author | tron <tron> | 2009-09-14 22:09:33 +0000 |
---|---|---|
committer | tron <tron> | 2009-09-14 22:09:33 +0000 |
commit | 0a6caa219cf87b5053972b734ddce6babd52eeda (patch) | |
tree | 07b34f2aaa10891a4e283ae2fd6f7ac9a36e5191 /www/apache22 | |
parent | ef6a3c6ac130d1119bcb8c4b871f23b6d1fc46f0 (diff) | |
download | pkgsrc-0a6caa219cf87b5053972b734ddce6babd52eeda.tar.gz |
Use official fix for CVE-2009-3094 taken from the Apache SVN repository.
Diffstat (limited to 'www/apache22')
-rw-r--r-- | www/apache22/Makefile | 4 | ||||
-rw-r--r-- | www/apache22/distinfo | 4 | ||||
-rw-r--r-- | www/apache22/patches/patch-ab | 106 |
3 files changed, 99 insertions, 15 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index bd6f3e57087..58005c421aa 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.50 2009/09/13 13:32:50 tron Exp $
+# $NetBSD: Makefile,v 1.51 2009/09/14 22:09:33 tron Exp $
 DISTNAME= httpd-2.2.13
 PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 ${MASTER_SITE_APACHE:=httpd/old/}
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index f59e7d8f31a..4e256b63e87 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.25 2009/09/13 13:32:50 tron Exp $
+$NetBSD: distinfo,v 1.26 2009/09/14 22:09:33 tron Exp $
 SHA1 (httpd-2.2.13.tar.bz2) = 44d85da1b8e6c579d4514cfefbea00b284717b69
 RMD160 (httpd-2.2.13.tar.bz2) = 4a6a2247cc118175a9a36f1e14344ee71da24627
 Size (httpd-2.2.13.tar.bz2) = 5300199 bytes
 SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
-SHA1 (patch-ab) = 76e50e1603c37e982a6ae9179009457aa9589e87
+SHA1 (patch-ab) = 4427989bec4faadbd64c46dced5e57b4d6649270
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab
index 358e46cd363..c8ab19d9f2f 100644
--- a/www/apache22/patches/patch-ab
+++ b/www/apache22/patches/patch-ab
@@ -1,19 +1,103 @@ -$NetBSD: patch-ab,v 1.12 2009/09/13 13:32:50 tron Exp $ +$NetBSD: patch-ab,v 1.13 2009/09/14 22:09:33 tron Exp $ -Fix for CVE-2009-3094 based on the description of the problem: +Fix for CVE-2009-3094 taken from the Apache SVN repository: -http://www.intevydis.com/blog/?p=59 +http://svn.apache.org/viewvc?view=rev&revision=814652 ---- modules/proxy/mod_proxy_ftp.c.orig 2008-11-11 20:04:34.000000000 +0000 -+++ modules/proxy/mod_proxy_ftp.c 2009-09-13 14:23:13.000000000 +0100 -@@ -1274,7 +1274,9 @@ +--- modules/proxy/mod_proxy_ftp.c 2009/09/14 14:15:34 814651 ++++ modules/proxy/mod_proxy_ftp.c 2009/09/14 14:16:14 814652 +@@ -683,6 +683,31 @@ + return APR_SUCCESS; + } + ++/* Parse EPSV reply and return port, or zero on error. Modifies ++ * 'reply'. */ ++static apr_port_t parse_epsv_reply(char *reply) ++{ ++ char *p, *ep; ++ long port; ++ ++ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|' ++ * can be any character in ASCII from 33-126, obscurely. Verify ++ * the syntax. */ ++ p = ap_strchr(reply, '('); ++ if (p == NULL || !p[0] || !p[1] || p[1] != p[2] || p[1] != p[3] ++ || p[4] == p[1]) { ++ return 0; ++ } ++ ++ errno = 0; ++ port = strtol(p + 4, &ep, 10); ++ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') { ++ return 0; ++ } ++ ++ return (apr_port_t)port; ++} ++ + /* + * Generic "send FTP command to server" routine, using the control socket. + * Returns the FTP returncode (3 digit code) +@@ -1296,26 +1321,11 @@ + return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage); + } + else if (rc == 229) { +- char *pstr; +- char *tok_cntx; ++ /* Parse the port out of the EPSV reply. 
*/ ++ data_port = parse_epsv_reply(ftpmessage); + +- pstr = ftpmessage; +- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */ +- if (pstr != NULL) { +- if (*(pstr + strlen(pstr) + 1) == '=') { +- pstr += strlen(pstr) + 2; +- } +- else { +- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address & +- * port params */ +- if (pstr != NULL) +- pstr = apr_strtok(NULL, ")", &tok_cntx); +- } +- } +- +- if (pstr) { ++ if (data_port) { + apr_sockaddr_t *epsv_addr; +- data_port = atoi(pstr + 3); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "proxy: FTP: EPSV contacting remote host on port %d", +@@ -1356,10 +1366,6 @@ + connect = 1; + } } - else { - /* and try the regular way */ +- else { +- /* and try the regular way */ - apr_socket_close(data_sock); -+ if (data_sock != NULL) { -+ apr_socket_close(data_sock); -+ } +- } + } + } + +@@ -1446,10 +1452,6 @@ + connect = 1; + } } +- else { +- /* and try the regular way */ +- apr_socket_close(data_sock); +- } } } + /*bypass:*/ +@@ -1929,7 +1931,9 @@ + * for a slow client to eat these bytes + */ + ap_flush_conn(data); +- apr_socket_close(data_sock); ++ if (data_sock) { ++ apr_socket_close(data_sock); ++ } + data_sock = NULL; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "proxy: FTP: data connection closed"); |
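Review bot: In the added `parse_epsv_reply`, the first condition never checks that `p[4]` is a digit, and `strtol(p + 4, &ep, 10)` skips leading whitespace and accepts a `+` sign, so replies such as `(||| 21|)` or `(|||+21|)` pass even though the comment's stated syntax is `(|||port|)`; adding `|| !apr_isdigit(p[4])` to that condition would make the check strict. The header comment says the function modifies 'reply', but nothing in the visible body writes through `reply` or `p`, so it would be more accurate as `/* Parse EPSV reply and return port, or zero on error. 'reply' is only read. */`. In the caller, a zero return simply skips the `if (data_port)` block and the hunk shows no log call for that case (the enclosing function starts and ends outside the hunk), so a warning-level `ap_log_error` there would help operators spot a backend sending malformed 229 replies. Since the commit message describes patch-ab as taken from the Apache SVN repository, these look like follow-ups for upstream rather than local edits.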