Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache-mod...@packages.debian.org, a...@debian.org
Control: affects -1 + src:libapache-mod-jk


[ Reason ]

Fixing CVE-2024-46544 in bookworm via bookworm-pu. Marked as no-dsa by
the security team.

[ Impact ]

bookworm would be the only vulnerable release.

[ Tests ]

The fix only involves changing permissions. No automatic tests were
added.

[ Risks ]

This has been fixed in bullseye for some time and no regressions were
reported. The changes are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Adding 0004-CVE-2024-46544.patch to change the default permissions.
Debdiff is attached.
diff -Nru libapache-mod-jk-1.2.48/debian/changelog 
libapache-mod-jk-1.2.48/debian/changelog
--- libapache-mod-jk-1.2.48/debian/changelog    2023-09-24 16:40:59.000000000 
+0200
+++ libapache-mod-jk-1.2.48/debian/changelog    2025-02-08 21:24:47.000000000 
+0100
@@ -1,3 +1,13 @@
+libapache-mod-jk (1:1.2.48-2+deb12u2) bookworm; urgency=medium
+
+  * Fix CVE-2024-46544:
+    An issue with incorrect default permissions could have allowed local users
+    to view and modify shared memory containing mod_jk's configuration, which
+    may have potentially led to information disclosure and/or a denial of
+    service attack. (Closes: #1082713)
+
+ -- Markus Koschany <a...@debian.org>  Sat, 08 Feb 2025 21:24:47 +0100
+
 libapache-mod-jk (1:1.2.48-2+deb12u1) bookworm; urgency=high
 
   * Fix CVE-2023-41081:
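Review bot: the new 1:1.2.48-2+deb12u2 entry describes the vulnerability but not the change itself. Since the checklist relies on d/changelog documenting every change, name the added patch (debian/patches/0004-CVE-2024-46544.patch) and say that it lowers the creation mode of the shared memory and lock files from 0666 to 0600.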
diff -Nru libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch 
libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch
--- libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch    
1970-01-01 01:00:00.000000000 +0100
+++ libapache-mod-jk-1.2.48/debian/patches/0004-CVE-2024-46544.patch    
2025-02-08 21:24:47.000000000 +0100
@@ -0,0 +1,71 @@
+From: Rainer Jung <rainer.j...@kippdata.de>
+Date: Thu, 8 Aug 2024 10:00:13 +0200
+Subject: [PATCH] Improve shared memory handling on non-Windows.
+
+---
+ native/common/jk_shm.c            | 12 ++++++------
+ xdocs/miscellaneous/changelog.xml |  3 +++
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/native/common/jk_shm.c b/native/common/jk_shm.c
+index 58956dc..65d9f62 100644
+--- a/native/common/jk_shm.c
++++ b/native/common/jk_shm.c
+@@ -459,7 +459,7 @@ static int do_shm_open_lock(const char *fname, int 
attached, jk_logger_t *l)
+ 
+     if (attached && jk_shmem.lockname) {
+ #ifdef JK_SHM_LOCK_REOPEN
+-        jk_shmem.fd_lock = open(jk_shmem.lockname, O_RDWR, 0666);
++        jk_shmem.fd_lock = open(jk_shmem.lockname, O_RDWR, 0600);
+ #else
+         errno = EINVAL;
+ #endif
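Review bot: in the JK_SHM_LOCK_REOPEN branch the mode argument has no effect, because open() only uses it when O_CREAT (or O_TMPFILE) is set, and this call passes O_RDWR alone. The reopened lock file keeps whatever mode it was created with, so the 0666 to 0600 change on this line is cosmetic. Either drop the third argument or, if the intent is to tighten an already existing file, follow the open with fchmod(jk_shmem.fd_lock, 0600).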
+@@ -483,7 +483,7 @@ static int do_shm_open_lock(const char *fname, int 
attached, jk_logger_t *l)
+         for (i = 0; i < 8; i++) {
+             strcpy(flkname, "/tmp/jkshmlock.XXXXXX");
+             if (mktemp(flkname)) {
+-                jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC, 
0666);
++                jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC, 
0600);
+                 if (jk_shmem.fd_lock >= 0)
+                     break;
+             }
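Review bot: the /tmp/jkshmlock.XXXXXX path still uses mktemp() followed by open() with O_CREAT|O_TRUNC and no O_EXCL, so the new 0600 mode is applied only if the name does not exist at the moment of the open. If the name already exists in /tmp, the file is opened and truncated with its existing owner and mode, and the permission fix does not take hold. Replacing the mktemp()/open() pair with mkstemp(), which creates the file exclusively with mode 0600, would close that gap; adding O_EXCL to the flags is the smaller alternative, and the surrounding loop already retries up to 8 times.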
+@@ -495,10 +495,10 @@ static int do_shm_open_lock(const char *fname, int 
attached, jk_logger_t *l)
+ #ifdef AS400_UTF8
+         wptr = (char *)malloc(strlen(flkname) + 1);
+         jk_ascii2ebcdic((char *)flkname, wptr);
+-        jk_shmem.fd_lock = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0666);
++        jk_shmem.fd_lock = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0600);
+         free(wptr);
+ #else
+-        jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC, 0666);
++        jk_shmem.fd_lock = open(flkname, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ #endif
+ #endif
+         if (jk_shmem.fd_lock == -1) {
+@@ -589,10 +589,10 @@ static int do_shm_open(const char *fname, int attached,
+ #ifdef AS400_UTF8
+         wptr = (char *)malloc(strlen(jk_shmem.filename) + 1);
+         jk_ascii2ebcdic((char *)jk_shmem.filename, wptr);
+-        fd = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0666);
++        fd = open(wptr, O_RDWR|O_CREAT|O_TRUNC, 0600);
+         free(wptr);
+ #else
+-        fd = open(jk_shmem.filename, O_RDWR|O_CREAT|O_TRUNC, 0666);
++        fd = open(jk_shmem.filename, O_RDWR|O_CREAT|O_TRUNC, 0600);
+ #endif
+         if (fd == -1) {
+             jk_shmem.size = 0;
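Review bot: in open(jk_shmem.filename, O_RDWR|O_CREAT|O_TRUNC, 0600) the mode is honoured only when the file is newly created, and it is still filtered through the process umask. A shared memory file left on disk by the previous build is truncated and reused with its old mode unchanged, and the same holds for the lock file opened with the same flags in do_shm_open_lock. For a stable update it would help to call fchmod(fd, 0600) after a successful open, or to state in the upload that any existing files must be removed before the fix is effective.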
+diff --git a/xdocs/miscellaneous/changelog.xml 
b/xdocs/miscellaneous/changelog.xml
+index bb5a8ac..224bb18 100644
+--- a/xdocs/miscellaneous/changelog.xml
++++ b/xdocs/miscellaneous/changelog.xml
+@@ -91,6 +91,9 @@
+         socket_connect_timeout to be interpreted in units of seconds
+         instead of milliseconds on platforms that provide poll(). (rjung)
+       </fix>
++      <fix>
++        Improve shared memory handling on non-Windows. (rjung)
++      </fix>
+     </changelog>
+   </subsection>
+ </section>
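Review bot: the patch header at the top of 0004-CVE-2024-46544.patch carries only From, Date and Subject, so nothing in the file ties it to the upstream commit or to the Debian bug. Adding DEP-3 fields such as Origin: (pointing at the upstream commit) and Bug-Debian: for #1082713 would make the patch traceable and consistent with the Closes: in d/changelog.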
diff -Nru libapache-mod-jk-1.2.48/debian/patches/series 
libapache-mod-jk-1.2.48/debian/patches/series
--- libapache-mod-jk-1.2.48/debian/patches/series       2023-09-24 
16:40:59.000000000 +0200
+++ libapache-mod-jk-1.2.48/debian/patches/series       2025-02-08 
21:24:47.000000000 +0100
@@ -1,3 +1,4 @@
 0002-debianize-log-directory.patch
 0003-upgrade-info-to-error-message.patch
 CVE-2023-41081.patch
+0004-CVE-2024-46544.patch
