Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/build_suexec-custom.patch69
-rw-r--r--debian/patches/customize_apxs.patch220
-rw-r--r--debian/patches/fhs_compliance.patch66
-rw-r--r--debian/patches/fix-2.4.56-regression-2.patch30
-rw-r--r--debian/patches/fix-2.4.56-regression.patch19
-rw-r--r--debian/patches/no_LD_LIBRARY_PATH.patch18
-rw-r--r--debian/patches/reproducible_builds.diff40
-rw-r--r--debian/patches/series11
-rw-r--r--debian/patches/suexec-CVE-2007-1742.patch66
-rw-r--r--debian/patches/suexec-custom.patch190
10 files changed, 729 insertions, 0 deletions
diff --git a/debian/patches/build_suexec-custom.patch b/debian/patches/build_suexec-custom.patch
new file mode 100644
index 0000000..a509cd5
--- /dev/null
+++ b/debian/patches/build_suexec-custom.patch
@@ -0,0 +1,69 @@
+Description: add suexec-custom to the build system
+Forwarded: not-needed
+Author: Stefan Fritsch <sf@debian.org>
+Last-Update: 2012-02-25
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -293,23 +293,26 @@
+ install-suexec: install-suexec-$(INSTALL_SUEXEC)
+
+ install-suexec-binary:
+- @if test -f $(builddir)/support/suexec; then \
+- test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
+- $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \
++ @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \
++ test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \
++ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec-pristine $(DESTDIR)$(sbindir); \
++ $(INSTALL_PROGRAM) $(top_builddir)/support/suexec-custom $(DESTDIR)$(sbindir); \
+ fi
+
+ install-suexec-setuid: install-suexec-binary
+- @if test -f $(builddir)/support/suexec; then \
+- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \
++ @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \
++ chmod 4755 $(DESTDIR)$(sbindir)/suexec-pristine; \
++ chmod 4755 $(DESTDIR)$(sbindir)/suexec-custom; \
+ fi
+
+ install-suexec-caps: install-suexec-binary
+- @if test -f $(builddir)/support/suexec; then \
+- setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \
++ @if test -f $(builddir)/support/suexec-pristine && test -f $(builddir)/support/suexec-custom; then \
++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec-pristine; \
++ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec-custom; \
+ fi
+
+ suexec:
+- cd support && $(MAKE) suexec
++ cd support && $(MAKE) suexec-pristine suexec-custom
+
+ x-local-distclean:
+ @rm -rf autom4te.cache
+--- a/support/Makefile.in
++++ b/support/Makefile.in
+@@ -1,7 +1,7 @@
+ DISTCLEAN_TARGETS = apxs apachectl dbmmanage log_server_status \
+ logresolve.pl phf_abuse_log.cgi split-logfile envvars-std
+
+-CLEAN_TARGETS = suexec
++CLEAN_TARGETS = suexec-pristine suexec-custom
+
+ bin_PROGRAMS = htpasswd htdigest htdbm ab logresolve httxt2dbm
+ sbin_PROGRAMS = htcacheclean rotatelogs $(NONPORTABLE_SUPPORT)
+@@ -72,9 +72,13 @@
+ checkgid: $(checkgid_OBJECTS)
+ $(LINK) $(checkgid_LTFLAGS) $(checkgid_OBJECTS) $(PROGRAM_LDADD)
+
+-suexec_OBJECTS = suexec.lo
+-suexec: $(suexec_OBJECTS)
+- $(LINK) $(suexec_OBJECTS)
++suexec-pristine_OBJECTS = suexec.lo
++suexec-pristine: $(suexec-pristine_OBJECTS)
++ $(LINK) $(suexec-pristine_OBJECTS)
++
++suexec-custom_OBJECTS = suexec-custom.lo
++suexec-custom: $(suexec-custom_OBJECTS)
++ $(LINK) $(suexec-custom_OBJECTS)
+
+ htcacheclean_OBJECTS = htcacheclean.lo
+ htcacheclean: $(htcacheclean_OBJECTS)
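Review bot: Both helpers end up setuid root and executable by every local account (`chmod 4755` in install-suexec-setuid), which doubles the privileged surface compared with the single upstream binary. If nothing later in the packaging tightens this (not visible here), giving the files to the web server's group and using `chmod 4754 $(DESTDIR)$(sbindir)/suexec-custom` (same for suexec-pristine) limits who can invoke them. The install recipes also join their steps with `;` and do nothing when either binary is missing, so a partial build or a failed `$(INSTALL_PROGRAM)` goes unreported; chaining with `&&` and failing in an `else` branch would surface it.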
diff --git a/debian/patches/customize_apxs.patch b/debian/patches/customize_apxs.patch
new file mode 100644
index 0000000..281b910
--- /dev/null
+++ b/debian/patches/customize_apxs.patch
@@ -0,0 +1,220 @@
+Description: Adapt apxs to Debian specific changes
+ - Make apxs2 use a2enmod and /etc/apache2/mods-available
+ - Make libtool happier
+ - Use LDFLAGS from config_vars.mk, allows one to override them
+Forwarded: not-needed
+Author: Stefan Fritsch <sf@debian.org>
+Last-Update: 2012-03-17
+
+--- a/support/apxs.in
++++ b/support/apxs.in
+@@ -48,7 +48,7 @@
+ my $CFG_TARGET = get_vars("progname");
+ my $CFG_SYSCONFDIR = get_vars("sysconfdir");
+ my $CFG_CFLAGS = join ' ', map { get_vars($_) }
+- qw(SHLTCFLAGS CFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS);
++ qw(SHLTCFLAGS CFLAGS CPPFLAGS NOTEST_CPPFLAGS EXTRA_CPPFLAGS EXTRA_CFLAGS);
+ my $CFG_LDFLAGS = join ' ', map { get_vars($_) }
+ qw(LDFLAGS NOTEST_LDFLAGS SH_LDFLAGS);
+ my $includedir = $destdir . get_vars("includedir");
+@@ -59,7 +59,7 @@
+ my $sbindir = get_vars("sbindir");
+ my $CFG_SBINDIR = eval qq("$sbindir");
+ my $ltflags = $ENV{'LTFLAGS'};
+-$ltflags or $ltflags = "--silent";
++$ltflags or $ltflags = "";
+
+ my %internal_vars = map {$_ => 1}
+ qw(TARGET CC CFLAGS CFLAGS_SHLIB LD_SHLIB LDFLAGS_SHLIB LIBS_SHLIB
+@@ -286,6 +286,7 @@
+ $data =~ s|%TARGET%|$CFG_TARGET|sg;
+ $data =~ s|%PREFIX%|$prefix|sg;
+ $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
++ $data =~ s|%DATADIR%|$datadir|sg;
+
+ my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
+
+@@ -438,7 +439,7 @@
+ $la =~ s|\.c$|.la|;
+ my $o = $s;
+ $o =~ s|\.c$|.o|;
+- push(@cmds, "$libtool $ltflags --mode=compile $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo");
++ push(@cmds, "$libtool $ltflags --mode=compile --tag=disable-static $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo");
+ unshift(@objs, $lo);
+ }
+
+@@ -479,7 +480,7 @@
+ $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags";
+ }
+
+- push(@cmds, "$libtool $ltflags --mode=link $CFG_CC $ldflags -o $dso_file $opt $lo");
++ push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC $ldflags -o $dso_file $opt $lo");
+
+ # execute the commands
+ &execute_cmds(@cmds);
+@@ -513,7 +514,7 @@
+ if ($opt_i) {
+ push(@cmds, $destdir . "$installbuilddir/instdso.sh SH_LIBTOOL='" .
+ "$libtool' $f $CFG_LIBEXECDIR");
+- push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t");
++ push(@cmds, "chmod 644 $CFG_LIBEXECDIR/$t");
+ }
+
+ # determine module symbolname and filename
+@@ -549,10 +550,11 @@
+ $filename = "mod_${name}.c";
+ }
+ my $dir = $CFG_LIBEXECDIR;
+- $dir =~ s|^$CFG_PREFIX/?||;
++ # Debian doesn't have a CFG_PREFIX, so this stuffs up:
++ # $dir =~ s|^$CFG_PREFIX/?||;
+ $dir =~ s|(.)$|$1/|;
+ $t =~ s|\.la$|.so|;
+- push(@lmd, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t"));
++ push(@lmd, [ $name, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t") ] );
+ }
+
+ # execute the commands
+@@ -560,108 +562,35 @@
+
+ # activate module via LoadModule/AddModule directive
+ if ($opt_a or $opt_A) {
+- if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") {
+- error("Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found");
++ if (not -d "$CFG_SYSCONFDIR/mods-available") {
++ error("Config file $CFG_SYSCONFDIR/mods-available not found");
+ exit(1);
+ }
+
+- open(FP, "<$CFG_SYSCONFDIR/$CFG_TARGET.conf") || die;
+- my $content = join('', <FP>);
+- close(FP);
+-
+- if ($content !~ m|\n#?\s*LoadModule\s+|) {
+- error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_TARGET.conf file.");
+- error("At least one `LoadModule' directive already has to exist.");
+- exit(1);
+- }
+-
+- my $lmd;
+- my $c = '';
+- $c = '#' if ($opt_A);
+- foreach $lmd (@lmd) {
+- my $what = $opt_A ? "preparing" : "activating";
+- my $lmd_re = $lmd;
+- $lmd_re =~ s/\s+/\\s+/g;
+-
+- if ($content !~ m|\n#?\s*$lmd_re|) {
+- # check for open <containers>, so that the new LoadModule
+- # directive always appears *outside* of an <container>.
+-
+- my $before = ($content =~ m|^(.*\n)#?\s*LoadModule\s+[^\n]+\n|s)[0];
+-
+- # the '()=' trick forces list context and the scalar
+- # assignment counts the number of list members (aka number
+- # of matches) then
+- my $cntopen = () = ($before =~ m|^\s*<[^/].*$|mg);
+- my $cntclose = () = ($before =~ m|^\s*</.*$|mg);
+-
+- if ($cntopen == $cntclose) {
+- # fine. Last LoadModule is contextless.
+- $content =~ s|^(.*\n#?\s*LoadModule\s+[^\n]+\n)|$1$c$lmd\n|s;
++ my $entry;
++ foreach $entry (@lmd) {
++ my ($name, $lmd) = @{$entry};
++ my $filename = "$CFG_SYSCONFDIR/mods-available/$name.load";
++ if (-f $filename) {
++ my $cmd = "mv $filename $filename.bak~";
++ if (system($cmd) != 0) {
++ die "'$cmd' failed\n";
+ }
+- elsif ($cntopen < $cntclose) {
+- error('Configuration file is not valid. There are sections'
+- . ' closed before opened.');
+- exit(1);
+- }
+- else {
+- # put our cmd after the section containing the last
+- # LoadModule.
+- my $found =
+- $content =~ s!\A ( # string and capture start
+- (?:(?:
+- ^\s* # start of conf line with a
+- (?:[^<]|<[^/]) # directive which does not
+- # start with '</'
+-
+- .*(?:$)\n # rest of the line.
+- # the '$' is in parentheses
+- # to avoid misinterpreting
+- # the string "$\" as
+- # perl variable.
+-
+- )* # catch as much as possible
+- # of such lines. (including
+- # zero)
+-
+- ^\s*</.*(?:$)\n? # after the above, we
+- # expect a config line with
+- # a closing container (</)
+-
+- ) {$cntopen} # the whole pattern (bunch
+- # of lines that end up with
+- # a closing directive) must
+- # be repeated $cntopen
+- # times. That's it.
+- # Simple, eh? ;-)
+-
+- ) # capture end
+- !$1$c$lmd\n!mx;
+-
+- unless ($found) {
+- error('Configuration file is not valid. There are '
+- . 'sections opened and not closed.');
+- exit(1);
+- }
++ }
++
++ notice("[preparing module `$name' in $filename]");
++ open(FP, ">$filename") || die;
++ print FP "$lmd\n";
++ close(FP);
++
++ if ($opt_a) {
++ my $cmd = "a2enmod $name";
++ if (system($cmd) != 0) {
++ die "'$cmd' failed\n";
+ }
+- } else {
+- # replace already existing LoadModule line
+- $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s;
+- }
+- $lmd =~ m|LoadModule\s+(.+?)_module.*|;
+- notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]");
+- }
+- if (@lmd) {
+- if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) {
+- print FP $content;
+- close(FP);
+- system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .
+- "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
+- "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");
+- } else {
+- notice("unable to open configuration file");
+ }
+- }
++
++ }
+ }
+ }
+
+@@ -681,8 +610,8 @@
+ ##
+
+ builddir=.
+-top_srcdir=%PREFIX%
+-top_builddir=%PREFIX%
++top_srcdir=%DATADIR%
++top_builddir=%DATADIR%
+ include %INSTALLBUILDDIR%/special.mk
+
+ # the used tools
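Review bot: The new activation loop builds `mv $filename $filename.bak~` and `a2enmod $name` as single strings for `system`, so both go through the shell with `$name` interpolated, and it writes the `.load` file with a two-argument bareword `open` whose `print`/`close` results are ignored. `$name` is derived from the module file name outside the visible lines, and `apxs -i -a` normally runs as root, so a name containing whitespace or shell metacharacters would be reinterpreted rather than rejected. The list form of `system` and a three-argument `open` with a checked `close` remove that dependency on the name being well-formed. Separately, the error for a missing `mods-available` still says "Config file", although the test is now `-d`.

```perl
    foreach my $entry (@lmd) {
        my ($name, $lmd) = @{$entry};
        my $filename = "$CFG_SYSCONFDIR/mods-available/$name.load";
        if (-f $filename) {
            # list form: no shell, each path is passed as one argument
            system('mv', $filename, "$filename.bak~") == 0
                or die "'mv $filename $filename.bak~' failed\n";
        }

        # … unchanged: notice() call …
        open(my $fh, '>', $filename) or die "cannot open $filename: $!\n";
        print {$fh} "$lmd\n";
        close($fh) or die "cannot write $filename: $!\n";

        if ($opt_a) {
            system('a2enmod', $name) == 0
                or die "'a2enmod $name' failed\n";
        }
    }
```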
diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch
new file mode 100644
index 0000000..e6522c1
--- /dev/null
+++ b/debian/patches/fhs_compliance.patch
@@ -0,0 +1,66 @@
+Description: Fix up FHS file locations for apache2 droppings.
+Forwarded: not-needed
+Author: Adam Conrad <adconrad@0c3.net>
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-01-18
+
+--- a/configure
++++ b/configure
+@@ -42075,13 +42075,13 @@
+ ap_prefix="${ap_cur}"
+
+
+-printf "%s\n" "#define HTTPD_ROOT \"${ap_prefix}\"" >>confdefs.h
++printf "%s\n" "#define HTTPD_ROOT \"/etc/apache2\"" >>confdefs.h
+
+
+-printf "%s\n" "#define SERVER_CONFIG_FILE \"${rel_sysconfdir}/${progname}.conf\"" >>confdefs.h
++printf "%s\n" "#define SERVER_CONFIG_FILE \"${progname}.conf\"" >>confdefs.h
+
+
+-printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"${rel_sysconfdir}/mime.types\"" >>confdefs.h
++printf "%s\n" "#define AP_TYPES_CONFIG_FILE \"mime.types\"" >>confdefs.h
+
+
+ perlbin=`$ac_aux_dir/PrintPath perl`
+--- a/configure.in
++++ b/configure.in
+@@ -901,11 +901,11 @@
+ echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c
+
+ APR_EXPAND_VAR(ap_prefix, $prefix)
+-AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_prefix}",
++AC_DEFINE_UNQUOTED(HTTPD_ROOT, "/etc/apache2",
+ [Root directory of the Apache install area])
+-AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",
++AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${progname}.conf",
+ [Location of the config file, relative to the Apache root directory])
+-AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types",
++AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "mime.types",
+ [Location of the MIME types config file, relative to the Apache root directory])
+
+ perlbin=`$ac_aux_dir/PrintPath perl`
+--- a/include/ap_config_layout.h.in
++++ b/include/ap_config_layout.h.in
+@@ -60,5 +60,6 @@
+ #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@"
+ #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@"
+ #define DEFAULT_REL_PROXYCACHEDIR "@rel_proxycachedir@"
++#define DEFAULT_PIDLOG "/var/run/apache2.pid"
+
+ #endif /* AP_CONFIG_LAYOUT_H */
+--- a/include/httpd.h
++++ b/include/httpd.h
+@@ -107,10 +107,10 @@
+ #ifndef DOCUMENT_LOCATION
+ #ifdef OS2
+ /* Set default for OS/2 file system */
+-#define DOCUMENT_LOCATION HTTPD_ROOT "/docs"
++#define DOCUMENT_LOCATION "/var/www/html"
+ #else
+ /* Set default for non OS/2 file system */
+-#define DOCUMENT_LOCATION HTTPD_ROOT "/htdocs"
++#define DOCUMENT_LOCATION "/var/www/html"
+ #endif
+ #endif /* DOCUMENT_LOCATION */
+
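Review bot: The `DEFAULT_PIDLOG` define added to ap_config_layout.h.in is unconditional, so a build that passes its own `-DDEFAULT_PIDLOG=...` gets a redefinition diagnostic instead of an override; wrapping it in `#ifndef DEFAULT_PIDLOG` / `#endif` keeps it overridable. In httpd.h both arms of `#ifdef OS2` now define the same `"/var/www/html"`, so the conditional could collapse to one define with a comment such as `/* Debian layout: document root is fixed, independent of HTTPD_ROOT */`. The hard-coded `"/etc/apache2"` in configure and configure.in likewise makes `HTTPD_ROOT` ignore `--prefix`, which deserves a one-line comment at the `AC_DEFINE_UNQUOTED` call.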
diff --git a/debian/patches/fix-2.4.56-regression-2.patch b/debian/patches/fix-2.4.56-regression-2.patch
new file mode 100644
index 0000000..d19373c
--- /dev/null
+++ b/debian/patches/fix-2.4.56-regression-2.patch
@@ -0,0 +1,30 @@
+Description: h2 request headers clone instead of copy
+Author: Stefan Eissing
+Origin: upstream, https://bz.apache.org/bugzilla/attachment.cgi?id=38527&action=diff
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=66539
+Bug-Debian: https://bugs.debian.org/1033408
+Forwarded: not-needed
+Applied-Upstream: 2.4.57
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-04-02
+
+--- a/modules/http2/h2_request.c
++++ b/modules/http2/h2_request.c
+@@ -279,7 +279,7 @@
+ apr_bucket *h2_request_create_bucket(const h2_request *req, request_rec *r)
+ {
+ conn_rec *c = r->connection;
+- apr_table_t *headers = apr_table_copy(r->pool, req->headers);
++ apr_table_t *headers = apr_table_clone(r->pool, req->headers);
+ const char *uri = req->path;
+
+ AP_DEBUG_ASSERT(req->authority);
+@@ -303,7 +303,7 @@
+ {
+ const char *cl;
+
+- r->headers_in = apr_table_copy(r->pool, req->headers);
++ r->headers_in = apr_table_clone(r->pool, req->headers);
+ if (req->authority) {
+ /* for internal handling, we have to simulate that :authority
+ * came in as Host:, RFC 9113 ch. says that mismatches between
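Review bot: Neither call site says why `apr_table_clone` is required rather than `apr_table_copy`, and the two read almost alike, so a later cleanup could revert it. The difference is that `apr_table_clone` duplicates the key and value strings into `r->pool`, whereas `apr_table_copy` only copies the table entries and keeps pointing at the original strings. A comment on both lines, for example `/* clone: header strings must live in r->pool, not in req's pool */`, would record that; the lifetime reason is inferred from the bug reference, so confirm the wording against it. Both functions continue outside the hunks shown.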
diff --git a/debian/patches/fix-2.4.56-regression.patch b/debian/patches/fix-2.4.56-regression.patch
new file mode 100644
index 0000000..0203491
--- /dev/null
+++ b/debian/patches/fix-2.4.56-regression.patch
@@ -0,0 +1,19 @@
+Description: fix 2.4.56 regression
+Author: covener
+Bug-Debian: https://bugs.debian.org/1033284
+Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=1908813&r2=1908812&pathrev=1908813
+Forwarded: not-needed
+Applied-Upstream: 2.4.57
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-04-01
+
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -3854,6 +3854,7 @@
+ if (*(a2_end-1) == '?') {
+ /* a literal ? at the end of the unsubstituted rewrite rule */
+ newrule->flags |= RULEFLAG_QSNONE;
++ *(a2_end-1) = '\0'; /* trailing ? has done its job */
+ }
+ else if (newrule->flags & RULEFLAG_QSDISCARD) {
+ if (NULL == ap_strchr(newrule->output, '?')) {
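Review bot: The added write `*(a2_end-1) = '\0';` edits the substitution string in place, but its comment ("trailing ? has done its job") does not say what the effect is or which buffer is changed. Something like `/* strip the trailing '?' from the stored substitution so it is not emitted in the rewritten URL */` would make that explicit. The line relies on `a2_end` pointing one past a non-empty, writable string, which is established outside this hunk and is worth confirming there.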
diff --git a/debian/patches/no_LD_LIBRARY_PATH.patch b/debian/patches/no_LD_LIBRARY_PATH.patch
new file mode 100644
index 0000000..85966fd
--- /dev/null
+++ b/debian/patches/no_LD_LIBRARY_PATH.patch
@@ -0,0 +1,18 @@
+Description: Remove LD_LIBRARY_PATH from envvars-std
+Forwarded: no
+Author: Adam Conrad <adconrad@0c3.net>
+Last-Update: 2012-04-15
+--- a/support/envvars-std.in
++++ b/support/envvars-std.in
+@@ -18,11 +18,4 @@
+ #
+ # This file is generated from envvars-std.in
+ #
+-if test "x$@SHLIBPATH_VAR@" != "x" ; then
+- @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+-else
+- @SHLIBPATH_VAR@="@exp_libdir@"
+-fi
+-export @SHLIBPATH_VAR@
+-#
+ @OS_SPECIFIC_VARS@
diff --git a/debian/patches/reproducible_builds.diff b/debian/patches/reproducible_builds.diff
new file mode 100644
index 0000000..36f71e2
--- /dev/null
+++ b/debian/patches/reproducible_builds.diff
@@ -0,0 +1,40 @@
+Description: Make builds reproducible
+ Don't use __DATE__ __TIME__. Use changelog date instead.
+ Sort exported symbols.
+Author: Jean-Michel Vourgère <nirgal@debian.org>
+Forwarded: no
+Last-Update: 2015-08-11
+
+--- a/server/buildmark.c
++++ b/server/buildmark.c
+@@ -17,11 +17,7 @@
+ #include "ap_config.h"
+ #include "httpd.h"
+
+-#if defined(__DATE__) && defined(__TIME__)
+-static const char server_built[] = __DATE__ " " __TIME__;
+-#else
+-static const char server_built[] = "unknown";
+-#endif
++static const char server_built[] = BUILD_DATETIME;
+
+ AP_DECLARE(const char *) ap_get_server_built()
+ {
+--- a/server/Makefile.in
++++ b/server/Makefile.in
+@@ -1,3 +1,4 @@
++export LC_ALL = C
+
+ CLEAN_TARGETS = gen_test_char test_char.h \
+ ApacheCoreOS2.def httpd.exp export_files \
+@@ -82,8 +83,8 @@
+ @echo "#! ." > $@
+ @echo "* This file was AUTOGENERATED at build time." >> $@
+ @echo "* Please do not edit by hand." >> $@
+- $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) exports.c | grep "ap_hack_" | grep -v apr_ | sed -e 's/^.*[)]\(.*\);$$/\1/' >> $@
+- $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) export_vars.h | grep -v apr_ | sed -e 's/^\#[^!]*//' | sed -e '/^$$/d' >> $@
++ $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) exports.c | grep "ap_hack_" | grep -v apr_ | sed -e 's/^.*[)]\(.*\);$$/\1/' | sort >> $@
++ $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) export_vars.h | grep -v apr_ | sed -e 's/^\#[^!]*//' | sed -e '/^$$/d' | sort >> $@
+
+
+ # developer stuff
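Review bot: `BUILD_DATETIME` has no fallback in buildmark.c, so a build that does not pass `-DBUILD_DATETIME="..."` fails with an undeclared identifier instead of getting the old "unknown" string. The definition is not in these hunks and presumably comes from the packaging rules. Adding `#ifndef BUILD_DATETIME` / `#define BUILD_DATETIME "unknown"` / `#endif` above the array keeps the file compilable on its own. A short comment should also state that the macro must expand to a quoted string literal.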
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6d73824
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,11 @@
+fhs_compliance.patch
+no_LD_LIBRARY_PATH.patch
+suexec-CVE-2007-1742.patch
+customize_apxs.patch
+build_suexec-custom.patch
+reproducible_builds.diff
+fix-2.4.56-regression.patch
+fix-2.4.56-regression-2.patch
+
+# This patch is applied manually
+#suexec-custom.patch
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch
new file mode 100644
index 0000000..159c2c9
--- /dev/null
+++ b/debian/patches/suexec-CVE-2007-1742.patch
@@ -0,0 +1,66 @@
+Description: Fix race condition with chdir
+ Fix /var/www* being accepted as docroot instead of /var/www/*
+ (the same for public_html* instead of public_html/* )
+Author: Stefan Fritsch <sf@debian.org>
+Last-Update: 2014-05-29
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
+--- a/support/suexec.c
++++ b/support/suexec.c
+@@ -42,6 +42,7 @@
+ #if APR_HAVE_UNISTD_H
+ #include <unistd.h>
+ #endif
++#include <fcntl.h>
+
+ #include <stdio.h>
+ #include <stdarg.h>
+@@ -279,11 +280,12 @@
+ char *actual_gname; /* actual group name */
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+- char dwd[AP_MAXPATH]; /* docroot working directory */
++ char dwd[AP_MAXPATH+1]; /* docroot working directory */
+ struct passwd *pw; /* password entry holder */
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+ struct stat prg_info; /* program info holder */
++ int cwdh; /* handle to cwd */
+
+ /*
+ * Start with a "clean" environment
+@@ -529,11 +531,16 @@
+ exit(111);
+ }
+
++ if ( (cwdh = open(".", O_RDONLY)) == -1 ) {
++ log_err("cannot open current working directory\n");
++ exit(111);
++ }
++
+ if (userdir) {
+ if (((chdir(target_homedir)) != 0) ||
+ ((chdir(AP_USERDIR_SUFFIX)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+- ((chdir(cwd)) != 0)) {
++ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", target_homedir);
+ exit(112);
+ }
+@@ -541,12 +548,16 @@
+ else {
+ if (((chdir(AP_DOC_ROOT)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+- ((chdir(cwd)) != 0)) {
++ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT);
+ exit(113);
+ }
+ }
+
++ close(cwdh);
++
++ if (strlen(cwd) > strlen(dwd))
++ strncat(dwd, "/", 1);
+ if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
+ log_err("command not in docroot (%s/%s)\n", cwd, cmd);
+ exit(114);
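Review bot: The slash appended with `strncat(dwd, "/", 1)` is only safe because `dwd` was enlarged to `AP_MAXPATH+1` while `getcwd` is still bounded by `AP_MAXPATH`; nothing in the code states that coupling. A comment on the declaration such as `/* +1: room for the '/' appended before the prefix compare */` would stop a later edit from breaking it. The handle from `open(".", O_RDONLY)` could also be opened as `open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC)` where those flags are available, so it cannot reach the executed program if the `close(cwdh)` is ever moved or an early path is added. The enclosing function starts and ends outside these hunks.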
diff --git a/debian/patches/suexec-custom.patch b/debian/patches/suexec-custom.patch
new file mode 100644
index 0000000..37b761d
--- /dev/null
+++ b/debian/patches/suexec-custom.patch
@@ -0,0 +1,190 @@
+Description: the actual patch to make suexec-custom read a config file
+Forwarded: not-needed
+Author: Stefan Fritsch <sf@debian.org>
+Last-Update: 2018-07-17
+--- a/support/suexec-custom.c
++++ b/support/suexec-custom.c
+@@ -29,6 +29,7 @@
+ *
+ *
+ */
++#define SUEXEC_CONFIG_DIR "/etc/apache2/suexec/"
+
+ #include "apr.h"
+ #include "ap_config.h"
+@@ -39,6 +40,7 @@
+ #include <sys/types.h>
+ #include <string.h>
+ #include <time.h>
++#include <ctype.h>
+ #if APR_HAVE_UNISTD_H
+ #include <unistd.h>
+ #endif
+@@ -222,6 +224,26 @@
+ return;
+ }
+
++static int read_line(char *buf, FILE *file) {
++ char *p;
++ p = fgets(buf, AP_MAXPATH+1, file);
++ if (!p) return 0;
++ if (*p == '\0') return 1;
++
++ p = buf;
++ while (*p)
++ p++;
++ p--;
++
++ /* remove trailing space and slash */
++ while ( isspace(*p) && p >= buf )
++ *p-- = '\0';
++ while ( *p == '/' && p >= buf )
++ *p-- = '\0';
++
++ return 1;
++}
++
+ static void clean_env(void)
+ {
+ char **cleanenv;
+@@ -286,6 +308,11 @@
+ struct stat dir_info; /* directory info holder */
+ struct stat prg_info; /* program info holder */
+ int cwdh; /* handle to cwd */
++ char *suexec_docroot = NULL;
++ char *suexec_userdir_suffix = NULL;
++ char *filename = NULL;
++ FILE *configfile;
++
+
+ /*
+ * Start with a "clean" environment
+@@ -315,15 +342,10 @@
+ || (! strcmp(AP_HTTPD_USER, pw->pw_name)))
+ #endif /* _OSD_POSIX */
+ ) {
+-#ifdef AP_DOC_ROOT
+- fprintf(stderr, " -D AP_DOC_ROOT=\"%s\"\n", AP_DOC_ROOT);
+-#endif
++ fprintf(stderr, " -D SUEXEC_CONFIG_DIR=%s\n", SUEXEC_CONFIG_DIR);
+ #ifdef AP_GID_MIN
+ fprintf(stderr, " -D AP_GID_MIN=%d\n", AP_GID_MIN);
+ #endif
+-#ifdef AP_HTTPD_USER
+- fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER);
+-#endif
+ #if defined(AP_LOG_SYSLOG)
+ fprintf(stderr, " -D AP_LOG_SYSLOG\n");
+ #elif defined(AP_LOG_EXEC)
+@@ -338,9 +360,6 @@
+ #ifdef AP_UID_MIN
+ fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN);
+ #endif
+-#ifdef AP_USERDIR_SUFFIX
+- fprintf(stderr, " -D AP_USERDIR_SUFFIX=\"%s\"\n", AP_USERDIR_SUFFIX);
+-#endif
+ exit(0);
+ }
+ /*
+@@ -355,23 +374,6 @@
+ target_gname = argv[2];
+ cmd = argv[3];
+
+- /*
+- * Check to see if the user running this program
+- * is the user allowed to do so as defined in
+- * suexec.h. If not the allowed user, error out.
+- */
+-#ifdef _OSD_POSIX
+- /* User name comparisons are case insensitive on BS2000/OSD */
+- if (strcasecmp(AP_HTTPD_USER, pw->pw_name)) {
+- log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER);
+- exit(103);
+- }
+-#else /*_OSD_POSIX*/
+- if (strcmp(AP_HTTPD_USER, pw->pw_name)) {
+- log_err("user mismatch (%s instead of %s)\n", pw->pw_name, AP_HTTPD_USER);
+- exit(103);
+- }
+-#endif /*_OSD_POSIX*/
+
+ /*
+ * Check for a leading '/' (absolute path) in the command to be executed,
+@@ -396,6 +398,59 @@
+ }
+
+ /*
++ * Check to see if the user running this program
++ * is the user allowed to do so as defined in
++ * SUEXEC_CONFIG_DIR/username
++ * If not, error out.
++ */
++ suexec_docroot = malloc(AP_MAXPATH+1);
++ suexec_userdir_suffix = malloc(AP_MAXPATH+1);
++ if (!suexec_docroot || !suexec_userdir_suffix ||
++ asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name) == -1) {
++ log_err("malloc failed\n");
++ exit(120);
++ }
++
++ configfile = fopen(filename, "r");
++ if (!configfile) {
++ log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename);
++ exit(123);
++ }
++
++ if (!read_line(suexec_docroot, configfile)) {
++ log_err("Could not read docroot from %s\n", filename);
++ exit(124);
++ }
++
++ if (!read_line(suexec_userdir_suffix, configfile)) {
++ log_err("Could not read userdir suffix from %s\n", filename);
++ exit(125);
++ }
++
++ fclose(configfile);
++
++ if (userdir) {
++ if ( !isalnum(*suexec_userdir_suffix) && suexec_userdir_suffix[0] != '.') {
++ log_err("userdir suffix disabled in %s\n", filename);
++ exit(126);
++ }
++ }
++ else {
++ if (suexec_docroot[0] != '/') {
++ log_err("docroot disabled in %s\n", filename);
++ exit(127);
++ }
++
++ if (suexec_docroot[1] == '/' ||
++ suexec_docroot[1] == '.' ||
++ suexec_docroot[1] == '\0' )
++ {
++ log_err("invalid docroot %s in %s\n", suexec_docroot, filename);
++ exit(128);
++ }
++ }
++
++ /*
+ * Error out if the target username is invalid.
+ */
+ if (strspn(target_uname, "1234567890") != strlen(target_uname)) {
+@@ -538,7 +593,7 @@
+
+ if (userdir) {
+ if (((chdir(target_homedir)) != 0) ||
+- ((chdir(AP_USERDIR_SUFFIX)) != 0) ||
++ ((chdir(suexec_userdir_suffix)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", target_homedir);
+@@ -546,7 +601,7 @@
+ }
+ }
+ else {
+- if (((chdir(AP_DOC_ROOT)) != 0) ||
++ if (((chdir(suexec_docroot)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT);
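Review bot: In read_line() both trimming loops dereference `*p` before testing `p >= buf`, so a line consisting only of whitespace or slashes makes them read `buf[-1]`; the tests should be reversed and the character cast for `isspace`, i.e. `while (p >= buf && isspace((unsigned char)*p))` and `while (p >= buf && *p == '/')`. The `fgets` call also cannot report an over-long line, so the tail of a docroot line longer than the buffer would be returned by the second call as the userdir suffix; treating a full buffer without a newline as an error would close that. In the last inner hunk the non-userdir branch now changes into `suexec_docroot`, but the unchanged `log_err` beside it still prints `AP_DOC_ROOT`, so the log names the compile-time path rather than the configured one. Since this binary is setuid, the per-user file under `SUEXEC_CONFIG_DIR` should also be verified as root-owned and not group- or world-writable before its contents are trusted; no such check is visible in these hunks, and main() continues outside them.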