On 10.10.2013 09:06, Moritz Muehlenhoff wrote:
> Package: libapache2-mod-fcgid
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This was assigned CVE-2013-4365:
> http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html
>
> Isolated patch:
> https://mail-archives.apache.org/mod_mbox/httpd-cvs/201309.mbox/%3c20130929174048.13b962388...@eris.apache.org%3E
>
> Can you prepare updated packages for oldstable/stable and contact
> t...@security.debian.org ?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security

I've prepared updates for wheezy and squeeze, see the attached debdiffs.
Please let me know if I should upload these.

Cheers,
Felix
diff -u libapache2-mod-fcgid-2.3.6/debian/changelog libapache2-mod-fcgid-2.3.6/debian/changelog --- libapache2-mod-fcgid-2.3.6/debian/changelog +++ libapache2-mod-fcgid-2.3.6/debian/changelog @@ -1,3 +1,10 @@ +libapache2-mod-fcgid (1:2.3.6-1+squeeze2) squeeze-security; urgency=high + + * Fix CVE-2013-4365: heap buffer overwrite. (Closes: #725942) + - Add debian/patches/30_CVE-2013-4365.dpatch + + -- Felix Geyer <fge...@debian.org> Thu, 10 Oct 2013 21:21:29 +0200 + libapache2-mod-fcgid (1:2.3.6-1+squeeze1) stable-security; urgency=high * Non-maintainer upload. diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list libapache2-mod-fcgid-2.3.6/debian/patches/00list --- libapache2-mod-fcgid-2.3.6/debian/patches/00list +++ libapache2-mod-fcgid-2.3.6/debian/patches/00list @@ -2,0 +3 @@ +30_CVE-2013-4365.dpatch only in patch2: unchanged: --- libapache2-mod-fcgid-2.3.6.orig/debian/patches/30_CVE-2013-4365.dpatch +++ libapache2-mod-fcgid-2.3.6/debian/patches/30_CVE-2013-4365.dpatch @@ -0,0 +1,35 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## DP: Fix CVE-2013-4365: heap buffer overwrite +## DP: Origin: https://svn.apache.org/viewvc?view=revision&revision=r1527362 + +@DPATCH@ + +--- a/modules/fcgid/fcgid_bucket.c ++++ b/modules/fcgid/fcgid_bucket.c +@@ -112,10 +112,12 @@ + if (header.type == FCGI_STDERR) { + char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b->list); + char *line; ++ apr_size_t hasput; + + memset(logbuf, 0, APR_BUCKET_BUFF_SIZE); + + hasread = 0; ++ hasput = 0; + while (hasread < bodysize) { + char *buffer; + apr_size_t bufferlen, canput, willput; +@@ -130,9 +132,10 @@ + + canput = fcgid_min(bufferlen, bodysize - hasread); + willput = +- fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1); +- memcpy(logbuf + hasread, buffer, willput); ++ fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1); ++ memcpy(logbuf + hasput, buffer, willput); + hasread += canput; ++ hasput += willput; + + /* Ignore the "canput" bytes */ + fcgid_ignore_bytes(ctx, canput);
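Review bot: In the `@@ -130,9 +132,10 @@` hunk of fcgid_bucket.c, the new bound `APR_BUCKET_BUFF_SIZE - hasput - 1` is only safe while hasput stays at or below APR_BUCKET_BUFF_SIZE - 1, and nothing in the code states that invariant. It does hold here, because hasput grows only by willput and willput is capped by that same expression. But hasput is an apr_size_t, so the subtraction is unsigned and would wrap to a very large value if a later edit broke the invariant. That is the same failure mode the removed line had when it used hasread, which advances by canput and is bounded only by bodysize. I would add a one-line comment above the fcgid_min call stating that hasput never exceeds APR_BUCKET_BUFF_SIZE - 1, or wrap the memcpy in an explicit `if (hasput < APR_BUCKET_BUFF_SIZE - 1)` check so the bound does not depend on reading the arithmetic correctly.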
diff -u libapache2-mod-fcgid-2.3.6/debian/changelog libapache2-mod-fcgid-2.3.6/debian/changelog --- libapache2-mod-fcgid-2.3.6/debian/changelog +++ libapache2-mod-fcgid-2.3.6/debian/changelog @@ -1,3 +1,10 @@ +libapache2-mod-fcgid (1:2.3.6-1.2+deb7u1) wheezy-security; urgency=high + + * Fix CVE-2013-4365: heap buffer overwrite. (Closes: #725942) + - Add debian/patches/40_CVE-2013-4365.dpatch + + -- Felix Geyer <fge...@debian.org> Thu, 10 Oct 2013 20:02:54 +0200 + libapache2-mod-fcgid (1:2.3.6-1.2) unstable; urgency=low * Non-maintainer upload. diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list libapache2-mod-fcgid-2.3.6/debian/patches/00list --- libapache2-mod-fcgid-2.3.6/debian/patches/00list +++ libapache2-mod-fcgid-2.3.6/debian/patches/00list @@ -3,0 +4 @@ +40_CVE-2013-4365.dpatch only in patch2: unchanged: --- libapache2-mod-fcgid-2.3.6.orig/debian/patches/40_CVE-2013-4365.dpatch +++ libapache2-mod-fcgid-2.3.6/debian/patches/40_CVE-2013-4365.dpatch @@ -0,0 +1,35 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## DP: Fix CVE-2013-4365: heap buffer overwrite +## DP: Origin: https://svn.apache.org/viewvc?view=revision&revision=r1527362 + +@DPATCH@ + +--- a/modules/fcgid/fcgid_bucket.c ++++ b/modules/fcgid/fcgid_bucket.c +@@ -112,10 +112,12 @@ + if (header.type == FCGI_STDERR) { + char *logbuf = apr_bucket_alloc(APR_BUCKET_BUFF_SIZE, b->list); + char *line; ++ apr_size_t hasput; + + memset(logbuf, 0, APR_BUCKET_BUFF_SIZE); + + hasread = 0; ++ hasput = 0; + while (hasread < bodysize) { + char *buffer; + apr_size_t bufferlen, canput, willput; +@@ -130,9 +132,10 @@ + + canput = fcgid_min(bufferlen, bodysize - hasread); + willput = +- fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasread - 1); +- memcpy(logbuf + hasread, buffer, willput); ++ fcgid_min(canput, APR_BUCKET_BUFF_SIZE - hasput - 1); ++ memcpy(logbuf + hasput, buffer, willput); + hasread += canput; ++ hasput += willput; + + /* Ignore the "canput" bytes */ + fcgid_ignore_bytes(ctx, canput);
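Review bot: The loop in the fcgid_bucket.c hunks now truncates silently: once hasput reaches APR_BUCKET_BUFF_SIZE - 1, willput is 0 on every later iteration, so the rest of the FCGI_STDERR body is consumed by `fcgid_ignore_bytes(ctx, canput)` and never reaches logbuf. That is the right behaviour for a security upload, but an administrator reading the error log cannot tell that a message was cut short. Consider saying in the changelog entry or the `## DP:` description that stderr records longer than the buffer are truncated. If upstream is open to it, a marker could also be logged when `hasput` stops advancing while `hasread < bodysize`.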