authorsbd <sbd@pkgsrc.org>2011-12-08 04:01:36 +0000
committersbd <sbd@pkgsrc.org>2011-12-08 04:01:36 +0000
commit983eef3085e4e6c8a982db41186d409538683eff (patch)
tree639ee9a1751ed4f5677c6bc8b4b5f24159131aa0
parente4ccb8454ca7a134dee743a7b9a5409717c208a9 (diff)
Pullup ticket #3626 - requested by tron
www/apache22 security update Revisions pulled up: - www/apache22/Makefile 1.75 - www/apache22/distinfo 1.45 - www/apache22/patches/patch-server_protocol.c 1.2 --- Module Name: pkgsrc Committed By: tron Date: Wed Dec 7 22:58:12 UTC 2011 Modified Files: pkgsrc/www/apache22: Makefile distinfo pkgsrc/www/apache22/patches: patch-server_protocol.c Log Message: Add improved fix for proxy vulnerability reported in CVE-2011-3368. This should also fix CVE-2011-3639 and possibly CVE-2011-4317, both part of SA46987.
-rw-r--r--www/apache22/Makefile4
-rw-r--r--www/apache22/distinfo4
-rw-r--r--www/apache22/patches/patch-server_protocol.c34
3 files changed, 34 insertions, 8 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 22d4ce1eed6..23e8851ca6d 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.71.2.2 2011/11/12 04:25:37 sbd Exp $
+# $NetBSD: Makefile,v 1.71.2.3 2011/12/08 04:01:36 sbd Exp $
DISTNAME= httpd-2.2.21
PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 2
+PKGREVISION= 4
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index c070fc49fad..af60f138a72 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.42.2.2 2011/11/12 04:25:37 sbd Exp $
+$NetBSD: distinfo,v 1.42.2.3 2011/12/08 04:01:36 sbd Exp $
SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4
RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1
@@ -16,5 +16,5 @@ SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1
SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1
-SHA1 (patch-server_protocol.c) = 5361b5218d4f2aa22ea79e4ba6534ca0252c6e4e
+SHA1 (patch-server_protocol.c) = fc77c3293f6f2f73a40e88098ba1483d3e605b66
SHA1 (patch-server_util.c) = b63f73e2a482facd188eecb0864fc612d1b7b3a5
diff --git a/www/apache22/patches/patch-server_protocol.c b/www/apache22/patches/patch-server_protocol.c
index 247c5540432..ddc05ca2ae7 100644
--- a/www/apache22/patches/patch-server_protocol.c
+++ b/www/apache22/patches/patch-server_protocol.c
@@ -1,13 +1,20 @@
-$NetBSD: patch-server_protocol.c,v 1.1.2.2 2011/10/10 18:00:06 tron Exp $
+$NetBSD: patch-server_protocol.c,v 1.1.2.3 2011/12/08 04:01:37 sbd Exp $
revision 1179239 from http://svn.apache.org/:
SECURITY (CVE-2011-3368): Prevent unintended pattern expansion
in some reverse proxy configurations by strictly validating
the request-URI.
---- server/protocol.c.orig 2011-10-10 09:11:16.000000000 +0000
-+++ server/protocol.c
-@@ -640,6 +640,25 @@ static int read_request_line(request_rec
+revision 1179525 from http://svn.apache.org/:
+ SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+ reverse proxy configurations by strictly validating the request-URI:
+ * server/protocol.c (read_request_line): Send a 400 response if the
+ request-URI does not match the grammar from RFC 2616. This ensures
+ the input string for RewriteRule et al really is an absolute path.
+
+--- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100
++++ server/protocol.c 2011-12-07 22:48:17.000000000 +0000
+@@ -640,6 +640,44 @@
ap_parse_uri(r, uri);
@@ -30,6 +37,25 @@ revision 1179239 from http://svn.apache.org/:
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
++ /* RFC 2616:
++ * Request-URI = "*" | absoluteURI | abs_path | authority
++ *
++ * authority is a special case for CONNECT. If the request is not
++ * using CONNECT, and the parsed URI does not have scheme, and
++ * it does not begin with '/', and it is not '*', then, fail
++ * and give a 400 response. */
++ if (r->method_number != M_CONNECT
++ && !r->parsed_uri.scheme
++ && uri[0] != '/'
++ && !(uri[0] == '*' && uri[1] == '\0')) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "invalid request-URI %s", uri);
++ r->args = NULL;
++ r->hostname = NULL;
++ r->status = HTTP_BAD_REQUEST;
++ r->uri = apr_pstrdup(r->pool, uri);
++ }
++
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
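Review bot: The added check in the embedded server/protocol.c patch is skipped whenever `r->parsed_uri.scheme` is non-NULL, so a request-URI that ap_parse_uri() parses with a scheme is never tested for being an absolute path. The log message only says this "possibly" fixes CVE-2011-4317, so that case should be verified against the reverse-proxy configurations the patch header mentions (RewriteRule et al) before the CVE is treated as closed. I would record the gap above the `if` with a comment like `/* NOTE: request-URIs with a parsed scheme are not validated here */`. The block also sets `r->status = HTTP_BAD_REQUEST` without returning, so the rejection relies on code outside this hunk acting on the status; read_request_line starts and ends outside the hunk.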