diff options
| author | tron <tron> | 2012-01-29 12:29:07 +0000 |
|---|---|---|
| committer | tron <tron> | 2012-01-29 12:29:07 +0000 |
| commit | 685e91d8644c0f87f3e7e859b8a98648b268e0b6 (patch) | |
| tree | af7e2dd6061fbc82857fdae9dbfc255fb011c903 /www | |
| parent | 1aae89c1770a4710a42c5906f2679d85957e6a17 (diff) | |
| download | pkgsrc-685e91d8644c0f87f3e7e859b8a98648b268e0b6.tar.gz | |
Add patch for security vulnerabilities reported in CVE-2012-0021
and CVE-2012-0053 taken from Apache SVN repository.
Diffstat (limited to 'www')
| -rw-r--r-- | www/apache22/Makefile | 4 | ||||
| -rw-r--r-- | www/apache22/distinfo | 5 | ||||
| -rw-r--r-- | www/apache22/patches/patch-CVE-2012-0021 | 42 | ||||
| -rw-r--r-- | www/apache22/patches/patch-server_protocol.c | 91 |
4 files changed, 136 insertions, 6 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 5d95de2c05b..c0cb8d2bbb9 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.77 2012/01/17 20:48:28 spz Exp $ +# $NetBSD: Makefile,v 1.78 2012/01/29 12:29:07 tron Exp $ DISTNAME= httpd-2.2.21 PKGNAME= ${DISTNAME:S/httpd/apache/} -PKGREVISION= 6 +PKGREVISION= 7 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ http://archive.apache.org/dist/httpd/ \ diff --git a/www/apache22/distinfo b/www/apache22/distinfo index 6654b10c356..0eb940dfe5e 100644 --- a/www/apache22/distinfo +++ b/www/apache22/distinfo @@ -1,8 +1,9 @@ -$NetBSD: distinfo,v 1.48 2012/01/17 20:48:28 spz Exp $ +$NetBSD: distinfo,v 1.49 2012/01/29 12:29:07 tron Exp $ SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4 RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1 Size (httpd-2.2.21.tar.bz2) = 5324905 bytes +SHA1 (patch-CVE-2012-0021) = 8c44c591ffa3a4ca32de47c71d1aa8470de81f1e SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad @@ -18,6 +19,6 @@ SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118 SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796 SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 -SHA1 (patch-server_protocol.c) = 2be3e4fc08da717fa55b058eb32e398f6546d457 +SHA1 (patch-server_protocol.c) = dc99717704f53837dfd7b9c1018487a787dcbfd9 SHA1 (patch-server_scoreboard.c) = 8d1e007f8d1d6a6db827a41d82369749e603a2b3 SHA1 (patch-server_util.c) = 37e9c357618a9645222cd981f0ccb04c7987fe15 diff --git a/www/apache22/patches/patch-CVE-2012-0021 b/www/apache22/patches/patch-CVE-2012-0021 new file mode 100644 index 00000000000..80d11463546 --- /dev/null +++ b/www/apache22/patches/patch-CVE-2012-0021 @@ -0,0 +1,42 @@ +$NetBSD: patch-CVE-2012-0021,v 1.1 2012/01/29 12:29:08 tron Exp $ + +Fix security vulnerability reported in CVE-2012-0021. Patch taken from +Apache SVN repository: + +http://svn.apache.org/viewvc?view=revision&revision=1227292 + +--- modules/loggers/mod_log_config.c.orig 2010-08-24 07:41:38.000000000 +0100 ++++ modules/loggers/mod_log_config.c 2012-01-29 12:08:13.000000000 +0000 +@@ -524,19 +524,21 @@ + + while ((cookie = apr_strtok(cookies, ";", &last1))) { + char *name = apr_strtok(cookie, "=", &last2); +- char *value; +- apr_collapse_spaces(name, name); ++ if (name) { ++ char *value; ++ apr_collapse_spaces(name, name); ++ ++ if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) { ++ char *last; ++ value += strspn(value, " \t"); /* Move past leading WS */ ++ last = value + strlen(value) - 1; ++ while (last >= value && apr_isspace(*last)) { ++ *last = '\0'; ++ --last; ++ } + +- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) { +- char *last; +- value += strspn(value, " \t"); /* Move past leading WS */ +- last = value + strlen(value) - 1; +- while (last >= value && apr_isspace(*last)) { +- *last = '\0'; +- --last; ++ return ap_escape_logitem(r->pool, value); + } +- +- return ap_escape_logitem(r->pool, value); + } + cookies = NULL; + } diff --git a/www/apache22/patches/patch-server_protocol.c b/www/apache22/patches/patch-server_protocol.c index 336edb08fc1..2aa8c2ad9ae 100644 --- a/www/apache22/patches/patch-server_protocol.c +++ b/www/apache22/patches/patch-server_protocol.c @@ -1,4 +1,4 @@ -$NetBSD: patch-server_protocol.c,v 1.3 2011/12/12 18:43:14 tron Exp $ +$NetBSD: patch-server_protocol.c,v 1.4 2012/01/29 12:29:08 tron Exp $ revision 1179239 from http://svn.apache.org/: SECURITY (CVE-2011-3368): Prevent unintended pattern expansion @@ -12,8 +12,13 @@ revision 1179525 from http://svn.apache.org/: request-URI does not match the grammar from RFC 2616. This ensures the input string for RewriteRule et al really is an absolute path. +revision 1235454 from http://svn.apache.org/: + CVE-2012-0053: Fix an issue in error responses that could expose + "httpOnly" cookies when no custom ErrorDocument is specified for + status code 400. + --- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100 -+++ server/protocol.c 2011-12-12 18:37:04.000000000 +0000 ++++ server/protocol.c 2012-01-29 12:22:25.000000000 +0000 @@ -640,6 +640,25 @@ ap_parse_uri(r, uri); @@ -40,3 +45,85 @@ revision 1179525 from http://svn.apache.org/: if (ll[0]) { r->assbackwards = 0; pro = ll; +@@ -670,6 +689,16 @@ + return 1; + } + ++/* get the length of the field name for logging, but no more than 80 bytes */ ++#define LOG_NAME_MAX_LEN 80 ++static int field_name_len(const char *field) ++{ ++ const char *end = ap_strchr_c(field, ':'); ++ if (end == NULL || end - field > LOG_NAME_MAX_LEN) ++ return LOG_NAME_MAX_LEN; ++ return end - field; ++} ++ + AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) + { + char *last_field = NULL; +@@ -709,12 +738,15 @@ + /* insure ap_escape_html will terminate correctly */ + field[len - 1] = '\0'; + apr_table_setn(r->notes, "error-notes", +- apr_pstrcat(r->pool, ++ apr_psprintf(r->pool, + "Size of a request header field " + "exceeds server limit.<br />\n" +- "<pre>\n", +- ap_escape_html(r->pool, field), +- "</pre>\n", NULL)); ++ "<pre>\n%.*s\n</pre>/n", ++ field_name_len(field), ++ ap_escape_html(r->pool, field))); ++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ++ "Request header exceeds LimitRequestFieldSize: " ++ "%.*s", field_name_len(field), field); + } + return; + } +@@ -735,13 +767,17 @@ + * overflow (last_field) as the field with the problem + */ + apr_table_setn(r->notes, "error-notes", +- apr_pstrcat(r->pool, ++ apr_psprintf(r->pool, + "Size of a request header field " + "after folding " + "exceeds server limit.<br />\n" +- "<pre>\n", +- ap_escape_html(r->pool, last_field), +- "</pre>\n", NULL)); ++ "<pre>\n%.*s\n</pre>\n", ++ field_name_len(last_field), ++ ap_escape_html(r->pool, last_field))); ++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ++ "Request header exceeds LimitRequestFieldSize " ++ "after folding: %.*s", ++ field_name_len(last_field), last_field); + return; + } + +@@ -773,13 +809,18 @@ + if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ + r->status = HTTP_BAD_REQUEST; /* abort bad request */ + apr_table_setn(r->notes, "error-notes", +- apr_pstrcat(r->pool, ++ apr_psprintf(r->pool, + "Request header field is " + "missing ':' separator.<br />\n" +- "<pre>\n", ++ "<pre>\n%.*s</pre>\n", ++ (int)LOG_NAME_MAX_LEN, + ap_escape_html(r->pool, +- last_field), +- "</pre>\n", NULL)); ++ last_field))); ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Request header field is missing ':' " ++ "separator: %.*s", (int)LOG_NAME_MAX_LEN, ++ last_field); ++ + return; + } + |