authordrochner <drochner@pkgsrc.org>2011-11-30 11:13:59 +0000
committerdrochner <drochner@pkgsrc.org>2011-11-30 11:13:59 +0000
commit97c2b47fec33da000ea8e06872b1d6c4d0294631 (patch)
treef7decb8971cb4b99b1c3c513318e35dcffd7c6e7 /www/lighttpd
parent9135108f33657eae95f69aa5ebb26e2f7fbb97cd (diff)
Add patch from upstream to fix a sign extension bug which can lead
to an out-of-bounds array read (possible DoS, CVE-2011-4362). Bump PKGREV.
Diffstat (limited to 'www/lighttpd')
-rw-r--r--www/lighttpd/Makefile4
-rw-r--r--www/lighttpd/distinfo3
-rw-r--r--www/lighttpd/patches/patch-aa15
3 files changed, 19 insertions, 3 deletions
diff --git a/www/lighttpd/Makefile b/www/lighttpd/Makefile
index 30a2d73c812..4cb209d1d7f 100644
--- a/www/lighttpd/Makefile
+++ b/www/lighttpd/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.28 2011/08/23 13:06:54 obache Exp $
+# $NetBSD: Makefile,v 1.29 2011/11/30 11:13:59 drochner Exp $
DISTNAME= lighttpd-1.4.29
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= www
MASTER_SITES= http://download.lighttpd.net/lighttpd/releases-1.4.x/
EXTRACT_SUFX= .tar.bz2
diff --git a/www/lighttpd/distinfo b/www/lighttpd/distinfo
index 05ee1d614b1..43f7c6be2ad 100644
--- a/www/lighttpd/distinfo
+++ b/www/lighttpd/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.20 2011/07/14 19:59:45 adam Exp $
+$NetBSD: distinfo,v 1.21 2011/11/30 11:13:59 drochner Exp $
SHA1 (lighttpd-1.4.29.tar.bz2) = fe8ee6dc5f5302bffef905fcdf0b35f255e59b32
RMD160 (lighttpd-1.4.29.tar.bz2) = d4369e8970001d2ebe4e49767053c341c4bd2f27
Size (lighttpd-1.4.29.tar.bz2) = 659974 bytes
+SHA1 (patch-aa) = 12969ff0e488494e83188ba8130466c8d7e0275e
diff --git a/www/lighttpd/patches/patch-aa b/www/lighttpd/patches/patch-aa
new file mode 100644
index 00000000000..bf1cc720e00
--- /dev/null
+++ b/www/lighttpd/patches/patch-aa
@@ -0,0 +1,15 @@
+$NetBSD: patch-aa,v 1.11 2011/11/30 11:13:59 drochner Exp $
+
+CVE-2011-4362
+
+--- src/http_auth.c.orig 2011-04-24 15:44:59.000000000 +0000
++++ src/http_auth.c
+@@ -95,7 +95,7 @@ static unsigned char * base64_decode(buf
+ ch = in[0];
+ /* run through the whole string, converting as we go */
+ for (i = 0; i < in_len; i++) {
+- ch = in[i];
++ ch = (unsigned char) in[i];
+
+ if (ch == '\0') break;
+
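Review bot: The `ch = in[0];` assignment just above the loop is left without the cast, so it still sign-extends where plain `char` is signed. It looks harmless because the loop overwrites `ch` before any use visible here, but writing `ch = (unsigned char) in[0];` would keep the two assignments consistent. The cast inside the loop also deserves a one-line comment so it is not later removed as redundant, for example `/* plain char may be signed: keep ch non-negative before it is used as a table index */`. The declaration of `ch`, the table lookup it feeds and the rest of base64_decode lie outside this hunk, so the claim about the index rests on the commit message rather than on the visible lines.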