add patch from upstream to fix a directory traversal problem which

could allow information disclosure by servers (CVE-2011-2524, does not affect client applications)
2011-07-29 10:27:29 +00:00 · 2011-07-29 10:27:29 +00:00 · 9d55275760
commit 9d55275760
parent b5703cf078
3 changed files with 26 additions and 2 deletions
--- a/net/libsoup24/Makefile
+++ b/net/libsoup24/Makefile
@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.32 2011/07/08 18:35:37 drochner Exp $
+# $NetBSD: Makefile,v 1.33 2011/07/29 10:27:29 drochner Exp $

 DISTNAME=	libsoup-2.34.2
 PKGNAME=	${DISTNAME:S/libsoup/libsoup24/}
+PKGREVISION=	1
 CATEGORIES=	net gnome
 MASTER_SITES=	${MASTER_SITE_GNOME:=sources/libsoup/2.34/}
 EXTRACT_SUFX=	.tar.bz2
--- a/net/libsoup24/distinfo
+++ b/net/libsoup24/distinfo
@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.22 2011/06/10 09:33:53 drochner Exp $
+$NetBSD: distinfo,v 1.23 2011/07/29 10:27:29 drochner Exp $

 SHA1 (libsoup-2.34.2.tar.bz2) = 1812b3c78778b37d55ea2904b9763b6dd8266a1c
 RMD160 (libsoup-2.34.2.tar.bz2) = a3a94ca9dd6a49a3ee15efda6cf8e4ba96a66338
 Size (libsoup-2.34.2.tar.bz2) = 683331 bytes
+SHA1 (patch-aa) = 02d26d3f70954f1bb2d2014aab84a58d5ce14469
--- a/net/libsoup24/patches/patch-aa
+++ b/net/libsoup24/patches/patch-aa
@ -0,0 +1,22 @@
+$NetBSD: patch-aa,v 1.3 2011/07/29 10:27:29 drochner Exp $
+
+CVE-2011-2524
+
+--- libsoup/soup-server.c.orig	2011-04-07 13:29:03.000000000 +0000
+++ libsoup/soup-server.c
+@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClien
+ 
+ 		uri = soup_message_get_uri (req);
+ 		decoded_path = soup_uri_decode (uri->path);
+
+		if (strstr (decoded_path, "/../") ||
+		    g_str_has_suffix (decoded_path, "/..")) {
+			/* Introducing new ".." segments is not allowed */
+			g_free (decoded_path);
+			soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
+			return;
+		}
+
+ 		soup_uri_set_path (uri, decoded_path);
+ 		g_free (decoded_path);
+ 	}