Posted to cvs@httpd.apache.org by ji...@apache.org on 2012/03/08 17:10:52 UTC

svn commit: r1298453 - in /httpd/httpd/branches/2.4.x: CHANGES STATUS support/envvars-std.in

Author: jim
Date: Thu Mar  8 16:10:51 2012
New Revision: 1298453

URL: http://svn.apache.org/viewvc?rev=1298453&view=rev
Log:
Merge r1296428 from trunk:

Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs

CVE-2012-0883

Submitted by: sf
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/support/envvars-std.in

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1298453&r1=1298452&r2=1298453&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Mar  8 16:10:51 2012
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.4.2
 
+  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
+     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
+     current working directory to be searched for DSOs. [Stefan Fritsch]
+
   *) mod_xml2enc: Fix broken handling of EOS buckets which could lead to
      response headers not being sent. PR 52766. [Stefan Fritsch]
 

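Review bot: The new CHANGES entry does not state the condition under which the problem occurs, so a reader cannot tell from it whether an installation was affected. Going by the envvars-std.in change in this same commit, the case is @SHLIBPATH_VAR@ being empty or unset when envvars is sourced, which left a trailing ':' (an empty path element) after @exp_libdir@; consider naming that condition in the entry. The wording 'could lead to the current working directory to be searched' would also read better as 'could lead to the current working directory being searched'.
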
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1298453&r1=1298452&r2=1298453&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Thu Mar  8 16:10:51 2012
@@ -89,11 +89,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
- * envvars: Fix handling of LD_LIBRARY_PATH. CVE-2012-0883
-   Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1296428
-   2.4.x patch: Trunk patch works
-   +1: sf, covener, jim
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

Modified: httpd/httpd/branches/2.4.x/support/envvars-std.in
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/support/envvars-std.in?rev=1298453&r1=1298452&r2=1298453&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/support/envvars-std.in (original)
+++ httpd/httpd/branches/2.4.x/support/envvars-std.in Thu Mar  8 16:10:51 2012
@@ -18,7 +18,11 @@
 #
 # This file is generated from envvars-std.in
 #
-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+if test "x$@SHLIBPATH_VAR@" != "x" ; then
+  @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+else
+  @SHLIBPATH_VAR@="@exp_libdir@"
+fi
 export @SHLIBPATH_VAR@
 #
 @OS_SPECIFIC_VARS@
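
Review bot: The non-empty branch still appends the inherited value verbatim ('@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"'), so an inherited value that itself begins or ends with ':' or contains '::' keeps an empty element in the result, and the current-directory search this commit addresses remains possible through that path. If that is deliberately left as the caller's responsibility, a comment above the 'if' should say so; otherwise strip empty elements from the inherited value before appending it. A one-line comment explaining why the empty case is special-cased would also keep the test from being simplified back to the single assignment later.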