From 5fac30f680d5494fd2a4af287270ac7e397414e3 Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Jun 06 2012 14:23:31 +0000
Subject: fix htdbm/htpasswd crash on crypt() failure (#818684)

Resolves: rhbz#818684
---
diff --git a/httpd-2.4.2-r1346905.patch b/httpd-2.4.2-r1346905.patch
new file mode 100644
index 0000000..e94558e
--- /dev/null
+++ b/httpd-2.4.2-r1346905.patch
@@ -0,0 +1,65 @@
+# ./pullrev.sh 1346905
+
+https://bugzilla.redhat.com/show_bug.cgi?id=818684
+
+http://svn.apache.org/viewvc?view=revision&revision=1346905
+
+--- httpd-2.4.2/support/htdbm.c
++++ httpd-2.4.2/support/htdbm.c
+@@ -288,6 +288,9 @@
+ {
+ char cpw[MAX_STRING_LEN];
+ char salt[9];
++#if (!(defined(WIN32) || defined(NETWARE)))
++ char *cbuf;
++#endif
+
+ switch (htdbm->alg) {
+ case ALG_APSHA:
+@@ -315,7 +318,15 @@
+ (void) srand((int) time((time_t *) NULL));
+ to64(&salt[0], rand(), 8);
+ salt[8] = '\0';
+- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);
++ cbuf = crypt(htdbm->userpass, salt);
++ if (cbuf == NULL) {
++ char errbuf[128];
++
++ fprintf(stderr, "crypt() failed: %s\n",
++ apr_strerror(errno, errbuf, sizeof errbuf));
++ exit(ERR_PWMISMATCH);
++ }
++ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
+ fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n");
+ #endif
+ default:
+--- httpd-2.4.2/support/htpasswd.c
++++ httpd-2.4.2/support/htpasswd.c
+@@ -174,6 +174,9 @@
+ char pwv[MAX_STRING_LEN];
+ char salt[9];
+ apr_size_t bufsize;
++#if CRYPT_ALGO_SUPPORTED
++ char *cbuf;
++#endif
+
+ if (passwd != NULL) {
+ pw = passwd;
+@@ -226,7 +229,16 @@
+ to64(&salt[0], rand(), 8);
+ salt[8] = '\0';
+
+- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
++ cbuf = crypt(pw, salt);
++ if (cbuf == NULL) {
++ char errbuf[128];
++
++ apr_snprintf(record, rlen-1, "crypt() failed: %s",
++ apr_strerror(errno, errbuf, sizeof errbuf));
++ return ERR_PWMISMATCH;
++ }
++
++ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
+ if (strlen(pw) > 8) {
+ char *truncpw = strdup(pw);
+ truncpw[8] = '\0';
diff --git a/httpd.spec b/httpd.spec
index 9a07862..16682b2 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.2
-Release: 13%{?dist}
+Release: 14%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
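Review bot: Both new failure paths report a crypt() error under `ERR_PWMISMATCH` (`exit(ERR_PWMISMATCH)` in the htdbm.c hunk, `return ERR_PWMISMATCH` in the htpasswd.c hunk), a code whose name suggests a verification mismatch, so a wrapper that checks the exit status cannot tell "hashing unavailable" from "passwords differ". A dedicated status would be clearer; failing that, a comment above each check such as `/* crypt() returns NULL on failure, e.g. when the hash method is unavailable; reported as a mismatch for lack of a dedicated code */` documents the choice. The `cbuf` declarations are guarded by `#if (!(defined(WIN32) || defined(NETWARE)))` and `#if CRYPT_ALGO_SUPPORTED`, while the `#if` that opens each use site lies outside the hunks, so it is worth confirming that the conditions match. The htpasswd.c hunk ends inside `if (strlen(pw) > 8) {`; if that block calls crypt() again on `truncpw`, which is not visible here, its result needs the same NULL check before it is compared or copied.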
@@ -50,6 +50,7 @@ Patch40: httpd-2.4.2-restart.patch Patch41: httpd-2.4.2-r1327036+.patch Patch42: httpd-2.4.2-r1326980+.patch Patch43: httpd-2.4.2-r1332643+.patch +Patch44: httpd-2.4.2-r1346905.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -161,6 +162,7 @@ authentication to the Apache HTTP Server. %patch41 -p1 -b .r1327036+ %patch42 -p1 -b .r1326980+ %patch43 -p1 -b .r1332643+ +%patch44 -p1 -b .r1346905 # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 @@ -565,6 +567,9 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Wed Jun 6 2012 Joe Orton - 2.4.2-14 +- fix htdbm/htpasswd crash on crypt() failure (#818684) + * Wed Jun 6 2012 Joe Orton - 2.4.2-13 - pull fix for NPN patch from upstream (r1345599)