head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2 pkgsrc-2010Q3:1.1.0.12 pkgsrc-2010Q3-base:1.1 pkgsrc-2010Q2:1.1.0.10 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.8 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.6 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.4 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2010.11.01.18.03.04; author adam; state dead; branches; next 1.1; 1.1 date 2009.08.12.03.37.28; author taca; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2009.08.12.03.37.28; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2009.08.14.10.18.19; author tron; state Exp; branches; next ; desc @@ 1.2 log @Changes 2.0.64: * SECURITY: CVE-2010-1452 (cve.mitre.org) mod_dav: Fix Handling of requests without a path segment. * SECURITY: CVE-2009-1891 (cve.mitre.org) Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. * SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials. * SECURITY: CVE-2009-3094 (cve.mitre.org) mod_proxy_ftp: NULL pointer dereference on error paths. * SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. * SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack for OpenSSL versions prior to 0.9.8l; reject any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. 
Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using openssl 0.9.8l or later. * SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Eliminates a problematic optimization in the case of no request body. * SECURITY: CVE-2008-2364 (cve.mitre.org) mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. * SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. * SECURITY: CVE-2008-2939 (cve.mitre.org) mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. * Fix recursive ErrorDocument handling. * mod_ssl: Do not do overlapping memcpy. * Add Set-Cookie and Set-Cookie2 to the list of headers allowed to pass through on a 304 response. * apxs: Fix -A and -a options to ignore whitespace in httpd.conf @ text @$NetBSD: patch-ab,v 1.1 2009/08/12 03:37:28 taca Exp $ Fix for http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2412. 
--- apr-util/misc/apr_rmm.c.orig 2005-08-05 20:02:06.000000000 +0900
+++ apr-util/misc/apr_rmm.c
@@@@ -47,6 +47,7 @@@@ struct apr_rmm_t {
 static apr_rmm_off_t find_block_by_offset(apr_rmm_t *rmm, apr_rmm_off_t next, apr_rmm_off_t find, int includes)
 {
+ apr_size_t size;
 apr_rmm_off_t prev = 0;
 while (next) {
@@@@ -277,13 +278,17 @@@@ APU_DECLARE(apr_status_t) apr_rmm_detach
 APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
 {
+ apr_size_t size;
 apr_rmm_off_t this;
- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ if (size < reqsize) {
+ return 0;
+ }
 APR_ANYLOCK_LOCK(&rmm->lock);
- this = find_block_of_size(rmm, reqsize);
+ this = find_block_of_size(rmm, size);
 if (this) {
 move_block(rmm, this, 0);
@@@@ -296,18 +301,22 @@@@ APU_DECLARE(apr_rmm_off_t) apr_rmm_mallo
 APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
 {
+ apr_size_t size;
 apr_rmm_off_t this;
- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ if (size < reqsize) {
+ return 0;
+ }
 APR_ANYLOCK_LOCK(&rmm->lock);
- this = find_block_of_size(rmm, reqsize);
+ this = find_block_of_size(rmm, size);
 if (this) {
 move_block(rmm, this, 0);
 this += RMM_BLOCK_SIZE;
- memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
+ memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
 }
 APR_ANYLOCK_UNLOCK(&rmm->lock);
@@@@ -320,16 +329,19 @@@@ APU_DECLARE(apr_rmm_off_t) apr_rmm_reall
 apr_rmm_off_t this;
 apr_rmm_off_t old;
 struct rmm_block_t *blk;
- apr_size_t oldsize;
+ apr_size_t size, oldsize;
 if (!entity) {
 return apr_rmm_malloc(rmm, reqsize);
 }
- reqsize = APR_ALIGN_DEFAULT(reqsize);
+ size = APR_ALIGN_DEFAULT(reqsize);
+ if (size < reqsize) {
+ return 0;
+ }
 old = apr_rmm_offset_get(rmm, entity);
- if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
+ if ((this = apr_rmm_malloc(rmm, size)) == 0) {
 return 0;
 }
@@@@ -337,7 +349,7 @@@@ 
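Review bot: The `apr_size_t size;` added at the top of find_block_by_offset has no visible use: this hunk neither assigns nor reads it, and no other hunk touches this function. The function body continues past the hunk, so this is inferred, but it looks like a stray declaration that only produces an unused-variable warning, and I would drop the line from the patch. The copy of the patch stored under revision 1.1.2.2 carries the same line.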
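Review bot: The new `if (size < reqsize)` guard in apr_rmm_malloc is the actual fix, yet nothing says why a padded size can come out smaller than the request. I would put above it `/* alignment and the RMM_BLOCK_SIZE addition are unsigned and wrap for reqsize near the apr_size_t maximum; a wrapped result is always below reqsize */`. The same comment fits the identical guards in apr_rmm_calloc and apr_rmm_realloc in the next two hunks. Since malloc and calloc now repeat the same computation and check, a small static helper returning the padded size, or 0 on wrap, would keep the two from drifting apart.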
APU_DECLARE(apr_rmm_off_t) apr_rmm_reall
 oldsize = blk->size;
 memcpy(apr_rmm_addr_get(rmm, this),
- apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
+ apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
 apr_rmm_free(rmm, old);
 return this;
@ 1.1 log @Fix security problem of CVE-2009-2412 adding patches described in it. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ab was added on branch pkgsrc-2009Q2 on 2009-08-14 10:18:19 +0000 @ text @d1 92 @ 1.1.2.2 log @Pullup ticket #2865 - requested by taca apr0: security patch Revisions pulled up: - devel/apr0/Makefile 1.6 - devel/apr0/distinfo 1.4 - devel/apr0/patches/patch-ab 1.1 - devel/apr0/patches/patch-ac 1.1 --- Module Name: pkgsrc Committed By: taca Date: Wed Aug 12 03:37:28 UTC 2009 Modified Files: pkgsrc/devel/apr0: Makefile distinfo Added Files: pkgsrc/devel/apr0/patches: patch-ab patch-ac Log Message: Fix security problem of CVE-2009-2412 adding patches described in it. Bump PKGREVISION. @ text @a0 92 $NetBSD: patch-ab,v 1.1 2009/08/12 03:37:28 taca Exp $ Fix for http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2412. 
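Review bot: The memcpy length in apr_rmm_realloc is still bounded by `oldsize = blk->size`, and the malloc and calloc hunks pass a size that already includes RMM_BLOCK_SIZE to find_block_of_size, which suggests the stored block size counts the header too. If that holds, growing a block copies RMM_BLOCK_SIZE bytes more than the old payload holds and reads past the end of the old block. How blk is set is outside this hunk, so this needs confirming against the allocator; if it is right, the context line should read `oldsize = blk->size - RMM_BLOCK_SIZE;`. The same applies to the copy of the patch under revision 1.1.2.2.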
--- apr-util/misc/apr_rmm.c.orig 2005-08-05 20:02:06.000000000 +0900
+++ apr-util/misc/apr_rmm.c
@@@@ -47,6 +47,7 @@@@ struct apr_rmm_t {
 static apr_rmm_off_t find_block_by_offset(apr_rmm_t *rmm, apr_rmm_off_t next, apr_rmm_off_t find, int includes)
 {
+ apr_size_t size;
 apr_rmm_off_t prev = 0;
 while (next) {
@@@@ -277,13 +278,17 @@@@ APU_DECLARE(apr_status_t) apr_rmm_detach
 APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
 {
+ apr_size_t size;
 apr_rmm_off_t this;
- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ if (size < reqsize) {
+ return 0;
+ }
 APR_ANYLOCK_LOCK(&rmm->lock);
- this = find_block_of_size(rmm, reqsize);
+ this = find_block_of_size(rmm, size);
 if (this) {
 move_block(rmm, this, 0);
@@@@ -296,18 +301,22 @@@@ APU_DECLARE(apr_rmm_off_t) apr_rmm_mallo
 APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
 {
+ apr_size_t size;
 apr_rmm_off_t this;
- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
+ if (size < reqsize) {
+ return 0;
+ }
 APR_ANYLOCK_LOCK(&rmm->lock);
- this = find_block_of_size(rmm, reqsize);
+ this = find_block_of_size(rmm, size);
 if (this) {
 move_block(rmm, this, 0);
 this += RMM_BLOCK_SIZE;
- memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
+ memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
 }
 APR_ANYLOCK_UNLOCK(&rmm->lock);
@@@@ -320,16 +329,19 @@@@ APU_DECLARE(apr_rmm_off_t) apr_rmm_reall
 apr_rmm_off_t this;
 apr_rmm_off_t old;
 struct rmm_block_t *blk;
- apr_size_t oldsize;
+ apr_size_t size, oldsize;
 if (!entity) {
 return apr_rmm_malloc(rmm, reqsize);
 }
- reqsize = APR_ALIGN_DEFAULT(reqsize);
+ size = APR_ALIGN_DEFAULT(reqsize);
+ if (size < reqsize) {
+ return 0;
+ }
 old = apr_rmm_offset_get(rmm, entity);
- if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
+ if ((this = apr_rmm_malloc(rmm, size)) == 0) {
 return 0;
 }
@@@@ -337,7 +349,7 @@@@ 
APU_DECLARE(apr_rmm_off_t) apr_rmm_reall
 oldsize = blk->size;
 memcpy(apr_rmm_addr_get(rmm, this),
- apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
+ apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
 apr_rmm_free(rmm, old);
 return this;
@