httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: CVE-2013-5704 fix breaks mod_wsgi
Date Mon, 12 Jan 2015 17:05:04 GMT
On Mon, Jan 12, 2015 at 11:25:53AM -0500, Eric Covener wrote:
> On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton <jorton@redhat.com> wrote:
> > Either way, the fix for CVE-2013-5704 ends up breaking backwards
> > compatibility with existing 2.4.x builds of mod_wsgi, which is kind of
> > Bad.  I don't have a good proposal for how to fix or avoid this.  Worst
> > case, we make clear the mod_wsgi case is API/ABI abuse and warn binary
> > distributors they have to handle this by rebuilding.
> 
> Is there anything we can do in 2.4.11 for packagers who haven't picked
> this up yet since we're already picking up a problematic extension of
> the struct?
> 
> What if we stashed away the MMN after these fields, and validated it?
> Or just a request_rec version?

It would be possible to do some hack.  Say, stash something in r->notes 
that this is a "real" request_rec, and check for that before accessing 
r->trailers (which only happens in one place).

There may well be a cheaper way than modifying r->notes.

Mime
View raw message