From 4212c25f271b01f10f86b6f48c750ef4ac6c05d3 Mon Sep 17 00:00:00 2001 From: lkundrak Date: Thu, 28 Jun 2007 01:49:04 +0000 Subject: Fixes for security issues and PKGREVISION bump; CVE-2006-5752 XSS in mod_status with ExtendedStatus on CVE-2007-1863 remote crash when mod_cache enabled --- www/apache2/Makefile | 4 +- www/apache2/distinfo | 4 +- www/apache2/patches/patch-ap | 44 ++++++++++++++++++++++ www/apache2/patches/patch-aq | 87 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 136 insertions(+), 3 deletions(-) create mode 100644 www/apache2/patches/patch-ap create mode 100644 www/apache2/patches/patch-aq diff --git a/www/apache2/Makefile b/www/apache2/Makefile index 486d2c9f901..68114f91909 100644 --- a/www/apache2/Makefile +++ b/www/apache2/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.113 2007/06/10 06:14:18 joerg Exp $ +# $NetBSD: Makefile,v 1.114 2007/06/28 01:49:04 lkundrak Exp $ .include "Makefile.common" PKGNAME= apache-${APACHE_VERSION} -PKGREVISION= 5 +PKGREVISION= 6 CATEGORIES= www HOMEPAGE= http://httpd.apache.org/ diff --git a/www/apache2/distinfo b/www/apache2/distinfo index 38778eab5f5..db7f2a34ac8 100644 --- a/www/apache2/distinfo +++ b/www/apache2/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.49 2006/08/30 06:16:27 rillig Exp $ +$NetBSD: distinfo,v 1.50 2007/06/28 01:49:04 lkundrak Exp $ SHA1 (httpd-2.0.59.tar.bz2) = 908209cd6e52f700d2a841a25de36e44d469c376 RMD160 (httpd-2.0.59.tar.bz2) = 78b802354e338798a6978ece8b3568be97542174 @@ -13,3 +13,5 @@ SHA1 (patch-ak) = f11a86b1235d5c595fa381bbb474db4fe8448215 SHA1 (patch-al) = 9af7b6c56177d971e135f0a00b3ab9ded5d1b6dd SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 SHA1 (patch-ao) = c629a7563d0e555922526e26b266251144a14ff6 +SHA1 (patch-ap) = 3f9dbd6dbbadb54f5255dfdb15decc6cc7e8eccc +SHA1 (patch-aq) = d1e0243b28c9e224746fa5cac1321f55c5c0927e diff --git a/www/apache2/patches/patch-ap b/www/apache2/patches/patch-ap new file mode 100644 index 00000000000..7d42ccc770c 
--- /dev/null
+++ b/www/apache2/patches/patch-ap
@@ -0,0 +1,44 @@
+$NetBSD: patch-ap,v 1.3 2007/06/28 01:49:04 lkundrak Exp $
+
+Fix for CVE-2006-5752 XSS in mod_status with ExtendedStatus on.
+
+--- modules/generators/mod_status.c.orig 2006-07-12 09:40:55.000000000 +0200
++++ modules/generators/mod_status.c
+@@ -269,7 +269,7 @@ static int status_handler(request_rec *r
+ if (r->method_number != M_GET)
+ return DECLINED;
+
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -298,7 +298,7 @@ static int status_handler(request_rec *r
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -664,7 +664,8 @@ static int status_handler(request_rec *r
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++ ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -753,7 +754,8 @@ static int status_handler(request_rec *r
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++ ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...) */
diff --git a/www/apache2/patches/patch-aq b/www/apache2/patches/patch-aq
new file mode 100644
index 00000000000..243e6873394
--- /dev/null
+++ b/www/apache2/patches/patch-aq
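Review bot: The nested `ap_escape_html(r->pool, ap_escape_logitem(r->pool, ws_record->request))` at the 664 and 753 hunks of patch-ap (mod_status.c) has no comment saying why the request line is escaped twice or why the order matters, and the hard-coded `charset=ISO-8859-1` in the two `ap_set_content_type` calls is equally unexplained. I would add `/* request line is client-controlled: neutralise non-printable bytes first, then HTML metacharacters */` above each nested call, and `/* declare the charset explicitly so the browser does not guess an encoding for the status page */` at the first content-type call, so a later cleanup does not undo either half of the fix. `ws_record->client` and `ws_record->vhost` still pass through `ap_escape_html` alone; whether they can carry client-supplied bytes is not visible in these hunks and is worth confirming. status_handler's body starts and ends outside the hunks.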
@@ -0,0 +1,87 @@
+$NetBSD: patch-aq,v 1.3 2007/06/28 01:49:04 lkundrak Exp $
+
+Fix for CVE-2007-1863 remote crash when mod_cache enabled.
+
+--- modules/experimental/cache_util.c.orig 2006-07-12 09:40:55.000000000 +0200
++++ modules/experimental/cache_util.c
+@@ -186,10 +186,12 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+ age = ap_cache_current_age(info, age_c, r->request_time);
+
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+- else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)) {
++ else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -197,7 +199,8 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+ }
+
+ /* extract max-age from request */
+- if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -205,10 +208,12 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+ }
+
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+- else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)) {
++ else if (cc_ceresp && ap_cache_liststr(r->pool, cc_ceresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else
+@@ -231,14 +236,28 @@ CACHE_DECLARE(int) ap_cache_check_freshn
+
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+ }
+
+ /* extract min-fresh */
+- if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ if (cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -384,6 +403,9 @@ CACHE_DECLARE(int) ap_cache_liststr(apr_
+ next - val_start);
+ }
+ }
++ else {
++ *val = NULL;
++ }
+ }
+ return 1;
+ }
-- cgit v1.2.3
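Review bot: The added `val != NULL` guards in patch-aq (cache_util.c) only cover a directive that has no value; a value that is present but non-numeric or negative still goes straight into `apr_atoi64`, which reports no parse error, so the result is taken from the header unchecked. Parsing with an end pointer lets the caller reject such input, e.g. in the max-stale branch `maxstale = apr_strtoi64(val, &end, 10);` followed by `if (end == val || maxstale < 0) maxstale = 0;`, and likewise for the s-maxage, max-age and min-fresh branches, whose fallback values lie outside the hunks. Separately, `APR_INT64_C(86400*365)` would read better as a named constant, and `if(val != NULL)` lacks the space after `if` used by the surrounding lines. The freshness-check function and ap_cache_liststr both begin and end outside the hunks, so the enclosing condition of the new `*val = NULL` branch cannot be confirmed from here.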