[mongoose/f14] Add upstream patch to fix CVE-2011-2900 (729146)

Rafael Azenha Aquini aquini at fedoraproject.org
Sat Aug 27 22:44:14 UTC 2011


commit bcadcd8f63fad6681d2c334d78f4e8fc219363d6
Author: Rafael Aquini <aquini at redhat.com>
Date:   Sat Aug 27 19:38:30 2011 -0300

    Add upstream patch to fix CVE-2011-2900 (729146)

 mongoose-2.11.tgz                          |  Bin 99019 -> 0 bytes
 mongoose-fix-buffer-overflow-put_dir.patch |   52 ++++++++++++++++++++++++++++
 mongoose.spec                              |   10 +++++-
 3 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/mongoose-fix-buffer-overflow-put_dir.patch b/mongoose-fix-buffer-overflow-put_dir.patch
new file mode 100644
index 0000000..3b8e804
--- /dev/null
+++ b/mongoose-fix-buffer-overflow-put_dir.patch
@@ -0,0 +1,52 @@
+diff -r 983c674b7cfc -r 556f4de91eae mongoose.c
+--- a/mongoose.c	Tue Jul 26 00:39:05 2011 +0100
++++ b/mongoose.c	Wed Aug 03 11:39:55 2011 +0200
+@@ -3029,26 +3029,31 @@
+   char buf[PATH_MAX];
+   const char *s, *p;
+   struct mgstat st;
+-  size_t len;
+-
+-  for (s = p = path + 2; (p = strchr(s, '/')) != NULL; s = ++p) {
++  int len, res = 1;
++
++  for (s = p = path + 2; (p = strchr(s, DIRSEP)) != NULL; s = ++p) {
+     len = p - path;
+-    assert(len < sizeof(buf));
+-    (void) memcpy(buf, path, len);
++    if (len >= (int) sizeof(buf)) {
++      res = -1;
++      break;
++    }
++    memcpy(buf, path, len);
+     buf[len] = '\0';
+ 
+     // Try to create intermediate directory
++    DEBUG_TRACE(("mkdir(%s)", buf));
+     if (mg_stat(buf, &st) == -1 && mg_mkdir(buf, 0755) != 0) {
+-      return -1;
++      res = -1;
++      break;
+     }
+ 
+     // Is path itself a directory?
+     if (p[1] == '\0') {
+-      return 0;
++      res = 0;
+     }
+   }
+ 
+-  return 1;
++  return res;
+ }
+ 
+ static void put_file(struct mg_connection *conn, const char *path) {
+@@ -3245,7 +3250,7 @@
+     * conn->request_info.query_string++ = '\0';
+   }
+   uri_len = strlen(ri->uri);
+-  (void) url_decode(ri->uri, (size_t)uri_len, ri->uri, (size_t)(uri_len + 1), 0);
++  url_decode(ri->uri, (size_t)uri_len, ri->uri, (size_t)(uri_len + 1), 0);
+   remove_double_dots_and_double_slashes(ri->uri);
+   convert_uri_to_file_name(conn, ri->uri, path, sizeof(path));
+ 
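Review bot: In the embedded put_dir hunk, `len` changes from `size_t` to `int` and the bound check becomes `len >= (int) sizeof(buf)`, so the pointer difference `p - path` is narrowed, and a negative value would pass the check and reach `memcpy` as a very large size. The path passed in appears to be bounded by `convert_uri_to_file_name(conn, ri->uri, path, sizeof(path))`, so this is probably not reachable. Keeping `size_t len;` with `if (len >= sizeof(buf)) {` and declaring `int res = 1;` separately would make the guard hold without relying on that caller. Replacing the `assert` with a runtime check is the substantive fix and should stay, since an assert compiled out under NDEBUG leaves the copy unbounded. The start of put_dir and the callers that must treat the -1 return as failure are outside the hunk.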
diff --git a/mongoose.spec b/mongoose.spec
index 7288f14..cbdf438 100644
--- a/mongoose.spec
+++ b/mongoose.spec
@@ -2,13 +2,17 @@ Name:      mongoose
 Group:     Applications/System 
 Summary:   An easy-to-use self-sufficient web server
 Version:   3.0
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   MIT
 URL:       http://code.google.com/p/mongoose
 Source0:   http://mongoose.googlecode.com/files/mongoose-%{version}.tgz
 Source1:   mongoose.conf
 BuildRequires: openssl-devel
 
+# FIX CVE-2011-2900
+# https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0#
+Patch0:    mongoose-fix-buffer-overflow-put_dir.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %description
@@ -23,6 +27,7 @@ of demos, quick tests, file sharing, and Web programming.
 
 %prep
 %setup -q -n %{name}
+%patch0 -p1 -b .fixcve
 %{__install} -p -m 0644  %{SOURCE1} .
 
 %build
@@ -46,6 +51,9 @@ LIBV=$(find '%{_libdir}' | grep -E '/libssl.so.[0-9]?[0-9]?$' | sed -e 's!%{_lib
 %{_mandir}/man1/%{name}.1*
 
 %changelog
+* Sat Aug 27 2011 Rafael Azenha Aquini <aquini at linux dot com> - 3.0-2
+- Add upstream patch to fix CVE-2011-2900 (729146)
+
 * Mon Jul 25 2011 Rafael Azenha Aquini <aquini at linux dot com> - 3.0-1
 - Rebuilt for Fedora's inclusion, after scracth-build successful tests. 
 

