Gentoo's Bugzilla – Attachment 192689 Details for
Bug 271470
<www-servers/apache-2.2.11-r1 AllowOverride/Options Security Bypass (CVE-2009-1195)
[patch]
Patch against 2.2.11 from RedHat's bugzilla
apache-CVE-2009-1195.patch (text/plain), 6.14 KB, created by
Alex Legler (RETIRED)
on 2009-05-28 09:35:43 UTC
Description:
Patch against 2.2.11 from RedHat's bugzilla
Filename:
MIME Type:
Creator:
Alex Legler (RETIRED)
Created:
2009-05-28 09:35:43 UTC
Size:
6.14 KB
>
>Property changes on: .
>___________________________________________________________________
>Modified: svn:mergeinfo
> Merged /httpd/httpd/trunk:r772997,773322,773342
>
>Index: STATUS
>===================================================================
>Index: server/config.c
>===================================================================
>--- server/config.c (revision 773036)
>+++ server/config.c (working copy)
>@@ -1510,7 +1510,7 @@
> parms.temp_pool = ptemp;
> parms.server = s;
> parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
>- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
>+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
>
> parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
> &arr_parms, NULL,
>@@ -1617,7 +1617,7 @@
> parms.temp_pool = ptemp;
> parms.server = s;
> parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
>- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
>+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
>
> rv = ap_pcfg_openfile(&cfp, p, fname);
> if (rv != APR_SUCCESS) {
>@@ -1755,7 +1755,7 @@
> parms.temp_pool = ptemp;
> parms.server = s;
> parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
>- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
>+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
> parms.limited = -1;
>
> errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
>Index: server/core.c
>===================================================================
>--- server/core.c (revision 773036)
>+++ server/core.c (working copy)
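Review bot: The override mask `OPT_ALL | OPT_SYM_OWNER | OPT_MULTI` is written out separately in all three config.c hunks (@@ -1510, @@ -1617, @@ -1755) and again, with OPT_UNSET added, in the core.c @@ -108 hunk. Because OPT_ALL now carries OPT_INC_WITH_EXEC (see the http_core.h hunk), each copy implicitly permits SSI exec= in these contexts without saying so. A single named constant with a comment, for example `#define OPT_OVERRIDE_DEFAULT (OPT_ALL | OPT_SYM_OWNER | OPT_MULTI) /* includes OPT_INC_WITH_EXEC */`, would keep the four sites from drifting apart the next time a bit changes meaning. The enclosing functions begin and end outside these hunks.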
>@@ -108,8 +108,7 @@
> conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
> conf->opts_add = conf->opts_remove = OPT_NONE;
> conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
>- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
>- | OPT_MULTI;
>+ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
>
> conf->content_md5 = 2;
> conf->accept_path_info = 3;
>@@ -242,8 +241,15 @@
> conf->opts_remove = (conf->opts_remove & ~new->opts_add)
> | new->opts_remove;
> conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
>- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
>- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
>+
>+ /* If Includes was enabled with exec in the base config, but
>+ * was enabled without exec in the new config, then disable
>+ * exec in the merged set. */
>+ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
>+ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
>+ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
>+ == OPT_INCLUDES)) {
>+ conf->opts &= ~OPT_INC_WITH_EXEC;
> }
> }
> else {
>@@ -1304,10 +1310,12 @@
> opt = OPT_INDEXES;
> }
> else if (!strcasecmp(w, "Includes")) {
>- opt = OPT_INCLUDES;
>+ /* If Includes is permitted, both Includes and
>+ * IncludesNOEXEC may be changed. */
>+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
> }
> else if (!strcasecmp(w, "IncludesNOEXEC")) {
>- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
>+ opt = OPT_INCLUDES;
> }
> else if (!strcasecmp(w, "FollowSymLinks")) {
> opt = OPT_SYM_LINKS;
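Review bot: The new guard in the @@ -242 hunk clears OPT_INC_WITH_EXEC only when base->opts holds both OPT_INCLUDES and OPT_INC_WITH_EXEC. If an earlier merge can leave OPT_INC_WITH_EXEC set without OPT_INCLUDES, a later layer that enables IncludesNOEXEC would inherit the stale exec bit. The `& ~conf->opts_remove` line just above looks like it would do that when only OPT_INCLUDES was removed, though the option parser that fills opts_remove is outside this hunk. Keying the test on the new layer alone fails closed: `if ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC)) == OPT_INCLUDES) { conf->opts &= ~OPT_INC_WITH_EXEC; }`. The enclosing merge function begins and ends outside the hunk, so this should be confirmed against the full branch.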
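Review bot: The directive-name-to-bit mapping is changed identically in two places, the @@ -1304 hunk here and the @@ -1428 hunk that follows, and only the first carries a comment. Because bit 32 flipped meaning, "Includes" now maps to two bits and "IncludesNOEXEC" to one, which reads backwards to anyone who remembers the old flags. The second site should carry a comment such as `/* "Includes" = SSI with exec=; "IncludesNOEXEC" = SSI only */`. A shared static lookup helper for both parsers would also keep the two tables from diverging. Both enclosing functions start and end outside the hunks.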
>@@ -1428,10 +1436,10 @@
> opt = OPT_INDEXES;
> }
> else if (!strcasecmp(w, "Includes")) {
>- opt = OPT_INCLUDES;
>+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
> }
> else if (!strcasecmp(w, "IncludesNOEXEC")) {
>- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
>+ opt = OPT_INCLUDES;
> }
> else if (!strcasecmp(w, "FollowSymLinks")) {
> opt = OPT_SYM_LINKS;
>Index: CHANGES
>===================================================================
>--- CHANGES (revision 773036)
>+++ CHANGES (working copy)
>@@ -5,6 +5,12 @@
> mod_proxy_ajp: Avoid delivering content from a previous request which
> failed to send a request body. PR 46949 [Ruediger Pluem]
>
>+ *) SECURITY: CVE-2009-1195 (cve.mitre.org)
>+ Prevent the "Includes" Option from being enabled in an .htaccess
>+ file if the AllowOverride restrictions do not permit it.
>+ [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
>+ Ruediger Pluem]
>+
> *) mod_proxy_ajp: Check more strictly that the backend follows the AJP
> protocol. [Mladen Turk]
>
>Index: modules/filters/mod_include.c
>===================================================================
>--- modules/filters/mod_include.c (revision 773036)
>+++ modules/filters/mod_include.c (working copy)
>@@ -3574,7 +3574,7 @@
> intern->seen_eos = 0;
> intern->state = PARSE_PRE_HEAD;
> ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
>- if (ap_allow_options(r) & OPT_INCNOEXEC) {
>+ if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
> ctx->flags |= SSI_FLAG_NO_EXEC;
> }
> intern->accessenable = conf->accessenable;
>Index: include/http_core.h
>===================================================================
>--- include/http_core.h (revision 773036)
>+++ include/http_core.h (working copy)
>@@ -65,7 +65,7 @@
> #define OPT_NONE 0
> /** Indexes directive */
> #define OPT_INDEXES 1
>-/** Includes directive */
>+/** SSI is enabled without exec= permission */
> #define OPT_INCLUDES 2
> /** FollowSymLinks directive */
> #define OPT_SYM_LINKS 4
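Review bot: The `== 0` test in the mod_include.c @@ -3574 hunk makes exec= opt-in, so SSI_FLAG_NO_EXEC is now set whenever the grant bit is absent rather than when a restriction bit is present. Nothing on the line records that this default-deny direction is deliberate. I would add a comment above it, `/* exec= is denied unless OPT_INC_WITH_EXEC was explicitly granted */`, so a later cleanup does not flip the test back to a positive-bit check. The enclosing function starts and ends outside the hunk.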
>@@ -73,14 +73,14 @@
> #define OPT_EXECCGI 8
> /** directive unset */
> #define OPT_UNSET 16
>-/** IncludesNOEXEC directive */
>-#define OPT_INCNOEXEC 32
>+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
>+#define OPT_INC_WITH_EXEC 32
> /** SymLinksIfOwnerMatch directive */
> #define OPT_SYM_OWNER 64
> /** MultiViews directive */
> #define OPT_MULTI 128
> /** All directives */
>-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
>+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
> /** @} */
>
> /**
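Review bot: OPT_INC_WITH_EXEC reuses the value 32 that OPT_INCNOEXEC had, with the opposite meaning, and the old name is deleted from a public header. A module built against the old header would keep reading bit 32 as "no exec" and so treat an exec grant as a restriction, and the reverse. Modules that name OPT_INCNOEXEC will stop compiling, which is the safer outcome. The visible patch carries no compatibility note or module ABI version change, so I would add a comment above the define, `/* value 32 was OPT_INCNOEXEC (inverse meaning) before the CVE-2009-1195 fix; rebuild modules that test it */`. It is also worth confirming whether the module magic number needs a bump for this release.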