Pullup ticket 2425 - requested by tron security patch for apache22 - pkgsrc/www/apache22/Makefile 1.26 - pkgsrc/www/apache22/distinfo 1.10 - pkgsrc/www/apache22/patches/patch-ab 1.6 Module Name: pkgsrc Committed By: tron Date: Thu Jun 12 14:12:19 UTC 2008 Modified Files: pkgsrc/www/apache22: Makefile distinfo Added Files: pkgsrc/www/apache22/patches: patch-ab Log Message: Add patch for CVE-2008-2364 from the Apache SVN repository.

(ghen)

@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.24 2008/01/21 15:07:10 xtraeme Exp $
+# $NetBSD: Makefile,v 1.24.2.1 2008/06/16 09:00:02 ghen Exp $
 
 .include "Makefile.common"
 
 PKGNAME=	apache-${APACHE_VERSION}
-#PKGREVISION=	1
+PKGREVISION=	1
 CATEGORIES=	www
 
 HOMEPAGE=	http://httpd.apache.org/

@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.9 2008/01/21 15:07:11 xtraeme Exp $
+$NetBSD: distinfo,v 1.9.2.1 2008/06/16 09:00:02 ghen Exp $
 
 SHA1 (httpd-2.2.8.tar.bz2) = 5074904435d3d942ce2dc96c44b07294b8eaca77
 RMD160 (httpd-2.2.8.tar.bz2) = 0736ea9617bafaa1c8cd34ce4fc1c7a659afea57
 Size (httpd-2.2.8.tar.bz2) = 4799055 bytes
 SHA1 (patch-aa) = ae5b34058fc6455cfa9e3d52a50829155ce2eb11
+SHA1 (patch-ab) = 55f4dac616fbe47fea7be0aecd1b7be679b9b0e7
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913

$NetBSD: patch-ab,v 1.5.2.1 2008/06/16 09:00:02 ghen Exp $ Patch for CVE-2008-2364, taken from here: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154 --- modules/proxy/mod_proxy_http.c.orig 2007-12-08 14:01:47.000000000 +0000 +++ modules/proxy/mod_proxy_http.c 2008-06-12 14:44:10.000000000 +0100 @@ -1309,6 +1309,16 @@ return rv; } +/* + * Limit the number of interim respones we sent back to the client. Otherwise + * we suffer from a memory build up. Besides there is NO sense in sending back + * an unlimited number of interim responses to the client. Thus if we cross + * this limit send back a 502 (Bad Gateway). + */ +#ifndef AP_MAX_INTERIM_RESPONSES +#define AP_MAX_INTERIM_RESPONSES 10 +#endif + static apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, proxy_conn_rec *backend, @@ -1323,8 +1333,8 @@ apr_bucket *e; apr_bucket_brigade *bb, *tmp_bb; int len, backasswards; - int interim_response; /* non-zero whilst interim 1xx responses - * are being read. */ + int interim_response = 0; /* non-zero whilst interim 1xx responses + * are being read. */ int pread_len = 0; apr_table_t *save_table; int backend_broke = 0; @@ -1339,6 +1349,7 @@ */ rp = ap_proxy_make_fake_req(origin, r); + ap_proxy_pre_http_request(origin, rp); /* In case anyone needs to know, this is a fake request that is really a * response. */ @@ -1469,7 +1480,6 @@ if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { ap_set_content_type(r, apr_pstrdup(p, buf)); } - ap_proxy_pre_http_request(origin,rp); /* Clear hop-by-hop headers */ for (i=0; hop_by_hop_hdrs[i]; ++i) { @@ -1518,7 +1528,12 @@ backend->close += 1; } - interim_response = ap_is_HTTP_INFO(r->status); + if (ap_is_HTTP_INFO(r->status)) { + interim_response++; + } + else { + interim_response = 0; + } if (interim_response) { /* RFC2616 tells us to forward this. * @@ -1711,7 +1726,15 @@ apr_brigade_cleanup(bb); } - } while (interim_response); + } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES)); + + /* See define of AP_MAX_INTERIM_RESPONSES for why */ + if (interim_response >= AP_MAX_INTERIM_RESPONSES) { + return ap_proxyerror(r, HTTP_BAD_GATEWAY, + apr_psprintf(p, + "Too many (%d) interim responses from origin server", + interim_response)); + } /* If our connection with the client is to be aborted, return DONE. */ if (c->aborted || backend_broke) {