author | dinoex <dinoex@FreeBSD.org> | 2007-09-10 16:00:17 +0800 |
committer | dinoex <dinoex@FreeBSD.org> | 2007-09-10 16:00:17 +0800 |
commit | 68e4ac12a4692a7183f619181a7ca5177d2a82b0 (patch) | |
tree | 3c5a6019b800b0120ed2a5794273623174cd5abd /www/apache13-modssl/files | |
parent | b2b046abe0e43f884d29a7a0834ffe9c02f4e9eb (diff) | |
- merge security fixes from apache 1.3.39
Security: CVE-2006-5752
Security: CVE-2007-3304
Diffstat (limited to 'www/apache13-modssl/files')
-rw-r--r-- | www/apache13-modssl/files/patch-CVE-2007-3304 | 348 |
1 files changed, 348 insertions, 0 deletions
diff --git a/www/apache13-modssl/files/patch-CVE-2007-3304 b/www/apache13-modssl/files/patch-CVE-2007-3304
new file mode 100644
index 000000000000..235aae2214b1
--- /dev/null
+++ b/www/apache13-modssl/files/patch-CVE-2007-3304
@@ -0,0 +1,348 @@
+--- src/CHANGES.orig Thu Jul 27 20:19:46 2006
++++ src/CHANGES Mon Sep 10 09:25:24 2007
+@@ -1,3 +1,22 @@
++Changes with Apache 1.3.39
++
++ *) SECURITY: CVE-2006-5752 (cve.mitre.org)
++ mod_status: Fix a possible XSS attack against a site with a public
++ server-status page and ExtendedStatus enabled, for browsers which
++ perform charset "detection". Reported by Stefan Esser. [Joe Orton]
++
++ *) SECURITY: CVE-2007-3304 (cve.mitre.org)
++ Ensure that the parent process cannot be forced to kill non-child
++ processes by checking scoreboard PID data with parent process
++ privately stored PID data. [Jim Jagielski]
++
++ *) mime.types: Many updates to sync with IANA registry and common
++ unregistered types that the owners refuse to register. Admins
++ are encouraged to update their installed mime.types file.
++ PR: 35550, 37798, 39317, 31483 [Roy T. Fielding]
++
++There was no Apache 1.3.38
++
+ Changes with Apache 1.3.37
+ 
+ *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+@@ -25,10 +44,11 @@
+ *) core: Allow usage of the "Include" configuration directive within
+ previously "Include"d files. [Colm MacCarthaigh]
+ 
+- *) HTML-escape the Expect error message. Not classed as security as
+- an attacker has no way to influence the Expect header a victim will
+- send to a target site. Reported by Thiago Zaninotti
+- <thiango nstalker.com>. [Mark Cox]
++ *) SECURITY: CVE-2006-3918 (cve.mitre.org)
++ HTML-escape the Expect error message. Only a security issue if
++ an attacker can influence the Expect header a victim will send to a
++ target site (it's known that some versions of Flash can do this)
++ Reported by Thiago Zaninotti <thiango nstalker.com>. [Mark Cox]
+ 
+ *) mod_cgi: Remove block on OPTIONS method so that scripts can
+ respond to OPTIONS directly rather than via server default.
+--- src/Configure.orig Mon Sep 10 09:25:22 2007
++++ src/Configure Mon Sep 10 09:25:24 2007
+@@ -457,7 +457,7 @@
+ PLATOSVERS=`echo $PLAT | sed 's/^.*freebsd//'`
+ OS="FreeBSD $PLATOSVERS"
+ case "$PLATOSVERS" in
+- [2345]*)
++ [234567]*)
+ DEF_WANTHSREGEX=no
+ CFLAGS="$CFLAGS -funsigned-char"
+ ;;
+@@ -2002,7 +2002,7 @@
+ # select the special subtarget for shared core generation
+ SUBTARGET=target_shared
+ # determine additional suffixes for libhttpd.so
+- V=1 R=3 P=37
++ V=1 R=3 P=39
+ if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
+ SHLIB_SUFFIX_LIST=""
+ fi
+--- src/include/httpd.h.orig Mon Sep 10 09:25:22 2007
++++ src/include/httpd.h Mon Sep 10 09:25:24 2007
+@@ -419,7 +419,7 @@
+ 
+ #define SERVER_BASEVENDOR "Apache Group"
+ #define SERVER_BASEPRODUCT "Apache"
+-#define SERVER_BASEREVISION "1.3.37"
++#define SERVER_BASEREVISION "1.3.39"
+ #define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
+ 
+ #define SERVER_PRODUCT SERVER_BASEPRODUCT
+@@ -443,7 +443,7 @@
+ * Always increases along the same track as the source branch.
+ * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
+ */
+-#define APACHE_RELEASE 10337100
++#define APACHE_RELEASE 10339100
+ 
+ #define SERVER_PROTOCOL "HTTP/1.1"
+ #ifndef SERVER_SUPPORT
+--- src/main/NWGNUmakefile.mak.orig Mon Oct 31 18:00:43 2005
++++ src/main/NWGNUmakefile.mak Mon Sep 10 09:25:24 2007
+@@ -39,10 +39,8 @@
+ $(EOLIST)
+ 
+ ifdef MULTIPROC
+-XLFLAGS += \
+- XDCData $(NWOS)\apache.xdc \
+- $(EOLIST)
+-endif
++XDCDATA = $(NWOS)\apache.xdc
++endif
+ 
+ #
+ # These values will be appended to the correct variables based on the value of
+--- src/NWGNUmakefile.mak.orig Mon Oct 31 18:00:43 2005
++++ src/NWGNUmakefile.mak Mon Sep 10 09:25:24 2007
+@@ -40,10 +40,8 @@
+ $(EOLIST)
+ 
+ ifdef MULTIPROC
+-XLFLAGS += \
+- XDCData $(NWOS)\apache.xdc \
+- $(EOLIST)
+-endif
++XDCDATA = $(NWOS)\apache.xdc
++endif
+ 
+ #
+ # These values will be appended to the correct variables based on the value of
+--- src/main/http_main.c.orig Mon Sep 10 09:25:22 2007
++++ src/main/http_main.c Mon Sep 10 09:28:31 2007
+@@ -357,9 +357,17 @@
+ char tpf_mutex_key[TPF_MUTEX_KEY_SIZE];
+ #endif /* TPF */
+ 
++/*
++ * Shared memory scoreboard
++ */
+ scoreboard *ap_scoreboard_image = NULL;
+ 
+ /*
++ * Parent process local storage of child pids
++ */
++static table *pid_table;
++
++/*
+ * Pieces for managing the contents of the Server response header
+ * field.
+ */
+@@ -375,6 +383,33 @@
+ API_VAR_EXPORT int ap_change_shmem_uid = 0;
+ 
+ /*
++ * Check the pid table to see if the actual pid exists
++ */
++
++static int in_pid_table(int pid) {
++ char apid[64]; /* WAY generous! */
++ const char *spid;
++ ap_snprintf(apid, sizeof(apid), "%d", pid);
++ spid = ap_table_get(pid_table, apid);
++ if (spid && spid[0] == '1' && spid[1] == '\0')
++ return 1;
++ else
++ return 0;
++}
++
++static void set_pid_table(int pid) {
++ char apid[64];
++ ap_snprintf(apid, sizeof(apid), "%d", pid);
++ ap_table_set(pid_table, apid, "1");
++}
++
++static void unset_pid_table(int pid) {
++ char apid[64];
++ ap_snprintf(apid, sizeof(apid), "%d", pid);
++ ap_table_unset(pid_table, apid);
++}
++
++/*
+ * This routine is called when the pconf pool is vacuumed. It resets the
+ * server version string to a known value and [re]enables modifications
+ * (which are disabled by configuration completion).
+@@ -2829,9 +2864,15 @@
+ if (pid == my_pid || pid == 0)
+ continue;
+ 
++ if (!in_pid_table(pid)) {
++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
++ "Bad pid (%d) in scoreboard slot %d", pid, i);
++ continue;
++ }
+ waitret = waitpid(pid, &status, WNOHANG);
+ if (waitret == pid || waitret == -1) {
+ ap_scoreboard_image->parent[i].pid = 0;
++ unset_pid_table(pid);
+ continue;
+ }
+ ++not_dead_yet;
+@@ -2929,13 +2970,22 @@
+ 
+ for (n = 0; n < max_daemons_limit; ++n) {
+ ap_sync_scoreboard_image();
+- if (ap_scoreboard_image->servers[n].status != SERVER_DEAD &&
+- kill((pid = ap_scoreboard_image->parent[n].pid), 0) == -1) {
+- ap_update_child_status(n, SERVER_DEAD, NULL);
+- /* just mark it as having a successful exit status */
+- bzero((char *) status, sizeof(ap_wait_t));
+- return(pid);
+- }
++ pid = ap_scoreboard_image->parent[n].pid;
++ if (ap_scoreboard_image->servers[n].status != SERVER_DEAD) {
++ if (in_pid_table(pid)) {
++ if (kill(pid, 0) == -1) {
++ ap_update_child_status(n, SERVER_DEAD, NULL);
++ /* just mark it as having a successful exit status */
++ bzero((char *) status, sizeof(ap_wait_t));
++ unset_pid_table(pid); /* to be safe */
++ return(pid);
++ }
++ }
++ else {
++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
++ "Bad pid (%d) in scoreboard slot %d", pid, n);
++ }
++ }
+ }
+ return 0;
+ }
+@@ -2958,15 +3008,21 @@
+ #define MAXWAITOBJ MAXIMUM_WAIT_OBJECTS
+ HANDLE h[MAXWAITOBJ];
+ int e[MAXWAITOBJ];
+- int round, pi, hi, rv, err;
++ int round, pi, hi, rv, err, pid;
+ for (round = 0; round <= (HARD_SERVER_LIMIT - 1) / MAXWAITOBJ + 1; round++) {
+ hi = 0;
+ for (pi = round * MAXWAITOBJ;
+ (pi < (round + 1) * MAXWAITOBJ) && (pi < HARD_SERVER_LIMIT);
+ pi++) {
+ if (ap_scoreboard_image->servers[pi].status != SERVER_DEAD) {
+- e[hi] = pi;
+- h[hi++] = (HANDLE) ap_scoreboard_image->parent[pi].pid;
++ e[hi] = pi;
++ pid = ap_scoreboard_image->parent[pi].pid;
++ if (in_pid_table(pid))
++ h[hi++] = (HANDLE) pid;
++ else {
++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
++ "Bad pid (%d) in scoreboard slot %d", pid, pi);
++ }
+ }
+ 
+ }
+@@ -4408,6 +4464,8 @@
+ ap_server_pre_read_config = ap_make_array(pcommands, 1, sizeof(char *));
+ ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
+ ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *));
++ ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *));
++ pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT);
+ 
+ #ifdef EAPI
+ ap_hook_init();
+@@ -5081,6 +5139,7 @@
+ ap_scoreboard_image->parent[slot].last_rtime = now;
+ #endif
+ ap_scoreboard_image->parent[slot].pid = pid;
++ set_pid_table(pid);
+ #ifdef SCOREBOARD_FILE
+ lseek(scoreboard_fd, XtOffsetOf(scoreboard, parent[slot]), 0);
+ force_write(scoreboard_fd, &ap_scoreboard_image->parent[slot],
+@@ -5143,6 +5202,7 @@
+ int i;
+ int to_kill;
+ int idle_count;
++ int pid;
+ short_score *ss;
+ time_t now = time(NULL);
+ int free_length;
+@@ -5207,8 +5267,15 @@
+ else if (ps->last_rtime + ss->timeout_len < now) {
+ /* no progress, and the timeout length has been exceeded */
+ ss->timeout_len = 0;
+- kill(ps->pid, SIG_TIMEOUT_KILL);
+- }
++ pid = ps->pid;
++ if (in_pid_table(pid)) {
++ kill(pid, SIG_TIMEOUT_KILL);
++ }
++ else {
++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
++ "Bad pid (%d) in scoreboard slot %d", pid, i);
++ }
++ }
+ }
+ #endif
+ }
+@@ -5220,11 +5287,18 @@
+ * while we were counting. Use the define SIG_IDLE_KILL to reflect
+ * which signal should be used on the specific OS.
+ */
+- kill(ap_scoreboard_image->parent[to_kill].pid, SIG_IDLE_KILL);
+- idle_spawn_rate = 1;
++ pid = ap_scoreboard_image->parent[to_kill].pid;
++ if (in_pid_table(pid)) {
++ kill(pid, SIG_IDLE_KILL);
++ idle_spawn_rate = 1;
+ #ifdef TPF
+- ap_update_child_status(to_kill, SERVER_DEAD, (request_rec *)NULL);
++ ap_update_child_status(to_kill, SERVER_DEAD, (request_rec *)NULL);
+ #endif
++ }
++ else {
++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf,
++ "Bad pid (%d) in scoreboard slot %d", pid, to_kill);
++ }
+ }
+ else if (idle_count < ap_daemons_min_free) {
+ /* terminate the free list */
+@@ -5471,6 +5545,7 @@
+ }
+ #endif
+ if (pid >= 0) {
++ unset_pid_table(pid);
+ process_child_status(pid, status);
+ /* non-fatal death... note that it's gone in the scoreboard. */
+ ap_sync_scoreboard_image();
+@@ -5796,7 +5871,7 @@
+ if (!tpf_child) {
+ memcpy(tpf_server_name, input_parms.parent.servname,
+ INETD_SERVNAME_LENGTH);
+- tpf_server_name[INETD_SERVNAME_LENGTH + 1] = '\0';
++ tpf_server_name[INETD_SERVNAME_LENGTH] = '\0';
+ sprintf(tpf_mutex_key, "%.*x", (int) TPF_MUTEX_KEY_SIZE - 1, getpid());
+ tpf_parent_pid = getppid();
+ ap_open_logs(server_conf, plog);
+--- src/modules/standard/mod_status.c.orig Mon Sep 10 09:25:24 2007
++++ src/modules/standard/mod_status.c Mon Sep 10 09:25:24 2007
+@@ -221,7 +221,7 @@
+ if (r->method_number != M_GET)
+ return DECLINED;
+ 
+- r->content_type = "text/html";
++ r->content_type = "text/html; charset=ISO-8859-1";
+ 
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -247,7 +247,7 @@
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- r->content_type = "text/plain";
++ r->content_type = "text/plain; charset=ISO-8859-1";
+ short_report = 1;
+ break;
+ }
+@@ -591,7 +591,8 @@
+ ap_rputs(")\n", r);
+ ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
+ ap_escape_html(r->pool, score_record.client),
+- ap_escape_html(r->pool, score_record.request),
++ ap_escape_html(r->pool,
++ ap_escape_logitem(r->pool, score_record.request)),
+ vhost ? ap_escape_html(r->pool,
+ vhost->server_hostname) : "(unavailable)");
+ }
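Review bot: The `@@ -4408,6 +4464,8 @@` hunk of src/main/http_main.c adds `ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *));` directly below the identical context line, so the array is built twice and the first allocation is simply abandoned in pcommands; only `pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT);` belongs in that hunk and the duplicated line should be dropped from the patch. Keeping the pid list in parent-private memory is the right shape for the CVE-2007-3304 check, because the scoreboard the `Bad pid` branches now distrust is child-writable shared memory, but `set_pid_table` records every spawned child via `ap_table_set` on a table backed by `pglobal`, and the pool copies of each key presumably outlive the matching `ap_table_unset` — on a long-running parent with high child turnover that looks like slow unbounded growth, worth confirming against the table implementation before shipping the port. The three helpers carry no documentation beyond "Check the pid table to see if the actual pid exists"; a comment on `in_pid_table` such as `/* Returns 1 only for pids this parent recorded via set_pid_table(); scoreboard pids are untrusted and must pass here before kill()/waitpid() */` would make the intent of every `Bad pid` branch clear to the next reader. The enclosing functions of all http_main.c hunks start and end outside the hunks.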