[mod_fcgid/el5/master] Security (CVE-2010-3872) and bug fix update

Paul Howarth pghmcfc at fedoraproject.org
Fri Nov 5 20:51:06 UTC 2010


commit d49434b12095cd28fcbc0b2184a4de7268900a66
Author: Paul Howarth <paul at city-fan.org>
Date:   Fri Nov 5 20:49:38 2010 +0000

    Security (CVE-2010-3872) and bug fix update
    
    - Fix possible stack buffer overwrite (CVE-2010-3872)
    - Return 500 instead of segfaulting if application returns no data
    - Explicitly use /var/run/mod_fcgid as "run" directory rather than following
      /etc/httpd/run symlink
    - Conflict with selinux-policy versions prior to EL 5.5 as earlier ones didn't
      work properly
    - Re-order sources
    - Minor documentation updates

 fcgid.conf                     |    4 +-
 mod_fcgid-2.1-README.RPM       |   13 +++------
 mod_fcgid-2.1-README.SELinux   |    3 +-
 mod_fcgid.2.2-svn1030894.patch |   15 ++++++++++
 mod_fcgid.2.2-svn905031.patch  |   23 ++++++++++++++++
 mod_fcgid.spec                 |   58 +++++++++++++++++++++++++++------------
 6 files changed, 85 insertions(+), 31 deletions(-)
---
diff --git a/fcgid.conf b/fcgid.conf
index e9d886e..bf04642 100644
--- a/fcgid.conf
+++ b/fcgid.conf
@@ -12,5 +12,5 @@ LoadModule fcgid_module modules/mod_fcgid.so
 </IfModule>
 
 # Sane place to put sockets and shared memory file
-SocketPath run/mod_fcgid
-SharememPath run/mod_fcgid/fcgid_shm
+SocketPath /var/run/mod_fcgid
+SharememPath /var/run/mod_fcgid/fcgid_shm
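Review bot: The switch to the absolute `/var/run/mod_fcgid` path carries no explanation in the file itself, so a later maintainer may well "simplify" it back to the ServerRoot-relative `run/mod_fcgid` that this change deliberately abandons; a one-line comment above `SocketPath` would pin the intent, e.g. `# Absolute path on purpose: do not depend on the /etc/httpd/run symlink being followed`. Nothing in this diff shows who creates `/var/run/mod_fcgid` or with what owner and mode; presumably an existing %install/%files entry in the spec owns it, but that is worth confirming, because the Unix sockets and the shared-memory file placed there should be writable only by the httpd user.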
diff --git a/mod_fcgid-2.1-README.RPM b/mod_fcgid-2.1-README.RPM
index 18891e0..89165c5 100644
--- a/mod_fcgid-2.1-README.RPM
+++ b/mod_fcgid-2.1-README.RPM
@@ -3,15 +3,10 @@ Using the mod_fcgid RPM Package
 
 This mod_fcgid package includes a configuration file
 /etc/httpd/conf.d/fcgid.conf that ensures that the module is loaded and
-added as the handler for .fcg, .fcgi, and .fpl applications (provided
-mod_fastcgi in not already loaded, in which case you will need to decide which
-module should handle which types of application).
+added as the handler for .fcg, .fcgi, and .fpl applications.
 
-So far the module package has only been tested in conjunction with the "moin"
-wiki application. Further feedback regarding other applications is welcome.
-
-Setting up moin with mod_fcgid
-==============================
+Example: setting up moin with mod_fcgid
+=======================================
 
 Setting up moin with mod_fcgid is very similar to setting it up as a regular
 CGI application.
@@ -37,7 +32,7 @@ CGI application.
    /etc/httpd/conf.d/mywiki.conf
 
     # Wiki application data common to all wiki instances
-    Alias /moin_static182 "/usr/share/moin/htdocs/"
+    Alias /moin_static185 "/usr/share/moin/htdocs/"
     <Directory "/usr/share/moin/htdocs/">
       Options Indexes FollowSymLinks
       AllowOverride None
diff --git a/mod_fcgid-2.1-README.SELinux b/mod_fcgid-2.1-README.SELinux
index 1d4ff71..981cf59 100644
--- a/mod_fcgid-2.1-README.SELinux
+++ b/mod_fcgid-2.1-README.SELinux
@@ -4,8 +4,7 @@ Using mod_fcgid with SELinux in Fedora Core 5 / RHEL 5 onwards
 Versions of this package built for Fedora Core 5, 6, or 7 include an SELinux
 policy module to support FastCGI applications. Later Fedora releases and Red
 Hat Enterprise Linux 5.3 onwards include the policy in the main selinux-policy
-package and do not require the separate module. This has only been tested so
-far with moin, so feedback from other applications is welcome.
+package and do not require the separate module.
 
 The module source (fastcgi.{fc,te}) is included for reference as documentation
 in the package.
diff --git a/mod_fcgid.2.2-svn1030894.patch b/mod_fcgid.2.2-svn1030894.patch
new file mode 100644
index 0000000..c935378
--- /dev/null
+++ b/mod_fcgid.2.2-svn1030894.patch
@@ -0,0 +1,15 @@
+SECURITY: CVE-2010-3872 (cve.mitre.org)
+Fix possible stack buffer overwrite.  Diagnosed by the reporter.
+PR 49406.  [Edgar Frank <ef-lists email.de>]
+
+--- mod_fcgid.2.2/fcgid_bucket.c	2007-07-31 10:09:20.000000000 +0100
++++ mod_fcgid.2.2/fcgid_bucket.c	2010-11-05 16:30:19.146160542 +0000
+@@ -83,7 +83,7 @@
+ 
+ 		/* Initialize header */
+ 		putsize = fcgid_min(bufferlen, sizeof(header) - hasread);
+-		memcpy(&header + hasread, buffer, putsize);
++		memcpy((apr_byte_t *)&header + hasread, buffer, putsize);
+ 		hasread += putsize;
+ 
+ 		/* Ignore the bytes that have read */
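Review bot: The `(apr_byte_t *)` cast is the whole fix, yet nothing at the call site says why it is there — `&header + hasread` advanced `hasread` whole `sizeof(header)` units, which is the stack overwrite CVE-2010-3872 describes — so a comment should protect it from being "cleaned up" later: `/* byte offset into header; &header + n would step n whole structs (CVE-2010-3872) */`. With the cast, `putsize` being bounded by `sizeof(header) - hasread` keeps the copy inside `header`. The enclosing loop starts and ends outside this hunk; it would be worth grepping the rest of fcgid_bucket.c for the same `&header +` arithmetic pattern, since this patch touches only the one occurrence.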
diff --git a/mod_fcgid.2.2-svn905031.patch b/mod_fcgid.2.2-svn905031.patch
new file mode 100644
index 0000000..b77cdaf
--- /dev/null
+++ b/mod_fcgid.2.2-svn905031.patch
@@ -0,0 +1,23 @@
+Return 500 instead of segfaulting when the application returns no output.
+[Tatsuki Sugiura <sugi nemui.org>, Jeff Trawick]
+
+--- mod_fcgid.2.2/fcgid_bridge.c	2007-07-31 10:09:19.000000000 +0100
++++ mod_fcgid.2.2/fcgid_bridge.c	2010-11-05 15:57:35.023098155 +0000
+@@ -203,7 +203,7 @@
+ 	int getLF = 0;
+ 	int getColon = 0;
+ 
+-	while ((dst < dst_end) && !done && !APR_BUCKET_IS_EOS(e)) {
++	while ((dst < dst_end) && !done && e != APR_BRIGADE_SENTINEL(bb)) {
+ 		const char *bucket_data;
+ 		apr_size_t bucket_data_len;
+ 		const char *src;
+@@ -264,7 +264,7 @@
+ 		e = next;
+ 	}
+ 	*dst = 0;
+-	return 1;
++	return done;
+ }
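Review bot: `return done` also changes the result when the loop stops because `dst` reached `dst_end` without the end-of-headers marker: the caller now gets 0 (a 500, per the patch description) instead of 1 with a silently truncated header, which is the safer outcome but a behaviour change the caller must handle, and the caller is outside this hunk — confirm every caller treats 0 as failure. A comment above the return would make the contract explicit: `/* done == 0: brigade ended or header buffer filled before end-of-headers; caller must fail the request */`. The loop body between the two hunks is not visible; with the sentinel test replacing `APR_BUCKET_IS_EOS`, metadata buckets (EOS/FLUSH) now enter the body, which is fine if they are read via `apr_bucket_read` (zero length) but not if the body assumes data buckets — worth confirming.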
+ 
+ static int
diff --git a/mod_fcgid.spec b/mod_fcgid.spec
index 8e38304..fa878ae 100644
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@@ -1,8 +1,8 @@
 # Fedora 5, 6, and 7 versions includes SELinux policy module package
 # Fedora 8 and 9 versions include policy in errata selinux-policy releases
 # Fedora 10 onwards include policy in standard selinux-policy releases
-# RHEL 5.3 onwards include policy in standard selinux-policy releases
-%if 0%{?fedora} < 5 || 0%{?fedora} > 7
+# RHEL 5.5 onwards include policy in standard selinux-policy releases
+%if 0%{?fedora} < 5 || 0%{?fedora} > 7 || 0%{?rhel}
 %global selinux_module 0
 %global selinux_types %{nil}
 %global selinux_variants %{nil}
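Review bot: The comment on the line above says RHEL 5.5 onwards ship the policy, but the new `|| 0%{?rhel}` term is true for any `%{rhel}` value, so the separate policy subpackage is dropped for every RHEL build, while the install-time safeguard is only the `Conflicts: selinux-policy < 2.4.6-279.el5` in a later hunk, which is itself guarded by `%if "%{?rhel}" == "5"`. If the spec is ever built for another RHEL major version, neither the subpackage nor a Conflicts would apply. If that is intended, say so in the comment; otherwise `0%{?rhel} >= 5` would match the stated rationale.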
@@ -16,28 +16,31 @@
 
 Name:		mod_fcgid
 Version:	2.2
-Release:	10%{?dist}
+Release:	11%{?dist}
 Summary:	Apache2 module for high-performance server-side scripting 
 Group:		System Environment/Daemons
 License:	GPL+
 URL:		http://fastcgi.coremail.cn/
 Source0:	http://downloads.sf.net/mod-fcgid/mod_fcgid.%{version}.tar.gz
 Source1:	fcgid.conf
-Source2:	fastcgi.te
-Source3:	fastcgi.fc
-Source4:	mod_fcgid-2.1-README.RPM
+Source2:	mod_fcgid-2.1-README.RPM
+Source3:	mod_fcgid-2.1-README.SELinux
 Source5:	http://fastcgi.coremail.cn/doc.htm
 Source6:	http://fastcgi.coremail.cn/configuration.htm
-Source7:	mod_fcgid-2.1-README.SELinux
-Source8:	fastcgi-2.5.te
+Source10:	fastcgi.te
+Source11:	fastcgi-2.5.te
+Source12:	fastcgi.fc
 Patch0:		mod_fcgid.2.1-docurls.patch
+Patch1:		mod_fcgid.2.2-svn905031.patch
+Patch2:		mod_fcgid.2.2-svn1030894.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:	gawk, httpd-devel >= 2.0, pkgconfig
 Requires:	httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && %{__cat} %{_includedir}/httpd/.mmn || echo missing)
 # Make sure that selinux-policy is sufficiently up-to-date if it's installed
+# FastCGI policy properly incorporated into EL 5.5
 %if "%{?rhel}" == "5"
-Conflicts:	selinux-policy < 2.4.6-203.el5
-# No provide here because selinux-policy >= 2.4.6-203.el5 does the providing
+Conflicts:	selinux-policy < 2.4.6-279.el5
+# No provide here because selinux-policy >= 2.4.6-279.el5 does the providing
 Obsoletes:	mod_fcgid-selinux <= %{version}-%{release}
 %endif
 %if "%{?fedora}" == "8"
@@ -63,7 +66,7 @@ as possible.
 Summary:	  SELinux policy module supporting FastCGI applications with mod_fcgid
 Group:		  System Environment/Base
 BuildRequires:	  %{selinux_buildreqs}
-# selinux-policy is required for directory ownership of %{_datadir}/selinux/*
+# selinux-policy is required for directory ownership of %%{_datadir}/selinux/*
 # Modules built against one version of a policy may not work with older policy
 # versions, as noted on fedora-selinux-list:
 # http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00102.html
@@ -81,17 +84,26 @@ SELinux policy module supporting FastCGI applications with mod_fcgid.
 %prep
 %setup -q -n mod_fcgid.%{version}
 %{__cp} -p %{SOURCE1} fcgid.conf
+%{__cp} -p %{SOURCE2} README.RPM
+%{__cp} -p %{SOURCE3} README.SELinux
+%{__cp} -p %{SOURCE5} directives.htm
+%{__cp} -p %{SOURCE6} configuration.htm
 %if 0%{?selinux_policynum} < 20501
-%{__cp} -p %{SOURCE2} fastcgi.te
+%{__cp} -p %{SOURCE10} fastcgi.te
 %else
-%{__cp} -p %{SOURCE8} fastcgi.te
+%{__cp} -p %{SOURCE11} fastcgi.te
 %endif
-%{__cp} -p %{SOURCE3} fastcgi.fc
-%{__cp} -p %{SOURCE4} README.RPM
-%{__cp} -p %{SOURCE5} directives.htm
-%{__cp} -p %{SOURCE6} configuration.htm
-%{__cp} -p %{SOURCE7} README.SELinux
+%{__cp} -p %{SOURCE12} fastcgi.fc
+
+# Fix URLs in documentation
 %patch0 -p1
+
+# Return 500 instead of segfaulting if application returns no data
+%patch1 -p1
+
+# Fix possible stack buffer overwrite (CVE-2010-3872)
+%patch2 -p1
+
 %{__sed} -i -e 's/\r$//' directives.htm configuration.htm
 /usr/bin/iconv -f gb2312 -t utf8 < configuration.htm > configuration.htm.utf8
 %{__mv} -f configuration.htm.utf8 configuration.htm
@@ -175,6 +187,16 @@ exit 0
 %endif
 
 %changelog
+* Fri Nov  5 2010 Paul Howarth <paul at city-fan.org> 2.2-11
+- Fix possible stack buffer overwrite (CVE-2010-3872)
+- Return 500 instead of segfaulting if application returns no data
+- Explicitly use /var/run/mod_fcgid as "run" directory rather than following
+  /etc/httpd/run symlink
+- Conflict with selinux-policy versions prior to EL 5.5 as earlier ones didn't
+  work properly
+- Re-order sources
+- Minor documentation updates
+
 * Mon Apr  6 2009 Paul Howarth <paul at city-fan.org> 2.2-10
 - EL 5.3 now has SELinux support in the main selinux-policy package so handle
   that release as per Fedora >= 8, except that the RHEL selinux-policy package

