From 53639770b1ff95523c9ed7f2e61e10c0912b058f Mon Sep 17 00:00:00 2001 From: liubo0711 <1191322237@qq.com> Date: Tue, 8 Oct 2024 10:29:07 +0800 Subject: [PATCH] SECURITY UPDATE --- debian/changelog | 9 ++++ debian/patches/0015-SECURITY-UPDATE.patch | 56 +++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 66 insertions(+) create mode 100644 debian/patches/0015-SECURITY-UPDATE.patch diff --git a/debian/changelog b/debian/changelog index c8100e0..fbbb826 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +apr (1.7.2-ok2) nile; urgency=medium + + * SECURITY UPDATE: local information disclosure via shared memory + segments - debian/patches/CVE-2023-49582.patch: adjust + permissions on shared memory segments to prevent unauthorized + access in shmem/unix/shm.c - CVE-2023-49582 + + -- liubo01 Tue, 08 Oct 2024 10:29:07 +0800 + apr (1.7.2-ok1) nile; urgency=medium * Build for openKylin. diff --git a/debian/patches/0015-SECURITY-UPDATE.patch b/debian/patches/0015-SECURITY-UPDATE.patch new file mode 100644 index 0000000..cc100a6 --- /dev/null +++ b/debian/patches/0015-SECURITY-UPDATE.patch 
@@ -0,0 +1,56 @@
+From: liubo0711 <1191322237@qq.com>
+Date: Tue, 8 Oct 2024 10:29:07 +0800
+Subject: SECURITY UPDATE
+
+---
+ shmem/unix/shm.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/shmem/unix/shm.c b/shmem/unix/shm.c
+index f99afec..0f42f51 100644
+--- a/shmem/unix/shm.c
++++ b/shmem/unix/shm.c
+@@ -287,10 +287,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ status = APR_SUCCESS;
+
+ #if APR_USE_SHMEM_MMAP_TMP
+- /* FIXME: Is APR_OS_DEFAULT sufficient? */
+ status = apr_file_open(&file, filename,
+ APR_READ | APR_WRITE | APR_CREATE | APR_EXCL,
+- APR_OS_DEFAULT, pool);
++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+ if (status != APR_SUCCESS) {
+ return status;
+ }
+@@ -319,8 +318,7 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ }
+ #endif /* APR_USE_SHMEM_MMAP_TMP */
+ #if APR_USE_SHMEM_MMAP_SHM
+- /* FIXME: SysV uses 0600... should we? */
+- tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0644);
++ tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600);
+ if (tmpfd == -1) {
+ return errno;
+ }
+@@ -361,10 +359,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ #elif APR_USE_SHMEM_SHMGET
+ new_m->realsize = reqsize;
+
+- /* FIXME: APR_OS_DEFAULT is too permissive, switch to 600 I think. */
+ status = apr_file_open(&file, filename,
+ APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL,
+- APR_OS_DEFAULT, pool);
++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+ if (status != APR_SUCCESS) {
+ return status;
+ }
+@@ -555,8 +552,7 @@ APR_DECLARE(apr_status_t) apr_shm_attach(apr_shm_t **m,
+ #if APR_USE_SHMEM_MMAP_SHM
+ const char *shm_name = make_shm_open_safe_name(filename, pool);
+
+- /* FIXME: SysV uses 0600... should we? */
+- tmpfd = shm_open(shm_name, O_RDWR, 0644);
++ tmpfd = shm_open(shm_name, O_RDWR, 0600);
+ if (tmpfd == -1) {
+ return errno;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index a8badec..9835af9 100644
--- a/debian/patches/series
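Review bot: In the last inner hunk (apr_shm_attach) the shm_open() mode goes from 0644 to 0600, but the flags there are only O_RDWR with no O_CREAT, and shm_open() consults the mode argument only when creating, so that line changes nothing at runtime; the effective fix is the three apr_shm_create() changes above it, and a comment such as `/* mode is unused without O_CREAT; kept at 0600 to match apr_shm_create() */` would stop the next reader from counting attach as part of the fix. On the APR_USE_SHMEM_SHMGET path only the key file's mode is tightened here; the permission bits of the SysV segment itself come from the shmget() flags later in apr_shm_create(), which are outside the hunk and should be confirmed to grant no group/other access before this is shipped as the complete CVE fix. Both apr_shm_create() and apr_shm_attach() begin before and continue after the lines shown. The embedded patch header is only From/Date/Subject with no CVE identifier or upstream reference, so a DEP-3 block along the lines of `Subject: CVE-2023-49582: create shared memory segments with mode 0600` and `Origin: backport, APR 1.7.5` (the upstream release that addressed this CVE) would make the backport traceable; note also that the changelog entry names `debian/patches/CVE-2023-49582.patch` while the file actually added to series is `0015-SECURITY-UPDATE.patch`.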
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ use_fcntl_locking.patch
 python3-hashbang.patch
 fix-atomics.patch
 fix-atomics-some-more.patch
+0015-SECURITY-UPDATE.patch