Gentoo Archives: gentoo-commits

From: "Peter Weller (welp)" <welp@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in www-servers/lighttpd/files/1.4.18-r1: 03_all_lighttpd-1.4.11-errorlog-pipe.diff 04_all_lighttpd-1.4.13-deprecated-ldap-api.diff 05_all_lighttpd-fix-DoS.diff
Date: Sun, 24 Feb 2008 16:34:23
Message-Id: E1JTJnw-0005yj-EX@stork.gentoo.org
1 welp 08/02/24 16:34:20
2
3 Added: 03_all_lighttpd-1.4.11-errorlog-pipe.diff
4 04_all_lighttpd-1.4.13-deprecated-ldap-api.diff
5 05_all_lighttpd-fix-DoS.diff
6 Log:
7 Patch and revbump for security; bug 211230
8 (Portage version: 2.1.4.4)
9 (Unsigned Manifest commit)
10
11 Revision Changes Path
12 1.1 www-servers/lighttpd/files/1.4.18-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff
13
14 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.18-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff?rev=1.1&view=markup
15 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.18-r1/03_all_lighttpd-1.4.11-errorlog-pipe.diff?rev=1.1&content-type=text/plain
16
17 Index: 03_all_lighttpd-1.4.11-errorlog-pipe.diff
18 ===================================================================
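--- a/src/base.h
+++ b/src/base.h
@@ -505,7 +505,7 @@
 
 /* the errorlog */
 int errorlog_fd;
- enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG } errorlog_mode;
+ enum { ERRORLOG_STDERR, ERRORLOG_FILE, ERRORLOG_SYSLOG, ERRORLOG_PIPE } errorlog_mode;
 buffer *errorlog_buf;
 
 fdevents *ev, *ev_ins;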
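--- a/src/log.c
+++ b/src/log.c
@@ -34,10 +34,11 @@
 /**
 * open the errorlog
 *
- * we have 3 possibilities:
+ * we have 4 possibilities:
 * - stderr (default)
 * - syslog
 * - logfile
+ * - pipe
 *
 * if the open failed, report to the user and die
 *
@@ -57,21 +58,81 @@
 srv->errorlog_mode = ERRORLOG_SYSLOG;
 } else if (!buffer_is_empty(srv->srvconf.errorlog_file)) {
 const char *logfile = srv->srvconf.errorlog_file->ptr;
-
- if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) {
- log_error_write(srv, __FILE__, __LINE__, "SSSS",
- "opening errorlog '", logfile,
- "' failed: ", strerror(errno));
-
+
+ if (logfile[0] == '|') {
+#ifdef HAVE_FORK
+ /* create write pipe and spawn process */
+
+ int to_log_fds[2];
+ pid_t pid;
+
+ if (pipe(to_log_fds)) {
+ log_error_write(srv, __FILE__, __LINE__, "ss",
+ "pipe failed: ", strerror(errno));
+ return -1;
+ }
+
+ /* fork, execve */
+ switch (pid = fork()) {
+ case 0:
+ /* child */
+
+ close(STDIN_FILENO);
+ dup2(to_log_fds[0], STDIN_FILENO);
+ close(to_log_fds[0]);
+ /* not needed */
+ close(to_log_fds[1]);
+
+ /* we don't need the client socket */
+ for (fd = 3; fd < 256; fd++) {
+ close(fd);
+ }
+
+ /* exec the log-process (skip the | )
+ *
+ */
+
+ execl("/bin/sh", "sh", "-c", logfile + 1, NULL);
+
+ log_error_write(srv, __FILE__, __LINE__, "sss",
+ "spawning log-process failed: ",
+ strerror(errno), logfile + 1);
+
+ exit(-1);
+ break;
+ case -1:
+ /* error */
+ log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno));
+ break;
+ default:
+ close(to_log_fds[0]);
+
+ srv->errorlog_fd = to_log_fds[1];
+
+ break;
+ }
+ srv->errorlog_mode = ERRORLOG_PIPE;
+#else
+ log_error_write(srv, __FILE__, __LINE__, "SSS",
+ "opening errorlog '", logfile,"' impossible");
 return -1;
- }
+#endif
+ } else {
+ if (-1 == (srv->errorlog_fd = open(logfile, O_APPEND | O_WRONLY | O_CREAT | O_LARGEFILE, 0644))) {
+ log_error_write(srv, __FILE__, __LINE__, "SSSS",
+ "opening errorlog '", logfile,
+ "' failed: ", strerror(errno));
+
+ return -1;
+ }
+ srv->errorlog_mode = ERRORLOG_FILE;
+ }
 #ifdef FD_CLOEXEC
- /* close fd on exec (cgi) */
- fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC);
+ /* close fd on exec (cgi) */
+ fcntl(srv->errorlog_fd, F_SETFD, FD_CLOEXEC);
 #endif
- srv->errorlog_mode = ERRORLOG_FILE;
- }
-
+ }
+
 log_error_write(srv, __FILE__, __LINE__, "s", "server started");
 
 #ifdef HAVE_VALGRIND_VALGRIND_H
@@ -99,7 +160,7 @@
 */
 
 int log_error_cycle(server *srv) {
- /* only cycle if we are not in syslog-mode */
+ /* only cycle if the error log is a file */
 
 if (srv->errorlog_mode == ERRORLOG_FILE) {
 const char *logfile = srv->srvconf.errorlog_file->ptr;
@@ -135,6 +196,7 @@
 log_error_write(srv, __FILE__, __LINE__, "s", "server stopped");
 
 switch(srv->errorlog_mode) {
+ case ERRORLOG_PIPE: /* fall through */
 case ERRORLOG_FILE:
 close(srv->errorlog_fd);
 break;
@@ -154,6 +216,7 @@
 va_list ap;
 
 switch(srv->errorlog_mode) {
+ case ERRORLOG_PIPE:
 case ERRORLOG_FILE:
 case ERRORLOG_STDERR:
 /* cache the generated timestamp */
@@ -238,6 +301,7 @@
 va_end(ap);
 
 switch(srv->errorlog_mode) {
+ case ERRORLOG_PIPE: /* fall through */
 case ERRORLOG_FILE:
 BUFFER_APPEND_STRING_CONST(srv->errorlog_buf, "\n");
 write(srv->errorlog_fd, srv->errorlog_buf->ptr, srv->errorlog_buf->used - 1);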
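Review bot: In the `case -1:` arm of the fork switch (second log.c hunk), a failed fork() is only logged; control leaves the switch, `srv->errorlog_mode` is still set to ERRORLOG_PIPE, `srv->errorlog_fd` is never assigned, and both ends of `to_log_fds` stay open, so the later `fcntl()` and every pipe-mode `write()` use whatever value that field held before (its initial value is not visible here). The arm should fail the same way the `pipe()` error path does: `close(to_log_fds[0]); close(to_log_fds[1]); return -1;`. In the child, the path after a failed `execl()` would be safer ending in `_exit(1)` rather than `exit(-1)`, because `exit()` runs the parent's atexit handlers and flushes inherited stdio buffers in the forked copy. It is also worth a comment that the configured string after `|` is handed to `/bin/sh -c` with whatever privileges the server holds when the log is opened. The enclosing function starts above the hunk and continues past it.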
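--- a/src/mod_cgi.c
+++ b/src/mod_cgi.c
@@ -750,7 +750,7 @@
 *
 * we feed the stderr of the CGI to our errorlog, if possible
 */
- if (srv->errorlog_mode == ERRORLOG_FILE) {
+ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) {
 close(STDERR_FILENO);
 dup2(srv->errorlog_fd, STDERR_FILENO);
 }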
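Review bot: The widened test `(srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)` is spelled out here and again in the mod_rrdtool.c hunk, and neither site records what it now implies: in pipe mode the child's stderr is attached to the logger process's stdin, so anything a CGI script prints there reaches the logger unfiltered and mixed with the server's own log lines. I would add a comment at both sites such as `/* file or pipe: errorlog_fd is a real descriptor; child stderr is written to it unfiltered */`. The result of `dup2()` after `close(STDERR_FILENO)` is unchecked in both hunks, so a failure would leave descriptor 2 closed in the child; that predates this change but now covers the pipe case too. Both enclosing functions extend beyond the hunks shown.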
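--- a/src/mod_rrdtool.c
+++ b/src/mod_rrdtool.c
@@ -134,7 +134,7 @@
 
 close(STDERR_FILENO);
 
- if (srv->errorlog_mode == ERRORLOG_FILE) {
+ if ((srv->errorlog_mode == ERRORLOG_FILE) || (srv->errorlog_mode == ERRORLOG_PIPE)) {
 dup2(srv->errorlog_fd, STDERR_FILENO);
 close(srv->errorlog_fd);
 }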
198
199
200
201 1.1 www-servers/lighttpd/files/1.4.18-r1/04_all_lighttpd-1.4.13-deprecated-ldap-api.diff
202
203 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.18-r1/04_all_lighttpd-1.4.13-deprecated-ldap-api.diff?rev=1.1&view=markup
204 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.18-r1/04_all_lighttpd-1.4.13-deprecated-ldap-api.diff?rev=1.1&content-type=text/plain
205
206 Index: 04_all_lighttpd-1.4.13-deprecated-ldap-api.diff
207 ===================================================================
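--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -213,6 +213,7 @@
 mod_auth_la_SOURCES = mod_auth.c http_auth_digest.c http_auth.c
 mod_auth_la_LDFLAGS = -module -export-dynamic -avoid-version -no-undefined
 mod_auth_la_LIBADD = $(CRYPT_LIB) $(LDAP_LIB) $(LBER_LIB) $(common_libadd)
+mod_auth_la_CFLAGS = -DLDAP_DEPRECATED
 
 lib_LTLIBRARIES += mod_rewrite.la
 mod_rewrite_la_SOURCES = mod_rewrite.c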
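Review bot: `mod_auth_la_CFLAGS = -DLDAP_DEPRECATED` sets a per-target CFLAGS variable, and in automake a per-target `_CFLAGS` replaces `AM_CFLAGS` for that target rather than adding to it, so any project-wide warning or hardening flags defined there would stop applying to mod_auth (whether AM_CFLAGS is set is not visible in this hunk). Writing it as `mod_auth_la_CFLAGS = $(AM_CFLAGS) -DLDAP_DEPRECATED` keeps them. A one-line comment above it, for example `# stopgap: re-exposes the deprecated OpenLDAP API until mod_auth is ported`, would tell the next maintainer why the define is there; that mod_auth still calls the deprecated functions is inferred from the patch name only.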
218
219
220
221 1.1 www-servers/lighttpd/files/1.4.18-r1/05_all_lighttpd-fix-DoS.diff
222
223 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.18-r1/05_all_lighttpd-fix-DoS.diff?rev=1.1&view=markup
224 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.18-r1/05_all_lighttpd-fix-DoS.diff?rev=1.1&content-type=text/plain
225
226 Index: 05_all_lighttpd-fix-DoS.diff
227 ===================================================================
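--- a/src/fdevent_solaris_devpoll.c
+++ b/src/fdevent_solaris_devpoll.c
@@ -67,7 +67,7 @@
 int ret;
 
 dopoll.dp_timeout = timeout_ms;
- dopoll.dp_nfds = ev->maxfds;
+ dopoll.dp_nfds = ev->maxfds - 1;
 dopoll.dp_fds = ev->devpollfds;
 
 ret = ioctl(ev->devpoll_fd, DP_POLL, &dopoll);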
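Review bot: The new `dopoll.dp_nfds = ev->maxfds - 1;` has no comment, and in a patch named fix-DoS the reason for the off-by-one belongs next to the line; presumably one slot is consumed by `ev->devpoll_fd` or the `ev->devpollfds` array is sized that way, but neither allocation is visible here. The server.c hunk of the same patch removes the old `rlim.rlim_cur -= 10` reserve, so the comment should say how the two changes fit together, e.g. `/* ask for at most maxfds - 1 results: <reason>; replaces the 10-fd reserve formerly taken in server.c */`. The subtraction is also unguarded: if `ev->maxfds` could ever be 0 the count passed to `DP_POLL` would be negative or wrap depending on the field's type, and whether initialisation rules that out cannot be seen from this hunk. The enclosing function starts and ends outside the hunk.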
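--- a/src/server.c
+++ b/src/server.c
@@ -697,9 +697,6 @@
 }
 }
 
- /* #372: solaris need some fds extra for devpoll */
- if (rlim.rlim_cur > 10) rlim.rlim_cur -= 10;
-
 if (srv->event_handler == FDEVENT_HANDLER_SELECT) {
 srv->max_fds = rlim.rlim_cur < FD_SETSIZE - 200 ? rlim.rlim_cur : FD_SETSIZE - 200;
 } else {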
253
254
255
256 --
257 gentoo-commits@l.g.o mailing list