rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

fix htdbm/htpasswd crash on crypt() failure (#818684)

Browse Source 
Resolves: rhbz#818684
This commit is contained in:
Joe Orton 2012-06-06 15:23:31 +01:00
parent febac1c9c4
commit 5fac30f680
2 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
httpd-2.4.2-r1346905.patch Normal file
View File

@ -0,0 +1,65 @@
# ./pullrev.sh 1346905
https://bugzilla.redhat.com/show_bug.cgi?id=818684
http://svn.apache.org/viewvc?view=revision&revision=1346905
--- httpd-2.4.2/support/htdbm.c
+++ httpd-2.4.2/support/htdbm.c
@@ -288,6 +288,9 @@
{
char cpw[MAX_STRING_LEN];
char salt[9];
+#if (!(defined(WIN32) || defined(NETWARE)))
+ char *cbuf;
+#endif
switch (htdbm->alg) {
case ALG_APSHA:
@@ -315,7 +318,15 @@
(void) srand((int) time((time_t *) NULL));
to64(&salt[0], rand(), 8);
salt[8] = '\0';
- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);
+ cbuf = crypt(htdbm->userpass, salt);
+ if (cbuf == NULL) {
+ char errbuf[128];
+
+ fprintf(stderr, "crypt() failed: %s\n",
+ apr_strerror(errno, errbuf, sizeof errbuf));
+ exit(ERR_PWMISMATCH);
+ }
+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n");
#endif
default:
--- httpd-2.4.2/support/htpasswd.c
+++ httpd-2.4.2/support/htpasswd.c
@@ -174,6 +174,9 @@
char pwv[MAX_STRING_LEN];
char salt[9];
apr_size_t bufsize;
+#if CRYPT_ALGO_SUPPORTED
+ char *cbuf;
+#endif
if (passwd != NULL) {
pw = passwd;
@@ -226,7 +229,16 @@
to64(&salt[0], rand(), 8);
salt[8] = '\0';
- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
+ cbuf = crypt(pw, salt);
+ if (cbuf == NULL) {
+ char errbuf[128];
+
+ apr_snprintf(record, rlen-1, "crypt() failed: %s",
+ apr_strerror(errno, errbuf, sizeof errbuf));
+ return ERR_PWMISMATCH;
+ }
+
+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
if (strlen(pw) > 8) {
char *truncpw = strdup(pw);
truncpw[8] = '\0';

7
httpd.spec
View File

@ -8,7 +8,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.2 Version: 2.4.2
Release: 13%{?dist} Release: 14%{?dist}
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -50,6 +50,7 @@ Patch40: httpd-2.4.2-restart.patch
Patch41: httpd-2.4.2-r1327036+.patch Patch41: httpd-2.4.2-r1327036+.patch
Patch42: httpd-2.4.2-r1326980+.patch Patch42: httpd-2.4.2-r1326980+.patch
Patch43: httpd-2.4.2-r1332643+.patch Patch43: httpd-2.4.2-r1332643+.patch
Patch44: httpd-2.4.2-r1346905.patch
License: ASL 2.0 License: ASL 2.0
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -161,6 +162,7 @@ authentication to the Apache HTTP Server.
%patch41 -p1 -b .r1327036+ %patch41 -p1 -b .r1327036+
%patch42 -p1 -b .r1326980+ %patch42 -p1 -b .r1326980+
%patch43 -p1 -b .r1332643+ %patch43 -p1 -b .r1332643+
%patch44 -p1 -b .r1346905
# Patch in vendor/release string # Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@ -565,6 +567,9 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd %{_sysconfdir}/rpm/macros.httpd
%changelog %changelog
* Wed Jun 6 2012 Joe Orton <jorton@redhat.com> - 2.4.2-14
- fix htdbm/htpasswd crash on crypt() failure (#818684)
* Wed Jun 6 2012 Joe Orton <jorton@redhat.com> - 2.4.2-13 * Wed Jun 6 2012 Joe Orton <jorton@redhat.com> - 2.4.2-13
- pull fix for NPN patch from upstream (r1345599) - pull fix for NPN patch from upstream (r1345599)