summaryrefslogtreecommitdiffstats
path: root/debian/patches/suexec-CVE-2007-1742.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:31 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:31 +0000
commitc9cf025fadfe043f0f2f679e10d1207d8a158bb6 (patch)
tree3a94effe0bdc0a6814d8134f4ed840d7cc6b6f19 /debian/patches/suexec-CVE-2007-1742.patch
parentAdding upstream version 2.4.57. (diff)
downloadapache2-debian/2.4.57-2.tar.xz
apache2-debian/2.4.57-2.zip
Adding debian version 2.4.57-2.debian/2.4.57-2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/suexec-CVE-2007-1742.patch')
-rw-r--r--debian/patches/suexec-CVE-2007-1742.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch
new file mode 100644
index 0000000..159c2c9
--- /dev/null
+++ b/debian/patches/suexec-CVE-2007-1742.patch
@@ -0,0 +1,66 @@
+Description: Fix race condition with chdir
+ Fix /var/www* being accepted as docroot instead of /var/www/*
+ (the same for public_html* instead of public_html/* )
+Author: Stefan Fritsch <sf@debian.org>
+Last-Update: 2014-05-29
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
+--- a/support/suexec.c
++++ b/support/suexec.c
+@@ -42,6 +42,7 @@
+ #if APR_HAVE_UNISTD_H
+ #include <unistd.h>
+ #endif
++#include <fcntl.h>
+
+ #include <stdio.h>
+ #include <stdarg.h>
+@@ -279,11 +280,12 @@
+ char *actual_gname; /* actual group name */
+ char *cmd; /* command to be executed */
+ char cwd[AP_MAXPATH]; /* current working directory */
+- char dwd[AP_MAXPATH]; /* docroot working directory */
++ char dwd[AP_MAXPATH+1]; /* docroot working directory */
+ struct passwd *pw; /* password entry holder */
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+ struct stat prg_info; /* program info holder */
++ int cwdh; /* handle to cwd */
+
+ /*
+ * Start with a "clean" environment
+@@ -529,11 +531,16 @@
+ exit(111);
+ }
+
++ if ( (cwdh = open(".", O_RDONLY)) == -1 ) {
++ log_err("cannot open current working directory\n");
++ exit(111);
++ }
++
+ if (userdir) {
+ if (((chdir(target_homedir)) != 0) ||
+ ((chdir(AP_USERDIR_SUFFIX)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+- ((chdir(cwd)) != 0)) {
++ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", target_homedir);
+ exit(112);
+ }
+@@ -541,12 +548,16 @@
+ else {
+ if (((chdir(AP_DOC_ROOT)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+- ((chdir(cwd)) != 0)) {
++ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT);
+ exit(113);
+ }
+ }
+
++ close(cwdh);
++
++ if (strlen(cwd) > strlen(dwd))
++ strncat(dwd, "/", 1);
+ if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
+ log_err("command not in docroot (%s/%s)\n", cwd, cmd);
+ exit(114);