Bug 113988 - [patch] Fix CVE-2007-1349 in www/mod_perl2
Summary: [patch] Fix CVE-2007-1349 in www/mod_perl2
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-24 14:30 UTC by Henrik Brix Andersen
Modified: 2007-06-27 21:50 UTC (History)
1 user (show)

See Also:


Attachments
mod_perl2.diff (1.31 KB, patch)
2007-06-24 14:30 UTC, Henrik Brix Andersen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Henrik Brix Andersen 2007-06-24 14:30:02 UTC
RegistryCooker.pm in mod_perl 2.x does not properly escape PATH_INFO
before use in a regular expression as noted in CVE-2007-1349:

http://www.freebsd.org/ports/portaudit/ef2ffb03-f2b0-11db-ad25-0010b5a0a860.html

Fix: The patch below fixes this in www/mod_perl2 by disabling pattern
metacharacters in the regex.

The patch was obtained from Gentoo Linux Bugzilla bug #172676:

http://bugs.gentoo.org/172676

Note that vuxml also needs to be updated to reflect the fix of this
problem in www/mod_perl2.
Comment 1 Edwin Groothuis freebsd_committer 2007-06-24 14:30:12 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback
Comment 2 dfilter service freebsd_committer 2007-06-27 21:43:04 UTC
erwin       2007-06-27 20:42:58 UTC

  FreeBSD ports repository

  Modified files:
    www/mod_perl2        Makefile 
  Added files:
    www/mod_perl2/files  patch-RegistryCooker.pm 
  Log:
  mod_perl 2.x does not properly escape PATH_INFO before use in a
  regular expression
  
  PR:             113988
  Submitted by:   Henrik Brix Andersen <henrik@brixandersen.dk>
  Approved by:    maintainer override (3 days, security)
  Security:       CVE-2007-1349,
                  VuXML ef2ffb03-f2b0-11db-ad25-0010b5a0a860
  
  Revision  Changes    Path
  1.56      +4 -1      ports/www/mod_perl2/Makefile
  1.1       +12 -0     ports/www/mod_perl2/files/patch-RegistryCooker.pm (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 Erwin Lansing freebsd_committer 2007-06-27 21:44:47 UTC
State Changed
From-To: feedback->closed

Committed with modification, thanks!