authorspz <spz@pkgsrc.org>2009-06-12 21:38:06 +0000
committerspz <spz@pkgsrc.org>2009-06-12 21:38:06 +0000
commit27bbb878e409f0b015728fbc84ba9fc909100c5f (patch)
treeab5a3b024afcef3b9d32203b5b587b6147c27568
parentf8b24251f9487439dbbd47abc343797c37df8fe6 (diff)
Pullup ticket 2795 - requested by tron
Compatibility update Fixes PR 41550 Revisions pulled up: - pkgsrc/www/apache22/Makefile 1.46 - pkgsrc/www/apache22/distinfo 1.20 - pkgsrc/www/apache22/patches/patch-ba 1.2 - pkgsrc/www/apache22/patches/patch-bc 1.2 - pkgsrc/www/apache22/patches/patch-bd 1.2 Files deleted: pkgsrc/www/apache22/patches/patch-bb Module Name: pkgsrc Committed By: tron Date: Thu Jun 11 20:30:59 UTC 2009 Modified Files: pkgsrc/www/apache22: Makefile distinfo pkgsrc/www/apache22/patches: patch-ba patch-bc patch-bd Removed Files: pkgsrc/www/apache22/patches: patch-bb Log Message: Import improved version of the fix for CVE-2009-1195 to restore backwards compatibility with e.g. "mod_perl". To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 pkgsrc/www/apache22/Makefile cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/apache22/distinfo cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/apache22/patches/patch-ba \ pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-bb
-rw-r--r--www/apache22/Makefile4
-rw-r--r--www/apache22/distinfo9
-rw-r--r--www/apache22/patches/patch-ba35
-rw-r--r--www/apache22/patches/patch-bb17
-rw-r--r--www/apache22/patches/patch-bc4
-rw-r--r--www/apache22/patches/patch-bd74
6 files changed, 46 insertions, 97 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 9d5fe2c7c7e..d970c0f4d4f 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.39.2.2 2009/06/04 20:41:20 spz Exp $
+# $NetBSD: Makefile,v 1.39.2.3 2009/06/12 21:38:06 spz Exp $
DISTNAME= httpd-2.2.11
-PKGREVISION= 4
+PKGREVISION= 5
PKGNAME= ${DISTNAME:S/httpd/apache/}
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 68e6e91add5..6e40ba2e981 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17.2.2 2009/06/04 20:41:20 spz Exp $
+$NetBSD: distinfo,v 1.17.2.3 2009/06/12 21:38:06 spz Exp $
SHA1 (httpd-2.2.11.tar.bz2) = 7af256d53b79342f82222bd7b86eedbd9ac21d9a
RMD160 (httpd-2.2.11.tar.bz2) = b2012af716a459f666e0e41eb04808bd0f7fc28d
@@ -17,7 +17,6 @@ SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c
SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1
SHA1 (patch-av) = faf8fe2c72c7830daa407907b8161b56300afeaf
SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
-SHA1 (patch-ba) = fad28e9305c46ec27efdf51f9a4103b870c51be0
-SHA1 (patch-bb) = a577c9ab28dd6cb2ec0805cadb3650709d960c7e
-SHA1 (patch-bc) = f7f17cd31dfb0f0522933a3ef662f5a4f201dc12
-SHA1 (patch-bd) = 88b156067ea75196b1d82587c439c2cf524656cf
+SHA1 (patch-ba) = ab9984391fcdda9c9793009290d95de8ec2a1371
+SHA1 (patch-bc) = f980d98f1b0ee277d995e3be0f5e55622ebc3931
+SHA1 (patch-bd) = 66f882a4d8c884e5422e025ed175a17412b02fd4
diff --git a/www/apache22/patches/patch-ba b/www/apache22/patches/patch-ba
index c65510d2533..5ca3b8b1c64 100644
--- a/www/apache22/patches/patch-ba
+++ b/www/apache22/patches/patch-ba
@@ -1,11 +1,12 @@
-$NetBSD: patch-ba,v 1.1.2.2 2009/06/04 20:41:20 spz Exp $
+$NetBSD: patch-ba,v 1.1.2.3 2009/06/12 21:38:06 spz Exp $
Patch for CVE-2009-1195 taken from:
-http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?r1=739382&r2=772997&pathrev=772997
+http://svn.apache.org/viewvc?view=rev&revision=773881
+http://svn.apache.org/viewvc?view=rev&revision=779472
--- include/http_core.h.orig 2008-02-26 19:47:51.000000000 +0000
-+++ include/http_core.h 2009-06-04 09:39:58.000000000 +0100
++++ include/http_core.h 2009-06-11 20:53:26.000000000 +0100
@@ -65,7 +65,7 @@
#define OPT_NONE 0
/** Indexes directive */
@@ -15,21 +16,27 @@ http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?r1=739382&r2=
#define OPT_INCLUDES 2
/** FollowSymLinks directive */
#define OPT_SYM_LINKS 4
-@@ -73,14 +73,14 @@
- #define OPT_EXECCGI 8
- /** directive unset */
- #define OPT_UNSET 16
--/** IncludesNOEXEC directive */
--#define OPT_INCNOEXEC 32
-+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
-+#define OPT_INC_WITH_EXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
+@@ -80,9 +80,22 @@
/** MultiViews directive */
#define OPT_MULTI 128
/** All directives */
-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
/** @} */
++#ifdef CORE_PRIVATE
++/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
++ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
++ * of the two SSI-related bits are hence:
++ *
++ * OPT_INCLUDES => "enable SSI, without exec= permission"
++ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
++ *
++ * The set of options exposed via ap_allow_options() retains the
++ * semantics of OPT_INCNOEXEC by flipping the bit. */
++#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
++#endif
++
/**
+ * @defgroup get_remote_host Remote Host Resolution
+ * @ingroup APACHE_CORE_HTTPD
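Review bot: The CORE_PRIVATE alias `#define OPT_INC_WITH_EXEC OPT_INCNOEXEC` reuses bit 32 with the opposite meaning, but the comment above it only describes the ap_allow_options() path; any CORE_PRIVATE code that tests core_dir_config->opts directly against OPT_INCNOEXEC will now read exec-permitted as NOEXEC and vice versa, which is the security-relevant direction for SSI. The comment should say so explicitly, e.g. `* Code that reads core_dir_config->opts directly must test OPT_INC_WITH_EXEC;` `* the raw OPT_INCNOEXEC bit there carries the inverted meaning.` Whether any in-tree or third-party module reads the field directly is not visible from this commit. The definition of OPT_INCNOEXEC itself (bit 32) lies outside this hunk.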
diff --git a/www/apache22/patches/patch-bb b/www/apache22/patches/patch-bb
deleted file mode 100644
index c16cb88dedc..00000000000
--- a/www/apache22/patches/patch-bb
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-bb,v 1.1.2.2 2009/06/04 20:41:20 spz Exp $
-
-Patch for CVE-2009-1195 taken from:
-
-http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_include.c?r1=758929&r2=772997&pathrev=772997
-
---- modules/filters/mod_include.c.orig 2008-03-17 14:32:47.000000000 +0000
-+++ modules/filters/mod_include.c 2009-06-04 09:41:46.000000000 +0100
-@@ -3573,7 +3573,7 @@
- intern->seen_eos = 0;
- intern->state = PARSE_PRE_HEAD;
- ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-- if (ap_allow_options(r) & OPT_INCNOEXEC) {
-+ if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
- ctx->flags |= SSI_FLAG_NO_EXEC;
- }
- intern->accessenable = conf->accessenable;
diff --git a/www/apache22/patches/patch-bc b/www/apache22/patches/patch-bc
index 224de34cc15..ea8036dfb84 100644
--- a/www/apache22/patches/patch-bc
+++ b/www/apache22/patches/patch-bc
@@ -1,8 +1,8 @@
-$NetBSD: patch-bc,v 1.1.2.2 2009/06/04 20:41:20 spz Exp $
+$NetBSD: patch-bc,v 1.1.2.3 2009/06/12 21:38:06 spz Exp $
Patch for CVE-2009-1195 taken from:
-http://svn.apache.org/viewvc/httpd/httpd/trunk/server/config.c?r1=759924&r2=772997&pathrev=772997
+http://svn.apache.org/viewvc?view=rev&revision=773881
--- server/config.c.orig 2008-12-02 22:28:21.000000000 +0000
+++ server/config.c 2009-06-04 09:44:24.000000000 +0100
diff --git a/www/apache22/patches/patch-bd b/www/apache22/patches/patch-bd
index a2457fa6c7b..a57747336b5 100644
--- a/www/apache22/patches/patch-bd
+++ b/www/apache22/patches/patch-bd
@@ -1,62 +1,22 @@
-$NetBSD: patch-bd,v 1.1.2.2 2009/06/04 20:41:20 spz Exp $
+$NetBSD: patch-bd,v 1.1.2.3 2009/06/12 21:38:06 spz Exp $
Patch for CVE-2009-1195 taken from:
-http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=759699&r2=772997&pathrev=772997
+http://svn.apache.org/viewvc?view=rev&revision=773881
+http://svn.apache.org/viewvc?view=rev&revision=779472
---- server/core.c.orig 2008-06-02 22:18:18.000000000 +0100
-+++ server/core.c 2009-06-04 09:46:04.000000000 +0100
-@@ -108,8 +108,7 @@
- conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
- conf->opts_add = conf->opts_remove = OPT_NONE;
- conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
-- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
-- | OPT_MULTI;
-+ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+--- server/core.c.orig 2009-06-11 20:51:15.000000000 +0100
++++ server/core.c 2009-06-11 21:01:04.000000000 +0100
+@@ -659,7 +659,11 @@
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
- conf->content_md5 = 2;
- conf->accept_path_info = 3;
-@@ -242,8 +241,13 @@
- conf->opts_remove = (conf->opts_remove & ~new->opts_add)
- | new->opts_remove;
- conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
-- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
-- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
-+
-+ /* if Includes was enabled without exec in the new config, but
-+ * was enabled with exec in the base, then disable exec in the
-+ * resulting options. */
-+ if ((base->opts & OPT_INC_WITH_EXEC)
-+ && (new->opts & OPT_INC_WITH_EXEC) == 0) {
-+ conf->opts &= ~OPT_INC_WITH_EXEC;
- }
- }
- else {
-@@ -1304,10 +1308,12 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ /* If Includes is permitted, both Includes and
-+ * IncludesNOEXEC may be changed. */
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
-@@ -1428,10 +1434,10 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
+- return conf->opts;
++ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
++ * inverted, such that the exposed semantics match that of
++ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
++ * permitted. */
++ return conf->opts ^ OPT_INC_WITH_EXEC;
+ }
+
+ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
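Review bot: The new patch-bd carries only the ap_allow_options() hunk (`return conf->opts ^ OPT_INC_WITH_EXEC;`), while the set_options()/merge_core_dir_configs() hunks that mapped `Includes` to `OPT_INCLUDES | OPT_INC_WITH_EXEC` and `IncludesNOEXEC` to `OPT_INCLUDES` are dropped and do not reappear in any other file of this commit. The XOR only yields the documented OPT_INCNOEXEC semantics if the parser sets OPT_INC_WITH_EXEC for `Includes` and leaves it clear for `IncludesNOEXEC`; with the unpatched 2.2.11 mapping (`IncludesNOEXEC` → `OPT_INCLUDES | OPT_INCNOEXEC`, visible in the removed lines) the exposed bit would be inverted, so `Options IncludesNOEXEC` would permit exec= and `Options Includes` would deny it. The `.orig` timestamp of 2009-06-11 suggests the diff may have been generated against a tree with the previous patch-bd already applied, so it is worth confirming that the committed patch applies to pristine httpd-2.2.11 with the parsing hunks included, or that those hunks live in another patch file. The enclosing ap_allow_options() definition starts before this inner hunk.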