Fix CVE-2016-1000104

(cherry picked from commit 1593988c28b02901fda3982bede177ea6ece033c)
2022-07-13 16:38:38 +08:00 · 2022-07-13 16:38:38 +08:00 · 294d665df4
commit 294d665df4
parent 5990b625af
2 changed files with 28 additions and 1 deletions
--- a/CVE-2016-1000104.patch
+++ b/CVE-2016-1000104.patch
@ -0,0 +1,23 @@
+Index: mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+===================================================================
+--- mod_fcgid-2.3.9.orig/modules/fcgid/mod_fcgid.c
+++ mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+@@ -155,9 +155,15 @@ static void fcgid_add_cgi_vars(request_r
+                  * consistent with legacy mod_fcgid behavior and mod_fastcgi
+                  * prior to 2.4.7
+                  */
+-                apr_table_setn(r->subprocess_env, *hdr, val);
+-                /* standard munging of header name (upcase, HTTP_, etc.) */
+-                apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
+                /* boo#988492 httpoxy don't set HTTP_PROXY */
+                if ( strcasecmp(*hdr, "HTTP_PROXY") != 0 && strcasecmp(*hdr, "HTTP-PROXY") != 0) {
+                    apr_table_setn(r->subprocess_env, *hdr, val);
+                }
+                /* boo#988492 httpoxy don't set HTTP_PROXY */
+                if ( strcasecmp(*hdr, "PROXY") != 0 ) {
+                    /* standard munging of header name (upcase, HTTP_, etc.) */
+                    apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
+                }
+             }
+         }
+     }
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@ -1,12 +1,13 @@
 Name:           mod_fcgid
 Version:        2.3.9
-Release:        19
+Release:        20
 Summary:        High performance alternative to mod_cgi or mod_cgid
 License:        ASL 2.0
 URL:            http://httpd.apache.org/mod_fcgid/
 Source0:        http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
 Source1:        mod_fcgid-tmpfs.conf
 Source2:        fcgid24.conf
+Patch0:         CVE-2016-1000104.patch
 BuildRequires:  coreutils gcc httpd-devel >= 2.0 make pkgconfig sed
 Requires:       httpd-mmn = %{_httpd_mmn}
 Requires:       systemd
@ -54,6 +55,9 @@ install -p -m644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/mod_fcgid.conf
 %doc build/fixconf.sed

 %changelog
+* Wed Jul 13 2022 yaoxin <yaoxin30@h-partners.com> - 2.3.9-20
+- Fix CVE-2016-1000104
+
 * Wed Feb 24 2021 lingsheng<lingsheng@huawei.com> - 2.3.9-19
 - Add requires httpd-mmn to fix group apache missing