--- libapache2-mod-fcgid-2.3.4.orig/debian/libapache2-mod-fcgid.prerm
+++ libapache2-mod-fcgid-2.3.4/debian/libapache2-mod-fcgid.prerm
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ remove)
+ test -e /etc/apache2/mods-enabled/fcgid.load && a2dismod fcgid
+ ;;
+ upgrade|deconfigure|failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+
+#DEBHELPER#
+
+exit 0
--- libapache2-mod-fcgid-2.3.4.orig/debian/docs
+++ libapache2-mod-fcgid-2.3.4/debian/docs
@@ -0,0 +1,7 @@
+debian/README.source
+README-FCGID
+STATUS-FCGID
+docs/manual/mod/mod_fcgid.xml.meta
+docs/manual/mod/mod_fcgid.xml
+docs/manual/mod/mod_fcgid.html
+docs/manual/mod/mod_fcgid.html.en
--- libapache2-mod-fcgid-2.3.4.orig/debian/rules
+++ libapache2-mod-fcgid-2.3.4/debian/rules
@@ -0,0 +1,26 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/dpatch.mk
+
+DEB_FIXPERMS_EXCLUDE = var/lib/apache2/fcgid/sock
+CUR_PKGDEST=$(CURDIR)/debian/$(cdbs_curpkg)
+DEB_INSTALL_CHANGELOGS_ALL=CHANGES-FCGID
+DEB_DH_STRIP_ARGS := --dbg-package=libapache2-mod-fcgid-dbg -k
+
+configure/libapache2-mod-fcgid::
+ APXS=apxs2 ./configure.apxs
+
+build/libapache2-mod-fcgid::
+ make
+
+install/libapache2-mod-fcgid::
+ make install DESTDIR=$(CUR_PKGDEST)
+ rm -r $(CUR_PKGDEST)/usr/share/apache2 $(CUR_PKGDEST)/etc
+
+binary-install/libapache2-mod-fcgid::
+ mkdir -p $(CUR_PKGDEST)/etc/apache2/mods-available
+ install -m 644 debian/fcgid.load debian/fcgid.conf $(CUR_PKGDEST)/etc/apache2/mods-available
+ mkdir -p $(CUR_PKGDEST)/var/lib/apache2/fcgid/sock
+ chown www-data:www-data $(CUR_PKGDEST)/var/lib/apache2/fcgid/sock
+ chmod 755 $(CUR_PKGDEST)/var/lib/apache2/fcgid/sock
--- libapache2-mod-fcgid-2.3.4.orig/debian/copyright
+++ libapache2-mod-fcgid-2.3.4/debian/copyright
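Review bot: The socket directory is shipped with `chmod 755` in the binary-install rule of debian/rules, so every local account can list and traverse `var/lib/apache2/fcgid/sock`, which the line before hands to www-data. Nothing visible in this diff shows the module tightening the mode at startup, so unless an account other than the Apache user has to reach the sockets, the last line could be `chmod 700 $(CUR_PKGDEST)/var/lib/apache2/fcgid/sock`. A one-line comment above `DEB_FIXPERMS_EXCLUDE`, stating that the exclusion is presumably there to keep the www-data ownership through dh_fixperms, would also help the next maintainer.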
@@ -0,0 +1,9 @@
+This package was debianized by Tatsuki Sugiura on
+Wed, 21 Jul 2004 06:38:33 +0900.
+
+It was downloaded from http://httpd.apache.org/download.cgi#mod_fcgid
+
+Upstream Author: Pan qingfeng
+
+Copyright: Copyright 2009 The Apache Software Foundation under Apache License 2.0,
+details for /usr/share/common-licenses/Apache-2.0
--- libapache2-mod-fcgid-2.3.4.orig/debian/README.source
+++ libapache2-mod-fcgid-2.3.4/debian/README.source
@@ -0,0 +1,38 @@
+This package uses dpatch to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To get the fully patched source after unpacking the source package, cd
+to the root level of the source package and run:
+
+ debian/rules patch
+
+Removing a patch is as simple as removing its entry from the
+debian/patches/00list file, and please also remove the patch file
+itself.
+
+Creating a new patch is done with "dpatch-edit-patch patch XX_patchname"
+where you should replace XX with a new number and patchname with a
+descriptive shortname of the patch. You can then simply edit all the
+files your patch wants to edit, and then simply "exit 0" from the shell
+to actually create the patch file.
+
+To tweak an already existing patch, call "dpatch-edit-patch XX_patchname"
+and replace XX_patchname with the actual filename from debian/patches
+you want to use.
+
+To clean up afterwards again, "debian/rules unpatch" will do the
+work for you - or you can of course choose to call
+"fakeroot debian/rules clean" all together.
+
+
+---
+
+this documentation is part of dpatch package, and may be used by
+packages using dpatch to comply with policy on README.source. This
+documentation is meant to be useful to users who are not proficient in
+dpatch in doing work with dpatch-based packages. Please send any
+improvements to the BTS of dpatch package.
+
+original text by Gerfried Fuchs, edited by Junichi Uekawa
+10 Aug 2008.
--- libapache2-mod-fcgid-2.3.4.orig/debian/README.Debian
+++ libapache2-mod-fcgid-2.3.4/debian/README.Debian
@@ -0,0 +1,10 @@
+libapache2-mod-fcgid for Debian
+------------------------------
+
+ On Debian System, just put a file has .fcgi suffix in directory with ExecCGI,
+ and you can run the scripts as FastCGI.
+
+ If you need more information, visit website of upstream author;
+ http://fastcgi.coremail.cn/
+
+ -- Tatsuki Sugiura , Wed, 21 Jul 2004 06:38:33 +0900
--- libapache2-mod-fcgid-2.3.4.orig/debian/fcgid.conf
+++ libapache2-mod-fcgid-2.3.4/debian/fcgid.conf
@@ -0,0 +1,4 @@
+
+ AddHandler fcgid-script .fcgi
+ FcgidConnectTimeout 20
+
--- libapache2-mod-fcgid-2.3.4.orig/debian/changelog
+++ libapache2-mod-fcgid-2.3.4/debian/changelog
@@ -0,0 +1,179 @@ +libapache2-mod-fcgid (1:2.3.4-2ubuntu0.2) lucid-security; urgency=low + + * SECURITY UPDATE: possible stack buffer overwrite (LP: #698060) + - modules/fcgid/fcgid_bucket.c: patch from upstream + - CVE-2010-3872 + + -- Felix Geyer Thu, 06 Jan 2011 13:04:02 +0100 + +libapache2-mod-fcgid (1:2.3.4-2ubuntu0.1) lucid-proposed; urgency=low + + * Add 30_fix-request-body-truncation.dpatch to fix corruption of requests + that exceed the FcgidMaxRequestInMem size. (LP: #573591) + + -- Felix Geyer Sun, 16 May 2010 13:07:54 +0200 + +libapache2-mod-fcgid (1:2.3.4-2) unstable; urgency=medium + + * Fix segfault with empty outout from fcgi process (Closes: #468559) + * Add -dbg package + * Update package description from official site. + + -- Tatsuki Sugiura Thu, 28 Jan 2010 04:59:12 +0900 + +libapache2-mod-fcgid (1:2.3.4-1) unstable; urgency=low + + * New upstream release (Closes: #561913, #531851) + + -- Tatsuki Sugiura Sat, 23 Jan 2010 12:20:20 +0900 + +libapache2-mod-fcgid (1:2.2-1) unstable; urgency=medium + + * New upstream release (Closes: #446585) + * fixed debian/watch to new version (Closes: #446586) + + -- Tatsuki Sugiura Sun, 14 Oct 2007 17:37:02 +0900 + +libapache2-mod-fcgid (1:2.1-3) unstable; urgency=low + + * Built-in default settings was changed to compat with Debian policy. + Now, you don't need to specify SocketPath and SharememPath in config. + (Closes: #431215) + + -- Tatsuki Sugiura Sun, 01 Jul 2007 05:00:25 +0900 + +libapache2-mod-fcgid (1:2.1-2) unstable; urgency=medium + + * Add proper dependency by shlibs:Depends (Closes: #427046, #427120) + + -- Tatsuki Sugiura Sat, 02 Jun 2007 18:01:15 +0900 + +libapache2-mod-fcgid (1:2.1-1) unstable; urgency=low + + * New upstream release (Closes: #420910) + * Add SharememPath to default config. Thanks to Philipp Wollermann. + + -- Tatsuki Sugiura Mon, 14 May 2007 02:53:56 +0900 + +libapache2-mod-fcgid (1:1.10-2) unstable; urgency=high + + * rewind upstream version temporary for etch release. 
(Related: #401938) + + -- Tatsuki Sugiura Wed, 31 Jan 2007 18:25:18 +0900 + +libapache2-mod-fcgid (2.0-1) unstable; urgency=high + + * New upstream release + * Apply NMU Update (Closes: #394473) + + -- Tatsuki Sugiura Wed, 1 Nov 2006 13:28:02 +0900 + +libapache2-mod-fcgid (1.10-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Update for apache 2.2 (Closes: #391757). + * Stop overriding what libtool to use (Closes: #393020). + + -- Luk Claes Sat, 21 Oct 2006 15:36:56 +0200 + +libapache2-mod-fcgid (1.10-1.1~smcv0) unstable; urgency=low + + * Non-maintainer upload. + * Compile against Apache 2.2 and APR 1.0 (Closes: #391757, #393020). + + -- Simon McVittie Sun, 15 Oct 2006 15:17:28 +0100 + +libapache2-mod-fcgid (1.10-1) unstable; urgency=low + + * New upstream release + * Update app kill patch: Rename Directive ErrorTimeout -> ShutdownTimeout + + -- Tatsuki Sugiura Wed, 5 Jul 2006 13:24:02 +0900 + +libapache2-mod-fcgid (1.09-2) UNRELEASED; urgency=low + + * NOT RELEASED YET + + -- Tatsuki Sugiura Mon, 15 May 2006 07:06:17 +0900 + +libapache2-mod-fcgid (1.09-1) unstable; urgency=low + + * New upstream release (Closes: #361975, #361579, #345752) + * Set "IPCConnectTimeout 20" in default config file (Closes: #352498) + + -- Tatsuki Sugiura Mon, 15 May 2006 06:06:03 +0900 + +libapache2-mod-fcgid (1.07-1) unstable; urgency=low + + * New upstream release (Closes: #339604) + * Unnecessary dependency has been removed. Those provied from + apache2-common. 
(Closes: #334011) + + -- Tatsuki Sugiura Mon, 21 Nov 2005 05:55:39 +0900 + +libapache2-mod-fcgid (1.06-2) UNRELEASED; urgency=low + + * add ErrorTimeout directive for timeout of force kill + + -- Tatsuki Sugiura Wed, 16 Nov 2005 05:47:41 +0900 + +libapache2-mod-fcgid (1.06-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Tue, 16 Aug 2005 07:33:24 +0900 + +libapache2-mod-fcgid (1.05-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Thu, 7 Apr 2005 16:31:07 +0900 + +libapache2-mod-fcgid (1.04-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Sun, 19 Dec 2004 01:43:57 +0900 + +libapache2-mod-fcgid (1.03-2) unstable; urgency=low + + * supports non HTTP_OK status code + + -- Tatsuki Sugiura Thu, 11 Nov 2004 09:37:41 +0900 + +libapache2-mod-fcgid (1.03-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Wed, 10 Nov 2004 17:24:08 +0900 + +libapache2-mod-fcgid (1.02-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Wed, 13 Oct 2004 15:53:34 +0900 + +libapache2-mod-fcgid (1.01-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Sat, 25 Sep 2004 02:20:16 +0900 + +libapache2-mod-fcgid (0.86-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Wed, 25 Aug 2004 15:01:09 +0900 + +libapache2-mod-fcgid (0.80-1) unstable; urgency=low + + * New upstream release + + -- Tatsuki Sugiura Thu, 12 Aug 2004 09:59:01 +0900 + +libapache2-mod-fcgid (0.77-1) unstable; urgency=low + + * Initial Release. + + -- Tatsuki Sugiura Wed, 21 Jul 2004 06:38:33 +0900 + --- libapache2-mod-fcgid-2.3.4.orig/debian/libapache2-mod-fcgid.postinst +++ libapache2-mod-fcgid-2.3.4/debian/libapache2-mod-fcgid.postinst 
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ test ! -e /etc/apache2/mods-enabled/fastcgi.load \
+ -a ! -e /etc/apache2/mods-enabled/fcgid.load && \
+ a2enmod fcgid
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- libapache2-mod-fcgid-2.3.4.orig/debian/control
+++ libapache2-mod-fcgid-2.3.4/debian/control
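Review bot: The `configure` branch of the postinst runs `a2enmod fcgid` on every configure, upgrades included, so a module the administrator disabled on purpose is switched back on by the next package update unless mod_fastcgi happens to be enabled. Maintainer scripts receive the previously configured version in `$2`, so a guard such as `if [ -z "$2" ] && [ ! -e /etc/apache2/mods-enabled/fastcgi.load ]; then a2enmod fcgid; fi` would limit the enable to fresh installs. `$2` is also set when reinstalling after a remove without purge, so that case needs a deliberate decision. Separately, the `test … -a …` form is marked obsolescent in POSIX; two `[ ]` tests joined with `&&` are the safer spelling.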
@@ -0,0 +1,39 @@
+Source: libapache2-mod-fcgid
+Section: httpd
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Tatsuki Sugiura
+Build-Depends: debhelper (>= 5.0.0), apache2-threaded-dev (>= 2.2.3-2), libtool, cdbs, libapr1-dev, pkg-config, dpatch
+Standards-Version: 3.8.3
+Uploaders: Taku YASUI
+Homepage: http://httpd.apache.org/mod_fcgid/
+
+Package: libapache2-mod-fcgid
+Architecture: any
+Depends: ${shlibs:Depends}, apache2.2-common, ${misc:Depends}
+Description: an alternative module compat with mod_fastcgi
+ mod_fcgid is a high performance alternative to mod_cgi or mod_cgid,
+ which starts a sufficient number instances of the CGI program to handle
+ concurrent requests, and these programs remain running to handle further
+ incoming requests. It is favored by the PHP developers, for example,
+ as a preferred alternative to running mod_php in-process, delivering
+ very similar performance.
+ .
+ It is a binary compatibility alternative to Apache module mod_fastcgi.
+
+Package: libapache2-mod-fcgid-dbg
+Architecture: any
+Section: debug
+Priority: extra
+Depends: libapache2-mod-fcgid (= ${binary:Version}), ${misc:Depends}
+Description: debugging symbols for mod_fcgid
+ mod_fcgid is a high performance alternative to mod_cgi or mod_cgid,
+ which starts a sufficient number instances of the CGI program to handle
+ concurrent requests, and these programs remain running to handle further
+ incoming requests. It is favored by the PHP developers, for example,
+ as a preferred alternative to running mod_php in-process, delivering
+ very similar performance.
+ .
+ It is a binary compatibility alternative to Apache module mod_fastcgi.
+ .
+ This package contains the debugging symbols for mod_fcgid.
--- libapache2-mod-fcgid-2.3.4.orig/debian/fcgid.load
+++ libapache2-mod-fcgid-2.3.4/debian/fcgid.load
@@ -0,0 +1 @@
+LoadModule fcgid_module /usr/lib/apache2/modules/mod_fcgid.so
--- libapache2-mod-fcgid-2.3.4.orig/debian/watch
+++ libapache2-mod-fcgid-2.3.4/debian/watch
@@ -0,0 +1,6 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# Site Directory Pattern Version Script
+version=3
+http://sf.net/mod-fcgid/mod_fcgid.(.*)\.(tgz|tar\.gz)
--- libapache2-mod-fcgid-2.3.4.orig/debian/compat
+++ libapache2-mod-fcgid-2.3.4/debian/compat
@@ -0,0 +1 @@
+5
--- libapache2-mod-fcgid-2.3.4.orig/debian/dirs
+++ libapache2-mod-fcgid-2.3.4/debian/dirs
@@ -0,0 +1 @@
+usr/lib
--- libapache2-mod-fcgid-2.3.4.orig/debian/patches/20_fix-segv-with-empty-output.dpatch
+++ libapache2-mod-fcgid-2.3.4/debian/patches/20_fix-segv-with-empty-output.dpatch
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_fix-segv-with-empty-output.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: fix segv when fcgi process return empty string.
+
+@DPATCH@
+diff -urNad libapache2-mod-fcgid~/modules/fcgid/fcgid_bridge.c libapache2-mod-fcgid/modules/fcgid/fcgid_bridge.c
+--- libapache2-mod-fcgid~/modules/fcgid/fcgid_bridge.c 2010-01-28 05:23:06.000000000 +0900
++++ libapache2-mod-fcgid/modules/fcgid/fcgid_bridge.c 2010-01-28 05:23:49.435963326 +0900
+@@ -222,7 +222,7 @@
+ int getLF = 0;
+ int getColon = 0;
+
+- while ((dst < dst_end) && !done && !APR_BUCKET_IS_EOS(e)) {
++ while ((dst < dst_end) && !done && !APR_BUCKET_IS_EOS(e) && e != APR_BRIGADE_SENTINEL(bb)) {
+ const char *bucket_data;
+ apr_size_t bucket_data_len;
+ const char *src;
--- libapache2-mod-fcgid-2.3.4.orig/debian/patches/40_CVE-2010-3872.dpatch
+++ libapache2-mod-fcgid-2.3.4/debian/patches/40_CVE-2010-3872.dpatch
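Review bot: The uscan line in debian/watch fetches from `http://sf.net/mod-fcgid/` over plain HTTP, while debian/copyright in this same diff says the source was downloaded from httpd.apache.org. The watch file therefore appears to track a stale location, and it gives no integrity protection for the tarballs it finds. I would point it at the current upstream download location over https and check the upstream signature before importing a release. The leading template comments (`# Example watch control file for uscan`, `# Rename this file to "watch" …`) no longer describe this file and can be dropped.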
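Review bot: In the new loop condition of 20_fix-segv-with-empty-output.dpatch, `APR_BUCKET_IS_EOS(e)` is still evaluated before `e != APR_BRIGADE_SENTINEL(bb)`, so on an empty or exhausted brigade the EOS macro is applied to the sentinel, which is not a real bucket. Testing the sentinel first avoids reading a type field through it: `while ((dst < dst_end) && !done && e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e)) {`. The loop body and the code that advances `e` are outside the hunk, so whether uses of `e` after the loop need the same check cannot be confirmed from here.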
@@ -0,0 +1,22 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 40_CVE-2010-3872.dpatch by Steve Beattie
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: modules/fcgid/fcgid_bucket.c: Fix buffer overflow in
+## DP: fcgid_header_bucket_read()
+# Origin: https://svn.apache.org/viewvc?view=revision&revision=1030894
+# Subject: Fix buffer overflow in fcgid_header_bucket_read()
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' libapache2-mod-fcgid-2.3.4~/modules/fcgid/fcgid_bucket.c libapache2-mod-fcgid-2.3.4/modules/fcgid/fcgid_bucket.c
+--- libapache2-mod-fcgid-2.3.4~/modules/fcgid/fcgid_bucket.c 2009-09-19 17:10:46.000000000 -0700
++++ libapache2-mod-fcgid-2.3.4/modules/fcgid/fcgid_bucket.c 2011-01-06 17:17:59.000000000 -0800
+@@ -96,7 +96,7 @@
+
+ /* Initialize header */
+ putsize = fcgid_min(bufferlen, sizeof(header) - hasread);
+- memcpy(&header + hasread, buffer, putsize);
++ memcpy((apr_byte_t *)&header + hasread, buffer, putsize);
+ hasread += putsize;
+
+ /* Ignore the bytes that have read */
--- libapache2-mod-fcgid-2.3.4.orig/debian/patches/30_fix-request-body-truncation.dpatch
+++ libapache2-mod-fcgid-2.3.4/debian/patches/30_fix-request-body-truncation.dpatch
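Review bot: The corrected `memcpy` line in 40_CVE-2010-3872.dpatch carries no comment explaining the cast, and the reason is easy to lose in a later cleanup. `&header + hasread` advances in units of `sizeof(header)`, so any non-zero `hasread` put the destination past the object, whereas the `apr_byte_t *` cast makes the offset byte-wise. I would add `/* byte offset: arithmetic on &header itself would step whole headers */` above the call. The bound `sizeof(header) - hasread` is only safe while `hasread` never exceeds `sizeof(header)`; the loop condition that would guarantee this is outside the hunk and should be confirmed.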
@@ -0,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: Fix corruption or truncation of request bodies which exceed FcgidMaxRequestInMem.
+# Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=826829
+# Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=48021
+# Bug-Ubuntu: https://bugs.launchpad.net/bugs/573591
+
+@DPATCH@
+diff -Nur libapache2-mod-fcgid-2.3.4.orig/modules/fcgid/fcgid_bridge.c libapache2-mod-fcgid-2.3.4/modules/fcgid/fcgid_bridge.c
+--- libapache2-mod-fcgid-2.3.4.orig/modules/fcgid/fcgid_bridge.c 2009-10-07 13:37:11.000000000 +0200
++++ libapache2-mod-fcgid-2.3.4/modules/fcgid/fcgid_bridge.c 2010-05-13 14:02:39.750967589 +0200
+@@ -448,7 +448,6 @@
+ int seen_eos;
+ apr_off_t request_size = 0;
+ apr_file_t *fd = NULL;
+- int need_truncate = 1;
+ apr_off_t cur_pos = 0;
+ FCGI_Header *stdin_request_header;
+ apr_bucket_brigade *output_brigade;
+@@ -548,6 +547,15 @@
+ apr_pool_userdata_get(&tmp, fd_key,
+ r->connection->pool);
+ fd = tmp;
++
++ if (fd != NULL) {
++ if ((rv = apr_file_trunc(fd, 0)) != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r,
++ "mod_fcgid: can't truncate existing "
++ "temporary file");
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
++ }
+ }
+
+ if (fd == NULL) {
+@@ -574,10 +582,6 @@
+ apr_pool_userdata_set((const void *) fd, fd_key,
+ apr_pool_cleanup_null,
+ r->connection->pool);
+- } else if (need_truncate) {
+- need_truncate = 0;
+- apr_file_trunc(fd, 0);
+- cur_pos = 0;
+ }
+ // Write request to tmp file
+ if ((rv =
--- libapache2-mod-fcgid-2.3.4.orig/debian/patches/00list
+++ libapache2-mod-fcgid-2.3.4/debian/patches/00list
@@ -0,0 +1,4 @@
+10_debian_default_path.dpatch
+20_fix-segv-with-empty-output.dpatch
+30_fix-request-body-truncation.dpatch
+40_CVE-2010-3872
--- libapache2-mod-fcgid-2.3.4.orig/debian/patches/10_debian_default_path.dpatch
+++ libapache2-mod-fcgid-2.3.4/debian/patches/10_debian_default_path.dpatch
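Review bot: The truncation block added at `if (fd != NULL)` in 30_fix-request-body-truncation.dpatch has no comment saying why the file must be emptied at that point. The handle is fetched with `apr_pool_userdata_get` from `r->connection->pool`, so the temporary file looks to be reused across requests on one connection, and the truncation is what keeps an earlier request's body out of the next one. A comment such as `/* temp file is cached per connection: discard the previous request's data before reuse */` would record that. The failure path returns `HTTP_INTERNAL_SERVER_ERROR` but logs at `APLOG_WARNING`; `APLOG_ERR` would fit the outcome better if the file's other failure paths use it, which is not visible here. The enclosing function starts and ends outside these hunks.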
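Review bot: The last entry in debian/patches/00list is written `40_CVE-2010-3872`, while the other three entries carry the `.dpatch` suffix and the file added by this diff is named `40_CVE-2010-3872.dpatch`. If the patch tool does not resolve the bare name, the buffer overflow fix would not be applied at build time. I would write the entry as `40_CVE-2010-3872.dpatch` and confirm in the build log that all four patches are applied.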
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_debian_default_sockprefix.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Change default socket and shm path to compt with debian layout.
+
+@DPATCH@
+diff -urNad libapache2-mod-fcgid~/modules/fcgid/fcgid_conf.c libapache2-mod-fcgid/modules/fcgid/fcgid_conf.c
+--- libapache2-mod-fcgid~/modules/fcgid/fcgid_conf.c 2009-10-07 12:16:08.000000000 +0900
++++ libapache2-mod-fcgid/modules/fcgid/fcgid_conf.c 2010-01-23 17:14:50.025970063 +0900
+@@ -35,8 +35,8 @@
+ #define DEFAULT_ERROR_SCAN_INTERVAL 3
+ #define DEFAULT_ZOMBIE_SCAN_INTERVAL 3
+ #define DEFAULT_PROC_LIFETIME (60*60)
+-#define DEFAULT_SOCKET_PREFIX "logs/fcgidsock"
+-#define DEFAULT_SHM_PATH "logs/fcgid_shm"
++#define DEFAULT_SOCKET_PREFIX "/var/lib/apache2/fcgid/sock"
++#define DEFAULT_SHM_PATH "/var/lib/apache2/fcgid/sock/shm"
+ #define DEFAULT_SPAWNSOCRE_UPLIMIT 10
+ #define DEFAULT_SPAWN_SCORE 1
+ #define DEFAULT_TERMINATION_SCORE 2
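Review bot: `DEFAULT_SHM_PATH` in 10_debian_default_path.dpatch now sits inside the socket directory (`/var/lib/apache2/fcgid/sock/shm`), which debian/rules in this same diff chowns to www-data. If FastCGI applications run under that account, they may be able to replace or alter the shared-memory file, so a sibling path such as `#define DEFAULT_SHM_PATH "/var/lib/apache2/fcgid/shm"` is worth considering. That assumes the process creating the file can write to the parent directory, which is not visible here. The dpatch header also calls itself `10_debian_default_sockprefix.dpatch` although the file is `10_debian_default_path.dpatch`.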