Diffstat (limited to 'www/apache13-modssl/files/patch-CVE-2007-6388')
-rw-r--r-- | www/apache13-modssl/files/patch-CVE-2007-6388 | 399 |
1 files changed, 399 insertions, 0 deletions
diff --git a/www/apache13-modssl/files/patch-CVE-2007-6388 b/www/apache13-modssl/files/patch-CVE-2007-6388
new file mode 100644
index 000000000000..473e953d1a7e
--- /dev/null
+++ b/www/apache13-modssl/files/patch-CVE-2007-6388
@@ -0,0 +1,399 @@ +diff -ur conf/mime.types apache_1.3.41/conf/mime.types +--- conf/mime.types 2007-09-01 00:03:39.000000000 +0200 ++++ apache_1.3.41/conf/mime.types 2008-01-02 23:12:12.000000000 +0100 +@@ -82,6 +82,10 @@ + application/mbox mbox + application/mediaservercontrol+xml mscml + application/mikey ++application/moss-keys ++application/moss-signature ++application/mosskey-data ++application/mosskey-request + application/mp4 mp4s + application/mpeg4-generic + application/mpeg4-iod +@@ -135,6 +139,10 @@ + application/samlassertion+xml + application/samlmetadata+xml + application/sbml+xml sbml ++application/scvp-cv-request scq ++application/scvp-cv-response scs ++application/scvp-vp-request spq ++application/scvp-vp-response spp + application/sdp sdp + application/set-payment + application/set-payment-initiation setpay +@@ -152,6 +160,8 @@ + application/smil+xml smi smil + application/soap+fastinfoset + application/soap+xml ++application/sparql-query rq ++application/sparql-results+xml srx + application/spirits-event+xml + application/srgs gram + application/srgs+xml grxml +@@ -159,6 +169,7 @@ + application/timestamp-query + application/timestamp-reply + application/tve-trigger ++application/ulpfec + application/vemmi + application/vividence.scriptfile + application/vnd.3gpp.bsf+xml +@@ -168,6 +179,7 @@ + application/vnd.3gpp.sms + application/vnd.3gpp2.bcmcsinfo+xml + application/vnd.3gpp2.sms ++application/vnd.3gpp2.tcap tcap + application/vnd.3m.post-it-notes pwn + application/vnd.accpac.simply.aso aso + application/vnd.accpac.simply.imp imp +@@ -317,6 +329,7 @@ + application/vnd.japannet-verification-wakeup + application/vnd.jcp.javame.midlet-rms rms + application/vnd.jisp jisp ++application/vnd.joost.joda-archive joda + application/vnd.kahootz ktz ktr + application/vnd.kde.karbon karbon + application/vnd.kde.kchart chrt +@@ -393,9 +406,13 @@ + application/vnd.ms-xpsdocument xps + application/vnd.mseq mseq + application/vnd.msign 
++application/vnd.multiad.creator ++application/vnd.multiad.creator.cif + application/vnd.music-niff + application/vnd.musician mus ++application/vnd.muvee.style msty + application/vnd.ncd.control ++application/vnd.ncd.reference + application/vnd.nervana + application/vnd.netfpx + application/vnd.neurolanguage.nlu nlu +@@ -455,7 +472,10 @@ + application/vnd.oma.dd2+xml dd2 + application/vnd.oma.drm.risd+xml + application/vnd.oma.group-usage-list+xml ++application/vnd.oma.poc.detailed-progress-report+xml ++application/vnd.oma.poc.final-report+xml + application/vnd.oma.poc.groups+xml ++application/vnd.oma.poc.optimized-progress-report+xml + application/vnd.oma.xcap-directory+xml + application/vnd.omads-email+xml + application/vnd.omads-file+xml +@@ -495,6 +515,7 @@ + application/vnd.rn-realmedia rm + application/vnd.ruckus.download + application/vnd.s3sms ++application/vnd.sbm.mid2 + application/vnd.scribus + application/vnd.sealed.3df + application/vnd.sealed.csf +@@ -571,6 +592,7 @@ + application/vnd.wap.wmlscriptc wmlsc + application/vnd.webturbo wtb + application/vnd.wfa.wsc ++application/vnd.wmc + application/vnd.wordperfect wpd + application/vnd.wqd wqd + application/vnd.wrq-hp3000-labelled +@@ -742,6 +764,7 @@ + audio/t38 + audio/telephone-event + audio/tone ++audio/ulpfec + audio/vdvi + audio/vmr-wb + audio/vnd.3gpp.iufp +@@ -812,7 +835,7 @@ + image/vnd.fujixerox.edmics-mmr mmr + image/vnd.fujixerox.edmics-rlc rlc + image/vnd.globalgraphics.pgb +-image/vnd.microsoft.icon ico ++image/vnd.microsoft.icon + image/vnd.mix + image/vnd.ms-modi mdi + image/vnd.net-fpx npx +@@ -824,7 +847,7 @@ + image/vnd.xiff xif + image/x-cmu-raster ras + image/x-cmx cmx +-image/x-icon ++image/x-icon ico + image/x-pcx pcx + image/x-pict pic pct + image/x-portable-anymap pnm +@@ -847,6 +870,7 @@ + message/sip + message/sipfrag + message/tracking-status ++message/vnd.si.simp + model/iges igs iges + model/mesh msh mesh silo + model/vnd.dwf dwf +@@ -894,6 +918,7 @@ + text/t140 + 
text/tab-separated-values tsv + text/troff t tr roff man me ms ++text/ulpfec + text/uri-list uri uris urls + text/vnd.abc + text/vnd.curl +@@ -909,6 +934,7 @@ + text/vnd.motorola.reflex + text/vnd.ms-mediapackage + text/vnd.net2phone.commcenter.command ++text/vnd.si.uricatalogue + text/vnd.sun.j2me.app-descriptor jad + text/vnd.trolltech.linguist + text/vnd.wap.si +@@ -957,6 +983,7 @@ + video/rtp-enc-aescm128 + video/rtx + video/smpte292m ++video/ulpfec + video/vc1 + video/vnd.dlna.mpeg-tts + video/vnd.fvt fvt +diff -ur src/CHANGES apache_1.3.41/src/CHANGES +--- src/CHANGES 2007-09-04 14:28:53.000000000 +0200 ++++ apache_1.3.41/src/CHANGES 2008-01-09 15:33:07.000000000 +0100 +@@ -1,3 +1,29 @@ ++Changes with Apache 1.3.41 ++ ++ *) SECURITY: CVE-2007-6388 (cve.mitre.org) ++ mod_status: Ensure refresh parameter is numeric to prevent ++ a possible XSS attack caused by redirecting to other URLs. ++ Reported by SecurityReason. [Mark Cox] ++ ++Changes with Apache 1.3.40 (not released) ++ ++ *) SECURITY: CVE-2007-5000 (cve.mitre.org) ++ mod_imap: Fix cross-site scripting issue. Reported by JPCERT. ++ [Joe Orton] ++ ++ *) SECURITY: CVE-2007-3847 (cve.mitre.org) ++ mod_proxy: Prevent reading past the end of a buffer when parsing ++ date-related headers. PR 41144. ++ With Apache 1.3, the denial of service vulnerability applies only ++ to the Windows and NetWare platforms. ++ [Jeff Trawick] ++ ++ *) More efficient implementation of the CVE-2007-3304 PID table ++ patch. This fixes issues with excessive memory usage by the ++ parent process if long-running and with a high number of child ++ process forks during that timeframe. Also fixes bogus "Bad pid" ++ errors. 
[Jim Jagielski, Jeff Trawick] ++ + Changes with Apache 1.3.39 + + *) SECURITY: CVE-2006-5752 (cve.mitre.org) +diff -ur src/Configure apache_1.3.41/src/Configure +--- src/Configure 2007-08-10 17:45:50.000000000 +0200 ++++ apache_1.3.41/src/Configure 2008-01-04 15:40:05.000000000 +0100 +@@ -1936,7 +1936,7 @@ + # select the special subtarget for shared core generation + SUBTARGET=target_shared + # determine additional suffixes for libhttpd.so +- V=1 R=3 P=39 ++ V=1 R=3 P=41 + if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then + SHLIB_SUFFIX_LIST="" + fi +diff -ur src/include/httpd.h apache_1.3.41/src/include/httpd.h +--- src/include/httpd.h 2007-09-04 14:28:53.000000000 +0200 ++++ apache_1.3.41/src/include/httpd.h 2008-01-10 17:20:45.000000000 +0100 +@@ -389,7 +389,7 @@ + + #define SERVER_BASEVENDOR "Apache Group" + #define SERVER_BASEPRODUCT "Apache" +-#define SERVER_BASEREVISION "1.3.39" ++#define SERVER_BASEREVISION "1.3.41" + #define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION + + #define SERVER_PRODUCT SERVER_BASEPRODUCT +@@ -410,7 +410,7 @@ + * Always increases along the same track as the source branch. + * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'. + */ +-#define APACHE_RELEASE 10339100 ++#define APACHE_RELEASE 10341100 + + #define SERVER_PROTOCOL "HTTP/1.1" + #ifndef SERVER_SUPPORT +diff -ur src/main/http_main.c apache_1.3.41/src/main/http_main.c +--- src/main/http_main.c 2007-06-04 21:26:21.000000000 +0200 ++++ apache_1.3.41/src/main/http_main.c 2007-11-15 22:31:15.000000000 +0100 +@@ -362,7 +362,7 @@ + /* + * Parent process local storage of child pids + */ +-static table *pid_table; ++static int pid_table[HARD_SERVER_LIMIT]; + + /* + * Pieces for managing the contents of the Server response header +@@ -384,26 +384,34 @@ + */ + + static int in_pid_table(int pid) { +- char apid[64]; /* WAY generous! 
*/ +- const char *spid; +- ap_snprintf(apid, sizeof(apid), "%d", pid); +- spid = ap_table_get(pid_table, apid); +- if (spid && spid[0] == '1' && spid[1] == '\0') +- return 1; +- else +- return 0; ++ int i; ++ for (i = 0; i < HARD_SERVER_LIMIT; i++) { ++ if (pid_table[i] == pid) { ++ return 1; ++ } ++ } ++ return 0; + } + + static void set_pid_table(int pid) { +- char apid[64]; +- ap_snprintf(apid, sizeof(apid), "%d", pid); +- ap_table_set(pid_table, apid, "1"); ++ int i; ++ for (i = 0; i < HARD_SERVER_LIMIT; i++) { ++ if (pid_table[i] == 0) { ++ pid_table[i] = pid; ++ break; ++ } ++ } ++ /* NOTE: Error detection?? */ + } + + static void unset_pid_table(int pid) { +- char apid[64]; +- ap_snprintf(apid, sizeof(apid), "%d", pid); +- ap_table_unset(pid_table, apid); ++ int i; ++ for (i = 0; i < HARD_SERVER_LIMIT; i++) { ++ if (pid_table[i] == pid) { ++ pid_table[i] = 0; ++ break; ++ } ++ } + } + + /* +@@ -2680,7 +2688,10 @@ + ss->vhostrec = r->server; + } + } +- if (status == SERVER_STARTING && r == NULL) { ++ if (status == SERVER_DEAD) { ++ ap_scoreboard_image->parent[child_num].pid = 0; ++ } ++ else if (status == SERVER_STARTING && r == NULL) { + /* clean up the slot's vhostrec pointer (maybe re-used) + * and mark the slot as belonging to a new generation. 
+ */ +@@ -4370,6 +4381,7 @@ + */ + static void common_init(void) + { ++ int i; + INIT_SIGLIST() + #ifdef AUX3 + (void) set42sig(); +@@ -4465,6 +4477,9 @@ + ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *)); + ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *)); +- pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT); ++ /* overkill since static */ ++ for (i = 0; i < HARD_SERVER_LIMIT; i++) { ++ pid_table[i] = 0; ++ } + + #ifdef EAPI + ap_hook_init(); +diff -ur src/modules/proxy/proxy_util.c apache_1.3.41/src/modules/proxy/proxy_util.c +--- src/modules/proxy/proxy_util.c 2006-07-12 10:16:05.000000000 +0200 ++++ apache_1.3.41/src/modules/proxy/proxy_util.c 2007-10-30 20:17:03.000000000 +0100 +@@ -282,7 +282,8 @@ + *q = ','; + if (wk == 7) + return x; /* not a valid date */ +- if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' || ++ if (strlen(q) != 24 || ++ q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' || + q[17] != ':' || strcmp(&q[20], " GMT") != 0) + return x; + if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year, +@@ -294,8 +295,9 @@ + year += 1900; + } + else { +-/* check for acstime() date */ +- if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' || ++/* check for asctime() date */ ++ if (strlen(x) != 24 || ++ x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' || + x[16] != ':' || x[19] != ' ' || x[24] != '\0') + return x; + if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour, +diff -ur src/modules/standard/mod_imap.c apache_1.3.41/src/modules/standard/mod_imap.c +--- src/modules/standard/mod_imap.c 2006-07-12 10:16:05.000000000 +0200 ++++ apache_1.3.41/src/modules/standard/mod_imap.c 2007-12-12 13:36:54.000000000 +0100 +@@ -463,7 +463,7 @@ + + static void menu_header(request_rec *r, char *menu) + { +- r->content_type = "text/html"; ++ r->content_type = "text/html; charset=ISO-8859-1"; + ap_send_http_header(r); + #ifdef CHARSET_EBCDIC + /* 
Server-generated response, converted */ +@@ -471,11 +471,13 @@ + #endif + ap_hard_timeout("send menu", r); /* killed in menu_footer */ + +- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri, +- "</title>\n</head><body>\n", NULL); ++ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", ++ ap_escape_html(r->pool, r->uri), ++ "</title>\n</head><body>\n", NULL); + + if (!strcasecmp(menu, "formatted")) { +- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL); ++ ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri), ++ "</h1>\n<hr>\n\n", NULL); + } + + return; +diff -ur src/modules/standard/mod_status.c apache_1.3.41/src/modules/standard/mod_status.c +--- src/modules/standard/mod_status.c 2007-07-24 20:03:56.000000000 +0200 ++++ apache_1.3.41/src/modules/standard/mod_status.c 2008-01-07 03:31:11.000000000 +0100 +@@ -232,17 +232,15 @@ + while (status_options[i].id != STAT_OPT_END) { + if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) { + switch (status_options[i].id) { +- case STAT_OPT_REFRESH: +- if (*(loc + strlen(status_options[i].form_data_str)) == '=' +- && atol(loc + strlen(status_options[i].form_data_str) +- + 1) > 0) +- ap_table_set(r->headers_out, +- status_options[i].hdr_out_str, +- loc + strlen(status_options[i].hdr_out_str) + 1); +- else +- ap_table_set(r->headers_out, +- status_options[i].hdr_out_str, "1"); +- break; ++ case STAT_OPT_REFRESH: { ++ long refreshtime = 0; ++ if (*(loc + strlen(status_options[i].form_data_str)) == '=') ++ refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1); ++ ap_table_set(r->headers_out, ++ status_options[i].hdr_out_str, ++ ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime)); ++ break; ++ } + case STAT_OPT_NOTABLE: + no_table_report = 1; + break; |
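Review bot: The new `STAT_OPT_REFRESH` case in the embedded mod_status.c hunk (end of this hunk) still parses the attacker-controlled query value with `atol`, whose result is undefined when the digits overflow `long`; the refresh value itself is now emitted through `ap_psprintf(..., "%ld", ...)`, so the header can no longer carry a redirect URL, but the parse step would be more robust as `errno = 0;` / `refreshtime = strtol(loc + strlen(status_options[i].form_data_str)+1, NULL, 10);` / `if (errno == ERANGE) refreshtime = 0;`, which also falls back to the default of 10 on out-of-range input. The surrounding `while (status_options[i].id != STAT_OPT_END)` loop and its enclosing function begin and end outside this hunk. Separately, the rewritten `set_pid_table` in the http_main.c part of the same hunk leaves its own `/* NOTE: Error detection?? */` marker: when all `HARD_SERVER_LIMIT` slots are occupied the pid is silently dropped, and `in_pid_table(0)` presumably matches any empty slot because 0 doubles as the free-slot sentinel; a comment such as `/* pid 0 is the free-slot marker; callers must never pass it */` would make that contract explicit until a caller audit confirms it is never hit.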