Attachment 192689 Details for Bug 271470 – Patch against 2.2.11 from RedHat's bugzilla

[patch] Patch against 2.2.11 from RedHat's bugzilla

apache-CVE-2009-1195.patch (text/plain), 6.14 KB, created by Alex Legler (RETIRED) on 2009-05-28 09:35:43 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Alex Legler (RETIRED)

Created: 2009-05-28 09:35:43 UTC

Size: 6.14 KB

patch

obsolete

>
>Property changes on: .
>___________________________________________________________________
>Modified: svn:mergeinfo
>   Merged /httpd/httpd/trunk:r772997,773322,773342
>
>Index: STATUS
>===================================================================
>Index: server/config.c
>===================================================================
>--- server/config.c	(revision 773036)
>+++ server/config.c	(working copy)
>@@ -1510,7 +1510,7 @@
>     parms.temp_pool = ptemp;
>     parms.server = s;
>     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
>-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
>+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
> 
>     parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
>                                             &arr_parms, NULL,
>@@ -1617,7 +1617,7 @@
>     parms.temp_pool = ptemp;
>     parms.server = s;
>     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
>-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
>+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
> 
>     rv = ap_pcfg_openfile(&cfp, p, fname);
>     if (rv != APR_SUCCESS) {
>@@ -1755,7 +1755,7 @@
>     parms.temp_pool = ptemp;
>     parms.server = s;
>     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
>-    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
>+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
>     parms.limited = -1;
> 
>     errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
>Index: server/core.c
>===================================================================
>--- server/core.c	(revision 773036)
>+++ server/core.c	(working copy)
>@@ -108,8 +108,7 @@
>     conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
>     conf->opts_add = conf->opts_remove = OPT_NONE;
>     conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
>-    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
>-                          | OPT_MULTI;
>+    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
> 
>     conf->content_md5 = 2;
>     conf->accept_path_info = 3;
>@@ -242,8 +241,15 @@
>         conf->opts_remove = (conf->opts_remove & ~new->opts_add)
>                             | new->opts_remove;
>         conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
>-        if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
>-            conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
>+
>+        /* If Includes was enabled with exec in the base config, but
>+         * was enabled without exec in the new config, then disable
>+         * exec in the merged set. */
>+        if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
>+             == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
>+            && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
>+                == OPT_INCLUDES)) {
>+            conf->opts &= ~OPT_INC_WITH_EXEC;
>         }
>     }
>     else {
>@@ -1304,10 +1310,12 @@
>             opt = OPT_INDEXES;
>         }
>         else if (!strcasecmp(w, "Includes")) {
>-            opt = OPT_INCLUDES;
>+            /* If Includes is permitted, both Includes and
>+             * IncludesNOEXEC may be changed. */
>+            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
>         }
>         else if (!strcasecmp(w, "IncludesNOEXEC")) {
>-            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
>+            opt = OPT_INCLUDES;
>         }
>         else if (!strcasecmp(w, "FollowSymLinks")) {
>             opt = OPT_SYM_LINKS;
>@@ -1428,10 +1436,10 @@
>             opt = OPT_INDEXES;
>         }
>         else if (!strcasecmp(w, "Includes")) {
>-            opt = OPT_INCLUDES;
>+            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
>         }
>         else if (!strcasecmp(w, "IncludesNOEXEC")) {
>-            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
>+            opt = OPT_INCLUDES;
>         }
>         else if (!strcasecmp(w, "FollowSymLinks")) {
>             opt = OPT_SYM_LINKS;
>Index: CHANGES
>===================================================================
>--- CHANGES	(revision 773036)
>+++ CHANGES	(working copy)
>@@ -5,6 +5,12 @@
>      mod_proxy_ajp: Avoid delivering content from a previous request which
>      failed to send a request body. PR 46949 [Ruediger Pluem]
> 
>+  *) SECURITY: CVE-2009-1195 (cve.mitre.org)
>+     Prevent the "Includes" Option from being enabled in an .htaccess 
>+     file if the AllowOverride restrictions do not permit it.
>+     [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
>+      Ruediger Pluem]
>+
>   *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
>      protocol. [Mladen Turk]
> 
>Index: modules/filters/mod_include.c
>===================================================================
>--- modules/filters/mod_include.c	(revision 773036)
>+++ modules/filters/mod_include.c	(working copy)
>@@ -3574,7 +3574,7 @@
>         intern->seen_eos = 0;
>         intern->state = PARSE_PRE_HEAD;
>         ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
>-        if (ap_allow_options(r) & OPT_INCNOEXEC) {
>+        if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
>             ctx->flags |= SSI_FLAG_NO_EXEC;
>         }
>         intern->accessenable = conf->accessenable;
>Index: include/http_core.h
>===================================================================
>--- include/http_core.h	(revision 773036)
>+++ include/http_core.h	(working copy)
>@@ -65,7 +65,7 @@
> #define OPT_NONE 0
> /** Indexes directive */
> #define OPT_INDEXES 1
>-/**  Includes directive */
>+/** SSI is enabled without exec= permission  */
> #define OPT_INCLUDES 2
> /**  FollowSymLinks directive */
> #define OPT_SYM_LINKS 4
>@@ -73,14 +73,14 @@
> #define OPT_EXECCGI 8
> /**  directive unset */
> #define OPT_UNSET 16
>-/**  IncludesNOEXEC directive */
>-#define OPT_INCNOEXEC 32
>+/**  SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
>+#define OPT_INC_WITH_EXEC 32
> /** SymLinksIfOwnerMatch directive */
> #define OPT_SYM_OWNER 64
> /** MultiViews directive */
> #define OPT_MULTI 128
> /**  All directives */
>-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
>+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
> /** @} */
> 
> /**

Actions: View | Diff

Attachments on bug 271470: 192689 | 195624