Add patches from the Apache SVN repository to fix the security

vulnerabilities reported in CVE-2009-1890 and CVE-2009-1891.

4 files changed, 84 insertions, 3 deletions

diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index a90d4b29c00..5d761935f31 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.46 2009/06/11 20:30:58 tron Exp $
+# $NetBSD: Makefile,v 1.47 2009/07/14 12:23:39 tron Exp $
 
 DISTNAME=	httpd-2.2.11
-PKGREVISION=	5
+PKGREVISION=	6
 PKGNAME=	${DISTNAME:S/httpd/apache/}
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/} \
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index f31c4b7427b..29c87d4790d 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2009/06/11 20:30:58 tron Exp $
+$NetBSD: distinfo,v 1.21 2009/07/14 12:23:39 tron Exp $
 
 SHA1 (httpd-2.2.11.tar.bz2) = 7af256d53b79342f82222bd7b86eedbd9ac21d9a
 RMD160 (httpd-2.2.11.tar.bz2) = b2012af716a459f666e0e41eb04808bd0f7fc28d
@@ -8,7 +8,9 @@ SHA1 (patch-ab) = d5391ca1af9d817d35cb472b0feb05b86a95e560
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
+SHA1 (patch-af) = cf7cc7d09e0379830d1ce0be4be74c8f2bbb1719
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
+SHA1 (patch-ah) = 5fc2a3fad42fa67669c219123b8c27e138927452
 SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
diff --git a/www/apache22/patches/patch-af b/www/apache22/patches/patch-af
new file mode 100644
index 00000000000..faff767dc3a
--- /dev/null
+++ b/www/apache22/patches/patch-af
@@ -0,0 +1,35 @@
+$NetBSD: patch-af,v 1.1 2009/07/14 12:23:40 tron Exp $
+
+Fix for CVE-2009-1891 taken from here:
+
+http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454
+
+--- server/core_filters.c.orig	2006-07-12 04:38:44.000000000 +0100
++++ server/core_filters.c	2009-07-14 13:01:09.000000000 +0100
+@@ -542,6 +542,12 @@
+     apr_read_type_e eblock = APR_NONBLOCK_READ;
+     apr_pool_t *input_pool = b->p;
+ 
++    /* Fail quickly if the connection has already been aborted. */
++    if (c->aborted) {
++        apr_brigade_cleanup(b);
++        return APR_ECONNABORTED;
++    }
++
+     if (ctx == NULL) {
+         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
+         net->out_ctx = ctx;
+@@ -909,12 +915,9 @@
+             /* No need to check for SUCCESS, we did that above. */
+             if (!APR_STATUS_IS_EAGAIN(rv)) {
+                 c->aborted = 1;
++                return APR_ECONNABORTED;
+             }
+ 
+-            /* The client has aborted, but the request was successful. We
+-             * will report success, and leave it to the access and error
+-             * logs to note that the connection was aborted.
+-             */
+             return APR_SUCCESS;
+         }
+ 
diff --git a/www/apache22/patches/patch-ah b/www/apache22/patches/patch-ah
new file mode 100644
index 00000000000..f42450e7da1
--- /dev/null
+++ b/www/apache22/patches/patch-ah
@@ -0,0 +1,44 @@
+$NetBSD: patch-ah,v 1.1 2009/07/14 12:23:40 tron Exp $
+
+Fix for CVE-2009-1890 taken from here:
+
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587
+
+--- modules/proxy/mod_proxy_http.c.orig	2008-11-11 20:04:34.000000000 +0000
++++ modules/proxy/mod_proxy_http.c	2009-07-14 13:03:49.000000000 +0100
+@@ -422,10 +422,16 @@
+     apr_off_t bytes_streamed = 0;
+ 
+     if (old_cl_val) {
++        char *endstr;
++
+         add_cl(p, bucket_alloc, header_brigade, old_cl_val);
+-        if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
+-                                                 0))) {
+-            return HTTP_INTERNAL_SERVER_ERROR;
++        status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
++        
++        if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++                          "proxy: could not parse request Content-Length (%s)",
++                          old_cl_val);
++            return HTTP_BAD_REQUEST;
+         }
+     }
+     terminate_headers(bucket_alloc, header_brigade);
+@@ -453,8 +459,13 @@
+          *
+          * Prevents HTTP Response Splitting.
+          */
+-        if (bytes_streamed > cl_val)
+-             continue;
++        if (bytes_streamed > cl_val) {
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                          "proxy: read more bytes of request body than expected "
++                          "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
++                          bytes_streamed, cl_val);
++            return HTTP_INTERNAL_SERVER_ERROR;
++        }
+ 
+         if (header_brigade) {
+             /* we never sent the header brigade, so go ahead and