ports/152846: [PATCH] www/mod_fcgid - update to the new version with security fix
Marko Njezic
mrmax063 at maxempire.com
Sun Dec 5 03:30:12 UTC 2010
>Number: 152846
>Category: ports
>Synopsis: [PATCH] www/mod_fcgid - update to the new version with security fix
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 05 03:30:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Marko Njezic
>Release: 8.1-RELEASE
>Organization:
MAX Interactive corp.
>Environment:
FreeBSD vmbsd 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Update mod_fcgid Apache module to the recently released version 2.3.6, with various improvements and a fix for a potential security vulnerability, which can affect sites with untrusted FastCGI applications (CVE-2010-3872).
Patch file "patch-modules-fcgid-fcgid_mutex_unix.c" that was included with the previous version of the port is no longer necessary and can be removed, since the fix is now included.
However, a new patch file "patch-modules-fcgid-fcgid_spawn_ctl.c" has been added, which fixes one regression introduced in version 2.3.6. This fix has been obtained from the download page of the mod_fcgid module and can also be seen in mod_fcgid's SVN repository.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
diff -Naur mod_fcgid.original/Makefile mod_fcgid/Makefile
--- mod_fcgid.original/Makefile 2010-12-05 04:01:24.000000000 +0100
+++ mod_fcgid/Makefile 2010-12-05 03:40:37.000000000 +0100
@@ -6,7 +6,7 @@
#
PORTNAME= mod_fcgid
-PORTVERSION= 2.3.5
+PORTVERSION= 2.3.6
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
MASTER_SITE_SUBDIR= ${PORTNAME}
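Review bot: The PORTVERSION bump to 2.3.6 is the only place this patch records that the update addresses CVE-2010-3872; nothing in the diff adds a matching VuXML entry. Unless one already exists, suggest committing a security/vuxml entry covering versions below 2.3.6 alongside this change and naming the CVE in the commit message, so that installed 2.3.5 packages are flagged by audit tooling.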
diff -Naur mod_fcgid.original/distinfo mod_fcgid/distinfo
--- mod_fcgid.original/distinfo 2010-12-05 04:01:24.000000000 +0100
+++ mod_fcgid/distinfo 2010-12-05 03:40:55.000000000 +0100
@@ -1,3 +1,3 @@
-MD5 (mod_fcgid-2.3.5.tar.gz) = 82b5bec1ed1c0fc106d5271075641ef9
-SHA256 (mod_fcgid-2.3.5.tar.gz) = 3280fd287659539d577fc3c77a975739c06bb9d0a9cef48275d4beb13c64ef39
-SIZE (mod_fcgid-2.3.5.tar.gz) = 97784
+MD5 (mod_fcgid-2.3.6.tar.gz) = fbfc115eb47cd9bda91269743aba5e83
+SHA256 (mod_fcgid-2.3.6.tar.gz) = e831795498d91cf27a519ea1332c2a92a2a9920b0844d817b2ea7f079056d12b
+SIZE (mod_fcgid-2.3.6.tar.gz) = 101883
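Review bot: The new MD5, SHA256 and SIZE values for mod_fcgid-2.3.6.tar.gz cannot be checked from the patch itself, and for a security update the integrity of the tarball matters. Before commit, fetch the distfile independently and compare it against the checksum or PGP signature published with the upstream release, rather than relying only on values generated on the submitter's machine.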
diff -Naur mod_fcgid.original/files/patch-modules-fcgid-fcgid_mutex_unix.c mod_fcgid/files/patch-modules-fcgid-fcgid_mutex_unix.c
--- mod_fcgid.original/files/patch-modules-fcgid-fcgid_mutex_unix.c 2010-12-05 04:01:24.000000000 +0100
+++ mod_fcgid/files/patch-modules-fcgid-fcgid_mutex_unix.c 1970-01-01 01:00:00.000000000 +0100
@@ -1,17 +0,0 @@
-Index: modules/fcgid/fcgid_mutex_unix.c
-===================================================================
---- modules/fcgid/fcgid_mutex_unix.c (revision 904780)
-+++ modules/fcgid/fcgid_mutex_unix.c (working copy)
-@@ -56,6 +56,10 @@
-
- #include "ap_mpm.h"
-
-+#if MODULE_MAGIC_NUMBER_MAJOR < 20051115
-+#define AP_NEED_SET_MUTEX_PERMS 1
-+#endif
-+
- #if AP_NEED_SET_MUTEX_PERMS
- #include "unixd.h"
- #endif
-
-
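Review bot: Deleting this file drops the local `#define AP_NEED_SET_MUTEX_PERMS 1` for `MODULE_MAGIC_NUMBER_MAJOR < 20051115`, and the patch gives no way to confirm that 2.3.6 carries the same block. Check that modules/fcgid/fcgid_mutex_unix.c in the 2.3.6 tarball has it after the `#include "ap_mpm.h"` line; if it does not, builds against older Apache versions would skip the `unixd.h` include guarded by that macro.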
diff -Naur mod_fcgid.original/files/patch-modules-fcgid-fcgid_spawn_ctl.c mod_fcgid/files/patch-modules-fcgid-fcgid_spawn_ctl.c
--- mod_fcgid.original/files/patch-modules-fcgid-fcgid_spawn_ctl.c 1970-01-01 01:00:00.000000000 +0100
+++ mod_fcgid/files/patch-modules-fcgid-fcgid_spawn_ctl.c 2010-11-23 03:09:20.000000000 +0100
@@ -0,0 +1,17 @@
+#
+# Fix regression in 2.3.6 which broke process controls when using vhost-
+# specific configuration.
+#
+Index: modules/fcgid/fcgid_spawn_ctl.c
+===================================================================
+--- modules/fcgid/fcgid_spawn_ctl.c (revision 1037726)
++++ modules/fcgid/fcgid_spawn_ctl.c (revision 1037727)
+@@ -178,7 +178,7 @@
+ if (current_node->inode == command->inode
+ && current_node->deviceid == command->deviceid
+ && !strcmp(current_node->cmdline, command->cmdline)
+- && current_node->vhost_id == sconf->vhost_id
++ && current_node->vhost_id == command->vhost_id
+ && current_node->uid == command->uid
+ && current_node->gid == command->gid)
+ break;
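Review bot: The `#` header comment in the new file describes the regression but does not say where the fix comes from or when the patch can be dropped; only the diff header hints at it with revisions 1037726 and 1037727. Suggest stating in the comment that this is taken from upstream SVN and should be removed at the next version bump. It is also worth confirming that `sconf` is still used elsewhere in the function once `sconf->vhost_id` becomes `command->vhost_id`, to avoid an unused-variable warning.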
>Release-Note:
>Audit-Trail:
>Unformatted: