authorClement Laforet <clement@FreeBSD.org>2004-09-15 16:54:37 +0000
committerClement Laforet <clement@FreeBSD.org>2004-09-15 16:54:37 +0000
commit222ecfdf5d16a0078eeb8593028cc93830c80457 (patch)
treeb3c0c38b75bd58446743b8985a38b79d6ea58b1b /www/apache2
parentNote CUPS printer queue browser denial-of-service. (diff)
Security fixes [1]:
*) SECURITY: CAN-2004-0786 (cve.mitre.org) Fix an input validation issue in apr-util which could be triggered by malformed IPv6 literal addresses. [Joe Orton] *) SECURITY: CAN-2004-0747 (cve.mitre.org) Fix buffer overflow in expansion of environment variables in configuration file parsing. [André Malo] *) SECURITY: CAN-2004-0809 (cve.mitre.org) mod_dav_fs: Fix a segfault in the handling of an indirect lock refresh. PR 31183. [Joe Orton] - Update documentation (finally!) and fix WITH_<CATEGORY>_MODULES for special modules like LDAP or SSL [2] Noticed by: nectar [1] Requested by: Emile Heitor <imil at home dot imil dot net> [2] Approved by: portmgr (marcus)
Notes
Notes: svn path=/head/; revision=118182
Diffstat (limited to 'www/apache2')
-rw-r--r--www/apache2/Makefile20
-rw-r--r--www/apache2/Makefile.doc39
-rw-r--r--www/apache2/Makefile.modules.3rd2
-rw-r--r--www/apache2/files/patch-secfix-modules:dav:fs:lock.c46
-rw-r--r--www/apache2/files/patch-secfix-server:utils.c132
-rw-r--r--www/apache2/files/patch-secfix-srclib:apr-util:test:testuri.c33
6 files changed, 251 insertions, 21 deletions
diff --git a/www/apache2/Makefile b/www/apache2/Makefile
index ae35d07389cb..0322398b7a7b 100644
--- a/www/apache2/Makefile
+++ b/www/apache2/Makefile
@@ -9,7 +9,7 @@
PORTNAME= apache
PORTVERSION= 2.0.50
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
http://sheepkiller.nerim.net/ports/${PORTNAME}/:powerlogo
@@ -87,7 +87,7 @@ CONFIGURE_ARGS+= --enable-v4-mapped
. endif
.endif
-.if !defined(WITHOUT_SSL)
+.if !defined(WITHOUT_SSL) || defined(WITHOUT_SSL_MODULES)
USE_OPENSSL= yes
.endif
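Review bot: The new condition on the `.if` line turns OpenSSL on whenever WITHOUT_SSL_MODULES is defined, which is the opposite of what Makefile.doc in this same commit says a WITHOUT_<CATEGORY>_MODULES knob does: `!defined(WITHOUT_SSL)` is already true by default, so the added `||` term can only ever add a case, and a user who sets both WITHOUT_SSL and WITHOUT_SSL_MODULES still ends up with USE_OPENSSL=yes. The LDAP hunk below is right to use `||` because both of its knobs are opt-in; for two opt-out knobs the conjunction is what is wanted: `.if !defined(WITHOUT_SSL) && !defined(WITHOUT_SSL_MODULES)`. A quick `make -V USE_OPENSSL WITHOUT_SSL_MODULES=yes` would confirm the intended behaviour before this goes in.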
@@ -118,7 +118,7 @@ APACHEDIR= ${.CURDIR}
APACHEDIR= ${MASTERDIR}
.endif
-.if defined (WITH_LDAP)
+.if defined (WITH_LDAP) || defined (WITH_LDAP_MODULES)
USE_OPENLDAP= YES
CONFIGURE_ARGS+= --with-ldap \
--with-ldap-lib="${LOCALBASE}/lib" \
@@ -161,6 +161,12 @@ CONFIGURE_ARGS+= --with-mpm=${WITH_MPM:L} ${CONFIGURE_TARGET}
show-options:
@${SED} -ne 's/^##//p' ${APACHEDIR}/Makefile.doc
+show-categories:
+.for category in ${ALL_MODULES_CATEGORIES:S/SLAVE_PORT//}
+ @${ECHO_MSG} "${category} contains these modules:"
+ @${ECHO_MSG} " ${${category}_MODULES}"
+.endfor
+
show-modules:
@for module in ${AVAILABLE_MODULES} ; do \
${ECHO_MSG} -n "$${module}: ";\
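Review bot: The category list is filtered with `:S/SLAVE_PORT//` in the new show-categories target but with `:C/SLAVE_PORT//` in the pre-everything hunk further down; both do the same thing for a literal pattern, so one spelling should be used in both places, and `:S` is the simpler one. If the intent is to drop the word rather than blank it, `${ALL_MODULES_CATEGORIES:NSLAVE_PORT}` says so more directly. The show-modules target whose first two lines close this hunk continues outside it.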
@@ -178,6 +184,14 @@ show-modules:
pre-everything::
@${ECHO_MSG} ""
+ @${ECHO_MSG} " To enable a module category: WITH_<CATEGORY>_MODULES"
+ @${ECHO_MSG} " To disable a module category: WITHOUT_<CATEGORY>_MODULES"
+ @${ECHO_MSG} ""
+ @${ECHO_MSG} " Per default categories are:"
+ @${ECHO_MSG} " ${DEFAULT_MODULES_CATEGORIES}"
+ @${ECHO_MSG} " Categories available:"
+ @${ECHO_MSG} " ${ALL_MODULES_CATEGORIES:C/SLAVE_PORT//}"
+ @${ECHO_MSG} ""
@${ECHO_MSG} " To see all available knobs, type make show-options"
@${ECHO_MSG} " You can check your modules configuration by using show-modules"
@${ECHO_MSG} ""
diff --git a/www/apache2/Makefile.doc b/www/apache2/Makefile.doc
index d22f0d3d5709..889cbaac3801 100644
--- a/www/apache2/Makefile.doc
+++ b/www/apache2/Makefile.doc
@@ -11,25 +11,28 @@
## Available knobs:
## By default, modules are compiled as dynamically loadable (DSO) modules.
##
+## Modules knobs philosophy:
+## Modules are split in categories, "make show-categories" shows you
+## which modules they contain. You can enable/disable/customize a category:
+## - To enable a category: WITH_<CATEGORY>_MODULES=yes
+## [WITH_PROXY_MODULES=yes]
+## - To disable a category: WITHOUT_<CATEGORY>_MODULES=yes
+## [WITHOUT_DAV_MODULES=yes]
+## - To customize a category: WITH_CUSTOM_<CATEGORY>
+## [WITH_CUSTOM_PROXY="proxy proxy_http"]
+##
## Apache-related
## WITH_MPM: prefork (default)
## worker
## perchild (deprecated)
## threadpool (testing purpose only)
## WITH_HTTP_PORT: default: 80
-## WITH_LDAP: Enable LDAP support (mod_auth_ldap)
-## WITHOUT_PROXY: Disable proxy support
-## WITH_CUSTOM_PROXY: Let you choose which proxy modules you wish
-## WITHOUT_AUTH: Disable auth modules
-## WITH_CUSTOM_AUTH: Let you choose which auth modules you wish
-## WITHOUT_DAV: Disable DAV support
-## WITHOUT_IPV6: Disable IPv6 support
+## WITH_LDAP: Enable LDAP support (mod_auth_ldap) (implies WITH_LDAP_MODULES)
## WITHOUT_V4MAPPED
## WITH_IPV6_V6ONLY: Don't allow IPv6 sockets to handle IPv4
## connections
## WITHOUT_SSL: Disable SSL support
## WITH_THREADS: Enable threads support !! USE IT WITH CARE !!
-## WITH_CUSTOM_THREADS: Let you choose which threaded modules you want
## WITH_DBM: Choose your DBM: bdb (Berkeley DB), gdbm or
## ndbm (default)
## WITH_BERKELEYDB: Choose your BerkeleyDB version: db2, db3,
@@ -44,11 +47,8 @@
## WITH_MODULES or with default configuration
## use 'make show-modules', to check if they are
## enabled)
-## WITH_EXPERIMENTAL: Build and install experimental modules
-## WITH_EXTRA_MODULES: Use this to support additional modules (plist
-## entry is NOT yet supported)
-## WITH_MODULES: List of your own modules
-## WITHOUT_MODULES: Disable listed modules
+## WITH_MODULES: List of modules you choose
+## WITHOUT_MODULES: Disable selected modules
## WITH_SUEXEC: Enable suExec support
## SUEXEC_DOCROOT: SuExec root directory
## SUEXEC_USERDIR: User subdirectory (default public_html)
@@ -73,16 +73,21 @@
## WITH_APR_FROM_PORTS: Utilise apr and apr-utils from
## ${PORTSDIR}/devel/apr
##
+## Optionnal patches:
+## WITH_EXPERIMENTAL_PATCHES Add performance patches (generally backported
+## from apr/httpd CVS)
+## WITH_WINDOWSUPDATEFIX Add a fix to use apache as proxy with
+## Windows Update service.
+##
## Available make targets:
## show-options: prints this message
## show-modules: prints list of available modules
+## show-categories: prints list of modules sorted by category
##
## Examples:
-## make WITHOUT_SSL=yes WITH_EXTRA_MODULES="bucketeer case_filter \
-## case_filter_in" WITHOUT_PROXY=yes
-## make WITH_STATIC_MODULES="ssl rewrite include" WITH_EXPERIMENTAL=yes \
+## make WITH_STATIC_MODULES="ssl rewrite include" WITH_EXPERIMENTAL_MODULES=yes \
## WITH_CUSTOM_AUTH="auth auth_dbm"
-## make WITH_EXPERIMENTAL=yes WITHOUT_MODULES="access speling status"
+## make WITHOUT_MODULES="access speling status" WITH_PROXY_MODULES=yes
## make WITH_MODULES="include rewrite auth"
##
diff --git a/www/apache2/Makefile.modules.3rd b/www/apache2/Makefile.modules.3rd
index ccd62d3ddb9c..dd3a040a2648 100644
--- a/www/apache2/Makefile.modules.3rd
+++ b/www/apache2/Makefile.modules.3rd
@@ -170,7 +170,7 @@ CONFIGURE_ARGS+= --disable-so
WITH_ALL_STATIC_MODULES= YES
.endif
-.if defined(WITH_SUEXEC)
+.if defined(WITH_SUEXEC) || defined(WITH_SUEXEC_MODULES)
.if ${WANT_APACHE} == common13
SUEXEC_CONFARGS= suexec
CONFIGURE_ARGS+= --enable-suexec
diff --git a/www/apache2/files/patch-secfix-modules:dav:fs:lock.c b/www/apache2/files/patch-secfix-modules:dav:fs:lock.c
new file mode 100644
index 000000000000..802456eb8c51
--- /dev/null
+++ b/www/apache2/files/patch-secfix-modules:dav:fs:lock.c
@@ -0,0 +1,46 @@
+===================================================================
+RCS file: /home/cvspublic/httpd-2.0/modules/dav/fs/lock.c,v
+retrieving revision 1.25.2.5
+retrieving revision 1.25.2.6
+diff -u -r1.25.2.5 -r1.25.2.6
+--- modules/dav/fs/lock.c 2004/04/26 15:45:52 1.25.2.5
++++ modules/dav/fs/lock.c 2004/09/15 08:26:48 1.25.2.6
+@@ -66,7 +66,7 @@
+ ** INDIRECT LOCK: [char (DAV_LOCK_INDIRECT),
+ ** apr_uuid_t locktoken,
+ ** time_t expires,
+-** int key_size,
++** apr_size_t key_size,
+ ** char[] key]
+ ** The key is to the collection lock that resulted in this indirect lock
+ */
+@@ -157,7 +157,7 @@
+ /* Stored indirect lock info - lock token and apr_datum_t */
+ #define dav_size_indirect(a) (1 + sizeof(apr_uuid_t) \
+ + sizeof(time_t) \
+- + sizeof(int) + (a)->key.dsize)
++ + sizeof((a)->key.dsize) + (a)->key.dsize)
+
+ /*
+ ** The lockdb structure.
+@@ -1469,13 +1469,13 @@
+ }
+ if (dav_fs_do_refresh(dp_scan, ltl, new_time)) {
+ /* the lock was refreshed. return the lock. */
+- newlock = dav_fs_alloc_lock(lockdb, ip->key, dp->locktoken);
++ newlock = dav_fs_alloc_lock(lockdb, ip->key, dp_scan->locktoken);
+ newlock->is_locknull = !resource->exists;
+- newlock->scope = dp->f.scope;
+- newlock->type = dp->f.type;
+- newlock->depth = dp->f.depth;
+- newlock->timeout = dp->f.timeout;
+- newlock->owner = dp->owner;
++ newlock->scope = dp_scan->f.scope;
++ newlock->type = dp_scan->f.type;
++ newlock->depth = dp_scan->f.depth;
++ newlock->timeout = dp_scan->f.timeout;
++ newlock->owner = dp_scan->owner;
+ newlock->auth_user = dp_scan->auth_user;
+
+ newlock->next = *locks;
+
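Review bot: Widening the stored `key_size` from `int` to `apr_size_t` (the layout comment and the `dav_size_indirect` macro) changes the on-disk shape of indirect-lock records wherever the two types differ in size, e.g. on 64-bit platforms, so a lock database written by the unpatched 2.0.50 build may be read back inconsistently after the upgrade; only the size macro is visible in this hunk, so the matching change to the code that serialises and parses `key_size` is presumably in the upstream revision this was lifted from — worth confirming, and worth a pkg-message or UPDATING note telling admins to remove existing DAV lock databases on upgrade. The `dp` → `dp_scan` substitutions in the refresh path are the segfault fix the commit message names; the function enclosing them starts and ends outside the hunk.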
diff --git a/www/apache2/files/patch-secfix-server:utils.c b/www/apache2/files/patch-secfix-server:utils.c
new file mode 100644
index 000000000000..ed56554a3360
--- /dev/null
+++ b/www/apache2/files/patch-secfix-server:utils.c
@@ -0,0 +1,132 @@
+diff -Nur httpd-2.0~/server/util.c httpd-2.0/server/util.c
+--- server/util.c
++++ server/util.c
+@@ -722,7 +722,7 @@
+
+ *resp++ = '\0';
+ #if RESOLVE_ENV_PER_TOKEN
+- return ap_resolve_env(p,result);
++ return (char *)ap_resolve_env(p,result);
+ #else
+ return result;
+ #endif
+@@ -782,39 +782,87 @@
+ */
+ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word)
+ {
+- char tmp[ MAX_STRING_LEN ];
+- const char *s, *e;
+- tmp[0] = '\0';
+-
+- if (!(s=ap_strchr_c(word,'$')))
+- return word;
+-
+- do {
+- /* XXX - relies on strncat() to add '\0'
+- */
+- strncat(tmp,word,s - word);
+- if ((s[1] == '{') && (e=ap_strchr_c(s,'}'))) {
+- const char *e2 = e;
+- char *var;
+- word = e + 1;
+- var = apr_pstrndup(p, s+2, e2-(s+2));
+- e = getenv(var);
+- if (e) {
+- strcat(tmp,e);
+- } else {
+- strncat(tmp, s, e2-s);
+- strcat(tmp,"}");
+- }
+- } else {
+- /* ignore invalid strings */
+- word = s+1;
+- strcat(tmp,"$");
+- };
+- } while ((s=ap_strchr_c(word,'$')));
+- strcat(tmp,word);
++# define SMALL_EXPANSION 5
++ struct sll {
++ struct sll *next;
++ const char *string;
++ apr_size_t len;
++ } *result, *current, sresult[SMALL_EXPANSION];
++ char *res_buf, *cp;
++ const char *s, *e, *ep;
++ unsigned spc;
++ apr_size_t outlen;
++
++ s = ap_strchr_c(word, '$');
++ if (!s) {
++ return word;
++ }
++
++ /* well, actually something to do */
++ ep = word + strlen(word);
++ spc = 0;
++ result = current = &(sresult[spc++]);
++ current->next = NULL;
++ current->string = word;
++ current->len = s - word;
++ outlen = current->len;
++
++ do {
++ /* prepare next entry */
++ if (current->len) {
++ current->next = (spc < SMALL_EXPANSION)
++ ? &(sresult[spc++])
++ : (struct sll *)apr_palloc(p,
++ sizeof(*current->next));
++ current = current->next;
++ current->next = NULL;
++ current->len = 0;
++ }
+
+- return apr_pstrdup(p,tmp);
++ if (*s == '$') {
++ if (s[1] == '{' && (e = ap_strchr_c(s, '}'))) {
++ word = getenv(apr_pstrndup(p, s+2, e-s-2));
++ if (word) {
++ current->string = word;
++ current->len = strlen(word);
++ outlen += current->len;
++ }
++ else {
++ current->string = s;
++ current->len = e - s + 1;
++ outlen += current->len;
++ }
++ s = e + 1;
++ }
++ else {
++ current->string = s++;
++ current->len = 1;
++ ++outlen;
++ }
++ }
++ else {
++ word = s;
++ s = ap_strchr_c(s, '$');
++ current->string = word;
++ current->len = s ? s - word : ep - word;
++ outlen += current->len;
++ }
++ } while (s && *s);
++
++ /* assemble result */
++ res_buf = cp = apr_palloc(p, outlen + 1);
++ do {
++ if (result->len) {
++ memcpy(cp, result->string, result->len);
++ cp += result->len;
++ }
++ result = result->next;
++ } while (result);
++ res_buf[outlen] = '\0';
++
++ return res_buf;
+ }
++
+ AP_DECLARE(int) ap_cfg_closefile(ap_configfile_t *cfp)
+ {
+ #ifdef DEBUG
+
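Review bot: The rewritten ap_resolve_env sums the expansion length before allocating, which is what removes the fixed `tmp[MAX_STRING_LEN]` that the old `strcat`/`strncat` calls could overrun, but nothing in the code says so; a comment above the `struct sll` declaration along the lines of `/* Two passes: collect literal runs and getenv() values into a list (first SMALL_EXPANSION entries on the stack, the rest from p) while summing their lengths, then copy once into a pool buffer of exactly outlen+1 bytes -- no fixed-size buffer is involved. */` would keep the next maintainer from reintroducing one. `# define SMALL_EXPANSION 5` is introduced inside the function body but never undefined, so the name leaks into the rest of util.c; add `# undef SMALL_EXPANSION` after the assembly loop or hoist the define to file scope. Separately, the port file is named `patch-secfix-server:utils.c` while the file it patches is `server/util.c`; renaming it avoids a misleading entry in files/.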
diff --git a/www/apache2/files/patch-secfix-srclib:apr-util:test:testuri.c b/www/apache2/files/patch-secfix-srclib:apr-util:test:testuri.c
new file mode 100644
index 000000000000..2efb768f9c79
--- /dev/null
+++ b/www/apache2/files/patch-secfix-srclib:apr-util:test:testuri.c
@@ -0,0 +1,33 @@
+--- srclib/apr-util/test/testuri.c
++++ srclib/apr-util/test/testuri.c
+@@ -36,6 +37,10 @@
+
+ struct aup_test aup_tests[] =
+ {
++ { "http://[/::1]/index.html", APR_EGENERAL },
++ { "http://[", APR_EGENERAL },
++ { "http://[?::1]/index.html", APR_EGENERAL },
++
+ {
+ "http://127.0.0.1:9999/asdf.html",
+ 0, "http", "127.0.0.1:9999", NULL, NULL, "127.0.0.1", "9999", "/asdf.html", NULL, NULL, 9999
+--- srclib/apr-util/uri/apr_uri.c
++++ srclib/apr-util/uri/apr_uri.c
+@@ -307,11 +307,11 @@
+ if (*hostinfo == '[') {
+ v6_offset1 = 1;
+ v6_offset2 = 2;
+- s = uri;
+- do {
+- --s;
+- } while (s >= hostinfo && *s != ':' && *s != ']');
+- if (s < hostinfo || *s == ']') {
++ s = memchr(hostinfo, ']', uri - hostinfo);
++ if (s == NULL) {
++ return APR_EGENERAL;
++ }
++ if (*++s != ':') {
+ s = NULL; /* no port */
+ }
+ }
+
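Review bot: After `s = memchr(hostinfo, ']', uri - hostinfo)` succeeds, `*++s` may read the byte at `uri` itself when `]` is the last character of hostinfo; judging by `uri - hostinfo` being used as the length, that byte is presumably the delimiter (or NUL) that terminated hostinfo, so the read stays in bounds, but a one-line comment such as `/* s <= uri here; the byte at uri is hostinfo's terminator */` would save the next reader the same check. Input with garbage between the bracket and the delimiter, e.g. `[::1]x`, now lands in the `s = NULL; /* no port */` branch instead of being rejected; whether the hostname extraction after the hunk copes with that is not visible here, so a `{ "http://[::1]x/", APR_EGENERAL }` (or whatever result is intended) case in aup_tests would pin it. The testuri.c hunk header `@@ -36,6 +37,10 @@` has mismatched old/new start lines, which patch(1) ignores but which hints that an earlier hunk was dropped when this was extracted from the upstream diff — worth checking nothing needed was lost.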