Diffstat (limited to 'www/apache22/patches')
-rw-r--r-- | www/apache22/patches/patch-ab | 117 | ||||
-rw-r--r-- | www/apache22/patches/patch-av | 13 | ||||
-rw-r--r-- | www/apache22/patches/patch-ba | 15 | ||||
-rw-r--r-- | www/apache22/patches/patch-bb | 33 |
4 files changed, 107 insertions, 71 deletions
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab
index 5e5e109ed02..0da0f795344 100644
--- a/www/apache22/patches/patch-ab
+++ b/www/apache22/patches/patch-ab
@@ -1,19 +1,116 @@ -$NetBSD: patch-ab,v 1.10.4.2 2009/09/13 15:03:36 spz Exp $ +$NetBSD: patch-ab,v 1.10.4.3 2009/10/04 13:26:13 spz Exp $ -Fix for CVE-2009-3094 based on the description of the problem: +Fixes for CVE-2009-3094 and CVE-2009-3095 taken from the Apache SVN repository: -http://www.intevydis.com/blog/?p=59 +http://svn.apache.org/viewvc?view=rev&revision=814844 +http://svn.apache.org/viewvc?view=rev&revision=814847 --- modules/proxy/mod_proxy_ftp.c.orig 2008-11-11 20:04:34.000000000 +0000 -+++ modules/proxy/mod_proxy_ftp.c 2009-09-13 14:23:13.000000000 +0100 -@@ -1274,7 +1274,9 @@ ++++ modules/proxy/mod_proxy_ftp.c 2009-10-04 12:49:43.000000000 +0100 +@@ -604,6 +604,31 @@ + return APR_SUCCESS; + } + ++/* Parse EPSV reply and return port, or zero on error. Modifies ++ * 'reply'. */ ++static apr_port_t parse_epsv_reply(char *reply) ++{ ++ char *p, *ep; ++ long port; ++ ++ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|' ++ * can be any character in ASCII from 33-126, obscurely. Verify ++ * the syntax. */ ++ p = ap_strchr(reply, '('); ++ if (p == NULL || !p[0] || !p[1] || p[1] != p[2] || p[1] != p[3] ++ || p[4] == p[1]) { ++ return 0; ++ } ++ ++ errno = 0; ++ port = strtol(p + 4, &ep, 10); ++ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') { ++ return 0; ++ } ++ ++ return (apr_port_t)port; ++} ++ + /* + * Generic "send FTP command to server" routine, using the control socket. + * Returns the FTP returncode (3 digit code) +@@ -887,6 +912,11 @@ + if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL + && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0 + && (password = ap_pbase64decode(r->pool, password))[0] != ':') { ++ /* Check the decoded string for special characters. 
*/ ++ if (!ftp_check_string(password)) { ++ return ap_proxyerror(r, HTTP_BAD_REQUEST, ++ "user credentials contained invalid character"); ++ } + /* + * Note that this allocation has to be made from r->connection->pool + * because it has the lifetime of the connection. The other +@@ -1210,26 +1240,11 @@ + return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage); + } + else if (rc == 229) { +- char *pstr; +- char *tok_cntx; ++ /* Parse the port out of the EPSV reply. */ ++ data_port = parse_epsv_reply(ftpmessage); + +- pstr = ftpmessage; +- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */ +- if (pstr != NULL) { +- if (*(pstr + strlen(pstr) + 1) == '=') { +- pstr += strlen(pstr) + 2; +- } +- else { +- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address & +- * port params */ +- if (pstr != NULL) +- pstr = apr_strtok(NULL, ")", &tok_cntx); +- } +- } +- +- if (pstr) { ++ if (data_port) { + apr_sockaddr_t *epsv_addr; +- data_port = atoi(pstr + 3); + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "proxy: FTP: EPSV contacting remote host on port %d", +@@ -1272,10 +1287,6 @@ + connect = 1; + } } - else { - /* and try the regular way */ +- else { +- /* and try the regular way */ - apr_socket_close(data_sock); -+ if (data_sock != NULL) { -+ apr_socket_close(data_sock); -+ } +- } + } + } + +@@ -1364,10 +1375,6 @@ + connect = 1; + } } +- else { +- /* and try the regular way */ +- apr_socket_close(data_sock); +- } } } + /*bypass:*/ +@@ -1851,7 +1858,9 @@ + * for a slow client to eat these bytes + */ + ap_flush_conn(data); +- apr_socket_close(data_sock); ++ if (data_sock) { ++ apr_socket_close(data_sock); ++ } + data_sock = NULL; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "proxy: FTP: data connection closed"); diff --git a/www/apache22/patches/patch-av b/www/apache22/patches/patch-av deleted file mode 100644 index e3309c7bb7b..00000000000 --- a/www/apache22/patches/patch-av +++ /dev/null 
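Review bot: In the new `parse_epsv_reply`, `strtol(p + 4, &ep, 10)` skips leading whitespace and accepts a sign, so a constructed reply such as `(||| +21|)` is accepted even though the comment above it cites the RFC 2428 form `(|||port|)`. The result is still range-checked to 1-65535, so this is a strictness gap on server-controlled input rather than a memory-safety problem. A guard before the call, `if (!apr_isdigit(p[4])) return 0;`, would limit the field to digits, assuming `apr_isdigit` is already in scope in this file. The header comment also says the function modifies `reply`, but no visible line writes through it, so it could read `/* Parse EPSV reply and return port, or zero on error. */`. The `!p[0]` test is always false because `p` points at the `(` that `ap_strchr` found.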
@@ -1,13 +0,0 @@ -$NetBSD: patch-av,v 1.2 2009/01/25 09:59:51 tron Exp $ - ---- modules/generators/mod_cgid.c.orig 2008-08-15 18:08:05.000000000 -0400 -+++ modules/generators/mod_cgid.c -@@ -203,7 +203,7 @@ static char **create_argv(apr_pool_t *p, - char *w; - int idx = 0; - -- if (ap_strchr_c(args, '=')) { -+ if (!(*args) || ap_strchr_c(args, '=')) { - numwords = 0; - } - else { diff --git a/www/apache22/patches/patch-ba b/www/apache22/patches/patch-ba deleted file mode 100644 index 9ad3d4056a2..00000000000 --- a/www/apache22/patches/patch-ba +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-ba,v 1.2.2.1 2009/08/07 21:08:15 spz Exp $ - -Fix build problems with newer versions of OpenSSL. - ---- modules/ssl/ssl_engine_init.c.orig 2009-08-05 09:37:09.000000000 +0200 -+++ modules/ssl/ssl_engine_init.c -@@ -573,7 +573,7 @@ static void ssl_init_ctx_verify(server_r - ssl_die(); - } - -- SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list); -+ SSL_CTX_set_client_CA_list(ctx, ca_list); - } - - /* diff --git a/www/apache22/patches/patch-bb b/www/apache22/patches/patch-bb deleted file mode 100644 index 1f8b8b23650..00000000000 --- a/www/apache22/patches/patch-bb +++ /dev/null 
@@ -1,33 +0,0 @@ -$NetBSD: patch-bb,v 1.3.2.2 2009/08/07 21:08:15 spz Exp $ - -Fix build problems with newer versions of OpenSSL. - ---- modules/ssl/ssl_util_ssl.c.orig 2009-08-05 09:33:37.000000000 +0200 -+++ modules/ssl/ssl_util_ssl.c -@@ -294,7 +294,7 @@ BOOL SSL_X509_isSGC(X509 *cert) - #ifdef HAVE_SSL_X509V3_EXT_d2i - X509_EXTENSION *ext; - int ext_nid; -- STACK *sk; -+ STACK_OF(SSL_CIPHER) *sk; - BOOL is_sgc; - int idx; - int i; -@@ -303,7 +303,7 @@ BOOL SSL_X509_isSGC(X509 *cert) - idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1); - if (idx >= 0) { - ext = X509_get_ext(cert, idx); -- if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL) { -+ if ((sk = X509V3_EXT_d2i(ext)) != NULL) { - for (i = 0; i < sk_num(sk); i++) { - ext_nid = OBJ_obj2nid((ASN1_OBJECT *)sk_value(sk, i)); - if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) { -@@ -467,7 +467,7 @@ int SSL_CTX_use_certificate_chain( - X509 *x509; - unsigned long err; - int n; -- STACK *extra_certs; -+ STACK_OF(X509) *extra_certs; - - if ((bio = BIO_new(BIO_s_file_internal())) == NULL) - return -1; |