!11 Fix CVE-2016-1000104

From: @starlet-dx Reviewed-by: @ruebb Signed-off-by: @ruebb
2022-07-14 02:02:15 +00:00 · 2022-07-14 02:02:15 +00:00 · 3777de1045
commit 3777de1045
parent d456a4eb20 f55c301537
2 changed files with 28 additions and 1 deletions
--- a/CVE-2016-1000104.patch
+++ b/CVE-2016-1000104.patch
@ -0,0 +1,23 @@
+Index: mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+===================================================================
+--- mod_fcgid-2.3.9.orig/modules/fcgid/mod_fcgid.c
+++ mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+@@ -155,9 +155,15 @@ static void fcgid_add_cgi_vars(request_r
+                  * consistent with legacy mod_fcgid behavior and mod_fastcgi
+                  * prior to 2.4.7
+                  */
+-                apr_table_setn(r->subprocess_env, *hdr, val);
+-                /* standard munging of header name (upcase, HTTP_, etc.) */
+-                apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
+                /* boo#988492 httpoxy don't set HTTP_PROXY */
+                if ( strcasecmp(*hdr, "HTTP_PROXY") != 0 && strcasecmp(*hdr, "HTTP-PROXY") != 0) {
+                    apr_table_setn(r->subprocess_env, *hdr, val);
+                }
+                /* boo#988492 httpoxy don't set HTTP_PROXY */
+                if ( strcasecmp(*hdr, "PROXY") != 0 ) {
+                    /* standard munging of header name (upcase, HTTP_, etc.) */
+                    apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
+                }
+             }
+         }
+     }
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@ -1,12 +1,13 @@
 Name:           mod_fcgid
 Version:        2.3.9
-Release:        20
+Release:        21
 Summary:        High performance alternative to mod_cgi or mod_cgid
 License:        ASL 2.0
 URL:            http://httpd.apache.org/mod_fcgid/
 Source0:        http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
 Source1:        mod_fcgid-tmpfs.conf
 Source2:        fcgid24.conf
+Patch0:         CVE-2016-1000104.patch
 BuildRequires:  coreutils gcc httpd-devel >= 2.0 make pkgconfig sed perl
 Requires:       httpd-mmn = %{_httpd_mmn}
 Requires:       systemd
@ -54,6 +55,9 @@ install -p -m644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/mod_fcgid.conf
 %doc build/fixconf.sed

 %changelog
+* Wed Jul 13 2022 yaoxin <yaoxin30@h-partners.com> - 2.3.9-21
+- Fix CVE-2016-1000104
+
 * Fri Jan 7 2022 liyanan <liyanan32@huawei.com> - 2.3.9-20
 - Add the perl dependency