Add patch for security vulnerabilities reported in CVE-2012-0021 and CVE-2012-0053 taken from Apache SVN repository.
diff -r1.77 -r1.78 pkgsrc/www/apache22/Makefile
(tron)
@@ -1,19 +1,19 @@ | @@ -1,19 +1,19 @@ | |||
1 | # $NetBSD: Makefile,v 1.77 2012/01/17 20:48:28 spz Exp $ | 1 | # $NetBSD: Makefile,v 1.78 2012/01/29 12:29:07 tron Exp $ | |
2 | 2 | |||
3 | DISTNAME= httpd-2.2.21 | 3 | DISTNAME= httpd-2.2.21 | |
4 | 4 | |||
5 | PKGNAME= ${DISTNAME:S/httpd/apache/} | 5 | PKGNAME= ${DISTNAME:S/httpd/apache/} | |
6 | PKGREVISION= 6 | 6 | PKGREVISION= 7 | |
7 | CATEGORIES= www | 7 | CATEGORIES= www | |
8 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ | 8 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ | |
9 | http://archive.apache.org/dist/httpd/ \ | 9 | http://archive.apache.org/dist/httpd/ \ | |
10 | http://archive.eu.apache.org/dist/httpd/ | 10 | http://archive.eu.apache.org/dist/httpd/ | |
11 | EXTRACT_SUFX= .tar.bz2 | 11 | EXTRACT_SUFX= .tar.bz2 | |
12 | 12 | |||
13 | MAINTAINER= tron@NetBSD.org | 13 | MAINTAINER= tron@NetBSD.org | |
14 | HOMEPAGE= http://httpd.apache.org/ | 14 | HOMEPAGE= http://httpd.apache.org/ | |
15 | COMMENT= Apache HTTP (Web) server, version 2.2 | 15 | COMMENT= Apache HTTP (Web) server, version 2.2 | |
16 | LICENSE= apache-2.0 | 16 | LICENSE= apache-2.0 | |
17 | 17 | |||
18 | PKG_DESTDIR_SUPPORT= user-destdir | 18 | PKG_DESTDIR_SUPPORT= user-destdir | |
19 | 19 |
@@ -1,23 +1,24 @@ | @@ -1,23 +1,24 @@ | |||
1 | $NetBSD: distinfo,v 1.48 2012/01/17 20:48:28 spz Exp $ | 1 | $NetBSD: distinfo,v 1.49 2012/01/29 12:29:07 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4 | 3 | SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4 | |
4 | RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1 | 4 | RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1 | |
5 | Size (httpd-2.2.21.tar.bz2) = 5324905 bytes | 5 | Size (httpd-2.2.21.tar.bz2) = 5324905 bytes | |
6 | SHA1 (patch-CVE-2012-0021) = 8c44c591ffa3a4ca32de47c71d1aa8470de81f1e | |||
6 | SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 | 7 | SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 | |
7 | SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 | 8 | SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 | |
8 | SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad | 9 | SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad | |
9 | SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 | 10 | SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 | |
10 | SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 | 11 | SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 | |
11 | SHA1 (patch-af) = 312d3bce5e1bf6e747b5f0f313d89bf5b4636392 | 12 | SHA1 (patch-af) = 312d3bce5e1bf6e747b5f0f313d89bf5b4636392 | |
12 | SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 | 13 | SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 | |
13 | SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 | 14 | SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 | |
14 | SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 | 15 | SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 | |
15 | SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 | 16 | SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 | |
16 | SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 | 17 | SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 | |
17 | SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 | 18 | SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 | |
18 | SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118 | 19 | SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118 | |
19 | SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796 | 20 | SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796 | |
20 | SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 | 21 | SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 | |
21 | SHA1 (patch-server_protocol.c) = 2be3e4fc08da717fa55b058eb32e398f6546d457 | 22 | SHA1 (patch-server_protocol.c) = dc99717704f53837dfd7b9c1018487a787dcbfd9 | |
22 | SHA1 (patch-server_scoreboard.c) = 8d1e007f8d1d6a6db827a41d82369749e603a2b3 | 23 | SHA1 (patch-server_scoreboard.c) = 8d1e007f8d1d6a6db827a41d82369749e603a2b3 | |
23 | SHA1 (patch-server_util.c) = 37e9c357618a9645222cd981f0ccb04c7987fe15 | 24 | SHA1 (patch-server_util.c) = 37e9c357618a9645222cd981f0ccb04c7987fe15 |
$NetBSD: patch-CVE-2012-0021,v 1.1 2012/01/29 12:29:08 tron Exp $
Fix security vulnerability reported in CVE-2012-0021. Patch taken from
Apache SVN repository:
http://svn.apache.org/viewvc?view=revision&revision=1227292
--- modules/loggers/mod_log_config.c.orig 2010-08-24 07:41:38.000000000 +0100
+++ modules/loggers/mod_log_config.c 2012-01-29 12:08:13.000000000 +0000
@@ -524,19 +524,21 @@
while ((cookie = apr_strtok(cookies, ";", &last1))) {
char *name = apr_strtok(cookie, "=", &last2);
- char *value;
- apr_collapse_spaces(name, name);
+ if (name) {
+ char *value;
+ apr_collapse_spaces(name, name);
+
+ if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
+ char *last;
+ value += strspn(value, " \t"); /* Move past leading WS */
+ last = value + strlen(value) - 1;
+ while (last >= value && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+ }
- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
- char *last;
- value += strspn(value, " \t"); /* Move past leading WS */
- last = value + strlen(value) - 1;
- while (last >= value && apr_isspace(*last)) {
- *last = '\0';
- --last;
+ return ap_escape_logitem(r->pool, value);
}
-
- return ap_escape_logitem(r->pool, value);
}
cookies = NULL;
}
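Review bot: The new `if (name)` guard in the cookie loop has no comment saying when `apr_strtok(cookie, "=", &last2)` can return NULL, so the reason for the extra nesting is easy to lose in a later cleanup. I would add above it `/* apr_strtok() returns NULL when the segment has no name token (e.g. it holds only '='); skip it instead of dereferencing */`. A skipped segment still reaches `cookies = NULL;`, so the loop moves on to the next cookie, which looks intended. The hunk starts inside the loop and the enclosing function begins and ends outside it, so I cannot tell from here what is returned when no cookie matches.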
@@ -1,42 +1,129 @@ | @@ -1,42 +1,129 @@ | |||
1 | $NetBSD: patch-server_protocol.c,v 1.3 2011/12/12 18:43:14 tron Exp $ | 1 | $NetBSD: patch-server_protocol.c,v 1.4 2012/01/29 12:29:08 tron Exp $ | |
2 | 2 | |||
3 | revision 1179239 from http://svn.apache.org/: | 3 | revision 1179239 from http://svn.apache.org/: | |
4 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion | 4 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion | |
5 | in some reverse proxy configurations by strictly validating | 5 | in some reverse proxy configurations by strictly validating | |
6 | the request-URI. | 6 | the request-URI. | |
7 | 7 | |||
8 | revision 1179525 from http://svn.apache.org/: | 8 | revision 1179525 from http://svn.apache.org/: | |
9 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some | 9 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some | |
10 | reverse proxy configurations by strictly validating the request-URI: | 10 | reverse proxy configurations by strictly validating the request-URI: | |
11 | * server/protocol.c (read_request_line): Send a 400 response if the | 11 | * server/protocol.c (read_request_line): Send a 400 response if the | |
12 | request-URI does not match the grammar from RFC 2616. This ensures | 12 | request-URI does not match the grammar from RFC 2616. This ensures | |
13 | the input string for RewriteRule et al really is an absolute path. | 13 | the input string for RewriteRule et al really is an absolute path. | |
14 | 14 | |||
15 | revision 1235454 from http://svn.apache.org/: | |||
16 | CVE-2012-0053: Fix an issue in error responses that could expose | |||
17 | "httpOnly" cookies when no custom ErrorDocument is specified for | |||
18 | status code 400. | |||
19 | ||||
15 | --- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100 | 20 | --- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100 | |
16 | +++ server/protocol.c 2011-12-12 18:37:04.000000000 +0000 | 21 | +++ server/protocol.c 2012-01-29 12:22:25.000000000 +0000 | |
17 | @@ -640,6 +640,25 @@ | 22 | @@ -640,6 +640,25 @@ | |
18 | 23 | |||
19 | ap_parse_uri(r, uri); | 24 | ap_parse_uri(r, uri); | |
20 | 25 | |||
21 | + /* RFC 2616: | 26 | + /* RFC 2616: | |
22 | + * Request-URI = "*" | absoluteURI | abs_path | authority | 27 | + * Request-URI = "*" | absoluteURI | abs_path | authority | |
23 | + * | 28 | + * | |
24 | + * authority is a special case for CONNECT. If the request is not | 29 | + * authority is a special case for CONNECT. If the request is not | |
25 | + * using CONNECT, and the parsed URI does not have scheme, and | 30 | + * using CONNECT, and the parsed URI does not have scheme, and | |
26 | + * it does not begin with '/', and it is not '*', then, fail | 31 | + * it does not begin with '/', and it is not '*', then, fail | |
27 | + * and give a 400 response. */ | 32 | + * and give a 400 response. */ | |
28 | + if (r->method_number != M_CONNECT | 33 | + if (r->method_number != M_CONNECT | |
29 | + && !r->parsed_uri.scheme | 34 | + && !r->parsed_uri.scheme | |
30 | + && uri[0] != '/' | 35 | + && uri[0] != '/' | |
31 | + && !(uri[0] == '*' && uri[1] == '\0')) { | 36 | + && !(uri[0] == '*' && uri[1] == '\0')) { | |
32 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, | 37 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, | |
33 | + "invalid request-URI %s", uri); | 38 | + "invalid request-URI %s", uri); | |
34 | + r->args = NULL; | 39 | + r->args = NULL; | |
35 | + r->hostname = NULL; | 40 | + r->hostname = NULL; | |
36 | + r->status = HTTP_BAD_REQUEST; | 41 | + r->status = HTTP_BAD_REQUEST; | |
37 | + r->uri = apr_pstrdup(r->pool, uri); | 42 | + r->uri = apr_pstrdup(r->pool, uri); | |
38 | + } | 43 | + } | |
39 | + | 44 | + | |
40 | if (ll[0]) { | 45 | if (ll[0]) { | |
41 | r->assbackwards = 0; | 46 | r->assbackwards = 0; | |
42 | pro = ll; | 47 | pro = ll; | |
48 | @@ -670,6 +689,16 @@ | |||
49 | return 1; | |||
50 | } | |||
51 | ||||
52 | +/* get the length of the field name for logging, but no more than 80 bytes */ | |||
53 | +#define LOG_NAME_MAX_LEN 80 | |||
54 | +static int field_name_len(const char *field) | |||
55 | +{ | |||
56 | + const char *end = ap_strchr_c(field, ':'); | |||
57 | + if (end == NULL || end - field > LOG_NAME_MAX_LEN) | |||
58 | + return LOG_NAME_MAX_LEN; | |||
59 | + return end - field; | |||
60 | +} | |||
61 | + | |||
62 | AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) | |||
63 | { | |||
64 | char *last_field = NULL; | |||
65 | @@ -709,12 +738,15 @@ | |||
66 | /* insure ap_escape_html will terminate correctly */ | |||
67 | field[len - 1] = '\0'; | |||
68 | apr_table_setn(r->notes, "error-notes", | |||
69 | - apr_pstrcat(r->pool, | |||
70 | + apr_psprintf(r->pool, | |||
71 | "Size of a request header field " | |||
72 | "exceeds server limit.<br />\n" | |||
73 | - "<pre>\n", | |||
74 | - ap_escape_html(r->pool, field), | |||
75 | - "</pre>\n", NULL)); | |||
76 | + "<pre>\n%.*s\n</pre>/n", | |||
77 | + field_name_len(field), | |||
78 | + ap_escape_html(r->pool, field))); | |||
79 | + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | |||
80 | + "Request header exceeds LimitRequestFieldSize: " | |||
81 | + "%.*s", field_name_len(field), field); | |||
82 | } | |||
83 | return; | |||
84 | } | |||
85 | @@ -735,13 +767,17 @@ | |||
86 | * overflow (last_field) as the field with the problem | |||
87 | */ | |||
88 | apr_table_setn(r->notes, "error-notes", | |||
89 | - apr_pstrcat(r->pool, | |||
90 | + apr_psprintf(r->pool, | |||
91 | "Size of a request header field " | |||
92 | "after folding " | |||
93 | "exceeds server limit.<br />\n" | |||
94 | - "<pre>\n", | |||
95 | - ap_escape_html(r->pool, last_field), | |||
96 | - "</pre>\n", NULL)); | |||
97 | + "<pre>\n%.*s\n</pre>\n", | |||
98 | + field_name_len(last_field), | |||
99 | + ap_escape_html(r->pool, last_field))); | |||
100 | + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | |||
101 | + "Request header exceeds LimitRequestFieldSize " | |||
102 | + "after folding: %.*s", | |||
103 | + field_name_len(last_field), last_field); | |||
104 | return; | |||
105 | } | |||
106 | ||||
107 | @@ -773,13 +809,18 @@ | |||
108 | if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ | |||
109 | r->status = HTTP_BAD_REQUEST; /* abort bad request */ | |||
110 | apr_table_setn(r->notes, "error-notes", | |||
111 | - apr_pstrcat(r->pool, | |||
112 | + apr_psprintf(r->pool, | |||
113 | "Request header field is " | |||
114 | "missing ':' separator.<br />\n" | |||
115 | - "<pre>\n", | |||
116 | + "<pre>\n%.*s</pre>\n", | |||
117 | + (int)LOG_NAME_MAX_LEN, | |||
118 | ap_escape_html(r->pool, | |||
119 | - last_field), | |||
120 | - "</pre>\n", NULL)); | |||
121 | + last_field))); | |||
122 | + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, | |||
123 | + "Request header field is missing ':' " | |||
124 | + "separator: %.*s", (int)LOG_NAME_MAX_LEN, | |||
125 | + last_field); | |||
126 | + | |||
127 | return; | |||
128 | } | |||
129 |