[mod_fcgid/el5/master] Security (CVE-2010-3872) and bug fix update
Paul Howarth
pghmcfc at fedoraproject.org
Fri Nov 5 20:51:06 UTC 2010
commit d49434b12095cd28fcbc0b2184a4de7268900a66
Author: Paul Howarth <paul at city-fan.org>
Date: Fri Nov 5 20:49:38 2010 +0000
Security (CVE-2010-3872) and bug fix update
- Fix possible stack buffer overwrite (CVE-2010-3872)
- Return 500 instead of segfaulting if application returns no data
- Explicitly use /var/run/mod_fcgid as "run" directory rather than following
/etc/httpd/run symlink
- Conflict with selinux-policy versions prior to EL 5.5 as earlier ones didn't
work properly
- Re-order sources
- Minor documentation updates
fcgid.conf | 4 +-
mod_fcgid-2.1-README.RPM | 13 +++------
mod_fcgid-2.1-README.SELinux | 3 +-
mod_fcgid.2.2-svn1030894.patch | 15 ++++++++++
mod_fcgid.2.2-svn905031.patch | 23 ++++++++++++++++
mod_fcgid.spec | 58 +++++++++++++++++++++++++++------------
6 files changed, 85 insertions(+), 31 deletions(-)
---
diff --git a/fcgid.conf b/fcgid.conf
index e9d886e..bf04642 100644
--- a/fcgid.conf
+++ b/fcgid.conf
@@ -12,5 +12,5 @@ LoadModule fcgid_module modules/mod_fcgid.so
</IfModule>
# Sane place to put sockets and shared memory file
-SocketPath run/mod_fcgid
-SharememPath run/mod_fcgid/fcgid_shm
+SocketPath /var/run/mod_fcgid
+SharememPath /var/run/mod_fcgid/fcgid_shm
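Review bot: Switching SocketPath and SharememPath to the absolute /var/run/mod_fcgid avoids resolving the /etc/httpd/run symlink, but nothing in the visible spec hunks creates or packages /var/run/mod_fcgid; confirm the %install/%files sections (not shown here) still own that directory with apache-writable permissions and an SELinux context the fastcgi policy permits, or the socket and shared-memory file cannot be created at startup.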
diff --git a/mod_fcgid-2.1-README.RPM b/mod_fcgid-2.1-README.RPM
index 18891e0..89165c5 100644
--- a/mod_fcgid-2.1-README.RPM
+++ b/mod_fcgid-2.1-README.RPM
@@ -3,15 +3,10 @@ Using the mod_fcgid RPM Package
This mod_fcgid package includes a configuration file
/etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
-added as the handler for .fcg, .fcgi, and .fpl applications (provided
-mod_fastcgi in not already loaded, in which case you will need to decide which
-module should handle which types of application).
+added as the handler for .fcg, .fcgi, and .fpl applications.
-So far the module package has only been tested in conjunction with the "moin"
-wiki application. Further feedback regarding other applications is welcome.
-
-Setting up moin with mod_fcgid
-==============================
+Example: setting up moin with mod_fcgid
+=======================================
Setting up moin with mod_fcgid is very similar to setting it up as a regular
CGI application.
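Review bot: Dropping the mod_fastcgi caveat from the README loses the only documented note about both modules claiming the same .fcg/.fcgi/.fpl handlers; the `</IfModule>` context line in fcgid.conf suggests the loading is already guarded, but if the handler assignment is not also guarded, keep one sentence telling the admin to decide which module handles which extensions when both are installed.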
@@ -37,7 +32,7 @@ CGI application.
/etc/httpd/conf.d/mywiki.conf
# Wiki application data common to all wiki instances
- Alias /moin_static182 "/usr/share/moin/htdocs/"
+ Alias /moin_static185 "/usr/share/moin/htdocs/"
<Directory "/usr/share/moin/htdocs/">
Options Indexes FollowSymLinks
AllowOverride None
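Review bot: The alias /moin_static182 to /moin_static185 edit ties the example to one specific moin release; add a line noting that the number must match the installed moin version (the static prefix changes with each release), otherwise this example goes stale again at the next moin update.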
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
index 1d4ff71..981cf59 100644
--- a/mod_fcgid-2.1-README.SELinux
+++ b/mod_fcgid-2.1-README.SELinux
@@ -4,8 +4,7 @@ Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
policy module to support FastCGI applications. Later Fedora releases and Red
Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
-package and do not require the separate module. This has only been tested so
-far with moin, so feedback from other applications is welcome.
+package and do not require the separate module.
The module source (fastcgi.{fc,te}) is included for reference as documentation
in the package.
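Review bot: This README still says the policy is included from "Red Hat Enterprise Linux 5.3 onwards", while the spec in the same commit changes its comment to "RHEL 5.5 onwards" and raises the Conflicts to selinux-policy < 2.4.6-279.el5 because the earlier policy did not work properly; update the README to say 5.5 so the two documents agree.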
diff --git a/mod_fcgid.2.2-svn1030894.patch b/mod_fcgid.2.2-svn1030894.patch
new file mode 100644
index 0000000..c935378
--- /dev/null
+++ b/mod_fcgid.2.2-svn1030894.patch
@@ -0,0 +1,15 @@
+SECURITY: CVE-2010-3872 (cve.mitre.org)
+Fix possible stack buffer overwrite. Diagnosed by the reporter.
+PR 49406. [Edgar Frank <ef-lists email.de>]
+
+--- mod_fcgid.2.2/fcgid_bucket.c 2007-07-31 10:09:20.000000000 +0100
++++ mod_fcgid.2.2/fcgid_bucket.c 2010-11-05 16:30:19.146160542 +0000
+@@ -83,7 +83,7 @@
+
+ /* Initialize header */
+ putsize = fcgid_min(bufferlen, sizeof(header) - hasread);
+- memcpy(&header + hasread, buffer, putsize);
++ memcpy((apr_byte_t *)&header + hasread, buffer, putsize);
+ hasread += putsize;
+
+ /* Ignore the bytes that have read */
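Review bot: The cast in the new memcpy line is the right fix: `&header + hasread` does pointer arithmetic in units of sizeof(header), so any non-zero hasread pointed past the end of the stack variable and the copy overwrote adjacent stack memory (the CVE-2010-3872 stack buffer overwrite); `(apr_byte_t *)&header + hasread` advances by bytes, and since putsize is already bounded by `sizeof(header) - hasread`, the copy now stays within the header. Worth keeping the PR 49406 and svn revision references in the patch header, as done, so the fix is traceable to upstream.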
diff --git a/mod_fcgid.2.2-svn905031.patch b/mod_fcgid.2.2-svn905031.patch
new file mode 100644
index 0000000..b77cdaf
--- /dev/null
+++ b/mod_fcgid.2.2-svn905031.patch
@@ -0,0 +1,23 @@
+Return 500 instead of segfaulting when the application returns no output.
+[Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]
+
+--- mod_fcgid.2.2/fcgid_bridge.c 2007-07-31 10:09:19.000000000 +0100
++++ mod_fcgid.2.2/fcgid_bridge.c 2010-11-05 15:57:35.023098155 +0000
+@@ -203,7 +203,7 @@
+ int getLF = 0;
+ int getColon = 0;
+
+- while ((dst < dst_end) && !done && !APR_BUCKET_IS_EOS(e)) {
++ while ((dst < dst_end) && !done && e != APR_BRIGADE_SENTINEL(bb)) {
+ const char *bucket_data;
+ apr_size_t bucket_data_len;
+ const char *src;
+@@ -264,7 +264,7 @@
+ e = next;
+ }
+ *dst = 0;
+- return 1;
++ return done;
+ }
+
+ static int
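Review bot: The loop condition change is correct for the empty-brigade case: APR_BUCKET_IS_EOS(e) dereferences e, and when the application returned no data e is the brigade sentinel rather than a real bucket, which is where the segfault came from; comparing against APR_BRIGADE_SENTINEL(bb) stops the loop without touching it. Changing `return 1` to `return done` means the caller now sees 0 when no complete header was parsed, but the call site that turns that into a 500 is not in this hunk; confirm the caller actually checks the return value, otherwise the function reports failure and nothing acts on it.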
diff --git a/mod_fcgid.spec b/mod_fcgid.spec
index 8e38304..fa878ae 100644
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@@ -1,8 +1,8 @@
# Fedora 5, 6, and 7 versions includes SELinux policy module package
# Fedora 8 and 9 versions include policy in errata selinux-policy releases
# Fedora 10 onwards include policy in standard selinux-policy releases
-# RHEL 5.3 onwards include policy in standard selinux-policy releases
-%if 0%{?fedora} < 5 || 0%{?fedora} > 7
+# RHEL 5.5 onwards include policy in standard selinux-policy releases
+%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel}
%global selinux_module 0
%global selinux_types %{nil}
%global selinux_variants %{nil}
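Review bot: The new `|| 0%{?rhel}` term disables the bundled SELinux module for every RHEL release, not only 5.5 onwards as the updated comment says; that is fine on this el5 branch only because the Conflicts on selinux-policy < 2.4.6-279.el5 further down enforces the minimum, so note in the comment that the version floor is enforced by Conflicts rather than by this conditional.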
@@ -16,28 +16,31 @@
Name: mod_fcgid
Version: 2.2
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: Apache2 module for high-performance server-side scripting
Group: System Environment/Daemons
License: GPL+
URL: http://fastcgi.coremail.cn/
Source0: http://downloads.sf.net/mod-fcgid/mod_fcgid.%{version}.tar.gz
Source1: fcgid.conf
-Source2: fastcgi.te
-Source3: fastcgi.fc
-Source4: mod_fcgid-2.1-README.RPM
+Source2: mod_fcgid-2.1-README.RPM
+Source3: mod_fcgid-2.1-README.SELinux
Source5: http://fastcgi.coremail.cn/doc.htm
Source6: http://fastcgi.coremail.cn/configuration.htm
-Source7: mod_fcgid-2.1-README.SELinux
-Source8: fastcgi-2.5.te
+Source10: fastcgi.te
+Source11: fastcgi-2.5.te
+Source12: fastcgi.fc
Patch0: mod_fcgid.2.1-docurls.patch
+Patch1: mod_fcgid.2.2-svn905031.patch
+Patch2: mod_fcgid.2.2-svn1030894.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gawk, httpd-devel >= 2.0, pkgconfig
Requires: httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && %{__cat} %{_includedir}/httpd/.mmn || echo missing)
# Make sure that selinux-policy is sufficiently up-to-date if it's installed
+# FastCGI policy properly incorporated into EL 5.5
%if "%{?rhel}" == "5"
-Conflicts: selinux-policy < 2.4.6-203.el5
-# No provide here because selinux-policy >= 2.4.6-203.el5 does the providing
+Conflicts: selinux-policy < 2.4.6-279.el5
+# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
%endif
%if "%{?fedora}" == "8"
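Review bot: Renumbering leaves Source4, Source7, Source8 and Source9 unused and jumps to Source10 for the SELinux files; that is harmless, but a one-line comment saying the 10+ range is reserved for SELinux sources would explain the gap. The Conflicts bump to selinux-policy < 2.4.6-279.el5 should also cite where that NVR comes from (the EL 5.5 selinux-policy that first carried a working fastcgi policy), since the changelog only says "prior to EL 5.5".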
@@ -63,7 +66,7 @@ as possible.
Summary: SELinux policy module supporting FastCGI applications with mod_fcgid
Group: System Environment/Base
BuildRequires: %{selinux_buildreqs}
-# selinux-policy is required for directory ownership of %{_datadir}/selinux/*
+# selinux-policy is required for directory ownership of %%{_datadir}/selinux/*
# Modules built against one version of a policy may not work with older policy
# versions, as noted on fedora-selinux-list:
# http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
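Review bot: Escaping the macro as `%%{_datadir}` in the comment is needed because rpm expands macros on comment lines too; the unescaped form would expand to the real path (or error on an undefined macro) at build time, so this is a correct one-line cleanup.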
@@ -81,17 +84,26 @@ SELinux policy module supporting FastCGI applications with mod_fcgid.
%prep
%setup -q -n mod_fcgid.%{version}
%{__cp} -p %{SOURCE1} fcgid.conf
+%{__cp} -p %{SOURCE2} README.RPM
+%{__cp} -p %{SOURCE3} README.SELinux
+%{__cp} -p %{SOURCE5} directives.htm
+%{__cp} -p %{SOURCE6} configuration.htm
%if 0%{?selinux_policynum} < 20501
-%{__cp} -p %{SOURCE2} fastcgi.te
+%{__cp} -p %{SOURCE10} fastcgi.te
%else
-%{__cp} -p %{SOURCE8} fastcgi.te
+%{__cp} -p %{SOURCE11} fastcgi.te
%endif
-%{__cp} -p %{SOURCE3} fastcgi.fc
-%{__cp} -p %{SOURCE4} README.RPM
-%{__cp} -p %{SOURCE5} directives.htm
-%{__cp} -p %{SOURCE6} configuration.htm
-%{__cp} -p %{SOURCE7} README.SELinux
+%{__cp} -p %{SOURCE12} fastcgi.fc
+
+# Fix URLs in documentation
%patch0 -p1
+
+# Return 500 instead of segfaulting if application returns no data
+%patch1 -p1
+
+# Fix possible stack buffer overwrite (CVE-2010-3872)
+%patch2 -p1
+
%{__sed} -i -e 's/\r$//' directives.htm configuration.htm
/usr/bin/iconv -f gb2312 -t utf8 < configuration.htm > configuration.htm.utf8
%{__mv} -f configuration.htm.utf8 configuration.htm
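Review bot: The %patch1 and %patch2 lines use -p1, which matches the `mod_fcgid.2.2/` prefix in both new patch files, and the comments above each now say what the patch fixes; add the upstream svn revision (905031, 1030894) to those comments as well so a reader does not have to open the patch file to find it. Moving the README and doc copies ahead of the selinux %if block does not change behaviour.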
@@ -175,6 +187,16 @@ exit 0
%endif
%changelog
+* Fri Nov 5 2010 Paul Howarth <paul at city-fan.org> 2.2-11
+- Fix possible stack buffer overwrite (CVE-2010-3872)
+- Return 500 instead of segfaulting if application returns no data
+- Explicitly use /var/run/mod_fcgid as "run" directory rather than following
+ /etc/httpd/run symlink
+- Conflict with selinux-policy versions prior to EL 5.5 as earlier ones didn't
+ work properly
+- Re-order sources
+- Minor documentation updates
+
* Mon Apr 6 2009 Paul Howarth <paul at city-fan.org> 2.2-10
- EL 5.3 now has SELinux support in the main selinux-policy package so handle
that release as per Fedora >= 8, except that the RHEL selinux-policy package
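Review bot: The changelog entry matches the commit message, but the "Conflict with selinux-policy versions prior to EL 5.5" line should name the actual NVR (2.4.6-279.el5) used in the Conflicts tag so a later reader can verify the floor without diffing the spec.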