Thu Jun 11 20:30:59 2009 UTC ()
Import improved version of the fix for CVE-2009-1195 to restore
backwards compatibility with e.g. "mod_perl".


(tron)
diff -r1.45 -r1.46 pkgsrc/www/apache22/Makefile
diff -r1.19 -r1.20 pkgsrc/www/apache22/distinfo
diff -r1.1 -r1.2 pkgsrc/www/apache22/patches/patch-ba
diff -r1.1 -r1.2 pkgsrc/www/apache22/patches/patch-bc
diff -r1.1 -r1.2 pkgsrc/www/apache22/patches/patch-bd
diff -r1.1 -r0 pkgsrc/www/apache22/patches/patch-bb

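--- a/pkgsrc/www/apache22/Attic/Makefile
+++ b/pkgsrc/www/apache22/Attic/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.45 2009/06/04 08:51:52 tron Exp $
+# $NetBSD: Makefile,v 1.46 2009/06/11 20:30:58 tron Exp $
 
 DISTNAME= httpd-2.2.11
-PKGREVISION= 4
+PKGREVISION= 5
 PKGNAME= ${DISTNAME:S/httpd/apache/}
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
  ${MASTER_SITE_APACHE:=httpd/old/}
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= tron@NetBSD.org
 HOMEPAGE= http://httpd.apache.org/
 COMMENT= Apache HTTP (Web) server, version 2.2
 LICENSE= apache-2.0
 
 PKG_DESTDIR_SUPPORT= user-destdir
 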

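--- a/pkgsrc/www/apache22/Attic/distinfo
+++ b/pkgsrc/www/apache22/Attic/distinfo
@@ -1,23 +1,22 @@
-$NetBSD: distinfo,v 1.19 2009/06/04 08:51:52 tron Exp $
+$NetBSD: distinfo,v 1.20 2009/06/11 20:30:58 tron Exp $
 
 SHA1 (httpd-2.2.11.tar.bz2) = 7af256d53b79342f82222bd7b86eedbd9ac21d9a
 RMD160 (httpd-2.2.11.tar.bz2) = b2012af716a459f666e0e41eb04808bd0f7fc28d
 Size (httpd-2.2.11.tar.bz2) = 5230130 bytes
 SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
 SHA1 (patch-ab) = d5391ca1af9d817d35cb472b0feb05b86a95e560
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
 SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aq) = 27a0093fc75dcafc673abc25e9ebe80167f52ac1
 SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c
 SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1
 SHA1 (patch-av) = faf8fe2c72c7830daa407907b8161b56300afeaf
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
-SHA1 (patch-ba) = fad28e9305c46ec27efdf51f9a4103b870c51be0
-SHA1 (patch-bb) = a577c9ab28dd6cb2ec0805cadb3650709d960c7e
-SHA1 (patch-bc) = f7f17cd31dfb0f0522933a3ef662f5a4f201dc12
-SHA1 (patch-bd) = 88b156067ea75196b1d82587c439c2cf524656cf
+SHA1 (patch-ba) = ab9984391fcdda9c9793009290d95de8ec2a1371
+SHA1 (patch-bc) = f980d98f1b0ee277d995e3be0f5e55622ebc3931
+SHA1 (patch-bd) = 66f882a4d8c884e5422e025ed175a17412b02fd4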

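--- a/pkgsrc/www/apache22/patches/Attic/patch-ba
+++ b/pkgsrc/www/apache22/patches/Attic/patch-ba
@@ -1,35 +1,42 @@
-$NetBSD: patch-ba,v 1.1 2009/06/04 08:51:52 tron Exp $
+$NetBSD: patch-ba,v 1.2 2009/06/11 20:30:59 tron Exp $
 
 Patch for CVE-2009-1195 taken from:
 
-http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?r1=739382&r2=772997&pathrev=772997
+http://svn.apache.org/viewvc?view=rev&revision=773881
+http://svn.apache.org/viewvc?view=rev&revision=779472
 
 --- include/http_core.h.orig 2008-02-26 19:47:51.000000000 +0000
-+++ include/http_core.h 2009-06-04 09:39:58.000000000 +0100
++++ include/http_core.h 2009-06-11 20:53:26.000000000 +0100
 @@ -65,7 +65,7 @@
  #define OPT_NONE 0
  /** Indexes directive */
  #define OPT_INDEXES 1
 -/** Includes directive */
 +/** SSI is enabled without exec= permission */
  #define OPT_INCLUDES 2
  /** FollowSymLinks directive */
  #define OPT_SYM_LINKS 4
-@@ -73,14 +73,14 @@
- #define OPT_EXECCGI 8
- /** directive unset */
- #define OPT_UNSET 16
--/** IncludesNOEXEC directive */
--#define OPT_INCNOEXEC 32
-+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
-+#define OPT_INC_WITH_EXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
+@@ -80,9 +80,22 @@
  /** MultiViews directive */
  #define OPT_MULTI 128
  /** All directives */
 -#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
  /** @} */
  
++#ifdef CORE_PRIVATE
++/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
++ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
++ * of the two SSI-related bits are hence:
++ *
++ * OPT_INCLUDES => "enable SSI, without exec= permission"
++ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
++ *
++ * The set of options exposed via ap_allow_options() retains the
++ * semantics of OPT_INCNOEXEC by flipping the bit. */
++#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
++#endif
++
  /**
+ * @defgroup get_remote_host Remote Host Resolution
+ * @ingroup APACHE_CORE_HTTPD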
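Review bot: The rewritten OPT_INCLUDES comment at inner line 14, `/** SSI is enabled without exec= permission */`, documents the CORE_PRIVATE-internal meaning of the bit in the public part of the header, while the OPT_INCNOEXEC definition (which the 1.1 version rewrote and this version leaves at its original `/** IncludesNOEXEC directive */`) keeps the externally visible meaning, so a module author reading only the public definitions sees two contradictory conventions for the same pair of bits. The explanation added under `#ifdef CORE_PRIVATE` at inner lines 27-38 resolves this, but it is invisible to third-party modules that do not define CORE_PRIVATE, which are exactly the readers the compatibility change is for. I would keep the public comment in external terms and point to the accessor, e.g. `/** Includes directive (exec= permission is reported via OPT_INCNOEXEC in ap_allow_options()) */`, and leave the internal wording to the CORE_PRIVATE block.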

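--- a/pkgsrc/www/apache22/patches/Attic/patch-bc
+++ b/pkgsrc/www/apache22/patches/Attic/patch-bc
@@ -1,18 +1,18 @@
-$NetBSD: patch-bc,v 1.1 2009/06/04 08:51:52 tron Exp $
+$NetBSD: patch-bc,v 1.2 2009/06/11 20:30:59 tron Exp $
 
 Patch for CVE-2009-1195 taken from:
 
-http://svn.apache.org/viewvc/httpd/httpd/trunk/server/config.c?r1=759924&r2=772997&pathrev=772997
+http://svn.apache.org/viewvc?view=rev&revision=773881
 
 --- server/config.c.orig 2008-12-02 22:28:21.000000000 +0000
 +++ server/config.c 2009-06-04 09:44:24.000000000 +0100
 @@ -1510,7 +1510,7 @@
  parms.temp_pool = ptemp;
  parms.server = s;
  parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
 - parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
 + parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
  
  parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
  &arr_parms, NULL,
 @@ -1617,7 +1617,7 @@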

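--- a/pkgsrc/www/apache22/patches/Attic/patch-bd
+++ b/pkgsrc/www/apache22/patches/Attic/patch-bd
@@ -1,62 +1,22 @@
-$NetBSD: patch-bd,v 1.1 2009/06/04 08:51:52 tron Exp $
+$NetBSD: patch-bd,v 1.2 2009/06/11 20:30:59 tron Exp $
 
 Patch for CVE-2009-1195 taken from:
 
-http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=759699&r2=772997&pathrev=772997
+http://svn.apache.org/viewvc?view=rev&revision=773881
+http://svn.apache.org/viewvc?view=rev&revision=779472
 
---- server/core.c.orig 2008-06-02 22:18:18.000000000 +0100
-+++ server/core.c 2009-06-04 09:46:04.000000000 +0100
-@@ -108,8 +108,7 @@
- conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
- conf->opts_add = conf->opts_remove = OPT_NONE;
- conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
-- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
-- | OPT_MULTI;
-+ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+--- server/core.c.orig 2009-06-11 20:51:15.000000000 +0100
++++ server/core.c 2009-06-11 21:01:04.000000000 +0100
+@@ -659,7 +659,11 @@
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
  
- conf->content_md5 = 2;
- conf->accept_path_info = 3;
-@@ -242,8 +241,13 @@
- conf->opts_remove = (conf->opts_remove & ~new->opts_add)
- | new->opts_remove;
- conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
-- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
-- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
-+
-+ /* if Includes was enabled without exec in the new config, but
-+ * was enabled with exec in the base, then disable exec in the
-+ * resulting options. */
-+ if ((base->opts & OPT_INC_WITH_EXEC)
-+ && (new->opts & OPT_INC_WITH_EXEC) == 0) {
-+ conf->opts &= ~OPT_INC_WITH_EXEC;
- }
- }
- else {
-@@ -1304,10 +1308,12 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ /* If Includes is permitted, both Includes and
-+ * IncludesNOEXEC may be changed. */
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
-@@ -1428,10 +1434,10 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
+- return conf->opts;
++ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
++ * inverted, such that the exposed semantics match that of
++ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
++ * permitted. */
++ return conf->opts ^ OPT_INC_WITH_EXEC;
+ }
+ 
+ AP_DECLARE(int) ap_allow_overrides(request_rec *r)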
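Review bot: The 1.2 version of patch-bd carries only the ap_allow_options() hunk (`@@ -659,7 +659,11 @@`, new lines 10-22, with the function's signature line above the hunk); the create_core_dir_config, merge_core_dir_configs and the two set_options/set_allow_opts hunks that 1.1 carried at old lines 9-62 are dropped and, as far as this commit shows, are not moved into any other patch (distinfo lists only patch-ba, patch-bc and patch-bd afterwards). The flip `return conf->opts ^ OPT_INC_WITH_EXEC;` is only correct if core.c stores the bit with the new internal meaning (set = exec permitted); with the unpatched set_options code visible as the removed old lines 44-45 and 57-58, "IncludesNOEXEC" stores OPT_INCLUDES|OPT_INCNOEXEC and plain "Includes" stores OPT_INCLUDES, so the XOR would report exec= as permitted for the NOEXEC case and as forbidden for plain Includes, and the override check that CVE-2009-1195 is about would remain the 2.2.11 one. The new `server/core.c.orig` timestamp (2009-06-11 20:51:15 versus the pristine 2008-06-02 in 1.1) suggests the diff was taken against an already-patched tree rather than the distfile. Please regenerate patch-bd against pristine httpd-2.2.11 so the r773881 core.c hunks land alongside the r779472 one, and verify on a directory restricted to IncludesNOEXEC that mod_include still refuses exec= after the rebuild.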

File Deleted: pkgsrc/www/apache22/patches/Attic/patch-bb