author | clement <clement@FreeBSD.org> | 2004-08-19 03:40:07 +0800 |
---|---|---|
committer | clement <clement@FreeBSD.org> | 2004-08-19 03:40:07 +0800 |
commit | 49f92a1a1ecdc9ae485e91f16c5968cb42472124 (patch) | |
tree | 15cec36757863beb9abe88a30ef8477a0846a44c | |
parent | f9f546567af2b1c06eeb6c83dcc0667d0ea32298 (diff) | |
- Backport security fixes in ssl_engine_io.c
* [SECURITY] mod_ssl: Fix potential input filter segfaults in
SPECULATIVE mode. (rollback handling for AP_MODE_SPECULATIVE)
"This issue has possible security implications; it's been assigned CVE
CAN-2004-0751 (cve.mitre.org)."
http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
* [SECURITY] mod_ssl: Fix potential infinite loop.
(potential infinite loop in ssl_io_input_getline if connection is
aborted without inctx->rc being set.)
http://issues.apache.org/bugzilla/show_bug.cgi?id=27945
http://issues.apache.org/bugzilla/show_bug.cgi?id=29690
Obtained from: Apache CVS (httpd-2.0 HEAD)
-rw-r--r-- | www/apache2/Makefile | 2 | ||||
-rw-r--r-- | www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c | 34 | ||||
-rw-r--r-- | www/apache20/Makefile | 2 | ||||
-rw-r--r-- | www/apache20/files/patch-secfix-modules:ssl:ssl_engine_io.c | 34 |
4 files changed, 70 insertions, 2 deletions
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index 156efc00b756..e8f6087e5573 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -9,7 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.0.50
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 http://sheepkiller.nerim.net/ports/${PORTNAME}/:powerlogo
diff --git a/www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c b/www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c
new file mode 100644
index 000000000000..f29cfd5aed4d
--- /dev/null
+++ b/www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c
@@ -0,0 +1,34 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
+retrieving revision 1.124
+retrieving revision 1.126
+diff -u -r1.124 -r1.126
+--- modules/ssl/ssl_engine_io.c 2004/07/13 18:11:22 1.124
++++ modules/ssl/ssl_engine_io.c 2004/08/17 16:31:23 1.126
+@@ -564,8 +564,12 @@
+ *len = bytes;
+ if (inctx->mode == AP_MODE_SPECULATIVE) {
+ /* We want to rollback this read. */
+- inctx->cbuf.value -= bytes;
+- inctx->cbuf.length += bytes;
++ if (inctx->cbuf.length > 0) {
++ inctx->cbuf.value -= bytes;
++ inctx->cbuf.length += bytes;
++ } else {
++ char_buffer_write(&inctx->cbuf, buf, (int)bytes);
++ }
+ return APR_SUCCESS;
+ }
+ /* This could probably be *len == wanted, but be safe from stray
+@@ -589,6 +593,10 @@
+ while (1) {
+
+ if (!inctx->filter_ctx->pssl) {
++ /* Ensure a non-zero error code is returned */
++ if (inctx->rc == APR_SUCCESS) {
++ inctx->rc = APR_EGENERAL;
++ }
+ break;
+ }
+
+
diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 156efc00b756..e8f6087e5573 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@@ -9,7 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.0.50
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
 http://sheepkiller.nerim.net/ports/${PORTNAME}/:powerlogo
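Review bot: In www/apache2/files/patch-secfix-modules:ssl:ssl_engine_io.c, the new `else` branch of the AP_MODE_SPECULATIVE rollback passes the caller's `buf` to `char_buffer_write()` without a comment stating what keeps that safe. `char_buffer_write()` is defined outside this hunk; if it records the pointer rather than copying the data, `inctx->cbuf` aliases `buf` after this call and `buf` must stay valid until the next read. I would add a comment above the call along the lines of `/* cbuf is empty after the read, so there is nothing to rewind; hand back the bytes just returned. buf must outlive the next read. */`, and confirm that `bytes` cannot exceed `INT_MAX` before the `(int)bytes` cast (it is presumably bounded by the requested length, which is not visible here). The identical patch file is added under www/apache20, so the same applies there.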
diff --git a/www/apache20/files/patch-secfix-modules:ssl:ssl_engine_io.c b/www/apache20/files/patch-secfix-modules:ssl:ssl_engine_io.c
new file mode 100644
index 000000000000..f29cfd5aed4d
--- /dev/null
+++ b/www/apache20/files/patch-secfix-modules:ssl:ssl_engine_io.c
@@ -0,0 +1,34 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
+retrieving revision 1.124
+retrieving revision 1.126
+diff -u -r1.124 -r1.126
+--- modules/ssl/ssl_engine_io.c 2004/07/13 18:11:22 1.124
++++ modules/ssl/ssl_engine_io.c 2004/08/17 16:31:23 1.126
+@@ -564,8 +564,12 @@
+ *len = bytes;
+ if (inctx->mode == AP_MODE_SPECULATIVE) {
+ /* We want to rollback this read. */
+- inctx->cbuf.value -= bytes;
+- inctx->cbuf.length += bytes;
++ if (inctx->cbuf.length > 0) {
++ inctx->cbuf.value -= bytes;
++ inctx->cbuf.length += bytes;
++ } else {
++ char_buffer_write(&inctx->cbuf, buf, (int)bytes);
++ }
+ return APR_SUCCESS;
+ }
+ /* This could probably be *len == wanted, but be safe from stray
+@@ -589,6 +593,10 @@
+ while (1) {
+
+ if (!inctx->filter_ctx->pssl) {
++ /* Ensure a non-zero error code is returned */
++ if (inctx->rc == APR_SUCCESS) {
++ inctx->rc = APR_EGENERAL;
++ }
+ break;
+ }
+
+
|