Add patch for security vulnerabilities reported in CVE-2012-0021 and CVE-2012-0053 taken from Apache SVN repository.diff -r1.77 -r1.78 pkgsrc/www/apache22/Makefile
(tron)
| @@ -1,19 +1,19 @@ | @@ -1,19 +1,19 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.77 2012/01/17 20:48:28 spz Exp $ | 1 | # $NetBSD: Makefile,v 1.78 2012/01/29 12:29:07 tron Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= httpd-2.2.21 | 3 | DISTNAME= httpd-2.2.21 | |
| 4 | 4 | |||
| 5 | PKGNAME= ${DISTNAME:S/httpd/apache/} | 5 | PKGNAME= ${DISTNAME:S/httpd/apache/} | |
| 6 | PKGREVISION= 6 | 6 | PKGREVISION= 7 | |
| 7 | CATEGORIES= www | 7 | CATEGORIES= www | |
| 8 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ | 8 | MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ | |
| 9 | http://archive.apache.org/dist/httpd/ \ | 9 | http://archive.apache.org/dist/httpd/ \ | |
| 10 | http://archive.eu.apache.org/dist/httpd/ | 10 | http://archive.eu.apache.org/dist/httpd/ | |
| 11 | EXTRACT_SUFX= .tar.bz2 | 11 | EXTRACT_SUFX= .tar.bz2 | |
| 12 | 12 | |||
| 13 | MAINTAINER= tron@NetBSD.org | 13 | MAINTAINER= tron@NetBSD.org | |
| 14 | HOMEPAGE= http://httpd.apache.org/ | 14 | HOMEPAGE= http://httpd.apache.org/ | |
| 15 | COMMENT= Apache HTTP (Web) server, version 2.2 | 15 | COMMENT= Apache HTTP (Web) server, version 2.2 | |
| 16 | LICENSE= apache-2.0 | 16 | LICENSE= apache-2.0 | |
| 17 | 17 | |||
| 18 | PKG_DESTDIR_SUPPORT= user-destdir | 18 | PKG_DESTDIR_SUPPORT= user-destdir | |
| 19 | 19 |
| @@ -1,23 +1,24 @@ | @@ -1,23 +1,24 @@ | |||
| 1 | $NetBSD: distinfo,v 1.48 2012/01/17 20:48:28 spz Exp $ | 1 | $NetBSD: distinfo,v 1.49 2012/01/29 12:29:07 tron Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4 | 3 | SHA1 (httpd-2.2.21.tar.bz2) = c02f9b05da9a7e316ff37d9053dc76a57ba51cb4 | |
| 4 | RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1 | 4 | RMD160 (httpd-2.2.21.tar.bz2) = 6464a03d78ab858b1288ea9eef4cd5f73b60a9f1 | |
| 5 | Size (httpd-2.2.21.tar.bz2) = 5324905 bytes | 5 | Size (httpd-2.2.21.tar.bz2) = 5324905 bytes | |
| 6 | SHA1 (patch-CVE-2012-0021) = 8c44c591ffa3a4ca32de47c71d1aa8470de81f1e | |||
| 6 | SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 | 7 | SHA1 (patch-aa) = e0bfdf6bc9cb034bea46a390a12a5508e363c9a7 | |
| 7 | SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 | 8 | SHA1 (patch-ab) = 365cc3b0ac2d9d68ccb94f5699fe168a1c9b0150 | |
| 8 | SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad | 9 | SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad | |
| 9 | SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 | 10 | SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 | |
| 10 | SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 | 11 | SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 | |
| 11 | SHA1 (patch-af) = 312d3bce5e1bf6e747b5f0f313d89bf5b4636392 | 12 | SHA1 (patch-af) = 312d3bce5e1bf6e747b5f0f313d89bf5b4636392 | |
| 12 | SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 | 13 | SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01 | |
| 13 | SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 | 14 | SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312 | |
| 14 | SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 | 15 | SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1 | |
| 15 | SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 | 16 | SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08 | |
| 16 | SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 | 17 | SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4 | |
| 17 | SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 | 18 | SHA1 (patch-lock.c) = 770ca03f1cb4421879bd5baa5a7c30cc91acb6e1 | |
| 18 | SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118 | 19 | SHA1 (patch-modules_mappers_mod_rewrite.c) = de7bbdf02dda38e2542e4967ee6f22745ec0f118 | |
| 19 | SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796 | 20 | SHA1 (patch-modules_proxy_mod_proxy.c) = bab58b70eee22d7c08be9a4a9ada3fad886fa796 | |
| 20 | SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 | 21 | SHA1 (patch-repos.c) = 0e0361b91d4b0fe6c7c55a12fdfd2e6aacc710e1 | |
| 21 | SHA1 (patch-server_protocol.c) = 2be3e4fc08da717fa55b058eb32e398f6546d457 | 22 | SHA1 (patch-server_protocol.c) = dc99717704f53837dfd7b9c1018487a787dcbfd9 | |
| 22 | SHA1 (patch-server_scoreboard.c) = 8d1e007f8d1d6a6db827a41d82369749e603a2b3 | 23 | SHA1 (patch-server_scoreboard.c) = 8d1e007f8d1d6a6db827a41d82369749e603a2b3 | |
| 23 | SHA1 (patch-server_util.c) = 37e9c357618a9645222cd981f0ccb04c7987fe15 | 24 | SHA1 (patch-server_util.c) = 37e9c357618a9645222cd981f0ccb04c7987fe15 |
$NetBSD: patch-CVE-2012-0021,v 1.1 2012/01/29 12:29:08 tron Exp $
Fix security vulnerability reported in CVE-2012-0021. Patch taken from
Apache SVN repository:
http://svn.apache.org/viewvc?view=revision&revision=1227292
--- modules/loggers/mod_log_config.c.orig 2010-08-24 07:41:38.000000000 +0100
+++ modules/loggers/mod_log_config.c 2012-01-29 12:08:13.000000000 +0000
@@ -524,19 +524,21 @@
while ((cookie = apr_strtok(cookies, ";", &last1))) {
char *name = apr_strtok(cookie, "=", &last2);
- char *value;
- apr_collapse_spaces(name, name);
+ if (name) {
+ char *value;
+ apr_collapse_spaces(name, name);
+
+ if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
+ char *last;
+ value += strspn(value, " \t"); /* Move past leading WS */
+ last = value + strlen(value) - 1;
+ while (last >= value && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+ }
- if (!strcasecmp(name, a) && (value = apr_strtok(NULL, "=", &last2))) {
- char *last;
- value += strspn(value, " \t"); /* Move past leading WS */
- last = value + strlen(value) - 1;
- while (last >= value && apr_isspace(*last)) {
- *last = '\0';
- --last;
+ return ap_escape_logitem(r->pool, value);
}
-
- return ap_escape_logitem(r->pool, value);
}
cookies = NULL;
}
| @@ -1,42 +1,129 @@ | @@ -1,42 +1,129 @@ | |||
| 1 | $NetBSD: patch-server_protocol.c,v 1.3 2011/12/12 18:43:14 tron Exp $ | 1 | $NetBSD: patch-server_protocol.c,v 1.4 2012/01/29 12:29:08 tron Exp $ | |
| 2 | 2 | |||
| 3 | revision 1179239 from http://svn.apache.org/: | 3 | revision 1179239 from http://svn.apache.org/: | |
| 4 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion | 4 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion | |
| 5 | in some reverse proxy configurations by strictly validating | 5 | in some reverse proxy configurations by strictly validating | |
| 6 | the request-URI. | 6 | the request-URI. | |
| 7 | 7 | |||
| 8 | revision 1179525 from http://svn.apache.org/: | 8 | revision 1179525 from http://svn.apache.org/: | |
| 9 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some | 9 | SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some | |
| 10 | reverse proxy configurations by strictly validating the request-URI: | 10 | reverse proxy configurations by strictly validating the request-URI: | |
| 11 | * server/protocol.c (read_request_line): Send a 400 response if the | 11 | * server/protocol.c (read_request_line): Send a 400 response if the | |
| 12 | request-URI does not match the grammar from RFC 2616. This ensures | 12 | request-URI does not match the grammar from RFC 2616. This ensures | |
| 13 | the input string for RewriteRule et al really is an absolute path. | 13 | the input string for RewriteRule et al really is an absolute path. | |
| 14 | 14 | |||
| 15 | revision 1235454 from http://svn.apache.org/: | |||
| 16 | CVE-2012-0053: Fix an issue in error responses that could expose | |||
| 17 | "httpOnly" cookies when no custom ErrorDocument is specified for | |||
| 18 | status code 400. | |||
| 19 | ||||
| 15 | --- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100 | 20 | --- server/protocol.c.orig 2011-05-07 12:39:29.000000000 +0100 | |
| 16 | +++ server/protocol.c 2011-12-12 18:37:04.000000000 +0000 | 21 | +++ server/protocol.c 2012-01-29 12:22:25.000000000 +0000 | |
| 17 | @@ -640,6 +640,25 @@ | 22 | @@ -640,6 +640,25 @@ | |
| 18 | 23 | |||
| 19 | ap_parse_uri(r, uri); | 24 | ap_parse_uri(r, uri); | |
| 20 | 25 | |||
| 21 | + /* RFC 2616: | 26 | + /* RFC 2616: | |
| 22 | + * Request-URI = "*" | absoluteURI | abs_path | authority | 27 | + * Request-URI = "*" | absoluteURI | abs_path | authority | |
| 23 | + * | 28 | + * | |
| 24 | + * authority is a special case for CONNECT. If the request is not | 29 | + * authority is a special case for CONNECT. If the request is not | |
| 25 | + * using CONNECT, and the parsed URI does not have scheme, and | 30 | + * using CONNECT, and the parsed URI does not have scheme, and | |
| 26 | + * it does not begin with '/', and it is not '*', then, fail | 31 | + * it does not begin with '/', and it is not '*', then, fail | |
| 27 | + * and give a 400 response. */ | 32 | + * and give a 400 response. */ | |
| 28 | + if (r->method_number != M_CONNECT | 33 | + if (r->method_number != M_CONNECT | |
| 29 | + && !r->parsed_uri.scheme | 34 | + && !r->parsed_uri.scheme | |
| 30 | + && uri[0] != '/' | 35 | + && uri[0] != '/' | |
| 31 | + && !(uri[0] == '*' && uri[1] == '\0')) { | 36 | + && !(uri[0] == '*' && uri[1] == '\0')) { | |
| 32 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, | 37 | + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, | |
| 33 | + "invalid request-URI %s", uri); | 38 | + "invalid request-URI %s", uri); | |
| 34 | + r->args = NULL; | 39 | + r->args = NULL; | |
| 35 | + r->hostname = NULL; | 40 | + r->hostname = NULL; | |
| 36 | + r->status = HTTP_BAD_REQUEST; | 41 | + r->status = HTTP_BAD_REQUEST; | |
| 37 | + r->uri = apr_pstrdup(r->pool, uri); | 42 | + r->uri = apr_pstrdup(r->pool, uri); | |
| 38 | + } | 43 | + } | |
| 39 | + | 44 | + | |
| 40 | if (ll[0]) { | 45 | if (ll[0]) { | |
| 41 | r->assbackwards = 0; | 46 | r->assbackwards = 0; | |
| 42 | pro = ll; | 47 | pro = ll; | |
| 48 | @@ -670,6 +689,16 @@ | |||
| 49 | return 1; | |||
| 50 | } | |||
| 51 | ||||
| 52 | +/* get the length of the field name for logging, but no more than 80 bytes */ | |||
| 53 | +#define LOG_NAME_MAX_LEN 80 | |||
| 54 | +static int field_name_len(const char *field) | |||
| 55 | +{ | |||
| 56 | + const char *end = ap_strchr_c(field, ':'); | |||
| 57 | + if (end == NULL || end - field > LOG_NAME_MAX_LEN) | |||
| 58 | + return LOG_NAME_MAX_LEN; | |||
| 59 | + return end - field; | |||
| 60 | +} | |||
| 61 | + | |||
| 62 | AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) | |||
| 63 | { | |||
| 64 | char *last_field = NULL; | |||
| 65 | @@ -709,12 +738,15 @@ | |||
| 66 | /* insure ap_escape_html will terminate correctly */ | |||
| 67 | field[len - 1] = '\0'; | |||
| 68 | apr_table_setn(r->notes, "error-notes", | |||
| 69 | - apr_pstrcat(r->pool, | |||
| 70 | + apr_psprintf(r->pool, | |||
| 71 | "Size of a request header field " | |||
| 72 | "exceeds server limit.<br />\n" | |||
| 73 | - "<pre>\n", | |||
| 74 | - ap_escape_html(r->pool, field), | |||
| 75 | - "</pre>\n", NULL)); | |||
| 76 | + "<pre>\n%.*s\n</pre>/n", | |||
| 77 | + field_name_len(field), | |||
| 78 | + ap_escape_html(r->pool, field))); | |||
| 79 | + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | |||
| 80 | + "Request header exceeds LimitRequestFieldSize: " | |||
| 81 | + "%.*s", field_name_len(field), field); | |||
| 82 | } | |||
| 83 | return; | |||
| 84 | } | |||
| 85 | @@ -735,13 +767,17 @@ | |||
| 86 | * overflow (last_field) as the field with the problem | |||
| 87 | */ | |||
| 88 | apr_table_setn(r->notes, "error-notes", | |||
| 89 | - apr_pstrcat(r->pool, | |||
| 90 | + apr_psprintf(r->pool, | |||
| 91 | "Size of a request header field " | |||
| 92 | "after folding " | |||
| 93 | "exceeds server limit.<br />\n" | |||
| 94 | - "<pre>\n", | |||
| 95 | - ap_escape_html(r->pool, last_field), | |||
| 96 | - "</pre>\n", NULL)); | |||
| 97 | + "<pre>\n%.*s\n</pre>\n", | |||
| 98 | + field_name_len(last_field), | |||
| 99 | + ap_escape_html(r->pool, last_field))); | |||
| 100 | + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, | |||
| 101 | + "Request header exceeds LimitRequestFieldSize " | |||
| 102 | + "after folding: %.*s", | |||
| 103 | + field_name_len(last_field), last_field); | |||
| 104 | return; | |||
| 105 | } | |||
| 106 | ||||
| 107 | @@ -773,13 +809,18 @@ | |||
| 108 | if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ | |||
| 109 | r->status = HTTP_BAD_REQUEST; /* abort bad request */ | |||
| 110 | apr_table_setn(r->notes, "error-notes", | |||
| 111 | - apr_pstrcat(r->pool, | |||
| 112 | + apr_psprintf(r->pool, | |||
| 113 | "Request header field is " | |||
| 114 | "missing ':' separator.<br />\n" | |||
| 115 | - "<pre>\n", | |||
| 116 | + "<pre>\n%.*s</pre>\n", | |||
| 117 | + (int)LOG_NAME_MAX_LEN, | |||
| 118 | ap_escape_html(r->pool, | |||
| 119 | - last_field), | |||
| 120 | - "</pre>\n", NULL)); | |||
| 121 | + last_field))); | |||
| 122 | + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, | |||
| 123 | + "Request header field is missing ':' " | |||
| 124 | + "separator: %.*s", (int)LOG_NAME_MAX_LEN, | |||
| 125 | + last_field); | |||
| 126 | + | |||
| 127 | return; | |||
| 128 | } | |||
| 129 |