diff options
| author | Dirk Meyer <dinoex@FreeBSD.org> | 2007-09-10 08:00:17 +0000 |
|---|---|---|
| committer | Dirk Meyer <dinoex@FreeBSD.org> | 2007-09-10 08:00:17 +0000 |
| commit | 1818c12920dbfab06ce3272318ad57bdac8ee825 (patch) | |
| tree | 2fed5576ab13f3333d998f0c14d1d7dcc408eee1 /www/apache13-modssl/files | |
| parent | 5a69d8eede88177a49e131b77335c37e434dd3ff (diff) | |
| download | ports-1818c12920dbfab06ce3272318ad57bdac8ee825.tar.gz ports-1818c12920dbfab06ce3272318ad57bdac8ee825.zip | |
Notes
Diffstat (limited to 'www/apache13-modssl/files')
| -rw-r--r-- | www/apache13-modssl/files/patch-CVE-2007-3304 | 348 |
1 files changed, 348 insertions, 0 deletions
diff --git a/www/apache13-modssl/files/patch-CVE-2007-3304 b/www/apache13-modssl/files/patch-CVE-2007-3304 new file mode 100644 index 000000000000..235aae2214b1 --- /dev/null +++ b/www/apache13-modssl/files/patch-CVE-2007-3304 @@ -0,0 +1,348 @@ +--- src/CHANGES.orig Thu Jul 27 20:19:46 2006 ++++ src/CHANGES Mon Sep 10 09:25:24 2007 +@@ -1,3 +1,22 @@ ++Changes with Apache 1.3.39 ++ ++ *) SECURITY: CVE-2006-5752 (cve.mitre.org) ++ mod_status: Fix a possible XSS attack against a site with a public ++ server-status page and ExtendedStatus enabled, for browsers which ++ perform charset "detection". Reported by Stefan Esser. [Joe Orton] ++ ++ *) SECURITY: CVE-2007-3304 (cve.mitre.org) ++ Ensure that the parent process cannot be forced to kill non-child ++ processes by checking scoreboard PID data with parent process ++ privately stored PID data. [Jim Jagielski] ++ ++ *) mime.types: Many updates to sync with IANA registry and common ++ unregistered types that the owners refuse to register. Admins ++ are encouraged to update their installed mime.types file. ++ PR: 35550, 37798, 39317, 31483 [Roy T. Fielding] ++ ++There was no Apache 1.3.38 ++ + Changes with Apache 1.3.37 + + *) SECURITY: CVE-2006-3747 (cve.mitre.org) +@@ -25,10 +44,11 @@ + *) core: Allow usage of the "Include" configuration directive within + previously "Include"d files. [Colm MacCarthaigh] + +- *) HTML-escape the Expect error message. Not classed as security as +- an attacker has no way to influence the Expect header a victim will +- send to a target site. Reported by Thiago Zaninotti +- <thiango nstalker.com>. [Mark Cox] ++ *) SECURITY: CVE-2006-3918 (cve.mitre.org) ++ HTML-escape the Expect error message. Only a security issue if ++ an attacker can influence the Expect header a victim will send to a ++ target site (it's known that some versions of Flash can do this) ++ Reported by Thiago Zaninotti <thiango nstalker.com>. [Mark Cox] + + *) mod_cgi: Remove block on OPTIONS method so that scripts can + respond to OPTIONS directly rather than via server default. +--- src/Configure.orig Mon Sep 10 09:25:22 2007 ++++ src/Configure Mon Sep 10 09:25:24 2007 +@@ -457,7 +457,7 @@ + PLATOSVERS=`echo $PLAT | sed 's/^.*freebsd//'` + OS="FreeBSD $PLATOSVERS" + case "$PLATOSVERS" in +- [2345]*) ++ [234567]*) + DEF_WANTHSREGEX=no + CFLAGS="$CFLAGS -funsigned-char" + ;; +@@ -2002,7 +2002,7 @@ + # select the special subtarget for shared core generation + SUBTARGET=target_shared + # determine additional suffixes for libhttpd.so +- V=1 R=3 P=37 ++ V=1 R=3 P=39 + if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then + SHLIB_SUFFIX_LIST="" + fi +--- src/include/httpd.h.orig Mon Sep 10 09:25:22 2007 ++++ src/include/httpd.h Mon Sep 10 09:25:24 2007 +@@ -419,7 +419,7 @@ + + #define SERVER_BASEVENDOR "Apache Group" + #define SERVER_BASEPRODUCT "Apache" +-#define SERVER_BASEREVISION "1.3.37" ++#define SERVER_BASEREVISION "1.3.39" + #define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION + + #define SERVER_PRODUCT SERVER_BASEPRODUCT +@@ -443,7 +443,7 @@ + * Always increases along the same track as the source branch. + * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'. + */ +-#define APACHE_RELEASE 10337100 ++#define APACHE_RELEASE 10339100 + + #define SERVER_PROTOCOL "HTTP/1.1" + #ifndef SERVER_SUPPORT +--- src/main/NWGNUmakefile.mak.orig Mon Oct 31 18:00:43 2005 ++++ src/main/NWGNUmakefile.mak Mon Sep 10 09:25:24 2007 +@@ -39,10 +39,8 @@ + $(EOLIST) + + ifdef MULTIPROC +-XLFLAGS += \ +- XDCData $(NWOS)\apache.xdc \ +- $(EOLIST) +-endif ++XDCDATA = $(NWOS)\apache.xdc ++endif + + # + # These values will be appended to the correct variables based on the value of +--- src/NWGNUmakefile.mak.orig Mon Oct 31 18:00:43 2005 ++++ src/NWGNUmakefile.mak Mon Sep 10 09:25:24 2007 +@@ -40,10 +40,8 @@ + $(EOLIST) + + ifdef MULTIPROC +-XLFLAGS += \ +- XDCData $(NWOS)\apache.xdc \ +- $(EOLIST) +-endif ++XDCDATA = $(NWOS)\apache.xdc ++endif + + # + # These values will be appended to the correct variables based on the value of +--- src/main/http_main.c.orig Mon Sep 10 09:25:22 2007 ++++ src/main/http_main.c Mon Sep 10 09:28:31 2007 +@@ -357,9 +357,17 @@ + char tpf_mutex_key[TPF_MUTEX_KEY_SIZE]; + #endif /* TPF */ + ++/* ++ * Shared memory scoreboard ++ */ + scoreboard *ap_scoreboard_image = NULL; + + /* ++ * Parent process local storage of child pids ++ */ ++static table *pid_table; ++ ++/* + * Pieces for managing the contents of the Server response header + * field. + */ +@@ -375,6 +383,33 @@ + API_VAR_EXPORT int ap_change_shmem_uid = 0; + + /* ++ * Check the pid table to see if the actual pid exists ++ */ ++ ++static int in_pid_table(int pid) { ++ char apid[64]; /* WAY generous! */ ++ const char *spid; ++ ap_snprintf(apid, sizeof(apid), "%d", pid); ++ spid = ap_table_get(pid_table, apid); ++ if (spid && spid[0] == '1' && spid[1] == '\0') ++ return 1; ++ else ++ return 0; ++} ++ ++static void set_pid_table(int pid) { ++ char apid[64]; ++ ap_snprintf(apid, sizeof(apid), "%d", pid); ++ ap_table_set(pid_table, apid, "1"); ++} ++ ++static void unset_pid_table(int pid) { ++ char apid[64]; ++ ap_snprintf(apid, sizeof(apid), "%d", pid); ++ ap_table_unset(pid_table, apid); ++} ++ ++/* + * This routine is called when the pconf pool is vacuumed. It resets the + * server version string to a known value and [re]enables modifications + * (which are disabled by configuration completion). +@@ -2829,9 +2864,15 @@ + if (pid == my_pid || pid == 0) + continue; + ++ if (!in_pid_table(pid)) { ++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf, ++ "Bad pid (%d) in scoreboard slot %d", pid, i); ++ continue; ++ } + waitret = waitpid(pid, &status, WNOHANG); + if (waitret == pid || waitret == -1) { + ap_scoreboard_image->parent[i].pid = 0; ++ unset_pid_table(pid); + continue; + } + ++not_dead_yet; +@@ -2929,13 +2970,22 @@ + + for (n = 0; n < max_daemons_limit; ++n) { + ap_sync_scoreboard_image(); +- if (ap_scoreboard_image->servers[n].status != SERVER_DEAD && +- kill((pid = ap_scoreboard_image->parent[n].pid), 0) == -1) { +- ap_update_child_status(n, SERVER_DEAD, NULL); +- /* just mark it as having a successful exit status */ +- bzero((char *) status, sizeof(ap_wait_t)); +- return(pid); +- } ++ pid = ap_scoreboard_image->parent[n].pid; ++ if (ap_scoreboard_image->servers[n].status != SERVER_DEAD) { ++ if (in_pid_table(pid)) { ++ if (kill(pid, 0) == -1) { ++ ap_update_child_status(n, SERVER_DEAD, NULL); ++ /* just mark it as having a successful exit status */ ++ bzero((char *) status, sizeof(ap_wait_t)); ++ unset_pid_table(pid); /* to be safe */ ++ return(pid); ++ } ++ } ++ else { ++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf, ++ "Bad pid (%d) in scoreboard slot %d", pid, n); ++ } ++ } + } + return 0; + } +@@ -2958,15 +3008,21 @@ + #define MAXWAITOBJ MAXIMUM_WAIT_OBJECTS + HANDLE h[MAXWAITOBJ]; + int e[MAXWAITOBJ]; +- int round, pi, hi, rv, err; ++ int round, pi, hi, rv, err, pid; + for (round = 0; round <= (HARD_SERVER_LIMIT - 1) / MAXWAITOBJ + 1; round++) { + hi = 0; + for (pi = round * MAXWAITOBJ; + (pi < (round + 1) * MAXWAITOBJ) && (pi < HARD_SERVER_LIMIT); + pi++) { + if (ap_scoreboard_image->servers[pi].status != SERVER_DEAD) { +- e[hi] = pi; +- h[hi++] = (HANDLE) ap_scoreboard_image->parent[pi].pid; ++ e[hi] = pi; ++ pid = ap_scoreboard_image->parent[pi].pid; ++ if (in_pid_table(pid)) ++ h[hi++] = (HANDLE) pid; ++ else { ++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf, ++ "Bad pid (%d) in scoreboard slot %d", pid, pi); ++ } + } + + } +@@ -4408,6 +4464,8 @@ + ap_server_pre_read_config = ap_make_array(pcommands, 1, sizeof(char *)); + ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *)); + ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *)); ++ ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *)); ++ pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT); + + #ifdef EAPI + ap_hook_init(); +@@ -5081,6 +5139,7 @@ + ap_scoreboard_image->parent[slot].last_rtime = now; + #endif + ap_scoreboard_image->parent[slot].pid = pid; ++ set_pid_table(pid); + #ifdef SCOREBOARD_FILE + lseek(scoreboard_fd, XtOffsetOf(scoreboard, parent[slot]), 0); + force_write(scoreboard_fd, &ap_scoreboard_image->parent[slot], +@@ -5143,6 +5202,7 @@ + int i; + int to_kill; + int idle_count; ++ int pid; + short_score *ss; + time_t now = time(NULL); + int free_length; +@@ -5207,8 +5267,15 @@ + else if (ps->last_rtime + ss->timeout_len < now) { + /* no progress, and the timeout length has been exceeded */ + ss->timeout_len = 0; +- kill(ps->pid, SIG_TIMEOUT_KILL); +- } ++ pid = ps->pid; ++ if (in_pid_table(pid)) { ++ kill(pid, SIG_TIMEOUT_KILL); ++ } ++ else { ++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf, ++ "Bad pid (%d) in scoreboard slot %d", pid, i); ++ } ++ } + } + #endif + } +@@ -5220,11 +5287,18 @@ + * while we were counting. Use the define SIG_IDLE_KILL to reflect + * which signal should be used on the specific OS. + */ +- kill(ap_scoreboard_image->parent[to_kill].pid, SIG_IDLE_KILL); +- idle_spawn_rate = 1; ++ pid = ap_scoreboard_image->parent[to_kill].pid; ++ if (in_pid_table(pid)) { ++ kill(pid, SIG_IDLE_KILL); ++ idle_spawn_rate = 1; + #ifdef TPF +- ap_update_child_status(to_kill, SERVER_DEAD, (request_rec *)NULL); ++ ap_update_child_status(to_kill, SERVER_DEAD, (request_rec *)NULL); + #endif ++ } ++ else { ++ ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, server_conf, ++ "Bad pid (%d) in scoreboard slot %d", pid, to_kill); ++ } + } + else if (idle_count < ap_daemons_min_free) { + /* terminate the free list */ +@@ -5471,6 +5545,7 @@ + } + #endif + if (pid >= 0) { ++ unset_pid_table(pid); + process_child_status(pid, status); + /* non-fatal death... note that it's gone in the scoreboard. */ + ap_sync_scoreboard_image(); +@@ -5796,7 +5871,7 @@ + if (!tpf_child) { + memcpy(tpf_server_name, input_parms.parent.servname, + INETD_SERVNAME_LENGTH); +- tpf_server_name[INETD_SERVNAME_LENGTH + 1] = '\0'; ++ tpf_server_name[INETD_SERVNAME_LENGTH] = '\0'; + sprintf(tpf_mutex_key, "%.*x", (int) TPF_MUTEX_KEY_SIZE - 1, getpid()); + tpf_parent_pid = getppid(); + ap_open_logs(server_conf, plog); +--- src/modules/standard/mod_status.c.orig Mon Sep 10 09:25:24 2007 ++++ src/modules/standard/mod_status.c Mon Sep 10 09:25:24 2007 +@@ -221,7 +221,7 @@ + if (r->method_number != M_GET) + return DECLINED; + +- r->content_type = "text/html"; ++ r->content_type = "text/html; charset=ISO-8859-1"; + + /* + * Simple table-driven form data set parser that lets you alter the header +@@ -247,7 +247,7 @@ + no_table_report = 1; + break; + case STAT_OPT_AUTO: +- r->content_type = "text/plain"; ++ r->content_type = "text/plain; charset=ISO-8859-1"; + short_report = 1; + break; + } +@@ -591,7 +591,8 @@ + ap_rputs(")\n", r); + ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n", + ap_escape_html(r->pool, score_record.client), +- ap_escape_html(r->pool, score_record.request), ++ ap_escape_html(r->pool, ++ ap_escape_logitem(r->pool, score_record.request)), + vhost ? ap_escape_html(r->pool, + vhost->server_hostname) : "(unavailable)"); + } |