Pullup ticket 2425 - requested by tron

security patch for apache22

- pkgsrc/www/apache22/Makefile				1.26
- pkgsrc/www/apache22/distinfo				1.10
- pkgsrc/www/apache22/patches/patch-ab			1.6

   Module Name:		pkgsrc
   Committed By:	tron
   Date:		Thu Jun 12 14:12:19 UTC 2008

   Modified Files:
	   pkgsrc/www/apache22: Makefile distinfo
   Added Files:
	   pkgsrc/www/apache22/patches: patch-ab

   Log Message:
   Add patch for CVE-2008-2364 from the Apache SVN repository.

3 files changed, 87 insertions, 3 deletions

diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index f19786581cc..42111f239a1 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.24 2008/01/21 15:07:10 xtraeme Exp $
+# $NetBSD: Makefile,v 1.24.2.1 2008/06/16 09:00:02 ghen Exp $
 
 .include "Makefile.common"
 
 PKGNAME=	apache-${APACHE_VERSION}
-#PKGREVISION=	1
+PKGREVISION=	1
 CATEGORIES=	www
 
 HOMEPAGE=	http://httpd.apache.org/
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index dad597e533c..b751639cd9d 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.9 2008/01/21 15:07:11 xtraeme Exp $
+$NetBSD: distinfo,v 1.9.2.1 2008/06/16 09:00:02 ghen Exp $
 
 SHA1 (httpd-2.2.8.tar.bz2) = 5074904435d3d942ce2dc96c44b07294b8eaca77
 RMD160 (httpd-2.2.8.tar.bz2) = 0736ea9617bafaa1c8cd34ce4fc1c7a659afea57
 Size (httpd-2.2.8.tar.bz2) = 4799055 bytes
 SHA1 (patch-aa) = ae5b34058fc6455cfa9e3d52a50829155ce2eb11
+SHA1 (patch-ab) = 55f4dac616fbe47fea7be0aecd1b7be679b9b0e7
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab
new file mode 100644
index 00000000000..1b2b3d7750d
--- /dev/null
+++ b/www/apache22/patches/patch-ab
@@ -0,0 +1,83 @@
+$NetBSD: patch-ab,v 1.5.2.1 2008/06/16 09:00:02 ghen Exp $
+
+Patch for CVE-2008-2364, taken from here:
+
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154
+
+--- modules/proxy/mod_proxy_http.c.orig	2007-12-08 14:01:47.000000000 +0000
++++ modules/proxy/mod_proxy_http.c	2008-06-12 14:44:10.000000000 +0100
+@@ -1309,6 +1309,16 @@
+     return rv;
+ }
+ 
++/*
++ * Limit the number of interim respones we sent back to the client. Otherwise
++ * we suffer from a memory build up. Besides there is NO sense in sending back
++ * an unlimited number of interim responses to the client. Thus if we cross
++ * this limit send back a 502 (Bad Gateway).
++ */
++#ifndef AP_MAX_INTERIM_RESPONSES
++#define AP_MAX_INTERIM_RESPONSES 10
++#endif
++
+ static
+ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+                                             proxy_conn_rec *backend,
+@@ -1323,8 +1333,8 @@
+     apr_bucket *e;
+     apr_bucket_brigade *bb, *tmp_bb;
+     int len, backasswards;
+-    int interim_response; /* non-zero whilst interim 1xx responses
+-                           * are being read. */
++    int interim_response = 0; /* non-zero whilst interim 1xx responses
++                               * are being read. */
+     int pread_len = 0;
+     apr_table_t *save_table;
+     int backend_broke = 0;
+@@ -1339,6 +1349,7 @@
+      */
+ 
+     rp = ap_proxy_make_fake_req(origin, r);
++    ap_proxy_pre_http_request(origin, rp);
+     /* In case anyone needs to know, this is a fake request that is really a
+      * response.
+      */
+@@ -1469,7 +1480,6 @@
+             if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+                 ap_set_content_type(r, apr_pstrdup(p, buf));
+             }
+-            ap_proxy_pre_http_request(origin,rp);
+ 
+             /* Clear hop-by-hop headers */
+             for (i=0; hop_by_hop_hdrs[i]; ++i) {
+@@ -1518,7 +1528,12 @@
+             backend->close += 1;
+         }
+ 
+-        interim_response = ap_is_HTTP_INFO(r->status);
++        if (ap_is_HTTP_INFO(r->status)) {
++            interim_response++;
++        }
++        else {
++            interim_response = 0;
++        }
+         if (interim_response) {
+             /* RFC2616 tells us to forward this.
+              *
+@@ -1711,7 +1726,15 @@
+ 
+             apr_brigade_cleanup(bb);
+         }
+-    } while (interim_response);
++    } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
++
++    /* See define of AP_MAX_INTERIM_RESPONSES for why */
++    if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
++        return ap_proxyerror(r, HTTP_BAD_GATEWAY,
++                             apr_psprintf(p, 
++                             "Too many (%d) interim responses from origin server",
++                             interim_response));
++    }
+ 
+     /* If our connection with the client is to be aborted, return DONE. */
+     if (c->aborted || backend_broke) {