From c3f322ca04acbc9bad3ad1d75d4d2048e1e297e9 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Fri, 13 Jan 2012 13:27:46 +0000 Subject: [PATCH] Merge r1230069 from trunk: Submitted by: jorton Reviewed/backported by: jim SECURITY (CVE-2012-0031) patch git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1231058 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 6 +++++- STATUS | 5 ----- server/scoreboard.c | 6 ++++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 9c8fc293668..6ea1a8a993e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.22 + *) SECURITY (CVE-2012-0031): Fix scoreboard issue which could allow + an unprivileged child process could cause the parent to crash at + shutdown rather than terminate cleanly. [Joe Orton] + *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in @@ -24,7 +28,7 @@ Changes with Apache 2.2.22 *) core: Fix segfault in ap_send_interim_response(). PR 52315. [Stefan Fritsch] - *) mod_log_config: Prevent segfault. PR 50861. [Torsten Förtsch + *) mod_log_config: Prevent segfault. PR 50861. [Torsten F�rtsch ] *) mod_win32: Invert logic for env var UTF-8 fixing. diff --git a/STATUS b/STATUS index 3f459eb51f5..bd3ecccd99a 100644 --- a/STATUS +++ b/STATUS @@ -92,11 +92,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * Fix CVE-2012-0031, scoreboard issue. - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1230065 - 2.2.x patch: use patch in 2.4.x which avoids MMN bump, - http://svn.apache.org/viewvc?view=revision&revision=1230069 - +1: jorton, trawick, covener, jim PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/server/scoreboard.c b/server/scoreboard.c index 85f375579c7..97b67f7a567 100644 --- a/server/scoreboard.c +++ b/server/scoreboard.c @@ -42,6 +42,8 @@ AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL; AP_DECLARE_DATA int ap_extended_status = 0; AP_DECLARE_DATA int ap_mod_status_reqtail = 0; +static ap_scoreboard_e scoreboard_type; + #if APR_HAS_SHARED_MEMORY #include "apr_shm.h" @@ -250,7 +252,7 @@ apr_status_t ap_cleanup_scoreboard(void *d) if (ap_scoreboard_image == NULL) { return APR_SUCCESS; } - if (ap_scoreboard_image->global->sb_type == SB_SHARED) { + if (scoreboard_type == SB_SHARED) { ap_cleanup_shared_mem(NULL); } else { @@ -312,7 +314,7 @@ int ap_create_scoreboard(apr_pool_t *p, ap_scoreboard_e sb_type) ap_init_scoreboard(sb_mem); } - ap_scoreboard_image->global->sb_type = sb_type; + ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type; ap_scoreboard_image->global->running_generation = 0; ap_scoreboard_image->global->restart_time = apr_time_now(); -- 2.47.2