author | pgollucci <pgollucci@FreeBSD.org> | 2009-06-08 11:10:25 +0800 |
---|---|---|
committer | pgollucci <pgollucci@FreeBSD.org> | 2009-06-08 11:10:25 +0800 |
commit | 5746b539d7e152c00cc7fe42c55000de59bee7a7 (patch) | |
tree | f68f22076fb69153c4f23c13ae9362fb79413529 /www | |
parent | f15ca5dbc2a563ed88cc663dab5384a23139a4d9 (diff) | |
- Backport apr-util security fixes pending the 2.2.12 release (forthcoming)
Security: http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
PR: ports/135310
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
With Hat: apache
Diffstat (limited to 'www')
-rw-r--r-- | www/apache22/Makefile | 2 | ||||
-rw-r--r-- | www/apache22/files/patch-apr-fix-apr_xml-expat-attack | 51 | ||||
-rw-r--r-- | www/apache22/files/patch-apr-fix-brigade_vprintf_overflow | 18 | ||||
-rw-r--r-- | www/apache22/files/patch-apr-fix-strmatch-underflow | 21 |
4 files changed, 91 insertions, 1 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 685b834e719..14d42bdce86 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -9,7 +9,7 @@
 PORTNAME= apache
 PORTVERSION= 2.2.11
-PORTREVISION?= 4
+PORTREVISION?= 5
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD}
 DISTNAME= httpd-${PORTVERSION}
diff --git a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
new file mode 100644
index 00000000000..2040f082ea2
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
@@ -0,0 +1,51 @@
+Taken from
+ http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
+
+--- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729
++++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403
+@@ -347,6 +347,25 @@
+ return APR_SUCCESS;
+ }
+
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ apr_xml_parser *parser = userData;
++
++ XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+ apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,19 @@
+ XML_SetElementHandler(parser->xp, start_handler, end_handler);
+ XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, installing a noop
++ * DefaultHandler means that internal entities will be expanded as
++ * the empty string, which is also sufficient to prevent the
++ * attack. */
++#if XML_MAJOR_VERSION > 1
++ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++ XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+ return parser;
+ }
+
diff --git a/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
new file mode 100644
index 00000000000..7ac97674b0c
--- /dev/null
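Review bot: The expat 2.x branch of `entity_declaration` aborts on every entity declaration, benign or not, and nothing in the new code tells a caller why the parse failed. `XML_StopParser(parser->xp, XML_FALSE)` makes the enclosing parse call fail with expat's generic aborted status, so a document with a harmless internal DTD subset is now rejected without a specific message; that is the intended hardening against the entity-expansion attack named in the comment, but it is a visible behaviour change worth stating. I would extend the handler comment to `/* Stop the parser if an entity declaration is hit; the parse then fails as aborted, so any document declaring entities is rejected. */`. The body of apr_xml_parser_create starts outside the second inner hunk, and this patch covers only the apr-util copy under srclib/, so a build linked against a separately installed apr-util (not visible here) would need the same fix there.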
+++ b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
@@ -0,0 +1,18 @@
+Equal to the fix in the apr-util itself:
+ http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch
+
+See discuission about original vulnerability at
+ http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
+
+--- srclib/apr-util/buckets/apr_brigade.c.orig 2009-06-06 12:32:12.000000000 +0400
++++ srclib/apr-util/buckets/apr_brigade.c 2009-06-06 12:35:30.000000000 +0400
+@@ -689,9 +689,6 @@
+ return -1;
+ }
+
+- /* tack on null terminator to remaining string */
+- *(vd.vbuff.curpos) = '\0';
+-
+ /* write out what remains in the buffer */
+ return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
diff --git a/www/apache22/files/patch-apr-fix-strmatch-underflow b/www/apache22/files/patch-apr-fix-strmatch-underflow
new file mode 100644
index 00000000000..c1e25235592
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-strmatch-underflow
@@ -0,0 +1,21 @@
+Fix underflow in apr_strmatch_precompile,
+ http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch
+
+--- srclib/apr-util/strmatch/apr_strmatch.c 2009/03/24 11:12:27 757729
++++ srclib/apr-util/strmatch/apr_strmatch.c 2009/05/29 07:47:52 779878
+@@ -103,13 +103,13 @@
+ if (case_sensitive) {
+ pattern->compare = match_boyer_moore_horspool;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[(int)s[i]] = pattern->length - i - 1;
++ shift[(unsigned char)s[i]] = pattern->length - i - 1;
+ }
+ }
+ else {
+ pattern->compare = match_boyer_moore_horspool_nocase;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[apr_tolower(s[i])] = pattern->length - i - 1;
++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+ }
+ }
+ pattern->context = shift; |
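Review bot: After the terminator store is removed in the `@@ -689,9 +689,6 @@` hunk of apr_brigade.c, nothing at that spot records that `buf` is deliberately left without a trailing NUL. The remaining call passes the explicit length `vd.vbuff.curpos - buf`, so the terminator was never needed for the write, and the removed store presumably landed one byte past the buffer when it was exactly full (the buffer's declaration is outside the hunk). I would add `/* buf is not NUL-terminated: only curpos - buf bytes are valid, and curpos may sit at the end of buf */` above the write so a later change does not reintroduce the store. The enclosing function begins outside the hunk.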
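Review bot: The two `(unsigned char)` casts in the apr_strmatch.c hunk correct only the writes into `shift`; the reads in `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` are outside this hunk and must index the table with the same unsigned byte value, otherwise pattern bytes at or above 0x80 get a shift entry the search never consults. In the nocase branch the cast is applied to the result of `apr_tolower(s[i])`, which is sound only if that macro itself tolerates a negative `char` argument, so its definition is worth confirming. A short comment on the first cast would keep the reason visible: `/* index by unsigned byte: plain char may be negative for bytes >= 0x80 */`. The body of apr_strmatch_precompile starts and ends outside the hunk, so the size of the `shift` table cannot be checked from here.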