Commit 7f86ba85 authored by Natanael Copa's avatar Natanael Copa
Browse files

main/apache2: security fix (CVE-2011-3607)

fixes #972
(cherry picked from commit e2e255c0)

Conflicts:

	main/apache2/APKBUILD
(cherry picked from commit a29a6fe0)
parent aeaa1439
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apache2
pkgver=2.2.21
pkgrel=1
pkgrel=2
pkgdesc="A high performance Unix-based HTTP server"
url="http://httpd.apache.org/"
arch="all"
......@@ -33,6 +33,7 @@ source="http://archive.apache.org/dist/httpd/httpd-$pkgver.tar.bz2
ssl.conf
ldap.conf
alpine.layout
CVE-2011-3607.patch
CVE-2011-4317.patch"
prepare() {
......@@ -253,4 +254,5 @@ e322b5211e49511cac6e40c86af1b1da apache2.confd
5d0d024ca43571b863874ab871b2c109 ssl.conf
b70fe826486043e3953cfe21f9e6fa16 ldap.conf
c66ff5f70260d5266e6803a59b39bd7f alpine.layout
54632bd52a9c0e4c68626b4a442edae7 CVE-2011-3607.patch
4c9b33458e4c8dea1be39f811da39be3 CVE-2011-4317.patch"
--- 2.2.x/server/util.c 2012/01/04 19:42:04 1227279
+++ 2.2.x/server/util.c 2012/01/04 19:45:22 1227280
@@ -82,6 +82,8 @@
#define IS_SLASH(s) (s == '/')
#endif
+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
+#define UTIL_SIZE_MAX (~((apr_size_t)0))
/*
* Examine a field value (such as a media-/content-type) string and return
@@ -366,7 +368,7 @@
char *dest, *dst;
char c;
size_t no;
- int len;
+ apr_size_t len;
if (!source)
return NULL;
@@ -391,6 +393,11 @@
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment