httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jor...@apache.org
Subject svn commit: r1230069 - in /httpd/httpd/branches/2.4.x: CHANGES server/scoreboard.c
Date Wed, 11 Jan 2012 14:45:02 GMT
Author: jorton
Date: Wed Jan 11 14:45:02 2012
New Revision: 1230069

URL: http://svn.apache.org/viewvc?rev=1230069&view=rev
Log:
Merge r1230065 from trunk (adapted to avoid MMN change):

SECURITY (CVE-2012-0031): Fix possible crash on shutdown if a child
changes the sb_type field in the scoreboard.  Since unprivileged
children should not be able to affect the parent in this way, this is
treated as a Low severity security issue.

Thanks to "halfdog" <me halfdog.net> for reporting this issue.

* server/scoreboard.c (ap_cleanup_scoreboard, ap_create_scoreboard):
  Use a static global to store an authoritative copy of the scoreboard
  type.

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/server/scoreboard.c

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1230069&r1=1230068&r2=1230069&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Wed Jan 11 14:45:02 2012
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.0
 
+  *) SECURITY (CVE-2012-0031): Fix scoreboard issue which could allow
+     an unprivileged child process could cause the parent to crash at
+     shutdown rather than terminate cleanly.  [Joe Orton]
+
   *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch]
 
   *) mod_log_config: Fix segfault when trying to log a nameless, valueless

Modified: httpd/httpd/branches/2.4.x/server/scoreboard.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/scoreboard.c?rev=1230069&r1=1230068&r2=1230069&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/scoreboard.c (original)
+++ httpd/httpd/branches/2.4.x/server/scoreboard.c Wed Jan 11 14:45:02 2012
@@ -42,6 +42,7 @@
 
 AP_DECLARE_DATA scoreboard *ap_scoreboard_image = NULL;
 AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL;
+static ap_scoreboard_e scoreboard_type;
 
 const char * ap_set_scoreboard(cmd_parms *cmd, void *dummy,
                                const char *arg)
@@ -276,7 +277,7 @@ apr_status_t ap_cleanup_scoreboard(void 
     if (ap_scoreboard_image == NULL) {
         return APR_SUCCESS;
     }
-    if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
+    if (scoreboard_type == SB_SHARED) {
         ap_cleanup_shared_mem(NULL);
     }
     else {
@@ -329,7 +330,7 @@ int ap_create_scoreboard(apr_pool_t *p, 
         ap_init_scoreboard(sb_mem);
     }
 
-    ap_scoreboard_image->global->sb_type = sb_type;
+    ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type;
     ap_scoreboard_image->global->running_generation = 0;
     ap_scoreboard_image->global->restart_time = apr_time_now();
 



Mime
View raw message