httpd-users mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier
Date Thu, 24 May 2012 19:30:17 GMT
On 5/24/2012 12:05 PM, Luke Lozier wrote:
> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues
> described in this CVE:
> 
> Changes with Apache 2.2.23
> 
>   *) SECURITY: CVE-2012-0883 (cve.mitre.org <http://cve.mitre.org>)
>      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
>      current working directory to be searched for DSOs. [Stefan Fritsch]
> 
> Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2

Modify your installed envvars (and envvars-std) script and apachectl (or equivalent
script provided by your application vendor) to ensure that this code is changed:


@@ -18,6 +18,10 @@
 #
 # This file is generated from envvars-std.in
 #
-LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
+if test "x$LD_LIBRARY_PATH" != "x" ; then
+  LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
+else
+  LD_LIBRARY_PATH="/path/to/httpd/lib"
+fi
 export LD_LIBRARY_PATH
 #
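Review bot: the `test "x$LD_LIBRARY_PATH" != "x"` guard is the entire fix, so a comment above the `if` explaining why it exists would help whoever applies this by hand: with an empty LD_LIBRARY_PATH the removed line produced `/path/to/httpd/lib:`, and the dynamic loader treats that trailing empty element as the current working directory, which is exactly the CVE-2012-0883 condition quoted above. Two caveats for hand-applied patches: `/path/to/httpd/lib` is a placeholder that must be the installation's real lib directory (a generated envvars carries the actual path), and the guard only handles the empty case, so an inherited LD_LIBRARY_PATH that already contains an empty element (leading or trailing colon, or `::`) is still passed through unchanged.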

On oddball platforms this may be LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.
If your platform's apachectl script invokes envvars, you are done.  If it doesn't,
there may be an insecure LD_LIBRARY_PATH assignment there; just use the example above.

Upgrading for this defect is frankly silly, although effective.  There is no planned
date yet for 2.2.23 although it will come along sometime in the not too distant
future.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
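As an added example (not from the message above or from the httpd project), the following POSIX shell functions build the search path the way the patched envvars does and audit an existing value for the empty element that makes the loader search the current directory; /opt/httpd/lib is an assumed install prefix.

```shell
#!/bin/sh
# Added example, not part of the original message. /opt/httpd/lib is an
# assumed install prefix standing in for the page's /path/to/httpd/lib.
HTTPD_LIB="/opt/httpd/lib"

# Prepend $1 to the search path in $2 without creating an empty element.
# This mirrors the patched envvars: an empty $2 must not yield "dir:",
# because ld.so reads an empty element (leading, trailing or "::") as ".".
prepend_libpath() {
  if test "x$2" != "x" ; then
    printf '%s:%s\n' "$1" "$2"
  else
    printf '%s\n' "$1"
  fi
}

# Return 0 (true) when the path value in $1 contains an empty element.
# A wholly empty value adds no directories, so it is reported as clean.
has_empty_element() {
  test "x$1" = "x" && return 1
  case ":$1:" in
    *::*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Print a one-line verdict for a candidate LD_LIBRARY_PATH value.
report() {
  if has_empty_element "$1" ; then
    printf 'INSECURE  %s  (empty element: cwd is searched for DSOs)\n' "$1"
  else
    printf 'ok        %s\n' "$1"
  fi
}

# Constructed values: the pre-patch result with LD_LIBRARY_PATH unset,
# then the patched construction for an empty and a non-empty inherited path.
report "$HTTPD_LIB:"
report "$(prepend_libpath "$HTTPD_LIB" "")"
report "$(prepend_libpath "$HTTPD_LIB" "/usr/local/lib")"
report "$(prepend_libpath "$HTTPD_LIB" "/usr/local/lib:")"
```

The last line shows the caveat of the envvars guard: an inherited value that already carries an empty element is still reported as insecure after prepending.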
