[httpd] fix htdbm/htpasswd crash on crypt() failure (#818684)
jorton
jorton at fedoraproject.org
Wed Jun 6 14:23:34 UTC 2012
commit 5fac30f680d5494fd2a4af287270ac7e397414e3
Author: Joe Orton <jorton at redhat.com>
Date: Wed Jun 6 15:23:31 2012 +0100
fix htdbm/htpasswd crash on crypt() failure (#818684)
Resolves: rhbz#818684
httpd-2.4.2-r1346905.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++
httpd.spec | 7 ++++-
2 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/httpd-2.4.2-r1346905.patch b/httpd-2.4.2-r1346905.patch
new file mode 100644
index 0000000..e94558e
--- /dev/null
+++ b/httpd-2.4.2-r1346905.patch
@@ -0,0 +1,65 @@
+# ./pullrev.sh 1346905
+
+https://bugzilla.redhat.com/show_bug.cgi?id=818684
+
+http://svn.apache.org/viewvc?view=revision&revision=1346905
+
+--- httpd-2.4.2/support/htdbm.c
++++ httpd-2.4.2/support/htdbm.c
+@@ -288,6 +288,9 @@
+ {
+ char cpw[MAX_STRING_LEN];
+ char salt[9];
++#if (!(defined(WIN32) || defined(NETWARE)))
++ char *cbuf;
++#endif
+
+ switch (htdbm->alg) {
+ case ALG_APSHA:
+@@ -315,7 +318,15 @@
+ (void) srand((int) time((time_t *) NULL));
+ to64(&salt[0], rand(), 8);
+ salt[8] = '\0';
+- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);
++ cbuf = crypt(htdbm->userpass, salt);
++ if (cbuf == NULL) {
++ char errbuf[128];
++
++ fprintf(stderr, "crypt() failed: %s\n",
++ apr_strerror(errno, errbuf, sizeof errbuf));
++ exit(ERR_PWMISMATCH);
++ }
++ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
+ fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n");
+ #endif
+ default:
+--- httpd-2.4.2/support/htpasswd.c
++++ httpd-2.4.2/support/htpasswd.c
+@@ -174,6 +174,9 @@
+ char pwv[MAX_STRING_LEN];
+ char salt[9];
+ apr_size_t bufsize;
++#if CRYPT_ALGO_SUPPORTED
++ char *cbuf;
++#endif
+
+ if (passwd != NULL) {
+ pw = passwd;
+@@ -226,7 +229,16 @@
+ to64(&salt[0], rand(), 8);
+ salt[8] = '\0';
+
+- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
++ cbuf = crypt(pw, salt);
++ if (cbuf == NULL) {
++ char errbuf[128];
++
++ apr_snprintf(record, rlen-1, "crypt() failed: %s",
++ apr_strerror(errno, errbuf, sizeof errbuf));
++ return ERR_PWMISMATCH;
++ }
++
++ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
+ if (strlen(pw) > 8) {
+ char *truncpw = strdup(pw);
+ truncpw[8] = '\0';
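Review bot: Both new failure paths reuse ERR_PWMISMATCH (`exit(ERR_PWMISMATCH);` in htdbm.c, `return ERR_PWMISMATCH;` in htpasswd.c), so a script checking the exit status cannot tell a failing crypt() from a mistyped password; a dedicated error code for hashing failure would keep the two apart. The early return in htpasswd.c also leaves the function before anything that follows the crypt() call, so if the plaintext held in `pw`/`pwv` is cleared later in the function (not visible here), this path skips that step and should clear the buffers before returning. The unchanged context right after the check calls `strdup(pw)` and writes `truncpw[8]` without a NULL test, which is the same class of crash this patch fixes for crypt(). Both functions begin and end outside the hunks.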
diff --git a/httpd.spec b/httpd.spec
index 9a07862..16682b2 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.2
-Release: 13%{?dist}
+Release: 14%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -50,6 +50,7 @@ Patch40: httpd-2.4.2-restart.patch
Patch41: httpd-2.4.2-r1327036+.patch
Patch42: httpd-2.4.2-r1326980+.patch
Patch43: httpd-2.4.2-r1332643+.patch
+Patch44: httpd-2.4.2-r1346905.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -161,6 +162,7 @@ authentication to the Apache HTTP Server.
%patch41 -p1 -b .r1327036+
%patch42 -p1 -b .r1326980+
%patch43 -p1 -b .r1332643+
+%patch44 -p1 -b .r1346905
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -565,6 +567,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Wed Jun 6 2012 Joe Orton <jorton at redhat.com> - 2.4.2-14
+- fix htdbm/htpasswd crash on crypt() failure (#818684)
+
* Wed Jun 6 2012 Joe Orton <jorton at redhat.com> - 2.4.2-13
- pull fix for NPN patch from upstream (r1345599)