From deb88a3a81e851c3170a1357f099567dc666a57b Mon Sep 17 00:00:00 2001
From: spz
Date: Sat, 11 Feb 2012 12:44:09 +0000
Subject: fix CVE-2012-0840 with patches taken from the Apache svn
---
 devel/apr/Makefile | 4 +-
 devel/apr/distinfo | 4 +-
 devel/apr/patches/patch-tables_apr__hash.c | 138 +++++++++++++++++++++++++++++
 devel/apr/patches/patch-test_testhash.c | 96 ++++++++++++++++++++
 4 files changed, 239 insertions(+), 3 deletions(-)
 create mode 100644 devel/apr/patches/patch-tables_apr__hash.c
 create mode 100644 devel/apr/patches/patch-test_testhash.c
(limited to 'devel/apr')
diff --git a/devel/apr/Makefile b/devel/apr/Makefile
index ba1d1e03c6b..dd81949509d 100644
--- a/devel/apr/Makefile
+++ b/devel/apr/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.67 2011/12/02 07:13:28 sbd Exp $
+# $NetBSD: Makefile,v 1.68 2012/02/11 12:44:09 spz Exp $
 DISTNAME= apr-1.4.5
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= devel
 MASTER_SITES= ${MASTER_SITE_APACHE:=apr/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/devel/apr/distinfo b/devel/apr/distinfo
index cc01c1b8434..d53db4044f9 100644
--- a/devel/apr/distinfo
+++ b/devel/apr/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.33 2011/11/19 21:16:22 alnsn Exp $
+$NetBSD: distinfo,v 1.34 2012/02/11 12:44:09 spz Exp $
 SHA1 (apr-1.4.5.tar.bz2) = 517de5e3cc1e3be810d9bc95508ab66bb8ebe7cb
 RMD160 (apr-1.4.5.tar.bz2) = d2a966c1b143416cd3655cf849cb5d3cb1ca2c5f
 Size (apr-1.4.5.tar.bz2) = 754763 bytes
 SHA1 (patch-atomic_unix_ia32.c) = c51d5810ceb8438b04d7945a476fef96ea57a76a
+SHA1 (patch-tables_apr__hash.c) = 6ef340a7c36d54134fd41e0da9e6739b24897e32
 SHA1 (patch-test_testatomic.c) = 0905b0001e0d06b9c96beb1c32ee9ce9382f233f
+SHA1 (patch-test_testhash.c) = 4233874557009e99d00436401be0b9793603978e
diff --git a/devel/apr/patches/patch-tables_apr__hash.c b/devel/apr/patches/patch-tables_apr__hash.c
new file mode 100644
index 00000000000..54140120274
--- /dev/null
+++ b/devel/apr/patches/patch-tables_apr__hash.c
@@ -0,0 +1,138 @@
+$NetBSD: patch-tables_apr__hash.c,v 1.1 2012/02/11 12:44:09 spz Exp $
+
+http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/tables/apr_hash.c
+revision 1237547:
+Randomise hashes by providing a seed (initial hash value).
+
+--- tables/apr_hash.c.orig 2010-01-19 21:39:11.000000000 +0000
++++ tables/apr_hash.c
+@@ -18,6 +18,7 @@
+
+ #include "apr_general.h"
+ #include "apr_pools.h"
++#include "apr_time.h"
+
+ #include "apr_hash.h"
+
+@@ -75,7 +76,7 @@ struct apr_hash_t {
+ apr_pool_t *pool;
+ apr_hash_entry_t **array;
+ apr_hash_index_t iterator; /* For apr_hash_first(NULL, ...) */
+- unsigned int count, max;
++ unsigned int count, max, seed;
+ apr_hashfunc_t hash_func;
+ apr_hash_entry_t *free; /* List of recycled entries */
+ };
+@@ -95,13 +96,18 @@ static apr_hash_entry_t **alloc_array(ap
+ APR_DECLARE(apr_hash_t *) apr_hash_make(apr_pool_t *pool)
+ {
+ apr_hash_t *ht;
++ apr_time_t now = apr_time_now();
++
+ ht = apr_palloc(pool, sizeof(apr_hash_t));
+ ht->pool = pool;
+ ht->free = NULL;
+ ht->count = 0;
+ ht->max = INITIAL_MAX;
++ ht->seed = (unsigned int)((now >> 32) ^ now ^ (apr_uintptr_t)pool ^
++ (apr_uintptr_t)ht ^ (apr_uintptr_t)&now) - 1;
+ ht->array = alloc_array(ht, ht->max);
+- ht->hash_func = apr_hashfunc_default;
++ ht->hash_func = NULL;
++
+ return ht;
+ }
+
+@@ -178,10 +184,9 @@ static void expand_array(apr_hash_t *ht)
+ ht->max = new_max;
+ }
+
+-APR_DECLARE_NONSTD(unsigned int) apr_hashfunc_default(const char *char_key,
+- apr_ssize_t *klen)
++static unsigned int hashfunc_default(const char *char_key, apr_ssize_t *klen,
++ unsigned int hash)
+ {
+- unsigned int hash = 0;
+ const unsigned char *key = (const unsigned char *)char_key;
+ const unsigned char *p;
+ apr_ssize_t i;
+@@ -223,7 +228,7 @@ APR_DECLARE_NONSTD(unsigned int) apr_has
+ *
+ * -- Ralf S. Engelschall
+ */
+-
++
+ if (*klen == APR_HASH_KEY_STRING) {
+ for (p = key; *p; p++) {
+ hash = hash * 33 + *p;
+@@ -239,6 +244,11 @@ APR_DECLARE_NONSTD(unsigned int) apr_has
+ return hash;
+ }
+
++APR_DECLARE_NONSTD(unsigned int) apr_hashfunc_default(const char *char_key,
++ apr_ssize_t *klen)
++{
++ return hashfunc_default(char_key, klen, 0);
++}
+
+ /*
+ * This is where we keep the details of the hash function and control
+@@ -257,7 +267,10 @@ static apr_hash_entry_t **find_entry(apr
+ apr_hash_entry_t **hep, *he;
+ unsigned int hash;
+
+- hash = ht->hash_func(key, &klen);
++ if (ht->hash_func)
++ hash = ht->hash_func(key, &klen);
++ else
++ hash = hashfunc_default(key, &klen, ht->seed);
+
+ /* scan linked list */
+ for (hep = &ht->array[hash & ht->max], he = *hep;
+@@ -299,6 +312,7 @@ APR_DECLARE(apr_hash_t *) apr_hash_copy(
+ ht->free = NULL;
+ ht->count = orig->count;
+ ht->max = orig->max;
++ ht->seed = orig->seed;
+ ht->hash_func = orig->hash_func;
+ ht->array = (apr_hash_entry_t **)((char *)ht + sizeof(apr_hash_t));
+
+@@ -396,7 +410,7 @@ APR_DECLARE(apr_hash_t *) apr_hash_merge
+ apr_hash_entry_t *new_vals = NULL;
+ apr_hash_entry_t *iter;
+ apr_hash_entry_t *ent;
+- unsigned int i,j,k;
++ unsigned int i, j, k, hash;
+
+ #if APR_POOL_DEBUG
+ /* we don't copy keys and values, so it's necessary that
+@@ -424,6 +438,7 @@ APR_DECLARE(apr_hash_t *) apr_hash_merge
+ if (base->count + overlay->count > res->max) {
+ res->max = res->max * 2 + 1;
+ }
++ res->seed = base->seed;
+ res->array = alloc_array(res, res->max);
+ if (base->count + overlay->count) {
+ new_vals = apr_palloc(p, sizeof(apr_hash_entry_t) *
+@@ -445,7 +460,11 @@ APR_DECLARE(apr_hash_t *) apr_hash_merge
+
+ for (k = 0; k <= overlay->max; k++) {
+ for (iter = overlay->array[k]; iter; iter = iter->next) {
+- i = iter->hash & res->max;
++ if (res->hash_func)
++ hash = res->hash_func(iter->key, &iter->klen);
++ else
++ hash = hashfunc_default(iter->key, &iter->klen, res->seed);
++ i = hash & res->max;
+ for (ent = res->array[i]; ent; ent = ent->next) {
+ if ((ent->klen == iter->klen) &&
+ (memcmp(ent->key, iter->key, iter->klen) == 0)) {
+@@ -463,7 +482,7 @@ APR_DECLARE(apr_hash_t *) apr_hash_merge
+ new_vals[j].klen = iter->klen;
+ new_vals[j].key = iter->key;
+ new_vals[j].val = iter->val;
+- new_vals[j].hash = iter->hash;
++ new_vals[j].hash = hash;
+ new_vals[j].next = res->array[i];
+ res->array[i] = &new_vals[j];
+ res->count++;
diff --git a/devel/apr/patches/patch-test_testhash.c b/devel/apr/patches/patch-test_testhash.c
new file mode 100644
index 00000000000..1497b19dd54
--- /dev/null
+++ b/devel/apr/patches/patch-test_testhash.c
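Review bot: Passing the seed as the initial value of the times-33 loop, as `hashfunc_default(key, &klen, ht->seed)` does in find_entry and apr_hash_merge, changes which bucket a key lands in but not whether two keys of the same length collide: with `hash = hash * 33 + *p` the seed contributes the same `seed * 33^len` term to both, so equal-length keys that collide for seed 0 collide for every seed. The seed assigned in apr_hash_make is also built only from `apr_time_now()` and three addresses rather than from a random source, so it should not be relied on as a secret. I would record both limits at the assignment, e.g. `/* seed only perturbs bucket placement: time/address derived, and equal-length keys that collide unseeded still collide */`, and keep a cap on the number of attacker-supplied keys in callers. The bodies of apr_hash_make, find_entry and apr_hash_merge extend beyond the inner hunks shown here.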
@@ -0,0 +1,96 @@
+$NetBSD: patch-test_testhash.c,v 1.1 2012/02/11 12:44:09 spz Exp $
+
+http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/test/testhash.c
+revision 1237547:
+Randomise hashes by providing a seed (initial hash value).
+
+--- test/testhash.c.orig 2007-11-01 23:01:06.000000000 +0000
++++ test/testhash.c
+@@ -437,6 +437,79 @@ static void overlay_same(abts_case *tc,
+ ABTS_STR_EQUAL(tc, "#entries 5\n", StrArray[5]);
+ }
+
++static void overlay_fetch(abts_case *tc, void *data)
++{
++ apr_hash_t *base = NULL;
++ apr_hash_t *overlay = NULL;
++ apr_hash_t *result = NULL;
++ int count;
++
++ base = apr_hash_make(p);
++ overlay = apr_hash_make(p);
++ ABTS_PTR_NOTNULL(tc, base);
++ ABTS_PTR_NOTNULL(tc, overlay);
++
++ apr_hash_set(base, "base1", APR_HASH_KEY_STRING, "value1");
++ apr_hash_set(base, "base2", APR_HASH_KEY_STRING, "value2");
++ apr_hash_set(base, "base3", APR_HASH_KEY_STRING, "value3");
++ apr_hash_set(base, "base4", APR_HASH_KEY_STRING, "value4");
++ apr_hash_set(base, "base5", APR_HASH_KEY_STRING, "value5");
++
++ apr_hash_set(overlay, "overlay1", APR_HASH_KEY_STRING, "value1");
++ apr_hash_set(overlay, "overlay2", APR_HASH_KEY_STRING, "value2");
++ apr_hash_set(overlay, "overlay3", APR_HASH_KEY_STRING, "value3");
++ apr_hash_set(overlay, "overlay4", APR_HASH_KEY_STRING, "value4");
++ apr_hash_set(overlay, "overlay5", APR_HASH_KEY_STRING, "value5");
++
++ result = apr_hash_overlay(p, overlay, base);
++
++ count = apr_hash_count(result);
++ ABTS_INT_EQUAL(tc, 10, count);
++
++ ABTS_STR_EQUAL(tc, "value1",
++ apr_hash_get(result, "base1", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value2",
++ apr_hash_get(result, "base2", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value3",
++ apr_hash_get(result, "base3", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value4",
++ apr_hash_get(result, "base4", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value5",
++ apr_hash_get(result, "base5", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value1",
++ apr_hash_get(result, "overlay1", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value2",
++ apr_hash_get(result, "overlay2", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value3",
++ apr_hash_get(result, "overlay3", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value4",
++ apr_hash_get(result, "overlay4", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value5",
++ apr_hash_get(result, "overlay5", APR_HASH_KEY_STRING));
++
++ ABTS_STR_EQUAL(tc, "value1",
++ apr_hash_get(base, "base1", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value2",
++ apr_hash_get(base, "base2", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value3",
++ apr_hash_get(base, "base3", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value4",
++ apr_hash_get(base, "base4", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value5",
++ apr_hash_get(base, "base5", APR_HASH_KEY_STRING));
++
++ ABTS_STR_EQUAL(tc, "value1",
++ apr_hash_get(overlay, "overlay1", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value2",
++ apr_hash_get(overlay, "overlay2", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value3",
++ apr_hash_get(overlay, "overlay3", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value4",
++ apr_hash_get(overlay, "overlay4", APR_HASH_KEY_STRING));
++ ABTS_STR_EQUAL(tc, "value5",
++ apr_hash_get(overlay, "overlay5", APR_HASH_KEY_STRING));
++}
++
+ abts_suite *testhash(abts_suite *suite)
+ {
+ suite = ADD_SUITE(suite)
+@@ -460,6 +533,7 @@ abts_suite *testhash(abts_suite *suite)
+ abts_run_test(suite, overlay_empty, NULL);
+ abts_run_test(suite, overlay_2unique, NULL);
+ abts_run_test(suite, overlay_same, NULL);
++ abts_run_test(suite, overlay_fetch, NULL);
+
+ return suite;
+ }
-- cgit v1.2.3
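Review bot: overlay_fetch builds both tables with `apr_hash_make`, so the per-entry rehash added to the merge path is exercised only for the seeded default hash; the `hash_func` branch for tables with a caller-supplied hash function (presumably created through `apr_hash_make_custom`) has no case in this test. A second test that overlays two custom-hash tables would cover that branch. A short comment above the function, such as `/* base and overlay carry different seeds; every key must still be found in the merged table */`, would record why the lookups on `result` are the assertions that matter.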