You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apr.apache.org by Joe Orton <jo...@manyfish.co.uk> on 2003/05/28 21:57:27 UTC
Re: cvs commit: apr-util/test testpass.c .cvsignore Makefile.in
On Wed, May 28, 2003 at 04:45:46AM -0000, Justin Erenkrantz wrote:
> jerenkrantz 2003/05/27 21:45:46
>
> Modified: . CHANGES configure.in
> build apu-hints.m4
> crypto apr_md5.c
> test .cvsignore Makefile.in
> Added: test testpass.c
> Log:
> SECURITY [httpd incident CAN-2003-0189] Address a thread safety issue with
> apr_password_validate() on AIX, Linux, Mac OS X, and possibly other platforms.
>
> We didn't move the crypt_r checks from apr to apr-util when we moved
> apr_password_validate. Add testpass.c to ensure we don't regress.
I looked into moving the macro but there was a nasty gotcha, maybe this
is what you found too: the glibc-style crypt_r implementation relies on
-D_GNU_SOURCE being in CPPFLAGS, but any additions to CPPFLAGS made by
the apr-util configure script are dropped on the floor. (since
apr-util/crypto/Makefile just includes apr_rules.mk from APR)
joe
Re: cvs commit: apr-util/test testpass.c .cvsignore Makefile.in
Posted by Jeff Trawick <tr...@attglobal.net>.
Joe Orton wrote:
> On Wed, May 28, 2003 at 04:45:46AM -0000, Justin Erenkrantz wrote:
>
>>jerenkrantz 2003/05/27 21:45:46
>>
>> Modified: . CHANGES configure.in
>> build apu-hints.m4
>> crypto apr_md5.c
>> test .cvsignore Makefile.in
> I looked into moving the macro but there was a nasty gotcha, maybe this
> is what you found too: the glibc-style crypt_r implementation relies on
> -D_GNU_SOURCE being in CPPFLAGS, but any additions to CPPFLAGS made by
> the apr-util configure script are dropped on the floor. (since
> apr-util/crypto/Makefile just includes apr_rules.mk from APR)
I don't recall anybody encountering this, but its a great heads up.
Certainly it is appropriate for aprutil configure to be able to add
stuff to CFLAGS/CPPFLAGS, and that should be fixed, but my own feeling
about feature set selection symbols like _GNU_SOURCE is that they should
be defined in apr_hints.m4. In general, changing at mid-stream which
flavor of system interfaces we want or which set of system interfaces we
want can lead to inconsistencies w.r.t. any config tests done prior to
the point that we start defining the symbol.