- Backport apr-util security fixes pending the 2.2.12 release (forthcomming)
Security: http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812 PR: ports/135310 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> With Hat: apache
parent
91e119d265
commit
de83f0b16f
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=235407
4 changed files with 91 additions and 1 deletions
|
@ -9,7 +9,7 @@
|
|||
|
||||
PORTNAME= apache
|
||||
PORTVERSION= 2.2.11
|
||||
PORTREVISION?= 4
|
||||
PORTREVISION?= 5
|
||||
CATEGORIES= www
|
||||
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
|
||||
DISTNAME= httpd-${PORTVERSION}
|
||||
|
|
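--- a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
+++ b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
@@ -0,0 +1,51 @@
+Taken from
+http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
+
+--- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729
++++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403
+@@ -347,6 +347,25 @@
+return APR_SUCCESS;
+}
+
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ apr_xml_parser *parser = userData;
++
++ XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+{
+apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,19 @@
+XML_SetElementHandler(parser->xp, start_handler, end_handler);
+XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, installing a noop
++ * DefaultHandler means that internal entities will be expanded as
++ * the empty string, which is also sufficient to prevent the
++ * attack. */
++#if XML_MAJOR_VERSION > 1
++ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++ XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+return parser;
+}
+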
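Review bot: The two build variants fail differently, and the one-line comments on the handlers do not say what a caller of the parser ends up seeing. With expat 2.x `entity_declaration` stops the parser on the first entity declaration, so any document that carries one, harmless or not, is rejected as a whole; with older expat the no-op `default_handler` lets the parse finish with internal entities coming out as the empty string. I would extend the handler comments to say so, e.g. `/* Stop the parser if an entity declaration is hit; the document is then rejected instead of expanded. */` and `/* A noop default_handler: internal entities are left unexpanded and no error is raised. */`. The body of apr_xml_parser_create starts outside the second hunk, so whether callers can tell this abort apart from a malformed document cannot be checked from here.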
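--- a/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
+++ b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
@@ -0,0 +1,18 @@
+Equal to the fix in the apr-util itself:
+http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch
+
+See discuission about original vulnerability at
+http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
+
+--- srclib/apr-util/buckets/apr_brigade.c.orig 2009-06-06 12:32:12.000000000 +0400
++++ srclib/apr-util/buckets/apr_brigade.c 2009-06-06 12:35:30.000000000 +0400
+@@ -689,9 +689,6 @@
+return -1;
+}
+
+- /* tack on null terminator to remaining string */
+- *(vd.vbuff.curpos) = '\0';
+-
+/* write out what remains in the buffer */
+return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+}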
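Review bot: With the terminator store removed, nothing at this site records that `buf` is deliberately left unterminated, which makes it easy for a later cleanup to put the write back. A short comment above the final call would keep the reason next to the code, for example `/* no NUL terminator: curpos may already be at the end of buf, and apr_brigade_write() is given an explicit length */`. The declaration of `buf` and the rest of the function are outside the hunk, so the exact bound is inferred from the patch name and the removed lines rather than read from the code.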
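--- a/www/apache22/files/patch-apr-fix-strmatch-underflow
+++ b/www/apache22/files/patch-apr-fix-strmatch-underflow
@@ -0,0 +1,21 @@
+Fix underflow in apr_strmatch_precompile,
+http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch
+
+--- srclib/apr-util/strmatch/apr_strmatch.c 2009/03/24 11:12:27 757729
++++ srclib/apr-util/strmatch/apr_strmatch.c 2009/05/29 07:47:52 779878
+@@ -103,13 +103,13 @@
+if (case_sensitive) {
+pattern->compare = match_boyer_moore_horspool;
+for (i = 0; i < pattern->length - 1; i++) {
+- shift[(int)s[i]] = pattern->length - i - 1;
++ shift[(unsigned char)s[i]] = pattern->length - i - 1;
+}
+}
+else {
+pattern->compare = match_boyer_moore_horspool_nocase;
+for (i = 0; i < pattern->length - 1; i++) {
+- shift[apr_tolower(s[i])] = pattern->length - i - 1;
++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+}
+}
+pattern->context = shift;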
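Review bot: In the case-insensitive loop the cast is applied to the result of `apr_tolower`, so an `s[i]` with the high bit set is still handed to `apr_tolower` as a possibly negative `char`; that is only safe if the macro converts its argument itself, and its definition is not visible here. Converting on the way in removes that dependency: `shift[(unsigned char)apr_tolower((unsigned char)s[i])] = pattern->length - i - 1;`. The lookup side in `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` has to index `shift` with the same unsigned conversion, and the loop bound `pattern->length - 1` relies on an empty pattern being handled earlier. Both of those lie outside this hunk, as do the start and end of the enclosing function.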