authorPhilip M. Gollucci <pgollucci@FreeBSD.org>2009-06-08 05:11:09 +0000
committerPhilip M. Gollucci <pgollucci@FreeBSD.org>2009-06-08 05:11:09 +0000
commitbdd3a866cc3d6067f1ac27e4002935b12464ad32 (patch)
tree07aa9f68074dd4820fc4437edc8e150cd6f357c2
parent719043da101cb943517886d7bbb51ed3f43f083a (diff)
downloadfreebsd-ports-bdd3a866cc3d6067f1ac27e4002935b12464ad32.zip
- Backport apr-util security fixes pending the 2.2.12 release (forthcoming)
Security: http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812 PR: ports/135310 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> With Hat: apache
-rw-r--r--www/apache20/Makefile2
-rw-r--r--www/apache20/files/patch-apr-fix-apr_xml-expat-attack51
-rw-r--r--www/apache20/files/patch-apr-fix-brigade_vprintf_overflow18
-rw-r--r--www/apache20/files/patch-apr-fix-strmatch-underflow21
4 files changed, 91 insertions, 1 deletions
diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index df7739aec8c8..3a4625fe3415 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@@ -9,7 +9,7 @@
PORTNAME= apache
PORTVERSION= 2.0.63
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
${MASTER_SITE_LOCAL:S/$/:powerlogo/}
diff --git a/www/apache20/files/patch-apr-fix-apr_xml-expat-attack b/www/apache20/files/patch-apr-fix-apr_xml-expat-attack
new file mode 100644
index 000000000000..2040f082ea2d
--- /dev/null
+++ b/www/apache20/files/patch-apr-fix-apr_xml-expat-attack
@@ -0,0 +1,51 @@
+Taken from
+ http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
+
+--- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729
++++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403
+@@ -347,6 +347,25 @@
+ return APR_SUCCESS;
+ }
+
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ apr_xml_parser *parser = userData;
++
++ XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+ apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,19 @@
+ XML_SetElementHandler(parser->xp, start_handler, end_handler);
+ XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, installing a noop
++ * DefaultHandler means that internal entities will be expanded as
++ * the empty string, which is also sufficient to prevent the
++ * attack. */
++#if XML_MAJOR_VERSION > 1
++ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++ XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+ return parser;
+ }
+
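Review bot: On expat 2.x the new `entity_declaration` handler rejects every document that declares any entity, not only abusive ones, and neither the handler comment nor the block comment in `apr_xml_parser_create` says how that failure reaches callers. `XML_StopParser(parser->xp, XML_FALSE)` requests a non-resumable stop, so the parse call should come back with an error; I would state that in the handler comment, e.g. `/* Abort (non-resumable) on any entity declaration; the caller sees a parse error. */`. On the 1.x branch entity references silently expand to the empty string, so content can change without any error, which deserves the same explicit mention for anyone consuming the parsed tree. `apr_xml_parser_create` is only partly visible in the embedded patch, so the error path back to callers cannot be checked from here.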
diff --git a/www/apache20/files/patch-apr-fix-brigade_vprintf_overflow b/www/apache20/files/patch-apr-fix-brigade_vprintf_overflow
new file mode 100644
index 000000000000..7ac97674b0c7
--- /dev/null
+++ b/www/apache20/files/patch-apr-fix-brigade_vprintf_overflow
@@ -0,0 +1,18 @@
+Equal to the fix in the apr-util itself:
+ http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch
+
+See discuission about original vulnerability at
+ http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
+
+--- srclib/apr-util/buckets/apr_brigade.c.orig 2009-06-06 12:32:12.000000000 +0400
++++ srclib/apr-util/buckets/apr_brigade.c 2009-06-06 12:35:30.000000000 +0400
+@@ -689,9 +689,6 @@
+ return -1;
+ }
+
+- /* tack on null terminator to remaining string */
+- *(vd.vbuff.curpos) = '\0';
+-
+ /* write out what remains in the buffer */
+ return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
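Review bot: Once the terminator store is removed, nothing at this spot records that `buf` is deliberately left without a NUL, which invites a later "cleanup" that re-adds the write. The remaining call passes an explicit length (`vd.vbuff.curpos - buf`), so the terminator looks unnecessary, and presumably `curpos` can sit at the very end of the buffer, which is what made the store unsafe. I would leave a comment in its place, e.g. `/* buf is intentionally not NUL-terminated: curpos may be at the end of buf, and the length is passed explicitly */`. The enclosing function starts outside the hunk, so the buffer size and the flush logic cannot be confirmed here.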
diff --git a/www/apache20/files/patch-apr-fix-strmatch-underflow b/www/apache20/files/patch-apr-fix-strmatch-underflow
new file mode 100644
index 000000000000..c1e252355927
--- /dev/null
+++ b/www/apache20/files/patch-apr-fix-strmatch-underflow
@@ -0,0 +1,21 @@
+Fix underflow in apr_strmatch_precompile,
+ http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch
+
+--- srclib/apr-util/strmatch/apr_strmatch.c 2009/03/24 11:12:27 757729
++++ srclib/apr-util/strmatch/apr_strmatch.c 2009/05/29 07:47:52 779878
+@@ -103,13 +103,13 @@
+ if (case_sensitive) {
+ pattern->compare = match_boyer_moore_horspool;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[(int)s[i]] = pattern->length - i - 1;
++ shift[(unsigned char)s[i]] = pattern->length - i - 1;
+ }
+ }
+ else {
+ pattern->compare = match_boyer_moore_horspool_nocase;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[apr_tolower(s[i])] = pattern->length - i - 1;
++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+ }
+ }
+ pattern->context = shift;
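Review bot: The two casts fix how the `shift` table is built, but the lookup side in `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` is outside the hunk and must index `shift` with the same unsigned conversion. If it does not, a byte >= 0x80 would still index before the array, or hit a different slot than the one written here. The casts also deserve a why-comment, e.g. `/* plain char may be signed; index shift[] by unsigned char so bytes >= 0x80 stay in range */`. Separately, the loop bound `pattern->length - 1` would wrap if `length` is unsigned and zero; the empty-pattern guard is presumably above the hunk and worth confirming.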