- Security patch

Security: CVE-2007-6388
Security: CVE-2007-5000
Security: CVE-2007-3847
Reported by:	Thomas Vogt
Dirk Meyer 2008-01-23 08:00:43 +00:00
parent 06a579296f
commit 49cc29edd1
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=206048
2 changed files with 400 additions and 1 deletions


@ -7,7 +7,7 @@
PORTNAME= apache+mod_ssl
PORTVERSION= ${VERSION_APACHE}+${VERSION_MODSSL}
PORTREVISION?= 0
PORTREVISION?= 1
CATEGORIES?= www security
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
${MASTER_SITES_MODSSL:S/$/:mod_ssl/} \


@ -0,0 +1,399 @@
diff -ur conf/mime.types apache_1.3.41/conf/mime.types
--- conf/mime.types 2007-09-01 00:03:39.000000000 +0200
+++ apache_1.3.41/conf/mime.types 2008-01-02 23:12:12.000000000 +0100
@@ -82,6 +82,10 @@
application/mbox mbox
application/mediaservercontrol+xml mscml
application/mikey
+application/moss-keys
+application/moss-signature
+application/mosskey-data
+application/mosskey-request
application/mp4 mp4s
application/mpeg4-generic
application/mpeg4-iod
@@ -135,6 +139,10 @@
application/samlassertion+xml
application/samlmetadata+xml
application/sbml+xml sbml
+application/scvp-cv-request scq
+application/scvp-cv-response scs
+application/scvp-vp-request spq
+application/scvp-vp-response spp
application/sdp sdp
application/set-payment
application/set-payment-initiation setpay
@@ -152,6 +160,8 @@
application/smil+xml smi smil
application/soap+fastinfoset
application/soap+xml
+application/sparql-query rq
+application/sparql-results+xml srx
application/spirits-event+xml
application/srgs gram
application/srgs+xml grxml
@@ -159,6 +169,7 @@
application/timestamp-query
application/timestamp-reply
application/tve-trigger
+application/ulpfec
application/vemmi
application/vividence.scriptfile
application/vnd.3gpp.bsf+xml
@@ -168,6 +179,7 @@
application/vnd.3gpp.sms
application/vnd.3gpp2.bcmcsinfo+xml
application/vnd.3gpp2.sms
+application/vnd.3gpp2.tcap tcap
application/vnd.3m.post-it-notes pwn
application/vnd.accpac.simply.aso aso
application/vnd.accpac.simply.imp imp
@@ -317,6 +329,7 @@
application/vnd.japannet-verification-wakeup
application/vnd.jcp.javame.midlet-rms rms
application/vnd.jisp jisp
+application/vnd.joost.joda-archive joda
application/vnd.kahootz ktz ktr
application/vnd.kde.karbon karbon
application/vnd.kde.kchart chrt
@@ -393,9 +406,13 @@
application/vnd.ms-xpsdocument xps
application/vnd.mseq mseq
application/vnd.msign
+application/vnd.multiad.creator
+application/vnd.multiad.creator.cif
application/vnd.music-niff
application/vnd.musician mus
+application/vnd.muvee.style msty
application/vnd.ncd.control
+application/vnd.ncd.reference
application/vnd.nervana
application/vnd.netfpx
application/vnd.neurolanguage.nlu nlu
@@ -455,7 +472,10 @@
application/vnd.oma.dd2+xml dd2
application/vnd.oma.drm.risd+xml
application/vnd.oma.group-usage-list+xml
+application/vnd.oma.poc.detailed-progress-report+xml
+application/vnd.oma.poc.final-report+xml
application/vnd.oma.poc.groups+xml
+application/vnd.oma.poc.optimized-progress-report+xml
application/vnd.oma.xcap-directory+xml
application/vnd.omads-email+xml
application/vnd.omads-file+xml
@@ -495,6 +515,7 @@
application/vnd.rn-realmedia rm
application/vnd.ruckus.download
application/vnd.s3sms
+application/vnd.sbm.mid2
application/vnd.scribus
application/vnd.sealed.3df
application/vnd.sealed.csf
@@ -571,6 +592,7 @@
application/vnd.wap.wmlscriptc wmlsc
application/vnd.webturbo wtb
application/vnd.wfa.wsc
+application/vnd.wmc
application/vnd.wordperfect wpd
application/vnd.wqd wqd
application/vnd.wrq-hp3000-labelled
@@ -742,6 +764,7 @@
audio/t38
audio/telephone-event
audio/tone
+audio/ulpfec
audio/vdvi
audio/vmr-wb
audio/vnd.3gpp.iufp
@@ -812,7 +835,7 @@
image/vnd.fujixerox.edmics-mmr mmr
image/vnd.fujixerox.edmics-rlc rlc
image/vnd.globalgraphics.pgb
-image/vnd.microsoft.icon ico
+image/vnd.microsoft.icon
image/vnd.mix
image/vnd.ms-modi mdi
image/vnd.net-fpx npx
@@ -824,7 +847,7 @@
image/vnd.xiff xif
image/x-cmu-raster ras
image/x-cmx cmx
-image/x-icon
+image/x-icon ico
image/x-pcx pcx
image/x-pict pic pct
image/x-portable-anymap pnm
@@ -847,6 +870,7 @@
message/sip
message/sipfrag
message/tracking-status
+message/vnd.si.simp
model/iges igs iges
model/mesh msh mesh silo
model/vnd.dwf dwf
@@ -894,6 +918,7 @@
text/t140
text/tab-separated-values tsv
text/troff t tr roff man me ms
+text/ulpfec
text/uri-list uri uris urls
text/vnd.abc
text/vnd.curl
@@ -909,6 +934,7 @@
text/vnd.motorola.reflex
text/vnd.ms-mediapackage
text/vnd.net2phone.commcenter.command
+text/vnd.si.uricatalogue
text/vnd.sun.j2me.app-descriptor jad
text/vnd.trolltech.linguist
text/vnd.wap.si
@@ -957,6 +983,7 @@
video/rtp-enc-aescm128
video/rtx
video/smpte292m
+video/ulpfec
video/vc1
video/vnd.dlna.mpeg-tts
video/vnd.fvt fvt
diff -ur src/CHANGES apache_1.3.41/src/CHANGES
--- src/CHANGES 2007-09-04 14:28:53.000000000 +0200
+++ apache_1.3.41/src/CHANGES 2008-01-09 15:33:07.000000000 +0100
@@ -1,3 +1,29 @@
+Changes with Apache 1.3.41
+
+ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. [Mark Cox]
+
+Changes with Apache 1.3.40 (not released)
+
+ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
+ mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
+ [Joe Orton]
+
+ *) SECURITY: CVE-2007-3847 (cve.mitre.org)
+ mod_proxy: Prevent reading past the end of a buffer when parsing
+ date-related headers. PR 41144.
+ With Apache 1.3, the denial of service vulnerability applies only
+ to the Windows and NetWare platforms.
+ [Jeff Trawick]
+
+ *) More efficient implementation of the CVE-2007-3304 PID table
+ patch. This fixes issues with excessive memory usage by the
+ parent process if long-running and with a high number of child
+ process forks during that timeframe. Also fixes bogus "Bad pid"
+ errors. [Jim Jagielski, Jeff Trawick]
+
Changes with Apache 1.3.39
*) SECURITY: CVE-2006-5752 (cve.mitre.org)
diff -ur src/Configure apache_1.3.41/src/Configure
--- src/Configure 2007-08-10 17:45:50.000000000 +0200
+++ apache_1.3.41/src/Configure 2008-01-04 15:40:05.000000000 +0100
@@ -1936,7 +1936,7 @@
# select the special subtarget for shared core generation
SUBTARGET=target_shared
# determine additional suffixes for libhttpd.so
- V=1 R=3 P=39
+ V=1 R=3 P=41
if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
SHLIB_SUFFIX_LIST=""
fi
diff -ur src/include/httpd.h apache_1.3.41/src/include/httpd.h
--- src/include/httpd.h 2007-09-04 14:28:53.000000000 +0200
+++ apache_1.3.41/src/include/httpd.h 2008-01-10 17:20:45.000000000 +0100
@@ -389,7 +389,7 @@
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
-#define SERVER_BASEREVISION "1.3.39"
+#define SERVER_BASEREVISION "1.3.41"
#define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
#define SERVER_PRODUCT SERVER_BASEPRODUCT
@@ -410,7 +410,7 @@
* Always increases along the same track as the source branch.
* For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
*/
-#define APACHE_RELEASE 10339100
+#define APACHE_RELEASE 10341100
#define SERVER_PROTOCOL "HTTP/1.1"
#ifndef SERVER_SUPPORT
diff -ur src/main/http_main.c apache_1.3.41/src/main/http_main.c
--- src/main/http_main.c 2007-06-04 21:26:21.000000000 +0200
+++ apache_1.3.41/src/main/http_main.c 2007-11-15 22:31:15.000000000 +0100
@@ -362,7 +362,7 @@
/*
* Parent process local storage of child pids
*/
-static table *pid_table;
+static int pid_table[HARD_SERVER_LIMIT];
/*
* Pieces for managing the contents of the Server response header
@@ -384,26 +384,34 @@
*/
static int in_pid_table(int pid) {
- char apid[64]; /* WAY generous! */
- const char *spid;
- ap_snprintf(apid, sizeof(apid), "%d", pid);
- spid = ap_table_get(pid_table, apid);
- if (spid && spid[0] == '1' && spid[1] == '\0')
- return 1;
- else
- return 0;
+ int i;
+ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+ if (pid_table[i] == pid) {
+ return 1;
+ }
+ }
+ return 0;
}
static void set_pid_table(int pid) {
- char apid[64];
- ap_snprintf(apid, sizeof(apid), "%d", pid);
- ap_table_set(pid_table, apid, "1");
+ int i;
+ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+ if (pid_table[i] == 0) {
+ pid_table[i] = pid;
+ break;
+ }
+ }
+ /* NOTE: Error detection?? */
}
static void unset_pid_table(int pid) {
- char apid[64];
- ap_snprintf(apid, sizeof(apid), "%d", pid);
- ap_table_unset(pid_table, apid);
+ int i;
+ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+ if (pid_table[i] == pid) {
+ pid_table[i] = 0;
+ break;
+ }
+ }
}
/*
@@ -2680,7 +2688,10 @@
ss->vhostrec = r->server;
}
}
- if (status == SERVER_STARTING && r == NULL) {
+ if (status == SERVER_DEAD) {
+ ap_scoreboard_image->parent[child_num].pid = 0;
+ }
+ else if (status == SERVER_STARTING && r == NULL) {
/* clean up the slot's vhostrec pointer (maybe re-used)
* and mark the slot as belonging to a new generation.
*/
@@ -4370,6 +4381,7 @@
*/
static void common_init(void)
{
+ int i;
INIT_SIGLIST()
#ifdef AUX3
(void) set42sig();
@@ -4465,6 +4477,9 @@
ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *));
- pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT);
+ /* overkill since static */
+ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
+ pid_table[i] = 0;
+ }
#ifdef EAPI
ap_hook_init();
diff -ur src/modules/proxy/proxy_util.c apache_1.3.41/src/modules/proxy/proxy_util.c
--- src/modules/proxy/proxy_util.c 2006-07-12 10:16:05.000000000 +0200
+++ apache_1.3.41/src/modules/proxy/proxy_util.c 2007-10-30 20:17:03.000000000 +0100
@@ -282,7 +282,8 @@
*q = ',';
if (wk == 7)
return x; /* not a valid date */
- if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
+ if (strlen(q) != 24 ||
+ q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
q[17] != ':' || strcmp(&q[20], " GMT") != 0)
return x;
if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year,
@@ -294,8 +295,9 @@
year += 1900;
}
else {
-/* check for acstime() date */
- if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
+/* check for asctime() date */
+ if (strlen(x) != 24 ||
+ x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
x[16] != ':' || x[19] != ' ' || x[24] != '\0')
return x;
if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour,
diff -ur src/modules/standard/mod_imap.c apache_1.3.41/src/modules/standard/mod_imap.c
--- src/modules/standard/mod_imap.c 2006-07-12 10:16:05.000000000 +0200
+++ apache_1.3.41/src/modules/standard/mod_imap.c 2007-12-12 13:36:54.000000000 +0100
@@ -463,7 +463,7 @@
static void menu_header(request_rec *r, char *menu)
{
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
ap_send_http_header(r);
#ifdef CHARSET_EBCDIC
/* Server-generated response, converted */
@@ -471,11 +471,13 @@
#endif
ap_hard_timeout("send menu", r); /* killed in menu_footer */
- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
- "</title>\n</head><body>\n", NULL);
+ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</title>\n</head><body>\n", NULL);
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
+ ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
+ "</h1>\n<hr>\n\n", NULL);
}
return;
diff -ur src/modules/standard/mod_status.c apache_1.3.41/src/modules/standard/mod_status.c
--- src/modules/standard/mod_status.c 2007-07-24 20:03:56.000000000 +0200
+++ apache_1.3.41/src/modules/standard/mod_status.c 2008-01-07 03:31:11.000000000 +0100
@@ -232,17 +232,15 @@
while (status_options[i].id != STAT_OPT_END) {
if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
switch (status_options[i].id) {
- case STAT_OPT_REFRESH:
- if (*(loc + strlen(status_options[i].form_data_str)) == '='
- && atol(loc + strlen(status_options[i].form_data_str)
- + 1) > 0)
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str,
- loc + strlen(status_options[i].hdr_out_str) + 1);
- else
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str, "1");
- break;
+ case STAT_OPT_REFRESH: {
+ long refreshtime = 0;
+ if (*(loc + strlen(status_options[i].form_data_str)) == '=')
+ refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
+ ap_table_set(r->headers_out,
+ status_options[i].hdr_out_str,
+ ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
+ break;
+ }
case STAT_OPT_NOTABLE:
no_table_report = 1;
break;
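Review bot: The mod_status refresh handling at the end of this section still parses the query value with `atol`, whose result is undefined when the digits do not fit in a long, and only a lower bound is applied, so an arbitrarily large (but numeric) value is copied verbatim into the Refresh header. Parsing with `strtol` and checking `errno == ERANGE` and that the end pointer advanced past the start, then clamping to a sensible maximum next to the existing `(refreshtime<1)?10:refreshtime` floor, would make the bound explicit; the key line becomes `refreshtime = strtol(loc + strlen(status_options[i].form_data_str)+1, &end, 10);` with `if (errno == ERANGE || end == loc + strlen(status_options[i].form_data_str)+1) refreshtime = 0;` after it. The switch sits inside a function whose beginning and end lie outside the hunk. A smaller point in the http_main.c hunk: because free slots of the new `pid_table` array are zero, `in_pid_table(0)` returns 1, and `set_pid_table` silently drops the pid when all HARD_SERVER_LIMIT slots are occupied, as the `/* NOTE: Error detection?? */` comment already admits; a guard `if (pid == 0) return 0;` in `in_pid_table` and an error log on the full-table path would make both behaviours explicit.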