ', map { get_vars($_) } + qw(LDFLAGS NOTEST_LDFLAGS SH_LDFLAGS); + my $includedir = $destdir . get_vars("includedir"); +@@ -59,7 +59,7 @@ + my $sbindir = get_vars("sbindir"); + my $CFG_SBINDIR = eval qq("$sbindir"); + my $ltflags = $ENV{'LTFLAGS'}; +-$ltflags or $ltflags = "--silent"; ++$ltflags or $ltflags = ""; + + my %internal_vars = map {$_ => 1} + qw(TARGET CC CFLAGS CFLAGS_SHLIB LD_SHLIB LDFLAGS_SHLIB LIBS_SHLIB +@@ -286,6 +286,7 @@ + $data =~ s|%TARGET%|$CFG_TARGET|sg; + $data =~ s|%PREFIX%|$prefix|sg; + $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; ++ $data =~ s|%DATADIR%|$datadir|sg; + + my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); + +@@ -438,7 +439,7 @@ + $la =~ s|\.c$|.la|; + my $o = $s; + $o =~ s|\.c$|.o|; +- push(@cmds, "$libtool $ltflags --mode=compile $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo"); ++ push(@cmds, "$libtool $ltflags --mode=compile --tag=disable-static $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo"); + unshift(@objs, $lo); + } + +@@ -479,7 +480,7 @@ + $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags"; + } + +- push(@cmds, "$libtool $ltflags --mode=link $CFG_CC $ldflags -o $dso_file $opt $lo"); ++ push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC $ldflags -o $dso_file $opt $lo"); + + # execute the commands + &execute_cmds(@cmds); +@@ -513,7 +514,7 @@ + if ($opt_i) { + push(@cmds, $destdir . "$installbuilddir/instdso.sh SH_LIBTOOL='" . + "$libtool' $f $CFG_LIBEXECDIR"); +- push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t"); ++ push(@cmds, "chmod 644 $CFG_LIBEXECDIR/$t"); + } + + # determine module symbolname and filename +@@ -549,10 +550,11 @@ + $filename = "mod_${name}.c"; + } + my $dir = $CFG_LIBEXECDIR; +- $dir =~ s|^$CFG_PREFIX/?||; ++ # Debian doesn't have a CFG_PREFIX, so this stuffs up: ++ # $dir =~ s|^$CFG_PREFIX/?||; + $dir =~ s|(.)$|$1/|; + $t =~ s|\.la$|.so|; +- push(@lmd, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t")); ++ push(@lmd, [ $name, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t") ] ); + } + + # execute the commands +@@ -560,108 +562,35 @@ + + # activate module via LoadModule/AddModule directive + if ($opt_a or $opt_A) { +- if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") { +- error("Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found"); ++ if (not -d "$CFG_SYSCONFDIR/mods-available") { ++ error("Config file $CFG_SYSCONFDIR/mods-available not found"); + exit(1); + } + +- open(FP, "<$CFG_SYSCONFDIR/$CFG_TARGET.conf") || die; +- my $content = join('', <FP>); +- close(FP); +- +- if ($content !~ m|\n#?\s*LoadModule\s+|) { +- error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_TARGET.conf file."); +- error("At least one `LoadModule' directive already has to exist."); +- exit(1); +- } +- +- my $lmd; +- my $c = ''; +- $c = '#' if ($opt_A); +- foreach $lmd (@lmd) { +- my $what = $opt_A ? "preparing" : "activating"; +- my $lmd_re = $lmd; +- $lmd_re =~ s/\s+/\\s+/g; +- +- if ($content !~ m|\n#?\s*$lmd_re|) { +- # check for open <containers>, so that the new LoadModule +- # directive always appears *outside* of an <container>. +- +- my $before = ($content =~ m|^(.*\n)#?\s*LoadModule\s+[^\n]+\n|s)[0]; +- +- # the '()=' trick forces list context and the scalar +- # assignment counts the number of list members (aka number +- # of matches) then +- my $cntopen = () = ($before =~ m|^\s*<[^/].*$|mg); +- my $cntclose = () = ($before =~ m|^\s*</.*$|mg); +- +- if ($cntopen == $cntclose) { +- # fine. Last LoadModule is contextless. +- $content =~ s|^(.*\n#?\s*LoadModule\s+[^\n]+\n)|$1$c$lmd\n|s; ++ my $entry; ++ foreach $entry (@lmd) { ++ my ($name, $lmd) = @{$entry}; ++ my $filename = "$CFG_SYSCONFDIR/mods-available/$name.load"; ++ if (-f $filename) { ++ my $cmd = "mv $filename $filename.bak~"; ++ if (system($cmd) != 0) { ++ die "'$cmd' failed\n"; + } +- elsif ($cntopen < $cntclose) { +- error('Configuration file is not valid. There are sections' +- . ' closed before opened.'); +- exit(1); +- } +- else { +- # put our cmd after the section containing the last +- # LoadModule. +- my $found = +- $content =~ s!\A ( # string and capture start +- (?:(?: +- ^\s* # start of conf line with a +- (?:[^<]|<[^/]) # directive which does not +- # start with '</' +- +- .*(?:$)\n # rest of the line. +- # the '$' is in parentheses +- # to avoid misinterpreting +- # the string "$\" as +- # perl variable. +- +- )* # catch as much as possible +- # of such lines. (including +- # zero) +- +- ^\s*</.*(?:$)\n? # after the above, we +- # expect a config line with +- # a closing container (</) +- +- ) {$cntopen} # the whole pattern (bunch +- # of lines that end up with +- # a closing directive) must +- # be repeated $cntopen +- # times. That's it. +- # Simple, eh? ;-) +- +- ) # capture end +- !$1$c$lmd\n!mx; +- +- unless ($found) { +- error('Configuration file is not valid. There are ' +- . 'sections opened and not closed.'); +- exit(1); +- } ++ } ++ ++ notice("[preparing module `$name' in $filename]"); ++ open(FP, ">$filename") || die; ++ print FP "$lmd\n"; ++ close(FP); ++ ++ if ($opt_a) { ++ my $cmd = "a2enmod $name"; ++ if (system($cmd) != 0) { ++ die "'$cmd' failed\n"; + } +- } else { +- # replace already existing LoadModule line +- $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s; +- } +- $lmd =~ m|LoadModule\s+(.+?)_module.*|; +- notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]"); +- } +- if (@lmd) { +- if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) { +- print FP $content; +- close(FP); +- system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " . +- "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " . +- "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new"); +- } else { +- notice("unable to open configuration file"); + } +- } ++ ++ } + } + } + +@@ -681,8 +610,8 @@ + ## + + builddir=. +-top_srcdir=%PREFIX% +-top_builddir=%PREFIX% ++top_srcdir=%DATADIR% ++top_builddir=%DATADIR% + include %INSTALLBUILDDIR%/special.mk + + # the used tools diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch new file mode 100644 index 0000000..e6522c1 --- /dev/null +++ b/debian/patches/fhs_compliance.patch @@ -0,0 +1,66 @@ +Description: Fix up FHS file locations for apache2 droppings. +Forwarded: not-needed +Author: Adam Conrad <adconrad@0c3.net> +Reviewed-By: Yadd <yadd@debian.org> +Last-Update: 2023-01-18 + +--- a/configure ++++ b/configure +@@ -42075,13 +42075,13 @@ + ap_prefix="${ap_cur}" + + +-printf "%s\n" "#define HTTPD_ROOT \"${ap_prefix}\"" >>confdefs.h ++printf "%s\n" "#define HTTPD_ROOT \"/etc/apache2\"" >>confdefs.h + + +-printf "%s\n" "#define SERVER_CONFIG_FILE \"${rel_sysconfdir}/${progname}.conf\"" >>confdefs.h ++printf "%s\n" "#define SERVER_CONFIG_FILE \"${progname}.conf\"" >>confdefs.h + + +-printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h ++printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"mime.types\"" >>confdefs.h + + + perlbin=`$ac_aux_dir/PrintPath perl` +--- a/configure.in ++++ b/configure.in +@@ -901,11 +901,11 @@ + echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c + + APR_EXPAND_VAR(ap_prefix, $prefix) +-AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_prefix}", ++AC_DEFINE_UNQUOTED(HTTPD_ROOT, "/etc/apache2", + [Root directory of the Apache install area]) +-AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", ++AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${progname}.conf", + [Location of the config file, relative to the Apache root directory]) +-AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", ++AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "mime.types", + [Location of the MIME types config file, relative to the Apache root directory]) + + perlbin=`$ac_aux_dir/PrintPath perl` +--- a/include/ap_config_layout.h.in ++++ b/include/ap_config_layout.h.in +@@ -60,5 +60,6 @@ + #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" + #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" + #define DEFAULT_REL_PROXYCACHEDIR "@rel_proxycachedir@" ++#define DEFAULT_PIDLOG "/var/run/apache2.pid" + + #endif /* AP_CONFIG_LAYOUT_H */ +--- a/include/httpd.h ++++ b/include/httpd.h +@@ -107,10 +107,10 @@ + #ifndef DOCUMENT_LOCATION + #ifdef OS2 + /* Set default for OS/2 file system */ +-#define DOCUMENT_LOCATION HTTPD_ROOT "/docs" ++#define DOCUMENT_LOCATION "/var/www/html" + #else + /* Set default for non OS/2 file system */ +-#define DOCUMENT_LOCATION HTTPD_ROOT "/htdocs" ++#define DOCUMENT_LOCATION "/var/www/html" + #endif + #endif /* DOCUMENT_LOCATION */ + diff --git a/debian/patches/fix-2.4.56-regression-2.patch b/debian/patches/fix-2.4.56-regression-2.patch new file mode 100644 index 0000000..d19373c --- /dev/null +++ b/debian/patches/fix-2.4.56-regression-2.patch @@ -0,0 +1,30 @@ +Description: h2 request headers clone instead of copy +Author: Stefan Eissing +Origin: upstream, https://bz.apache.org/bugzilla/attachment.cgi?id=38527&action=diff +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=66539 +Bug-Debian: https://bugs.debian.org/1033408 +Forwarded: not-needed +Applied-Upstream: 2.4.57 +Reviewed-By: Yadd <yadd@debian.org> +Last-Update: 2023-04-02 + +--- a/modules/http2/h2_request.c ++++ b/modules/http2/h2_request.c +@@ -279,7 +279,7 @@ + apr_bucket *h2_request_create_bucket(const h2_request *req, request_rec *r) + { + conn_rec *c = r->connection; +- apr_table_t *headers = apr_table_copy(r->pool, req->headers); ++ apr_table_t *headers = apr_table_clone(r->pool, req->headers); + const char *uri = req->path; + + AP_DEBUG_ASSERT(req->authority); +@@ -303,7 +303,7 @@ + { + const char *cl; + +- r->headers_in = apr_table_copy(r->pool, req->headers); ++ r->headers_in = apr_table_clone(r->pool, req->headers); + if (req->authority) { + /* for internal handling, we have to simulate that :authority + * came in as Host:, RFC 9113 ch. says that mismatches between diff --git a/debian/patches/fix-2.4.56-regression.patch b/debian/patches/fix-2.4.56-regression.patch new file mode 100644 index 0000000..0203491 --- /dev/null +++ b/debian/patches/fix-2.4.56-regression.patch @@ -0,0 +1,19 @@ +Description: fix 2.4.56 regression +Author: covener +Bug-Debian: https://bugs.debian.org/1033284 +Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=1908813&r2=1908812&pathrev=1908813 +Forwarded: not-needed +Applied-Upstream: 2.4.57 +Reviewed-By: Yadd <yadd@debian.org> +Last-Update: 2023-04-01 + +--- a/modules/mappers/mod_rewrite.c ++++ b/modules/mappers/mod_rewrite.c +@@ -3854,6 +3854,7 @@ + if (*(a2_end-1) == '?') { + /* a literal ? at the end of the unsubstituted rewrite rule */ + newrule->flags |= RULEFLAG_QSNONE; ++ *(a2_end-1) = '\0'; /* trailing ? has done its job */ + } + else if (newrule->flags & RULEFLAG_QSDISCARD) { + if (NULL == ap_strchr(newrule->output, '?')) { diff --git a/debian/patches/no_LD_LIBRARY_PATH.patch b/debian/patches/no_LD_LIBRARY_PATH.patch new file mode 100644 index 0000000..85966fd --- /dev/null +++ b/debian/patches/no_LD_LIBRARY_PATH.patch @@ -0,0 +1,18 @@ +Description: Remove LD_LIBRARY_PATH from envvars-std +Forwarded: no +Author: Adam Conrad <adconrad@0c3.net> +Last-Update: 2012-04-15 +--- a/support/envvars-std.in ++++ b/support/envvars-std.in +@@ -18,11 +18,4 @@ + # + # This file is generated from envvars-std.in + # +-if test "x$@SHLIBPATH_VAR@" != "x" ; then +- @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" +-else +- @SHLIBPATH_VAR@="@exp_libdir@" +-fi +-export @SHLIBPATH_VAR@ +-# + @OS_SPECIFIC_VARS@ diff --git a/debian/patches/reproducible_builds.diff b/debian/patches/reproducible_builds.diff new file mode 100644 index 0000000..36f71e2 --- /dev/null +++ b/debian/patches/reproducible_builds.diff @@ -0,0 +1,40 @@ +Description: Make builds reproducible + Don't use __DATE__ __TIME__. Use changelog date instead. + Sort exported symbols. +Author: Jean-Michel Vourgère <nirgal@debian.org> +Forwarded: no +Last-Update: 2015-08-11 + +--- a/server/buildmark.c ++++ b/server/buildmark.c +@@ -17,11 +17,7 @@ + #include "ap_config.h" + #include "httpd.h" + +-#if defined(__DATE__) && defined(__TIME__) +-static const char server_built[] = __DATE__ " " __TIME__; +-#else +-static const char server_built[] = "unknown"; +-#endif ++static const char server_built[] = BUILD_DATETIME; + + AP_DECLARE(const char *) ap_get_server_built() + { +--- a/server/Makefile.in ++++ b/server/Makefile.in +@@ -1,3 +1,4 @@ ++export LC_ALL = C + + CLEAN_TARGETS = gen_test_char test_char.h \ + ApacheCoreOS2.def httpd.exp export_files \ +@@ -82,8 +83,8 @@ + @echo "#! ." > $@ + @echo "* This file was AUTOGENERATED at build time." >> $@ + @echo "* Please do not edit by hand." >> $@ +- $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) exports.c | grep "ap_hack_" | grep -v apr_ | sed -e 's/^.*[)]\(.*\);$$/\1/' >> $@ +- $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) export_vars.h | grep -v apr_ | sed -e 's/^\#[^!]*//' | sed -e '/^$$/d' >> $@ ++ $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) exports.c | grep "ap_hack_" | grep -v apr_ | sed -e 's/^.*[)]\(.*\);$$/\1/' | sort >> $@ ++ $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) export_vars.h | grep -v apr_ | sed -e 's/^\#[^!]*//' | sed -e '/^$$/d' | sort >> $@ + + + # developer stuff diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..6d73824 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,11 @@ +fhs_compliance.patch +no_LD_LIBRARY_PATH.patch +suexec-CVE-2007-1742.patch +customize_apxs.patch +build_suexec-custom.patch +reproducible_builds.diff +fix-2.4.56-regression.patch +fix-2.4.56-regression-2.patch + +# This patch is applied manually +#suexec-custom.patch diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch new file mode 100644 index 0000000..159c2c9 --- /dev/null +++ b/debian/patches/suexec-CVE-2007-1742.patch @@ -0,0 +1,66 @@ +Description: Fix race condition with chdir + Fix /var/www* being accepted as docroot instead of /var/www/* + (the same for public_html* instead of public_html/* ) +Author: Stefan Fritsch <sf@debian.org> +Last-Update: 2014-05-29 +Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 +--- a/support/suexec.c ++++ b/support/suexec.c +@@ -42,6 +42,7 @@ + #if APR_HAVE_UNISTD_H + #include <unistd.h> + #endif ++#include <fcntl.h> + + #include <stdio.h> + #include <stdarg.h> +@@ -279,11 +280,12 @@ + char *actual_gname; /* actual group name */ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ +- char dwd[AP_MAXPATH]; /* docroot working directory */ ++ char dwd[AP_MAXPATH+1]; /* docroot working directory */ + struct passwd *pw; /* password entry holder */ + struct group *gr; /* group entry holder */ + struct stat dir_info; /* directory info holder */ + struct stat prg_info; /* program info holder */ ++ int cwdh; /* handle to cwd */ + + /* + * Start with a "clean" environment +@@ -529,11 +531,16 @@ + exit(111); + } + ++ if ( (cwdh = open(".", O_RDONLY)) == -1 ) { ++ log_err("cannot open current working directory\n"); ++ exit(111); ++ } ++ + if (userdir) { + if (((chdir(target_homedir)) != 0) || + ((chdir(AP_USERDIR_SUFFIX)) != 0) || + ((getcwd(dwd, AP_MAXPATH)) == NULL) || +- ((chdir(cwd)) != 0)) { ++ ((fchdir(cwdh)) != 0)) { + log_err("cannot get docroot information (%s)\n", target_homedir); + exit(112); + } +@@ -541,12 +548,16 @@ + else { + if (((chdir(AP_DOC_ROOT)) != 0) || + ((getcwd(dwd, AP_MAXPATH)) == NULL) || +- ((chdir(cwd)) != 0)) { ++ ((fchdir(cwdh)) != 0)) { + log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT); + exit(113); + } + } + ++ close(cwdh); ++ ++ if (strlen(cwd) > strlen(dwd)) ++ strncat(dwd, "/", 1); + if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { + log_err("command not in docroot (%s/%s)\n", cwd, cmd); + exit(114); diff --git a/debian/patches/suexec-custom.patch b/debian/patches/suexec-custom.patch new file mode 100644 index 0000000..37b761d --- /dev/null +++ b/debian/patches/suexec-custom.patch @@ -0,0 +1,190 @@ +Description: the actual patch to make suexec-custom read a config file +Forwarded: not-needed +Author: Stefan Fritsch <sf@debian.org> +Last-Update: 2018-07-17 +--- a/support/suexec-custom.c ++++ b/support/suexec-custom.c +@@ -29,6 +29,7 @@ + * + * + */ ++#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/" + + #include "apr.h" + #include "ap_config.h" +@@ -39,6 +40,7 @@ + #include <sys/types.h> + #include <string.h> + #include <time.h> ++#include <ctype.h> + #if APR_HAVE_UNISTD_H + #include <unistd.h> + #endif +@@ -222,6 +224,26 @@ + return; + } + ++static int read_line(char *buf, FILE *file) { ++ char *p; ++ p = fgets(buf, AP_MAXPATH+1, file); ++ if (!p) return 0; ++ if (*p == '\0') return 1; ++ ++ p = buf; ++ while (*p) ++ p++; ++ p--; ++ ++ /* remove trailing space and slash */ ++ while ( isspace(*p) && p >= buf ) ++ *p-- = '\0'; ++ while ( *p == '/' && p >= buf ) ++ *p-- = '\0'; ++ ++ return 1; ++} ++ + static void clean_env(void) + { + char **cleanenv; +@@ -286,6 +308,11 @@ + struct stat dir_info; /* directory info holder */ + struct stat prg_info; /* program info holder */ + int cwdh; /* handle to cwd */ ++ char *suexec_docroot = NULL; ++ char *suexec_userdir_suffix = NULL; ++ char *filename = NULL; ++ FILE *configfile; ++ + + /* + * Start with a "clean" environment +@@ -315,15 +342,10 @@ + || (! strcmp(AP_HTTPD_USER, pw->pw_name))) + #endif /* _OSD_POSIX */ + ) { +-#ifdef AP_DOC_ROOT +- fprintf(stderr, " -D AP_DOC_ROOT=\"%s\"\n", AP_DOC_ROOT); +-#endif ++ fprintf(stderr, " -D SUEXEC_CONFIG_DIR=%s\n", SUEXEC_CONFIG_DIR); + #ifdef AP_GID_MIN + fprintf(stderr, " -D AP_GID_MIN=%d\n", AP_GID_MIN); + #endif +-#ifdef AP_HTTPD_USER +- fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); +-#endif + #if defined(AP_LOG_SYSLOG) + fprintf(stderr, " -D AP_LOG_SYSLOG\n"); + #elif defined(AP_LOG_EXEC) +@@ -338,9 +360,6 @@ + #ifdef AP_UID_MIN + fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN); + #endif +-#ifdef AP_USERDIR_SUFFIX +- fprintf(stderr, " -D AP_USERDIR_SUFFIX=\"%s\"\n", AP_USERDIR_SUFFIX); +-#endif + exit(0); + } + /* +@@ -355,23 +374,6 @@ + target_gname = argv[2]; + cmd = argv[3]; + +- /* +- * Check to see if the user running this program +- * is the user allowed to do so as defined in +- * suexec.h. If not the allowed user, error out. +- */ +-#ifdef _OSD_POSIX +- /* User name comparisons are case insensitive on BS2000/OSD */ +- if (strcasecmp(AP_HTTPD_USER, pw->pw_name)) { +- log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER); +- exit(103); +- } +-#else /*_OSD_POSIX*/ +- if (strcmp(AP_HTTPD_USER, pw->pw_name)) { +- log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER); +- exit(103); +- } +-#endif /*_OSD_POSIX*/ + + /* + * Check for a leading '/' (absolute path) in the command to be executed, +@@ -396,6 +398,59 @@ + } + + /* ++ * Check to see if the user running this program ++ * is the user allowed to do so as defined in ++ * SUEXEC_CONFIG_DIR/username ++ * If not, error out. ++ */ ++ suexec_docroot = malloc(AP_MAXPATH+1); ++ suexec_userdir_suffix = malloc(AP_MAXPATH+1); ++ if (!suexec_docroot || !suexec_userdir_suffix || ++ asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name) == -1) { ++ log_err("malloc failed\n"); ++ exit(120); ++ } ++ ++ configfile = fopen(filename, "r"); ++ if (!configfile) { ++ log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename); ++ exit(123); ++ } ++ ++ if (!read_line(suexec_docroot, configfile)) { ++ log_err("Could not read docroot from %s\n", filename); ++ exit(124); ++ } ++ ++ if (!read_line(suexec_userdir_suffix, configfile)) { ++ log_err("Could not read userdir suffix from %s\n", filename); ++ exit(125); ++ } ++ ++ fclose(configfile); ++ ++ if (userdir) { ++ if ( !isalnum(*suexec_userdir_suffix) && suexec_userdir_suffix[0] != '.') { ++ log_err("userdir suffix disabled in %s\n", filename); ++ exit(126); ++ } ++ } ++ else { ++ if (suexec_docroot[0] != '/') { ++ log_err("docroot disabled in %s\n", filename); ++ exit(127); ++ } ++ ++ if (suexec_docroot[1] == '/' || ++ suexec_docroot[1] == '.' || ++ suexec_docroot[1] == '\0' ) ++ { ++ log_err("invalid docroot %s in %s\n", suexec_docroot, filename); ++ exit(128); ++ } ++ } ++ ++ /* + * Error out if the target username is invalid. + */ + if (strspn(target_uname, "1234567890") != strlen(target_uname)) { +@@ -538,7 +593,7 @@ + + if (userdir) { + if (((chdir(target_homedir)) != 0) || +- ((chdir(AP_USERDIR_SUFFIX)) != 0) || ++ ((chdir(suexec_userdir_suffix)) != 0) || + ((getcwd(dwd, AP_MAXPATH)) == NULL) || + ((fchdir(cwdh)) != 0)) { + log_err("cannot get docroot information (%s)\n", target_homedir); +@@ -546,7 +601,7 @@ + } + } + else { +- if (((chdir(AP_DOC_ROOT)) != 0) || ++ if (((chdir(suexec_docroot)) != 0) || + ((getcwd(dwd, AP_MAXPATH)) == NULL) || + ((fchdir(cwdh)) != 0)) { + log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT); |