fix htdbm/htpasswd crash on crypt() failure (#818684)

Resolves: rhbz#818684
2012-06-06 15:23:31 +01:00 · 2012-06-06 15:23:31 +01:00 · 5fac30f680
commit 5fac30f680
parent febac1c9c4
2 changed files with 71 additions and 1 deletions
--- a/httpd-2.4.2-r1346905.patch
+++ b/httpd-2.4.2-r1346905.patch
@ -0,0 +1,65 @@
+# ./pullrev.sh 1346905
+
+https://bugzilla.redhat.com/show_bug.cgi?id=818684
+
+http://svn.apache.org/viewvc?view=revision&revision=1346905
+
+--- httpd-2.4.2/support/htdbm.c
+++ httpd-2.4.2/support/htdbm.c
+@@ -288,6 +288,9 @@
+ {
+     char cpw[MAX_STRING_LEN];
+     char salt[9];
+#if (!(defined(WIN32) || defined(NETWARE)))
+    char *cbuf;
+#endif
+ 
+     switch (htdbm->alg) {
+         case ALG_APSHA:
+@@ -315,7 +318,15 @@
+             (void) srand((int) time((time_t *) NULL));
+             to64(&salt[0], rand(), 8);
+             salt[8] = '\0';
+-            apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);
+            cbuf = crypt(htdbm->userpass, salt);
+            if (cbuf == NULL) {
+                char errbuf[128];
+                
+                fprintf(stderr, "crypt() failed: %s\n", 
+                        apr_strerror(errno, errbuf, sizeof errbuf));
+                exit(ERR_PWMISMATCH);
+            }
+            apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
+             fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n");
+ #endif
+         default:
+--- httpd-2.4.2/support/htpasswd.c
+++ httpd-2.4.2/support/htpasswd.c
+@@ -174,6 +174,9 @@
+     char pwv[MAX_STRING_LEN];
+     char salt[9];
+     apr_size_t bufsize;
+#if CRYPT_ALGO_SUPPORTED
+    char *cbuf;
+#endif
+ 
+     if (passwd != NULL) {
+         pw = passwd;
+@@ -226,7 +229,16 @@
+         to64(&salt[0], rand(), 8);
+         salt[8] = '\0';
+ 
+-        apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
+        cbuf = crypt(pw, salt);
+        if (cbuf == NULL) {
+            char errbuf[128];
+
+            apr_snprintf(record, rlen-1, "crypt() failed: %s", 
+                         apr_strerror(errno, errbuf, sizeof errbuf));
+            return ERR_PWMISMATCH;
+        }
+
+        apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
+         if (strlen(pw) > 8) {
+             char *truncpw = strdup(pw);
+             truncpw[8] = '\0';
--- a/httpd.spec
+++ b/httpd.spec
@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.2
-Release: 13%{?dist}
+Release: 14%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -50,6 +50,7 @@ Patch40: httpd-2.4.2-restart.patch
 Patch41: httpd-2.4.2-r1327036+.patch
 Patch42: httpd-2.4.2-r1326980+.patch
 Patch43: httpd-2.4.2-r1332643+.patch
+Patch44: httpd-2.4.2-r1346905.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -161,6 +162,7 @@ authentication to the Apache HTTP Server.
 %patch41 -p1 -b .r1327036+
 %patch42 -p1 -b .r1326980+
 %patch43 -p1 -b .r1332643+
+%patch44 -p1 -b .r1346905

 # Patch in vendor/release string
 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@ -565,6 +567,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd

 %changelog
+* Wed Jun  6 2012 Joe Orton <jorton@redhat.com> - 2.4.2-14
+- fix htdbm/htpasswd crash on crypt() failure (#818684)
+
 * Wed Jun  6 2012 Joe Orton <jorton@redhat.com> - 2.4.2-13
 - pull fix for NPN patch from upstream (r1345599)