From wr...@apache.org
Subject svn commit: r800870 - in /apr/site/trunk/dist/patches: ./ HEADER.html README.html apr-0.9-CVE-2009-2412.patch apr-1.x-CVE-2009-2412.patch apr-util-0.9-CVE-2009-2412.patch apr-util-1.x-CVE-2009-2412.patch
Date Tue, 04 Aug 2009 16:42:54 GMT
Author: wrowe
Date: Tue Aug  4 16:42:54 2009
New Revision: 800870

URL: http://svn.apache.org/viewvc?rev=800870&view=rev
Log:
Ordinal location of patches shall be

  http://www.apache.org/dist/apr/patches/


Added:
    apr/site/trunk/dist/patches/
    apr/site/trunk/dist/patches/HEADER.html   (with props)
    apr/site/trunk/dist/patches/README.html   (with props)
    apr/site/trunk/dist/patches/apr-0.9-CVE-2009-2412.patch   (with props)
    apr/site/trunk/dist/patches/apr-1.x-CVE-2009-2412.patch   (with props)
    apr/site/trunk/dist/patches/apr-util-0.9-CVE-2009-2412.patch   (with props)
    apr/site/trunk/dist/patches/apr-util-1.x-CVE-2009-2412.patch   (with props)

Added: apr/site/trunk/dist/patches/HEADER.html
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/patches/HEADER.html?rev=800870&view=auto
==============================================================================
--- apr/site/trunk/dist/patches/HEADER.html (added)
+++ apr/site/trunk/dist/patches/HEADER.html Tue Aug  4 16:42:54 2009
@@ -0,0 +1,12 @@
+<h1>Index of /dist/apr/patches</h1>
+
+<h2>Apache APR Project Source Code Recommended Patches</h2>
+
+<p>
+    This downloads page includes only patches to the sources strongly
+    recommended for building APR projects, generally using security
+    .
+</p>
+
+<h3><a href="#summary">Summary of patches</a></h3>
+

Propchange: apr/site/trunk/dist/patches/HEADER.html
------------------------------------------------------------------------------
    svn:eol-style = native

Added: apr/site/trunk/dist/patches/README.html
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/patches/README.html?rev=800870&view=auto
==============================================================================
--- apr/site/trunk/dist/patches/README.html (added)
+++ apr/site/trunk/dist/patches/README.html Tue Aug  4 16:42:54 2009
@@ -0,0 +1,13 @@
+<h2><a name="summary">Summary of Patches</a></h2>
+
+<h2><a name="CVE20092412">CVE-2009-2412</a></h2>
+
+<ul>
+  <li>Apply to APR 0.9.0 - 0.9.18 and 1.0.0 - 1.3.7</li>
+  <li>Apply to APR-util 0.9.0 - 0.9.17 and 1.0.0 - 1.3.8</li>
+</ul>
+
+<p>Overflow flaw in apr_pool and apr_rmm APIs. Additional details 
+forthcoming.</p>
+
+

Propchange: apr/site/trunk/dist/patches/README.html
------------------------------------------------------------------------------
    svn:eol-style = native

Added: apr/site/trunk/dist/patches/apr-0.9-CVE-2009-2412.patch
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/patches/apr-0.9-CVE-2009-2412.patch?rev=800870&view=auto
==============================================================================
--- apr/site/trunk/dist/patches/apr-0.9-CVE-2009-2412.patch (added)
+++ apr/site/trunk/dist/patches/apr-0.9-CVE-2009-2412.patch Tue Aug  4 16:42:54 2009
@@ -0,0 +1,67 @@
+SECURITY: CVE-2009-2412 (cve.mitre.org)
+Fix overflow in pools, where size alignment was taking place.
+
+Reported by: Matt Lewis <mattlewis@google.com>
+
+* memory/unix/apr_pools.c
+  (allocator_alloc, apr_palloc): Check for overflow after aligning size.
+  (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice.
+
+SEE ALSO: apr-util-0.9-CVE-2009-2412.patch
+
+Index: memory/unix/apr_pools.c
+===================================================================
+--- memory/unix/apr_pools.c	(revision 800657)
++++ memory/unix/apr_pools.c	(working copy)
+@@ -189,15 +189,19 @@
+ }
+ 
+ static APR_INLINE
+-apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t size)
++apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
+ {
+     apr_memnode_t *node, **ref;
+     apr_uint32_t i, index, max_index;
++    apr_size_t size;
+ 
+     /* Round up the block size to the next boundary, but always
+      * allocate at least a certain size (MIN_ALLOC).
+      */
+-    size = APR_ALIGN(size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++    size = APR_ALIGN(in_size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++    if (size < in_size) {
++        return NULL;
++    }
+     if (size < MIN_ALLOC)
+         size = MIN_ALLOC;
+ 
+@@ -625,13 +629,19 @@
+  * Memory allocation
+  */
+ 
+-APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
++APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
+ {
+     apr_memnode_t *active, *node;
+     void *mem;
+     apr_uint32_t free_index;
++    apr_size_t size;
+ 
+-    size = APR_ALIGN_DEFAULT(size);
++    size = APR_ALIGN_DEFAULT(in_size);
++    if (size < in_size) {
++        if (pool->abort_fn)
++            pool->abort_fn(APR_ENOMEM);
++
++    }
+     active = pool->active;
+ 
+     /* If the active node has enough bytes left, use it. */
+@@ -696,7 +706,6 @@
+ {
+     void *mem;
+ 
+-    size = APR_ALIGN_DEFAULT(size);
+     if ((mem = apr_palloc(pool, size)) != NULL) {
+         memset(mem, 0, size);
+     }
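Review bot: In the apr_palloc hunk of this 0.9 patch, the new `if (size < in_size)` branch calls `pool->abort_fn(APR_ENOMEM)` and then falls through to `active = pool->active;`. When no abort function is set, or the abort function returns, allocation carries on with the wrapped `size`. The apr-1.x patch in this same commit closes the branch with `return NULL;`, and the 0.9 branch needs the same line after the abort_fn call. Without it the caller would likely get back a block smaller than `in_size`, which is the condition the patch is meant to rule out. apr_palloc's body continues outside the hunk.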

Propchange: apr/site/trunk/dist/patches/apr-0.9-CVE-2009-2412.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: apr/site/trunk/dist/patches/apr-1.x-CVE-2009-2412.patch
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/patches/apr-1.x-CVE-2009-2412.patch?rev=800870&view=auto
==============================================================================
--- apr/site/trunk/dist/patches/apr-1.x-CVE-2009-2412.patch (added)
+++ apr/site/trunk/dist/patches/apr-1.x-CVE-2009-2412.patch Tue Aug  4 16:42:54 2009
@@ -0,0 +1,69 @@
+SECURITY: CVE-2009-2412 (cve.mitre.org)
+Fix overflow in pools, where size alignment was taking place.
+
+Reported by: Matt Lewis <mattlewis@google.com>
+
+* memory/unix/apr_pools.c
+  (allocator_alloc, apr_palloc): Check for overflow after aligning size.
+  (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice.
+
+SEE ALSO: apr-util-1.x-CVE-2009-2412.patch
+
+Index: memory/unix/apr_pools.c
+===================================================================
+--- memory/unix/apr_pools.c	(revision 798473)
++++ memory/unix/apr_pools.c	(working copy)
+@@ -191,16 +191,19 @@
+ }
+ 
+ static APR_INLINE
+-apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t size)
++apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
+ {
+     apr_memnode_t *node, **ref;
+     apr_uint32_t max_index;
+-    apr_size_t i, index;
++    apr_size_t size, i, index;
+ 
+     /* Round up the block size to the next boundary, but always
+      * allocate at least a certain size (MIN_ALLOC).
+      */
+-    size = APR_ALIGN(size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++    size = APR_ALIGN(in_size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++    if (size < in_size) {
++        return NULL;
++    }
+     if (size < MIN_ALLOC)
+         size = MIN_ALLOC;
+ 
+@@ -628,13 +631,19 @@
+  * Memory allocation
+  */
+ 
+-APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
++APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
+ {
+     apr_memnode_t *active, *node;
+     void *mem;
+-    apr_size_t free_index;
++    apr_size_t size, free_index;
+ 
+-    size = APR_ALIGN_DEFAULT(size);
++    size = APR_ALIGN_DEFAULT(in_size);
++    if (size < in_size) {
++        if (pool->abort_fn)
++            pool->abort_fn(APR_ENOMEM);
++
++        return NULL;
++    }
+     active = pool->active;
+ 
+     /* If the active node has enough bytes left, use it. */
+@@ -699,7 +708,6 @@
+ {
+     void *mem;
+ 
+-    size = APR_ALIGN_DEFAULT(size);
+     if ((mem = apr_palloc(pool, size)) != NULL) {
+         memset(mem, 0, size);
+     }
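Review bot: The `size < in_size` tests added to allocator_alloc and apr_palloc carry no comment, and next to the following `MIN_ALLOC` test the idiom is easy to misread as a minimum-size check. A comment above each test, such as `/* aligning only rounds up, so a result below in_size means apr_size_t wrapped */`, would record why the comparison is sufficient. apr_pcalloc also changes behaviour slightly, since it now clears only the requested `size` rather than the aligned size; that deserves a line such as `/* clears exactly size bytes; alignment padding is left as returned by apr_palloc */`. The same uncommented test appears in the 0.9 patch and in both apr-util patches. All three function bodies extend beyond their hunks.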

Propchange: apr/site/trunk/dist/patches/apr-1.x-CVE-2009-2412.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: apr/site/trunk/dist/patches/apr-util-0.9-CVE-2009-2412.patch
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/patches/apr-util-0.9-CVE-2009-2412.patch?rev=800870&view=auto
==============================================================================
--- apr/site/trunk/dist/patches/apr-util-0.9-CVE-2009-2412.patch (added)
+++ apr/site/trunk/dist/patches/apr-util-0.9-CVE-2009-2412.patch Tue Aug  4 16:42:54 2009
@@ -0,0 +1,92 @@
+SECURITY: CVE-2009-2412 (cve.mitre.org)
+Fix overflow in rmm, where size alignment was taking place.
+
+Reported by: Matt Lewis <mattlewis@google.com>
+
+* misc/apr_rmm.c
+  (apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc): Check for overflow after aligning size.
+
+SEE ALSO: apr-0.9-CVE-2009-2412.patch
+ 
+Index: apr-util-0.9/misc/apr_rmm.c
+===================================================================
+--- apr-util-0.9/misc/apr_rmm.c	(revision 800735)
++++ apr-util-0.9/misc/apr_rmm.c	(working copy)
+@@ -277,13 +277,17 @@
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++    apr_size_t size;
+     apr_rmm_off_t this;
+     
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    if (size < reqsize) {
++        return 0;
++    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
++    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+@@ -296,18 +300,22 @@
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++    apr_size_t size;
+     apr_rmm_off_t this;
+         
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    if (size < reqsize) {
++        return 0;
++    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
++    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+         this += RMM_BLOCK_SIZE;
+-        memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
++        memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
+     }
+ 
+     APR_ANYLOCK_UNLOCK(&rmm->lock);
+@@ -320,16 +328,19 @@
+     apr_rmm_off_t this;
+     apr_rmm_off_t old;
+     struct rmm_block_t *blk;
+-    apr_size_t oldsize;
++    apr_size_t size, oldsize;
+ 
+     if (!entity) {
+         return apr_rmm_malloc(rmm, reqsize);
+     }
+ 
+-    reqsize = APR_ALIGN_DEFAULT(reqsize);
++    size = APR_ALIGN_DEFAULT(reqsize);
++    if (size < reqsize) {
++        return 0;
++    }
+     old = apr_rmm_offset_get(rmm, entity);
+ 
+-    if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
++    if ((this = apr_rmm_malloc(rmm, size)) == 0) {
+         return 0;
+     }
+ 
+@@ -337,7 +348,7 @@
+     oldsize = blk->size;
+ 
+     memcpy(apr_rmm_addr_get(rmm, this),
+-           apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
++           apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
+     apr_rmm_free(rmm, old);
+ 
+     return this;
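Review bot: The memcpy bound in apr_rmm_realloc still comes from `oldsize = blk->size`, and the earlier hunks suggest that block sizes include the header: apr_rmm_malloc passes `APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE` to find_block_of_size, and apr_rmm_calloc subtracts `RMM_BLOCK_SIZE` before its memset. If blk->size is stored the same way (its assignment is not visible here), growing a block would copy RMM_BLOCK_SIZE bytes beyond the old payload. Please confirm, and if so use `oldsize = blk->size - RMM_BLOCK_SIZE;`. The apr-util-1.x patch in this commit has the identical lines. apr_rmm_realloc begins and ends outside the hunk.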

Propchange: apr/site/trunk/dist/patches/apr-util-0.9-CVE-2009-2412.patch
------------------------------------------------------------------------------
    svn:eol-style = native

Added: apr/site/trunk/dist/patches/apr-util-1.x-CVE-2009-2412.patch
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/patches/apr-util-1.x-CVE-2009-2412.patch?rev=800870&view=auto
==============================================================================
--- apr/site/trunk/dist/patches/apr-util-1.x-CVE-2009-2412.patch (added)
+++ apr/site/trunk/dist/patches/apr-util-1.x-CVE-2009-2412.patch Tue Aug  4 16:42:54 2009
@@ -0,0 +1,92 @@
+SECURITY: CVE-2009-2412 (cve.mitre.org)
+Fix overflow in rmm, where size alignment was taking place.
+
+Reported by: Matt Lewis <mattlewis@google.com>
+
+* misc/apr_rmm.c
+  (apr_rmm_malloc, apr_rmm_calloc, apr_rmm_realloc): Check for overflow after aligning size.
+
+SEE ALSO: apr-1.x-CVE-2009-2412.patch
+ 
+Index: misc/apr_rmm.c
+===================================================================
+--- misc/apr_rmm.c	(revision 800339)
++++ misc/apr_rmm.c	(working copy)
+@@ -306,13 +306,17 @@
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++    apr_size_t size;
+     apr_rmm_off_t this;
+     
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    if (size < reqsize) {
++        return 0;
++    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
++    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+@@ -325,18 +329,22 @@
+ 
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++    apr_size_t size;
+     apr_rmm_off_t this;
+         
+-    reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++    if (size < reqsize) {
++        return 0;
++    }
+ 
+     APR_ANYLOCK_LOCK(&rmm->lock);
+ 
+-    this = find_block_of_size(rmm, reqsize);
++    this = find_block_of_size(rmm, size);
+ 
+     if (this) {
+         move_block(rmm, this, 0);
+         this += RMM_BLOCK_SIZE;
+-        memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
++        memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
+     }
+ 
+     APR_ANYLOCK_UNLOCK(&rmm->lock);
+@@ -349,16 +357,19 @@
+     apr_rmm_off_t this;
+     apr_rmm_off_t old;
+     struct rmm_block_t *blk;
+-    apr_size_t oldsize;
++    apr_size_t size, oldsize;
+ 
+     if (!entity) {
+         return apr_rmm_malloc(rmm, reqsize);
+     }
+ 
+-    reqsize = APR_ALIGN_DEFAULT(reqsize);
++    size = APR_ALIGN_DEFAULT(reqsize);
++    if (size < reqsize) {
++        return 0;
++    }
+     old = apr_rmm_offset_get(rmm, entity);
+ 
+-    if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
++    if ((this = apr_rmm_malloc(rmm, size)) == 0) {
+         return 0;
+     }
+ 
+@@ -366,7 +377,7 @@
+     oldsize = blk->size;
+ 
+     memcpy(apr_rmm_addr_get(rmm, this),
+-           apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
++           apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
+     apr_rmm_free(rmm, old);
+ 
+     return this;

Propchange: apr/site/trunk/dist/patches/apr-util-1.x-CVE-2009-2412.patch
------------------------------------------------------------------------------
    svn:eol-style = native


