From acc0b4f8890476d6e4733083c141088b4cdd49bd Mon Sep 17 00:00:00 2001 From: tron Date: Sun, 28 Aug 2005 08:36:55 +0000 Subject: - Add security patch for CAN-2005-2491 from Apache SVN repository. - Add patch for high memory usage caused by "Byterange" support from Apache SVN repository. Bump package revision because of the above changes. --- www/apache2/Makefile | 4 +-- www/apache2/distinfo | 4 ++- www/apache2/patches/patch-ah | 56 ++++++++++++++++++++++++++++++ www/apache2/patches/patch-aj | 82 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 143 insertions(+), 3 deletions(-) create mode 100644 www/apache2/patches/patch-ah create mode 100644 www/apache2/patches/patch-aj (limited to 'www/apache2') diff --git a/www/apache2/Makefile b/www/apache2/Makefile index 97c089c7288..497af3f37b0 100644 --- a/www/apache2/Makefile +++ b/www/apache2/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.80 2005/08/23 11:48:51 rillig Exp $ +# $NetBSD: Makefile,v 1.81 2005/08/28 08:36:55 tron Exp $ .include "Makefile.common" PKGNAME= apache-${APACHE_VERSION} CATEGORIES= www -PKGREVISION= 3 +PKGREVISION= 4 HOMEPAGE= http://httpd.apache.org/ COMMENT= Apache HTTP (Web) server, version 2 diff --git a/www/apache2/distinfo b/www/apache2/distinfo index 5b0227625a5..ea23d6e9c85 100644 --- a/www/apache2/distinfo +++ b/www/apache2/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.39 2005/08/08 18:30:26 tron Exp $ +$NetBSD: distinfo,v 1.40 2005/08/28 08:36:55 tron Exp $ SHA1 (httpd-2.0.54.tar.bz2) = 15b4fc3024cceea6562fb03383fd624e84e5e35a RMD160 (httpd-2.0.54.tar.bz2) = c511cb2fa396ba04caf77bfc6ca03413df48ea08 @@ -10,7 +10,9 @@ SHA1 (patch-ad) = 8c6f62346ffb5069de89a50516a3da2c6104e09b SHA1 (patch-ae) = 0c7b733fe2e46a91dcd3bc29aa18c4b02455ff0d SHA1 (patch-af) = 9e9a8bae118140cc8a49bd30c4753cab5741bdf3 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 +SHA1 (patch-ah) = 39109cb9d58f900627ea190e4ce24731735538ea SHA1 (patch-ai) = 4dc88c15b0525a5aabc80d5c2a0720cd260629de +SHA1 (patch-aj) = 32ac362e0d67bfb208a8814b9baf70e20c22ae4b SHA1 (patch-ak) = f11a86b1235d5c595fa381bbb474db4fe8448215 SHA1 (patch-al) = 9af7b6c56177d971e135f0a00b3ab9ded5d1b6dd SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 diff --git a/www/apache2/patches/patch-ah b/www/apache2/patches/patch-ah new file mode 100644 index 00000000000..ce22c3c0e0d --- /dev/null +++ b/www/apache2/patches/patch-ah @@ -0,0 +1,56 @@ +$NetBSD: patch-ah,v 1.8 2005/08/28 08:36:55 tron Exp $ + +--- srclib/pcre/pcre.c.orig Wed Nov 24 20:31:09 2004 ++++ srclib/pcre/pcre.c Thu Aug 25 22:14:56 2005 +@@ -714,7 +714,18 @@ + int min = 0; + int max = -1; + ++/* Read the minimum value and do a paranoid check: a negative value indicates ++an integer overflow. */ ++ + while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; ++if (min < 0 || min > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } ++ ++/* Read the maximum value if there is one, and again do a paranoid on its size. ++Also, max must not be less than min. */ + + if (*p == '}') max = min; else + { +@@ -722,6 +733,11 @@ + { + max = 0; + while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; ++ if (max < 0 || max > 65535) ++ { ++ *errorptr = ERR5; ++ return p; ++ } + if (max < min) + { + *errorptr = ERR4; +@@ -730,16 +746,11 @@ + } + } + +-/* Do paranoid checks, then fill in the required variables, and pass back the +-pointer to the terminating '}'. */ ++/* Fill in the required variables, and pass back the pointer to the terminating ++'}'. */ + +-if (min > 65535 || max > 65535) +- *errorptr = ERR5; +-else +- { +- *minp = min; +- *maxp = max; +- } ++*minp = min; ++*maxp = max; + return p; + } + diff --git a/www/apache2/patches/patch-aj b/www/apache2/patches/patch-aj new file mode 100644 index 00000000000..e0867ac2047 --- /dev/null +++ b/www/apache2/patches/patch-aj @@ -0,0 +1,82 @@ +$NetBSD: patch-aj,v 1.3 2005/08/28 08:36:55 tron Exp $ + +--- modules/http/http_protocol.c.orig ++++ modules/http/http_protocol.c Tue Aug 23 01:36:16 2005 +@@ -2856,18 +2856,35 @@ + #define MIN_LENGTH(len1, len2) ((len1 > len2) ? len2 : len1) + request_rec *r = f->r; + conn_rec *c = r->connection; +- byterange_ctx *ctx = f->ctx; ++ byterange_ctx *ctx; + apr_bucket *e; + apr_bucket_brigade *bsend; + apr_off_t range_start; + apr_off_t range_end; + char *current; +- apr_off_t bb_length; + apr_off_t clength = 0; + apr_status_t rv; + int found = 0; + +- if (!ctx) { ++ /* Iterate through the brigade until reaching EOS or a bucket with ++ * unknown length. */ ++ for (e = APR_BRIGADE_FIRST(bb); ++ (e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e) ++ && e->length != (apr_size_t)-1); ++ e = APR_BUCKET_NEXT(e)) { ++ clength += e->length; ++ } ++ ++ /* Don't attempt to do byte range work if this brigade doesn't ++ * contain an EOS, or if any of the buckets has an unknown length; ++ * this avoids the cases where it is expensive to perform ++ * byteranging (i.e. may require arbitrary amounts of memory). */ ++ if (!APR_BUCKET_IS_EOS(e) || clength <= 0) { ++ ap_remove_output_filter(f); ++ return ap_pass_brigade(f->next, bb); ++ } ++ ++ { + int num_ranges = ap_set_byterange(r); + + /* We have nothing to do, get out of the way. */ +@@ -2876,7 +2893,7 @@ + return ap_pass_brigade(f->next, bb); + } + +- ctx = f->ctx = apr_pcalloc(r->pool, sizeof(*ctx)); ++ ctx = apr_pcalloc(r->pool, sizeof(*ctx)); + ctx->num_ranges = num_ranges; + /* create a brigade in case we never call ap_save_brigade() */ + ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc); +@@ -2902,29 +2919,6 @@ + ap_xlate_proto_to_ascii(ctx->bound_head, strlen(ctx->bound_head)); + } + } +- +- /* We can't actually deal with byte-ranges until we have the whole brigade +- * because the byte-ranges can be in any order, and according to the RFC, +- * we SHOULD return the data in the same order it was requested. +- * +- * XXX: We really need to dump all bytes prior to the start of the earliest +- * range, and only slurp up to the end of the latest range. By this we +- * mean that we should peek-ahead at the lowest first byte of any range, +- * and the highest last byte of any range. +- */ +- if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) { +- ap_save_brigade(f, &ctx->bb, &bb, r->pool); +- return APR_SUCCESS; +- } +- +- /* Prepend any earlier saved brigades. */ +- APR_BRIGADE_PREPEND(bb, ctx->bb); +- +- /* It is possible that we won't have a content length yet, so we have to +- * compute the length before we can actually do the byterange work. +- */ +- apr_brigade_length(bb, 1, &bb_length); +- clength = (apr_off_t)bb_length; + + /* this brigade holds what we will be sending */ + bsend = apr_brigade_create(r->pool, c->bucket_alloc); -- cgit v1.2.3