- Backport apr-util security fixes pending the 2.2.12 release (forthcoming)

Security:       http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
PR:             ports/135310
Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
With Hat:       apache
This commit is contained in:
Philip M. Gollucci 2009-06-08 03:10:25 +00:00
parent 91e119d265
commit de83f0b16f
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=235407
4 changed files with 91 additions and 1 deletions


@ -9,7 +9,7 @@
PORTNAME= apache
PORTVERSION= 2.2.11
PORTREVISION?= 4
PORTREVISION?= 5
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
DISTNAME= httpd-${PORTVERSION}


@ -0,0 +1,51 @@
Taken from
http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
--- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729
+++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403
@@ -347,6 +347,25 @@
return APR_SUCCESS;
}
+#if XML_MAJOR_VERSION > 1
+/* Stop the parser if an entity declaration is hit. */
+static void entity_declaration(void *userData, const XML_Char *entityName,
+ int is_parameter_entity, const XML_Char *value,
+ int value_length, const XML_Char *base,
+ const XML_Char *systemId, const XML_Char *publicId,
+ const XML_Char *notationName)
+{
+ apr_xml_parser *parser = userData;
+
+ XML_StopParser(parser->xp, XML_FALSE);
+}
+#else
+/* A noop default_handler. */
+static void default_handler(void *userData, const XML_Char *s, int len)
+{
+}
+#endif
+
APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
{
apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
@@ -372,6 +391,19 @@
XML_SetElementHandler(parser->xp, start_handler, end_handler);
XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+ /* Prevent the "billion laughs" attack against expat by disabling
+ * internal entity expansion. With 2.x, forcibly stop the parser
+ * if an entity is declared - this is safer and a more obvious
+ * failure mode. With older versions, installing a noop
+ * DefaultHandler means that internal entities will be expanded as
+ * the empty string, which is also sufficient to prevent the
+ * attack. */
+#if XML_MAJOR_VERSION > 1
+ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
+#else
+ XML_SetDefaultHandler(parser->xp, default_handler);
+#endif
+
return parser;
}
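Review bot: The pre-2.x branch at `XML_SetDefaultHandler(parser->xp, default_handler);` is load-bearing and easy to undo in a later merge: expat's XML_SetDefaultHandler inhibits internal entity expansion, whereas the similarly named XML_SetDefaultHandlerExpand does not, so swapping one for the other would silently reinstate the expansion this backport is meant to block. I would pin that in the comment above the `#if`, e.g. `/* NOTE: must stay XML_SetDefaultHandler, not XML_SetDefaultHandlerExpand - the latter re-enables internal entity expansion. */`. On the 2.x side, `XML_StopParser(parser->xp, XML_FALSE)` aborts the parse without resumption, so any document whose DTD declares an entity is rejected as a whole; how that surfaces to callers depends on the feed path, which is outside this hunk, so the patch header should state that this is a deliberate hard failure rather than a degraded parse. `default_handler` and `entity_declaration` also ignore most of their parameters; `(void)userData; (void)s; (void)len;` in the noop handler would keep -Wunused-parameter builds quiet.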


@ -0,0 +1,18 @@
Equal to the fix in the apr-util itself:
http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch
See discuission about original vulnerability at
http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
--- srclib/apr-util/buckets/apr_brigade.c.orig 2009-06-06 12:32:12.000000000 +0400
+++ srclib/apr-util/buckets/apr_brigade.c 2009-06-06 12:35:30.000000000 +0400
@@ -689,9 +689,6 @@
return -1;
}
- /* tack on null terminator to remaining string */
- *(vd.vbuff.curpos) = '\0';
-
/* write out what remains in the buffer */
return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
}


@ -0,0 +1,21 @@
Fix underflow in apr_strmatch_precompile,
http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch
--- srclib/apr-util/strmatch/apr_strmatch.c 2009/03/24 11:12:27 757729
+++ srclib/apr-util/strmatch/apr_strmatch.c 2009/05/29 07:47:52 779878
@@ -103,13 +103,13 @@
if (case_sensitive) {
pattern->compare = match_boyer_moore_horspool;
for (i = 0; i < pattern->length - 1; i++) {
- shift[(int)s[i]] = pattern->length - i - 1;
+ shift[(unsigned char)s[i]] = pattern->length - i - 1;
}
}
else {
pattern->compare = match_boyer_moore_horspool_nocase;
for (i = 0; i < pattern->length - 1; i++) {
- shift[apr_tolower(s[i])] = pattern->length - i - 1;
+ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
}
}
pattern->context = shift;
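Review bot: The two `(unsigned char)` casts fix the table index only on the precompile side; the same `shift` table is read by `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` while scanning the haystack, and those functions are outside this hunk, so it is worth confirming they index with the same cast (or through apr_tolower) — otherwise a haystack byte >= 0x80 on a signed-char platform still yields a negative index on the search path. A one-line comment above the first loop would keep the next reader from "simplifying" the cast away, e.g. `/* char may be signed: bytes >= 0x80 must not index below shift[0] */`. The loop bound `pattern->length - 1` also assumes an empty pattern is rejected earlier in apr_strmatch_precompile, which begins before this hunk; if length is an unsigned type a zero length would wrap that bound and run the loop past `s`. The outer cast on `apr_tolower(s[i])` is only strictly needed if apr_tolower can return a negative value for its input, which depends on its definition in apr headers not shown here; it is harmless otherwise and should stay.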