!11 Fix CVE-2016-1000104

From: @starlet-dx Reviewed-by: @ruebb Signed-off-by: @ruebb
Fix CVE-2016-1000104
2022-07-14 02:02:15 +00:00 · 2022-07-13 16:36:04 +08:00 · 2022-04-07 02:52:45 +00:00 · 2022-03-30 16:24:33 +08:00 · 2021-02-24 15:26:38 +08:00 · 2021-02-24 14:55:16 +08:00
8 changed files with 108 additions and 75 deletions
--- a/CVE-2016-1000104.patch
+++ b/CVE-2016-1000104.patch
@ -0,0 +1,23 @@
+Index: mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+===================================================================
+--- mod_fcgid-2.3.9.orig/modules/fcgid/mod_fcgid.c
+++ mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+@@ -155,9 +155,15 @@ static void fcgid_add_cgi_vars(request_r
+                  * consistent with legacy mod_fcgid behavior and mod_fastcgi
+                  * prior to 2.4.7
+                  */
+-                apr_table_setn(r->subprocess_env, *hdr, val);
+-                /* standard munging of header name (upcase, HTTP_, etc.) */
+-                apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
+                /* boo#988492 httpoxy don't set HTTP_PROXY */
+                if ( strcasecmp(*hdr, "HTTP_PROXY") != 0 && strcasecmp(*hdr, "HTTP-PROXY") != 0) {
+                    apr_table_setn(r->subprocess_env, *hdr, val);
+                }
+                /* boo#988492 httpoxy don't set HTTP_PROXY */
+                if ( strcasecmp(*hdr, "PROXY") != 0 ) {
+                    /* standard munging of header name (upcase, HTTP_, etc.) */
+                    apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
+                }
+             }
+         }
+     }
--- a/README.en.md
+++ b/README.en.md
@ -1,36 +0,0 @@
-# mod_fcgid
-
-#### Description
-{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
-
-#### Software Architecture
-Software architecture description
-
-#### Installation
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Instructions
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### Contribution
-
-1.  Fork the repository
-2.  Create Feat_xxx branch
-3.  Commit your code
-4.  Create Pull Request
-
-
-#### Gitee Feature
-
-1.  You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
-2.  Gitee blog [blog.gitee.com](https://blog.gitee.com)
-3.  Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
-4.  The most valuable open source project [GVP](https://gitee.com/gvp)
-5.  The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
-6.  The most popular members  [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/README.md
+++ b/README.md
@ -1,39 +0,0 @@
-# mod_fcgid
-
-#### 介绍
-{**以下是码云平台说明，您可以替换此简介**
-码云是 OSCHINA 推出的基于 Git 的代码托管平台（同时支持 SVN）。专为开发者提供稳定、高效、安全的云端软件开发协作平台
-无论是个人、团队、或是企业，都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
-
-#### 软件架构
-软件架构说明
-
-
-#### 安装教程
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 使用说明
-
-1.  xxxx
-2.  xxxx
-3.  xxxx
-
-#### 参与贡献
-
-1.  Fork 本仓库
-2.  新建 Feat_xxx 分支
-3.  提交代码
-4.  新建 Pull Request
-
-
-#### 码云特技
-
-1.  使用 Readme\_XXX.md 来支持不同的语言，例如 Readme\_en.md, Readme\_zh.md
-2.  码云官方博客 [blog.gitee.com](https://blog.gitee.com)
-3.  你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
-4.  [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目，是码云综合评定出的优秀开源项目
-5.  码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
-6.  码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
--- a/fcgid24.conf
+++ b/fcgid24.conf
@ -0,0 +1,12 @@
+# This is the Apache server configuration file for providing FastCGI support
+# through mod_fcgid
+#
+# Documentation is available at
+# http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
+
+# Use FastCGI to process .fcg .fcgi & .fpl scripts
+AddHandler fcgid-script fcg fcgi fpl
+
+# Sane place to put sockets and shared memory file
+FcgidIPCDir /run/mod_fcgid
+FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
--- a/mod_fcgid-2.3.9.tar.bz2
+++ b/mod_fcgid-2.3.9.tar.bz2
--- a/mod_fcgid-tmpfs.conf
+++ b/mod_fcgid-tmpfs.conf
@ -0,0 +1 @@
+d	/run/mod_fcgid		0775	root	apache
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@ -0,0 +1,68 @@
+Name:           mod_fcgid
+Version:        2.3.9
+Release:        21
+Summary:        High performance alternative to mod_cgi or mod_cgid
+License:        ASL 2.0
+URL:            http://httpd.apache.org/mod_fcgid/
+Source0:        http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
+Source1:        mod_fcgid-tmpfs.conf
+Source2:        fcgid24.conf
+Patch0:         CVE-2016-1000104.patch
+BuildRequires:  coreutils gcc httpd-devel >= 2.0 make pkgconfig sed perl
+Requires:       httpd-mmn = %{_httpd_mmn}
+Requires:       systemd
+
+%description
+Mod_fcgid is an Apache module providing a FastCGI interface. It's an alternative to mod_fastcgi
+that is specifically tuned for the dynamic FastCGI configuration used on DreamHost servers.
+
+%package help
+Summary: Help document for the %{name} package
+
+%description help
+Help document for the %{name} package.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+cp -p %{SOURCE2} fcgid24.conf
+
+%build
+APXS=%{_httpd_apxs} ./configure.apxs
+%make_build
+
+%install
+%make_install MKINSTALLDIRS="mkdir -p"
+install -d %{buildroot}{%{_httpd_confdir},%{_httpd_modconfdir}}
+echo "LoadModule fcgid_module modules/mod_fcgid.so" > %{buildroot}%{_httpd_modconfdir}/10-fcgid.conf
+install -D -m644 fcgid24.conf %{buildroot}%{_httpd_confdir}/fcgid.conf
+install -d -m755 %{buildroot}/run/mod_fcgid
+install -d -m755 %{buildroot}%{_tmpfilesdir}
+install -p -m644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/mod_fcgid.conf
+
+%files
+%license LICENSE-FCGID
+%{_libdir}/httpd/modules/mod_fcgid.so
+%config(noreplace) %{_httpd_modconfdir}/10-fcgid.conf
+%config(noreplace) %{_httpd_confdir}/fcgid.conf
+%{_tmpfilesdir}/mod_fcgid.conf
+%dir %attr(0775,root,apache) /run/mod_fcgid/
+%exclude %{_httpd_contentdir}/manual
+
+%files help
+%doc docs/manual/mod/mod_fcgid.html.en
+%doc CHANGES-FCGID NOTICE-FCGID README-FCGID STATUS-FCGID
+%doc modules/fcgid/ChangeLog
+%doc build/fixconf.sed
+
+%changelog
+* Wed Jul 13 2022 yaoxin <yaoxin30@h-partners.com> - 2.3.9-21
+- Fix CVE-2016-1000104
+
+* Fri Jan 7 2022 liyanan <liyanan32@huawei.com> - 2.3.9-20
+- Add the perl dependency
+
+* Wed Feb 24 2021 lingsheng<lingsheng@huawei.com> - 2.3.9-19
+- Add requires httpd-mmn to fix group apache missing
+
+* Thu Nov 14 2019 shijian<shijian16@huawei.com> - 2.3.9-18
+- Package init
--- a/mod_fcgid.yaml
+++ b/mod_fcgid.yaml
@ -0,0 +1,4 @@
+version_control: svn
+src_repo: http://svn.apache.org/repos/asf/httpd/mod_fcgid/
+tag_prefix: "^"
+seperator: "."
Author	SHA1	Message	Date
openeuler-ci-bot	3777de1045	!11 Fix CVE-2016-1000104 From: @starlet-dx Reviewed-by: @ruebb Signed-off-by: @ruebb	2022-07-14 02:02:15 +00:00
starlet-dx	f55c301537	Fix CVE-2016-1000104	2022-07-13 16:36:04 +08:00
openeuler-ci-bot	d456a4eb20	!10 [sync] PR-9: Add the perl dependency From: @openeuler-sync-bot Reviewed-by: @ruebb Signed-off-by: @ruebb	2022-04-07 02:52:45 +00:00
lyn1001	4fd7ee2ffb	Add the perl dependency (cherry picked from commit 38c465aa546a8244a13eb5ed5f23785f5936c9d4)	2022-03-30 16:24:33 +08:00
openeuler-ci-bot	6631148e3b	!3 Add requires httpd-mmn to fix group apache missing From: @ultra_planet Reviewed-by: @si-gui,@small_leek Signed-off-by: @small_leek	2021-02-24 15:26:38 +08:00
lingsheng	175ab696e2	Add requires httpd-mmn to fix group apache missing	2021-02-24 14:55:16 +08:00
openeuler-ci-bot	7de06bd58c	!2 add yaml file Merge pull request !2 from ultra_planet/master	2020-05-11 20:24:54 +08:00
ultra_planet	17f927eae9	add yaml file	2020-05-09 09:33:19 +08:00
openeuler-ci-bot	c9d5eb9667	!1 package init Merge pull request !1 from fun_yang/master	2020-02-17 20:32:51 +08:00
fun_yang	dd226ef8d7	package init	2020-02-14 11:24:09 +08:00