rpms/mod_auth_pgsql/FC-3 mod_auth_pgsql-2.0.1-CVE-2005-3656.patch, NONE, 1.1 mod_auth_pgsql-2.0.1-ruser.patch, NONE, 1.1 mod_auth_pgsql.spec, 1.18, 1.19 mod_auth_pgsql-2.0.1-crasher.patch, 1.1, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Jan 6 08:48:22 UTC 2006
Author: jorton
Update of /cvs/dist/rpms/mod_auth_pgsql/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv6316
Modified Files:
mod_auth_pgsql.spec
Added Files:
mod_auth_pgsql-2.0.1-CVE-2005-3656.patch
mod_auth_pgsql-2.0.1-ruser.patch
Removed Files:
mod_auth_pgsql-2.0.1-crasher.patch
Log Message:
* Fri Jan 6 2006 Joe Orton <jorton at redhat.com> 2.0.1-6.2
- add security fix for CVE-2005-3656
- don't strip .so file so debuginfo works
- fix r->user handling (Mirko Streckenbach, #150087)
mod_auth_pgsql-2.0.1-CVE-2005-3656.patch:
mod_auth_pgsql.c | 16 ++++++++--------
1 files changed, 8 insertions(+), 8 deletions(-)
--- NEW FILE mod_auth_pgsql-2.0.1-CVE-2005-3656.patch ---
--- mod_auth_pgsql-2.0.1/mod_auth_pgsql.c.cve3656
+++ mod_auth_pgsql-2.0.1/mod_auth_pgsql.c
@@ -808,7 +808,7 @@
return DECLINED;
}
}
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
return res;
}
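Review bot: Nothing at this call records why the literal `"%s"` has to stay, and the same applies to the seven other ap_log_rerror calls changed in this patch (the hunks at 819, 831, 861, 921, 951, 967 and 978). Those later hunks show pg_errstr being filled by apr_snprintf from `user`, which the ruser patch shows is taken from `r->user`, so the buffer can carry `%` sequences that arrived in the request. In this hunk the origin of pg_errstr lies outside the visible lines, presumably a database error string. I would add a comment above the call such as `/* pg_errstr may contain client-supplied text; never pass it as the format argument */`, so that a later cleanup does not fold the buffer back into the format position. The enclosing function starts and ends outside the hunk.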
@@ -819,7 +819,7 @@
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"[mod_auth_pgsql.c] - Empty password accepted for user \"%s\"",
user);
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "%s", pg_errstr);
pg_log_auth_user(r, sec, user, sent_pw);
return OK;
};
@@ -831,7 +831,7 @@
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"[mod_auth_pgsql.c] - Empty password rejected for user \"%s\"",
user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
};
@@ -861,7 +861,7 @@
? strcasecmp(real_pw, sent_pw) : strcmp(real_pw, sent_pw)) {
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"PG user %s: password mismatch", user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
@@ -921,7 +921,7 @@
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
ap_note_basic_auth_failure(r);
res = HTTP_UNAUTHORIZED;
} else {
@@ -951,7 +951,7 @@
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"mod_auth_pgsql: user %s denied, no access rules specified (PG-Authoritative)",
user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
@@ -967,7 +967,7 @@
};
if (pg_errstr[0]) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
return HTTP_INTERNAL_SERVER_ERROR;
}
@@ -978,7 +978,7 @@
apr_snprintf(pg_errstr, MAX_STRING_LEN,
"[mod_auth_pgsql.c] - user %s not in right groups (PG-Authoritative)",
user);
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "%s", pg_errstr);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
};
mod_auth_pgsql-2.0.1-ruser.patch:
mod_auth_pgsql.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
--- NEW FILE mod_auth_pgsql-2.0.1-ruser.patch ---
--- mod_auth_pgsql-2.0.1/mod_auth_pgsql.c.crasher
+++ mod_auth_pgsql-2.0.1/mod_auth_pgsql.c
@@ -757,11 +757,12 @@
char *sent_pw, *real_pw;
int res;
char *user;
- user = r->user;
if ((res = ap_get_basic_auth_pw(r, (const char **) &sent_pw)))
return res;
+ user = r->user;
+
#ifdef DEBUG_AUTH_PGSQL
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[mod_auth_pgsql.c] - pg_authenticate_basic_user - going to auth user \"%s\" pass \"%s\" uri \"%s\"",
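Review bot: The debug trace at the end of this hunk has a `pass \"%s\"` field, so a build with DEBUG_AUTH_PGSQL defined would write what is presumably the submitted password into the Apache error log in cleartext. I would drop that field and its argument, leaving `"[mod_auth_pgsql.c] - pg_authenticate_basic_user - going to auth user \"%s\" uri \"%s\""`. The ap_log_rerror call continues past the end of the hunk, so its argument list is not visible here and the argument order should be confirmed when editing. A short comment on the moved assignment, for example `/* r->user is only valid once ap_get_basic_auth_pw() has returned OK */`, would also keep the ordering from being reverted; that reading is inferred from the reordering itself.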
Index: mod_auth_pgsql.spec
===================================================================
RCS file: /cvs/dist/rpms/mod_auth_pgsql/FC-3/mod_auth_pgsql.spec,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- mod_auth_pgsql.spec 4 Apr 2005 12:03:48 -0000 1.18
+++ mod_auth_pgsql.spec 6 Jan 2006 08:48:20 -0000 1.19
@@ -11,7 +11,8 @@
Patch0: mod_auth_pgsql-2.0.1-nonpgsql.patch
Patch1: mod_auth_pgsql-2.0.1-pgconn.patch
Patch2: mod_auth_pgsql-2.0.1-static.patch
-Patch3: mod_auth_pgsql-2.0.1-crasher.patch
+Patch3: mod_auth_pgsql-2.0.1-ruser.patch
+Patch4: mod_auth_pgsql-2.0.1-CVE-2005-3656.patch
License: Apache Software License
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildPrereq: httpd-devel >= 2.0.40-6, postgresql-devel
@@ -27,17 +28,16 @@
%patch0 -p1 -b .nonpgsql
%patch1 -p1 -b .pgconn
%patch2 -p1 -b .static
-%patch3 -p1 -b .crasher
+%patch3 -p1 -b .ruser
+%patch4 -p1 -b .cve3656
%build
-%{_sbindir}/apxs -c %{name}.c -lpq
-mv .libs/%{name}.so .
-%{__strip} -g %{name}.so
+%{_sbindir}/apxs -Wc,-Wall -Wc,-Wformat-security -c %{name}.c -lpq
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT%{_libdir}/httpd/modules
-install -m755 %{name}.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules
+install -m755 .libs/%{name}.so $RPM_BUILD_ROOT%{_libdir}/httpd/modules
# Install the config file
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
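Review bot: The `-Wc,-Wformat-security` flag added to the apxs line only produces a warning, so a later patch that reintroduces a non-literal format string would still build and ship. If the compiler in the build root supports it, `-Wc,-Werror=format-security` would turn that class of mistake into a build failure; otherwise the build log has to be checked for the warning by hand. Separately, the context line `rm -rf $RPM_BUILD_ROOT` leaves the variable unquoted although the guard in front of it quotes it; `rm -rf "$RPM_BUILD_ROOT"` would be consistent with the test.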
@@ -59,8 +59,10 @@
%config(noreplace) %{_sysconfdir}/httpd/conf.d/*.conf
%changelog
-* Mon Apr 4 2005 Joe Orton <jorton at redhat.com> 2.0.1-6.1
-- fix possible crashes (Mirko Streckenbach, #150087)
+* Fri Jan 6 2006 Joe Orton <jorton at redhat.com> 2.0.1-6.2
+- add security fix for CVE-2005-3656
+- don't strip .so file so debuginfo works
+- fix r->user handling (Mirko Streckenbach, #150087)
* Thu Sep 23 2004 Joe Orton <jorton at redhat.com> 2.0.1-5
- merge from Taroon:
--- mod_auth_pgsql-2.0.1-crasher.patch DELETED ---