authorlkundrak <lkundrak@pkgsrc.org>2007-06-28 01:20:52 +0000
committerlkundrak <lkundrak@pkgsrc.org>2007-06-28 01:20:52 +0000
commit31db872355e3c061cecf9a2ce902a043789258a6 (patch)
treedb678a4eb2b548a44a1977b49d99b37ff1b81805
parent4c55c91e649dd9b8fa192a3462378e4fb6e1a75d (diff)
Fixes for security issues, PKGREVISION bump.
CVE-2007-3304 Denial of Service. CVE-2006-5752 XSS in mod_status with ExtendedStatus on. CVE-2007-1863 remote crash when mod_cache enabled.
-rw-r--r--www/apache22/Makefile4
-rw-r--r--www/apache22/distinfo11
-rw-r--r--www/apache22/patches/patch-ab36
-rw-r--r--www/apache22/patches/patch-ao44
-rw-r--r--www/apache22/patches/patch-ap78
-rw-r--r--www/apache22/patches/patch-aq24
-rw-r--r--www/apache22/patches/patch-ar33
-rw-r--r--www/apache22/patches/patch-as14
-rw-r--r--www/apache22/patches/patch-at15
-rw-r--r--www/apache22/patches/patch-au14
10 files changed, 266 insertions, 7 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 7d9820da025..d3769554e69 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.13 2007/06/08 12:25:06 wiz Exp $
+# $NetBSD: Makefile,v 1.14 2007/06/28 01:20:52 lkundrak Exp $
.include "Makefile.common"
PKGNAME= apache-${APACHE_VERSION}
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= www
HOMEPAGE= http://httpd.apache.org/
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 27209698491..5cd2be48d4c 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.5 2007/06/05 01:43:44 lkundrak Exp $
+$NetBSD: distinfo,v 1.6 2007/06/28 01:20:52 lkundrak Exp $
SHA1 (httpd-2.2.4.tar.bz2) = 64ceae373434a986dc99b8ed953afa0d4fad85ce
RMD160 (httpd-2.2.4.tar.bz2) = bb6e8a7447fa8e8f629010f30b548068de518523
Size (httpd-2.2.4.tar.bz2) = 4930375 bytes
SHA1 (patch-aa) = 233dbabda2bd830c6f0664c42e192e4acd2aff4c
-SHA1 (patch-ab) = 387892276efd49fd081a187c1123de26fb6486ba
+SHA1 (patch-ab) = b8586dea7600febbadbbad5089300336ea695ffb
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
@@ -13,3 +13,10 @@ SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
SHA1 (patch-an) = 1d02b10e92ad1f613b17b6ebc812d8931b54d3da
+SHA1 (patch-ao) = 85e38b6415ade9b328800b7bf15b9741758d455c
+SHA1 (patch-ap) = 9a25ce74bd355d9eeb2a885f65e19a3ba473ce77
+SHA1 (patch-aq) = 27a0093fc75dcafc673abc25e9ebe80167f52ac1
+SHA1 (patch-ar) = 536fb47cf750a316c773b1d3153cba52c3fac37c
+SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c
+SHA1 (patch-at) = 114a55493527a87bada21ee192828b5188a5cddd
+SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab
index 93c91dbc77f..1c8d2a3b7ad 100644
--- a/www/apache22/patches/patch-ab
+++ b/www/apache22/patches/patch-ab
@@ -1,8 +1,38 @@
-$NetBSD: patch-ab,v 1.1.1.1 2006/12/08 23:31:52 xtraeme Exp $
+$NetBSD: patch-ab,v 1.2 2007/06/28 01:20:52 lkundrak Exp $
---- server/mpm_common.c.orig 2005-03-30 09:42:15.000000000 +0000
+Part of fix for CVE-2007-3304 Denial of Service.
+
+--- server/mpm_common.c.orig 2007-06-28 02:53:52.000000000 +0200
+++ server/mpm_common.c
-@@ -420,7 +420,7 @@ AP_DECLARE(gid_t) ap_gname2id(const char
+@@ -126,6 +126,10 @@ static int reclaim_one_pid(pid_t pid, ac
+ apr_proc_t proc;
+ apr_status_t waitret;
+
++ if (!MPM_VALID_PID(pid)) {
++ return 1;
++ }
++
+ proc.pid = pid;
+ waitret = apr_proc_wait(&proc, NULL, NULL, APR_NOWAIT);
+ if (waitret != APR_CHILD_NOTDONE) {
+@@ -305,6 +309,16 @@ void ap_relieve_child_processes(void)
+ cur_extra = next;
+ }
+ }
++
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig)
++{
++ if (MPM_VALID_PID(pid)) {
++ return kill(pid, sig) ? errno : APR_SUCCESS;
++ }
++ else {
++ return APR_EINVAL;
++ }
++}
+ #endif /* AP_MPM_WANT_RECLAIM_CHILD_PROCESSES */
+
+ #ifdef AP_MPM_WANT_WAIT_OR_TIMEOUT
+@@ -468,7 +482,7 @@ AP_DECLARE(gid_t) ap_gname2id(const char
#ifndef HAVE_INITGROUPS
int initgroups(const char *name, gid_t basegid)
{
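Review bot: `ap_mpm_safe_kill()` accepts a pid of 0, because `MPM_VALID_PID(0)` evaluates `getpgid(0) == getpgrp()`, which is true for the caller itself, and `kill(0, sig)` then signals every process in the caller's process group, the parent included. Two prefork call sites in patch-ar pass `MPM_CHILD_PID(index)` or `parent[index].pid` with no non-zero test visible in their hunks, so a zeroed scoreboard slot could reach this path. An explicit guard ahead of the group check closes it: `if (pid < 1) { return APR_EINVAL; }`. The same gap is in the macro definitions added by patch-as and patch-au and in the new `reclaim_one_pid()` check. The group check and the `kill()` are also separate steps, so the pid could in principle be reused between them.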
diff --git a/www/apache22/patches/patch-ao b/www/apache22/patches/patch-ao
new file mode 100644
index 00000000000..bc54349ac39
--- /dev/null
+++ b/www/apache22/patches/patch-ao
@@ -0,0 +1,44 @@
+$NetBSD: patch-ao,v 1.1 2007/06/28 01:20:52 lkundrak Exp $
+
+Fix for CVE-2006-5752 XSS in mod_status with ExtendedStatus on.
+
+--- modules/generators/mod_status.c.orig 2007-06-28 01:54:44.000000000 +0200
++++ modules/generators/mod_status.c
+@@ -270,7 +270,7 @@ static int status_handler(request_rec *r
+ if (r->method_number != M_GET)
+ return DECLINED;
+
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -299,7 +299,7 @@ static int status_handler(request_rec *r
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -673,7 +673,8 @@ static int status_handler(request_rec *r
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++ ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -763,7 +764,8 @@ static int status_handler(request_rec *r
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++ ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...) */
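Review bot: The nested `ap_escape_html(r->pool, ap_escape_logitem(r->pool, ws_record->request))` appears at both report sites in status_handler with nothing explaining why the request line gets a second escaping pass that `client` and `vhost` do not. A short comment at the first site would keep a later cleanup from dropping it, for example `/* request line is client-supplied: escape non-printable bytes first, then HTML */`. The explicit `charset=ISO-8859-1` on both content types belongs to the same fix and deserves a one-line comment too, since it presumably stops browsers from guessing a different encoding. status_handler starts and ends outside these hunks.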
diff --git a/www/apache22/patches/patch-ap b/www/apache22/patches/patch-ap
new file mode 100644
index 00000000000..c112356348c
--- /dev/null
+++ b/www/apache22/patches/patch-ap
@@ -0,0 +1,78 @@
+$NetBSD: patch-ap,v 1.1 2007/06/28 01:20:52 lkundrak Exp $
+
+Fix for CVE-2007-1863 remote crash when mod_cache enabled.
+
+--- modules/cache/cache_util.c.orig 2007-06-28 02:03:05.000000000 +0200
++++ modules/cache/cache_util.c
+@@ -243,7 +243,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+ age = ap_cache_current_age(info, age_c, r->request_time);
+
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -252,7 +253,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+
+ /* extract max-age from request */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -260,7 +262,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+ }
+
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else {
+@@ -282,7 +285,20 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+@@ -290,7 +306,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+
+ /* extract min-fresh */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -419,6 +436,9 @@ CACHE_DECLARE(int) ap_cache_liststr(apr_
+ next - val_start);
+ }
+ }
++ else {
++ *val = NULL;
++ }
+ }
+ return 1;
+ }
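Review bot: The added `val != NULL` tests stop the NULL dereference, but each directive value taken from the request or the cached response is still passed straight to `apr_atoi64()`, which cannot report non-numeric input or overflow and accepts negative numbers. How `maxstale`, `minfresh` and the ages are combined lies outside these hunks, so whether a negative or very large value can skew the freshness decision needs confirming against the rest of ap_cache_check_freshness. Parsing with `apr_strtoi64(val, &end, 10)` and rejecting `end == val` or a negative result would make the handling explicit. Minor style: `if(val != NULL)` in the max-stale branch lacks the space after `if` that the surrounding lines use.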
diff --git a/www/apache22/patches/patch-aq b/www/apache22/patches/patch-aq
new file mode 100644
index 00000000000..45eccc2d043
--- /dev/null
+++ b/www/apache22/patches/patch-aq
@@ -0,0 +1,24 @@
+$NetBSD: patch-aq,v 1.1 2007/06/28 01:20:53 lkundrak Exp $
+
+Part of fix for CVE-2007-3304 Denial of Service.
+
+--- include/mpm_common.h.orig 2007-06-28 02:53:26.000000000 +0200
++++ include/mpm_common.h
+@@ -145,6 +145,17 @@ int ap_unregister_extra_mpm_process(pid_
+ #endif
+
+ /**
++ * Safely signal an MPM child process, if the process is in the
++ * current process group. Otherwise fail.
++ * @param pid the process id of a child process to signal
++ * @param sig the signal number to send
++ * @return APR_SUCCESS if signal is sent, otherwise an error as per kill(3)
++ */
++#ifdef AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
++apr_status_t ap_mpm_safe_kill(pid_t pid, int sig);
++#endif
++
++/**
+ * Determine if any child process has died. If no child process died, then
+ * this process sleeps for the amount of time specified by the MPM defined
+ * macro SCOREBOARD_MAINTENANCE_INTERVAL.
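Review bot: The `@return` line is incomplete: `ap_mpm_safe_kill()` as added in patch-ab returns `APR_EINVAL` when the pid is not in the server's process group, which is not an error produced by kill. Suggested wording: `@return APR_SUCCESS if the signal is sent, APR_EINVAL if pid is not in the caller's process group, otherwise the errno from kill(2)`. The prototype is declared only under `AP_MPM_WANT_RECLAIM_CHILD_PROCESSES`, while prefork.c and worker.c call the function in patch-ar and patch-at with no such guard visible in their hunks. That works only if both MPMs define the macro, which cannot be confirmed from this page.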
diff --git a/www/apache22/patches/patch-ar b/www/apache22/patches/patch-ar
new file mode 100644
index 00000000000..7b3e7323e6d
--- /dev/null
+++ b/www/apache22/patches/patch-ar
@@ -0,0 +1,33 @@
+$NetBSD: patch-ar,v 1.1 2007/06/28 01:20:53 lkundrak Exp $
+
+Part of fix for CVE-2007-3304 Denial of Service.
+
+--- server/mpm/prefork/prefork.c.orig 2007-06-28 02:53:26.000000000 +0200
++++ server/mpm/prefork/prefork.c
+@@ -1127,7 +1127,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) {
+ /* Ask each child to close its listeners. */
+- kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
+ active_children++;
+ }
+ }
+@@ -1166,7 +1166,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) {
+ active_children = 1;
+ /* Having just one child is enough to stay around */
+ break;
+@@ -1222,7 +1222,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p
+ * piped loggers, etc. They almost certainly won't handle
+ * it gracefully.
+ */
+- kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL);
+ }
+ }
+ }
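Review bot: The two `AP_SIG_GRACEFUL` call sites discard the result of `ap_mpm_safe_kill()`, so a pid rejected with `APR_EINVAL` leaves no trace and, in the first loop, is still counted by `active_children++`. A rejected pid means the scoreboard held a value outside the server's process group, presumably the very condition this fix guards against, and that is worth surfacing to the operator. Checking the status and logging it, e.g. `if (ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL) == APR_EINVAL) ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ap_server_conf, "refusing to signal pid outside process group");`, would add detection to the prevention. ap_mpm_run extends beyond these hunks.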
diff --git a/www/apache22/patches/patch-as b/www/apache22/patches/patch-as
new file mode 100644
index 00000000000..a849cb0a6d3
--- /dev/null
+++ b/www/apache22/patches/patch-as
@@ -0,0 +1,14 @@
+$NetBSD: patch-as,v 1.1 2007/06/28 01:20:53 lkundrak Exp $
+
+Part of fix for CVE-2007-3304 Denial of Service.
+
+--- server/mpm/prefork/mpm.h.orig 2007-06-28 02:53:26.000000000 +0200
++++ server/mpm/prefork/mpm.h
+@@ -53,6 +53,7 @@
+ #define AP_MPM_USES_POD 1
+ #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
+ #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
+ #define MPM_ACCEPT_FUNC unixd_accept
+
+ extern int ap_threads_per_child;
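Review bot: `MPM_VALID_PID` calls `getpgid()` with no feature test, and nothing in this commit checks that the function is available on the build platform. pkgsrc builds on systems other than NetBSD, so where `getpgid()` is missing or undeclared the prefork and worker MPMs would presumably fail to build. The same definition is added to worker/mpm.h in patch-au. A configure-time guard with a fallback definition would keep those builds working, and a comment such as `/* true when p is in the server's own process group */` would document the intent.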
diff --git a/www/apache22/patches/patch-at b/www/apache22/patches/patch-at
new file mode 100644
index 00000000000..1d1729cb84c
--- /dev/null
+++ b/www/apache22/patches/patch-at
@@ -0,0 +1,15 @@
+$NetBSD: patch-at,v 1.1 2007/06/28 01:20:53 lkundrak Exp $
+
+Part of fix for CVE-2007-3304 Denial of Service.
+
+--- server/mpm/worker/worker.c.orig 2007-06-28 02:53:26.000000000 +0200
++++ server/mpm/worker/worker.c
+@@ -1814,7 +1814,7 @@ int ap_mpm_run(apr_pool_t *_pconf, apr_p
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
+ if (MPM_CHILD_PID(index) != 0) {
+- if (kill(MPM_CHILD_PID(index), 0) == 0) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == 0) {
+ active_children = 1;
+ /* Having just one child is enough to stay around */
+ break;
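Review bot: `ap_mpm_safe_kill()` returns an `apr_status_t`, so the comparison reads more clearly as `if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {` than as `== 0`, which was carried over from the raw `kill()` call it replaces. The same line appears in the second prefork.c hunk of patch-ar. ap_mpm_run extends beyond this hunk.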
diff --git a/www/apache22/patches/patch-au b/www/apache22/patches/patch-au
new file mode 100644
index 00000000000..3a86830be07
--- /dev/null
+++ b/www/apache22/patches/patch-au
@@ -0,0 +1,14 @@
+$NetBSD: patch-au,v 1.1 2007/06/28 01:20:54 lkundrak Exp $
+
+Part of fix for CVE-2007-3304 Denial of Service.
+
+--- server/mpm/worker/mpm.h.orig 2007-06-28 02:53:26.000000000 +0200
++++ server/mpm/worker/mpm.h
+@@ -52,6 +52,7 @@
+ #define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
+ #define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
+ #define MPM_ACCEPT_FUNC unixd_accept
++#define MPM_VALID_PID(p) (getpgid(p) == getpgrp())
+
+ extern int ap_threads_per_child;
+ extern int ap_max_daemons_limit;