summaryrefslogtreecommitdiff
path: root/www/apache22/patches
diff options
context:
space:
mode:
Diffstat (limited to 'www/apache22/patches')
-rw-r--r--www/apache22/patches/patch-ab117
-rw-r--r--www/apache22/patches/patch-av13
-rw-r--r--www/apache22/patches/patch-ba15
-rw-r--r--www/apache22/patches/patch-bb33
4 files changed, 107 insertions, 71 deletions
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab
index 5e5e109ed02..0da0f795344 100644
--- a/www/apache22/patches/patch-ab
+++ b/www/apache22/patches/patch-ab
@@ -1,19 +1,116 @@
-$NetBSD: patch-ab,v 1.10.4.2 2009/09/13 15:03:36 spz Exp $
+$NetBSD: patch-ab,v 1.10.4.3 2009/10/04 13:26:13 spz Exp $
-Fix for CVE-2009-3094 based on the description of the problem:
+Fixes for CVE-2009-3094 and CVE-2009-3095 taken from the Apache SVN repository:
-http://www.intevydis.com/blog/?p=59
+http://svn.apache.org/viewvc?view=rev&revision=814844
+http://svn.apache.org/viewvc?view=rev&revision=814847
--- modules/proxy/mod_proxy_ftp.c.orig 2008-11-11 20:04:34.000000000 +0000
-+++ modules/proxy/mod_proxy_ftp.c 2009-09-13 14:23:13.000000000 +0100
-@@ -1274,7 +1274,9 @@
++++ modules/proxy/mod_proxy_ftp.c 2009-10-04 12:49:43.000000000 +0100
+@@ -604,6 +604,31 @@
+ return APR_SUCCESS;
+ }
+
++/* Parse EPSV reply and return port, or zero on error. Modifies
++ * 'reply'. */
++static apr_port_t parse_epsv_reply(char *reply)
++{
++ char *p, *ep;
++ long port;
++
++ /* Reply syntax per RFC 2428: "229 blah blah (|||port|)" where '|'
++ * can be any character in ASCII from 33-126, obscurely. Verify
++ * the syntax. */
++ p = ap_strchr(reply, '(');
++ if (p == NULL || !p[0] || !p[1] || p[1] != p[2] || p[1] != p[3]
++ || p[4] == p[1]) {
++ return 0;
++ }
++
++ errno = 0;
++ port = strtol(p + 4, &ep, 10);
++ if (errno || port < 1 || port > 65535 || ep[0] != p[1] || ep[1] != ')') {
++ return 0;
++ }
++
++ return (apr_port_t)port;
++}
++
+ /*
+ * Generic "send FTP command to server" routine, using the control socket.
+ * Returns the FTP returncode (3 digit code)
+@@ -887,6 +912,11 @@
+ if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL
+ && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0
+ && (password = ap_pbase64decode(r->pool, password))[0] != ':') {
++ /* Check the decoded string for special characters. */
++ if (!ftp_check_string(password)) {
++ return ap_proxyerror(r, HTTP_BAD_REQUEST,
++ "user credentials contained invalid character");
++ }
+ /*
+ * Note that this allocation has to be made from r->connection->pool
+ * because it has the lifetime of the connection. The other
+@@ -1210,26 +1240,11 @@
+ return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage);
+ }
+ else if (rc == 229) {
+- char *pstr;
+- char *tok_cntx;
++ /* Parse the port out of the EPSV reply. */
++ data_port = parse_epsv_reply(ftpmessage);
+
+- pstr = ftpmessage;
+- pstr = apr_strtok(pstr, " ", &tok_cntx); /* separate result code */
+- if (pstr != NULL) {
+- if (*(pstr + strlen(pstr) + 1) == '=') {
+- pstr += strlen(pstr) + 2;
+- }
+- else {
+- pstr = apr_strtok(NULL, "(", &tok_cntx); /* separate address &
+- * port params */
+- if (pstr != NULL)
+- pstr = apr_strtok(NULL, ")", &tok_cntx);
+- }
+- }
+-
+- if (pstr) {
++ if (data_port) {
+ apr_sockaddr_t *epsv_addr;
+- data_port = atoi(pstr + 3);
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "proxy: FTP: EPSV contacting remote host on port %d",
+@@ -1272,10 +1287,6 @@
+ connect = 1;
+ }
}
- else {
- /* and try the regular way */
+- else {
+- /* and try the regular way */
- apr_socket_close(data_sock);
-+ if (data_sock != NULL) {
-+ apr_socket_close(data_sock);
-+ }
+- }
+ }
+ }
+
+@@ -1364,10 +1375,6 @@
+ connect = 1;
+ }
}
+- else {
+- /* and try the regular way */
+- apr_socket_close(data_sock);
+- }
}
}
+ /*bypass:*/
+@@ -1851,7 +1858,9 @@
+ * for a slow client to eat these bytes
+ */
+ ap_flush_conn(data);
+- apr_socket_close(data_sock);
++ if (data_sock) {
++ apr_socket_close(data_sock);
++ }
+ data_sock = NULL;
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "proxy: FTP: data connection closed");
diff --git a/www/apache22/patches/patch-av b/www/apache22/patches/patch-av
deleted file mode 100644
index e3309c7bb7b..00000000000
--- a/www/apache22/patches/patch-av
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-av,v 1.2 2009/01/25 09:59:51 tron Exp $
-
---- modules/generators/mod_cgid.c.orig 2008-08-15 18:08:05.000000000 -0400
-+++ modules/generators/mod_cgid.c
-@@ -203,7 +203,7 @@ static char **create_argv(apr_pool_t *p,
- char *w;
- int idx = 0;
-
-- if (ap_strchr_c(args, '=')) {
-+ if (!(*args) || ap_strchr_c(args, '=')) {
- numwords = 0;
- }
- else {
diff --git a/www/apache22/patches/patch-ba b/www/apache22/patches/patch-ba
deleted file mode 100644
index 9ad3d4056a2..00000000000
--- a/www/apache22/patches/patch-ba
+++ /dev/null
@@ -1,15 +0,0 @@
-$NetBSD: patch-ba,v 1.2.2.1 2009/08/07 21:08:15 spz Exp $
-
-Fix build problems with newer versions of OpenSSL.
-
---- modules/ssl/ssl_engine_init.c.orig 2009-08-05 09:37:09.000000000 +0200
-+++ modules/ssl/ssl_engine_init.c
-@@ -573,7 +573,7 @@ static void ssl_init_ctx_verify(server_r
- ssl_die();
- }
-
-- SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
-+ SSL_CTX_set_client_CA_list(ctx, ca_list);
- }
-
- /*
diff --git a/www/apache22/patches/patch-bb b/www/apache22/patches/patch-bb
deleted file mode 100644
index 1f8b8b23650..00000000000
--- a/www/apache22/patches/patch-bb
+++ /dev/null
@@ -1,33 +0,0 @@
-$NetBSD: patch-bb,v 1.3.2.2 2009/08/07 21:08:15 spz Exp $
-
-Fix build problems with newer versions of OpenSSL.
-
---- modules/ssl/ssl_util_ssl.c.orig 2009-08-05 09:33:37.000000000 +0200
-+++ modules/ssl/ssl_util_ssl.c
-@@ -294,7 +294,7 @@ BOOL SSL_X509_isSGC(X509 *cert)
- #ifdef HAVE_SSL_X509V3_EXT_d2i
- X509_EXTENSION *ext;
- int ext_nid;
-- STACK *sk;
-+ STACK_OF(SSL_CIPHER) *sk;
- BOOL is_sgc;
- int idx;
- int i;
-@@ -303,7 +303,7 @@ BOOL SSL_X509_isSGC(X509 *cert)
- idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
- if (idx >= 0) {
- ext = X509_get_ext(cert, idx);
-- if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL) {
-+ if ((sk = X509V3_EXT_d2i(ext)) != NULL) {
- for (i = 0; i < sk_num(sk); i++) {
- ext_nid = OBJ_obj2nid((ASN1_OBJECT *)sk_value(sk, i));
- if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) {
-@@ -467,7 +467,7 @@ int SSL_CTX_use_certificate_chain(
- X509 *x509;
- unsigned long err;
- int n;
-- STACK *extra_certs;
-+ STACK_OF(X509) *extra_certs;
-
- if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
- return -1;