Import improved version of the fix for CVE-2009-1195 to restore backwards compatibility with e.g. "mod_perl".diff -r1.45 -r1.46 pkgsrc/www/apache22/Makefile
(tron)
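--- a/pkgsrc/www/apache22/Makefile
+++ b/pkgsrc/www/apache22/Makefile
@@ -1,17 +1,17 @@
-# $NetBSD: Makefile,v 1.45 2009/06/04 08:51:52 tron Exp $
+# $NetBSD: Makefile,v 1.46 2009/06/11 20:30:58 tron Exp $
 
 DISTNAME= httpd-2.2.11
-PKGREVISION= 4
+PKGREVISION= 5
 PKGNAME= ${DISTNAME:S/httpd/apache/}
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
 ${MASTER_SITE_APACHE:=httpd/old/}
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= tron@NetBSD.org
 HOMEPAGE= http://httpd.apache.org/
 COMMENT= Apache HTTP (Web) server, version 2.2
 LICENSE= apache-2.0
 
 PKG_DESTDIR_SUPPORT= user-destdir
 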
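--- a/pkgsrc/www/apache22/distinfo
+++ b/pkgsrc/www/apache22/distinfo
@@ -1,23 +1,22 @@
-$NetBSD: distinfo,v 1.19 2009/06/04 08:51:52 tron Exp $
+$NetBSD: distinfo,v 1.20 2009/06/11 20:30:58 tron Exp $
 
 SHA1 (httpd-2.2.11.tar.bz2) = 7af256d53b79342f82222bd7b86eedbd9ac21d9a
 RMD160 (httpd-2.2.11.tar.bz2) = b2012af716a459f666e0e41eb04808bd0f7fc28d
 Size (httpd-2.2.11.tar.bz2) = 5230130 bytes
 SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
 SHA1 (patch-ab) = d5391ca1af9d817d35cb472b0feb05b86a95e560
 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
 SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
 SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
 SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
 SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
 SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
 SHA1 (patch-aq) = 27a0093fc75dcafc673abc25e9ebe80167f52ac1
 SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c
 SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1
 SHA1 (patch-av) = faf8fe2c72c7830daa407907b8161b56300afeaf
 SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
-SHA1 (patch-ba) = fad28e9305c46ec27efdf51f9a4103b870c51be0
-SHA1 (patch-bb) = a577c9ab28dd6cb2ec0805cadb3650709d960c7e
-SHA1 (patch-bc) = f7f17cd31dfb0f0522933a3ef662f5a4f201dc12
-SHA1 (patch-bd) = 88b156067ea75196b1d82587c439c2cf524656cf
+SHA1 (patch-ba) = ab9984391fcdda9c9793009290d95de8ec2a1371
+SHA1 (patch-bc) = f980d98f1b0ee277d995e3be0f5e55622ebc3931
+SHA1 (patch-bd) = 66f882a4d8c884e5422e025ed175a17412b02fd4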
@@ -1,35 +1,42 @@ | @@ -1,35 +1,42 @@ | |||
1 | $NetBSD: patch-ba,v 1.1 2009/06/04 08:51:52 tron Exp $ | 1 | $NetBSD: patch-ba,v 1.2 2009/06/11 20:30:59 tron Exp $ | |
2 | 2 | |||
3 | Patch for CVE-2009-1195 taken from: | 3 | Patch for CVE-2009-1195 taken from: | |
4 | 4 | |||
5 | http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?r1=739382&r2=772997&pathrev=772997 | 5 | http://svn.apache.org/viewvc?view=rev&revision=773881 | |
6 | http://svn.apache.org/viewvc?view=rev&revision=779472 | |||
6 | 7 | |||
7 | --- include/http_core.h.orig 2008-02-26 19:47:51.000000000 +0000 | 8 | --- include/http_core.h.orig 2008-02-26 19:47:51.000000000 +0000 | |
8 | +++ include/http_core.h 2009-06-04 09:39:58.000000000 +0100 | 9 | +++ include/http_core.h 2009-06-11 20:53:26.000000000 +0100 | |
9 | @@ -65,7 +65,7 @@ | 10 | @@ -65,7 +65,7 @@ | |
10 | #define OPT_NONE 0 | 11 | #define OPT_NONE 0 | |
11 | /** Indexes directive */ | 12 | /** Indexes directive */ | |
12 | #define OPT_INDEXES 1 | 13 | #define OPT_INDEXES 1 | |
13 | -/** Includes directive */ | 14 | -/** Includes directive */ | |
14 | +/** SSI is enabled without exec= permission */ | 15 | +/** SSI is enabled without exec= permission */ | |
15 | #define OPT_INCLUDES 2 | 16 | #define OPT_INCLUDES 2 | |
16 | /** FollowSymLinks directive */ | 17 | /** FollowSymLinks directive */ | |
17 | #define OPT_SYM_LINKS 4 | 18 | #define OPT_SYM_LINKS 4 | |
18 | @@ -73,14 +73,14 @@ | 19 | @@ -80,9 +80,22 @@ | |
19 | #define OPT_EXECCGI 8 | |||
20 | /** directive unset */ | |||
21 | #define OPT_UNSET 16 | |||
22 | -/** IncludesNOEXEC directive */ | |||
23 | -#define OPT_INCNOEXEC 32 | |||
24 | +/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */ | |||
25 | +#define OPT_INC_WITH_EXEC 32 | |||
26 | /** SymLinksIfOwnerMatch directive */ | |||
27 | #define OPT_SYM_OWNER 64 | |||
28 | /** MultiViews directive */ | 20 | /** MultiViews directive */ | |
29 | #define OPT_MULTI 128 | 21 | #define OPT_MULTI 128 | |
30 | /** All directives */ | 22 | /** All directives */ | |
31 | -#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI) | 23 | -#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI) | |
32 | +#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI) | 24 | +#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI) | |
33 | /** @} */ | 25 | /** @} */ | |
34 | 26 | |||
27 | +#ifdef CORE_PRIVATE | |||
28 | +/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is | |||
29 | + * internally replaced by OPT_INC_WITH_EXEC. The internal semantics | |||
30 | + * of the two SSI-related bits are hence: | |||
31 | + * | |||
32 | + * OPT_INCLUDES => "enable SSI, without exec= permission" | |||
33 | + * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec=" | |||
34 | + * | |||
35 | + * The set of options exposed via ap_allow_options() retains the | |||
36 | + * semantics of OPT_INCNOEXEC by flipping the bit. */ | |||
37 | +#define OPT_INC_WITH_EXEC OPT_INCNOEXEC | |||
38 | +#endif | |||
39 | + | |||
35 | /** | 40 | /** | |
41 | * @defgroup get_remote_host Remote Host Resolution | |||
42 | * @ingroup APACHE_CORE_HTTPD |
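Review bot: The new CORE_PRIVATE block gives bit 32 an inverted meaning inside the core (`#define OPT_INC_WITH_EXEC OPT_INCNOEXEC`, "iff OPT_INCLUDES is set, also enable exec="), but the public definition of `OPT_INCNOEXEC` — which the old patch-ba rewrote in its now-dropped `@@ -73,14 +73,14 @@` hunk — is no longer touched, so a module author reading the header sees only the pristine `/** IncludesNOEXEC directive */` with no hint that `conf->opts` must not be read directly. A one-line pointer at that public definition would close the gap, e.g. `/** IncludesNOEXEC directive - meaningful only in the value returned by ap_allow_options(); see the CORE_PRIVATE note below */`. That definition sits outside the `@@ -80,9 +80,22 @@` hunk, so I am inferring it is unchanged from the dropped hunk and from distinfo showing no other patch modified. The public `OPT_ALL` now also lists `OPT_INCNOEXEC`, which is correct under the internal "Includes with exec" meaning but reads, under the public name, as if `Options All` implied IncludesNOEXEC; a short comment on that line, such as `/* under CORE_PRIVATE this bit is OPT_INC_WITH_EXEC: All means Includes *with* exec= */`, would prevent that misreading.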
@@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
1 | $NetBSD: patch-bc,v 1.1 2009/06/04 08:51:52 tron Exp $ | 1 | $NetBSD: patch-bc,v 1.2 2009/06/11 20:30:59 tron Exp $ | |
2 | 2 | |||
3 | Patch for CVE-2009-1195 taken from: | 3 | Patch for CVE-2009-1195 taken from: | |
4 | 4 | |||
5 | http://svn.apache.org/viewvc/httpd/httpd/trunk/server/config.c?r1=759924&r2=772997&pathrev=772997 | 5 | http://svn.apache.org/viewvc?view=rev&revision=773881 | |
6 | 6 | |||
7 | --- server/config.c.orig 2008-12-02 22:28:21.000000000 +0000 | 7 | --- server/config.c.orig 2008-12-02 22:28:21.000000000 +0000 | |
8 | +++ server/config.c 2009-06-04 09:44:24.000000000 +0100 | 8 | +++ server/config.c 2009-06-04 09:44:24.000000000 +0100 | |
9 | @@ -1510,7 +1510,7 @@ | 9 | @@ -1510,7 +1510,7 @@ | |
10 | parms.temp_pool = ptemp; | 10 | parms.temp_pool = ptemp; | |
11 | parms.server = s; | 11 | parms.server = s; | |
12 | parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); | 12 | parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT); | |
13 | - parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI; | 13 | - parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI; | |
14 | + parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; | 14 | + parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; | |
15 | 15 | |||
16 | parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives", | 16 | parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives", | |
17 | &arr_parms, NULL, | 17 | &arr_parms, NULL, | |
18 | @@ -1617,7 +1617,7 @@ | 18 | @@ -1617,7 +1617,7 @@ |
@@ -1,62 +1,22 @@ | @@ -1,62 +1,22 @@ | |||
1 | $NetBSD: patch-bd,v 1.1 2009/06/04 08:51:52 tron Exp $ | 1 | $NetBSD: patch-bd,v 1.2 2009/06/11 20:30:59 tron Exp $ | |
2 | 2 | |||
3 | Patch for CVE-2009-1195 taken from: | 3 | Patch for CVE-2009-1195 taken from: | |
4 | 4 | |||
5 | http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=759699&r2=772997&pathrev=772997 | 5 | http://svn.apache.org/viewvc?view=rev&revision=773881 | |
6 | http://svn.apache.org/viewvc?view=rev&revision=779472 | |||
6 | 7 | |||
7 | --- server/core.c.orig 2008-06-02 22:18:18.000000000 +0100 | 8 | --- server/core.c.orig 2009-06-11 20:51:15.000000000 +0100 | |
8 | +++ server/core.c 2009-06-04 09:46:04.000000000 +0100 | 9 | +++ server/core.c 2009-06-11 21:01:04.000000000 +0100 | |
9 | @@ -108,8 +108,7 @@ | 10 | @@ -659,7 +659,11 @@ | |
10 | conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL; | 11 | core_dir_config *conf = | |
11 | conf->opts_add = conf->opts_remove = OPT_NONE; | 12 | (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module); | |
12 | conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL; | |||
13 | - conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | |||
14 | - | OPT_MULTI; | |||
15 | + conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI; | |||
16 | 13 | |||
17 | conf->content_md5 = 2; | 14 | - return conf->opts; | |
18 | conf->accept_path_info = 3; | 15 | + /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is | |
19 | @@ -242,8 +241,13 @@ | 16 | + * inverted, such that the exposed semantics match that of | |
20 | conf->opts_remove = (conf->opts_remove & ~new->opts_add) | 17 | + * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not* | |
21 | | new->opts_remove; | 18 | + * permitted. */ | |
22 | conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add; | 19 | + return conf->opts ^ OPT_INC_WITH_EXEC; | |
23 | - if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) { | 20 | } | |
24 | - conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES; | 21 | ||
25 | + | 22 | AP_DECLARE(int) ap_allow_overrides(request_rec *r) | |
26 | + /* if Includes was enabled without exec in the new config, but | |||
27 | + * was enabled with exec in the base, then disable exec in the | |||
28 | + * resulting options. */ | |||
29 | + if ((base->opts & OPT_INC_WITH_EXEC) | |||
30 | + && (new->opts & OPT_INC_WITH_EXEC) == 0) { | |||
31 | + conf->opts &= ~OPT_INC_WITH_EXEC; | |||
32 | } | |||
33 | } | |||
34 | else { | |||
35 | @@ -1304,10 +1308,12 @@ | |||
36 | opt = OPT_INDEXES; | |||
37 | } | |||
38 | else if (!strcasecmp(w, "Includes")) { | |||
39 | - opt = OPT_INCLUDES; | |||
40 | + /* If Includes is permitted, both Includes and | |||
41 | + * IncludesNOEXEC may be changed. */ | |||
42 | + opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC); | |||
43 | } | |||
44 | else if (!strcasecmp(w, "IncludesNOEXEC")) { | |||
45 | - opt = (OPT_INCLUDES | OPT_INCNOEXEC); | |||
46 | + opt = OPT_INCLUDES; | |||
47 | } | |||
48 | else if (!strcasecmp(w, "FollowSymLinks")) { | |||
49 | opt = OPT_SYM_LINKS; | |||
50 | @@ -1428,10 +1434,10 @@ | |||
51 | opt = OPT_INDEXES; | |||
52 | } | |||
53 | else if (!strcasecmp(w, "Includes")) { | |||
54 | - opt = OPT_INCLUDES; | |||
55 | + opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC); | |||
56 | } | |||
57 | else if (!strcasecmp(w, "IncludesNOEXEC")) { | |||
58 | - opt = (OPT_INCLUDES | OPT_INCNOEXEC); | |||
59 | + opt = OPT_INCLUDES; | |||
60 | } | |||
61 | else if (!strcasecmp(w, "FollowSymLinks")) { | |||
62 | opt = OPT_SYM_LINKS; |
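Review bot: The only server/core.c change the new patch-bd keeps is the bit flip in `ap_allow_options()`; the hunks the old version carried for the per-directory merge (the `OPT_INC_WITH_EXEC` check on `base->opts`/`new->opts`) and for the `Includes`/`IncludesNOEXEC` cases in the Options and AllowOverride parsers are gone, and distinfo shows no other patch file changed. Unless those r773881 core.c changes reach the tree some other way, the parser still stores `OPT_INCLUDES | OPT_INCNOEXEC` for IncludesNOEXEC and plain `OPT_INCLUDES` for Includes (the pristine lines the old hunks removed), and `return conf->opts ^ OPT_INC_WITH_EXEC;` would then expose each directive with the opposite exec= meaning — the exact inversion the CVE fix has to get right — so please confirm the merge and parser hunks are applied before this revision ships. Separately, the unconditional XOR also sets the exposed `OPT_INCNOEXEC` bit when `OPT_INCLUDES` is clear, i.e. when SSI is off altogether; callers should test `OPT_INCLUDES` before interpreting `OPT_INCNOEXEC`, and extending the existing comment with `/* callers must check OPT_INCLUDES first: OPT_INCNOEXEC is set here even when SSI is disabled */` would make that explicit. The `ap_allow_options()` signature is not within the embedded `@@ -659,7 +659,11 @@` hunk.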