Bug 135310 - [patch][vuxml] devel/apr, www/apache22: fix recent vulnerabilities in APR-util
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Philip M. Gollucci
Reported: 2009-06-06 11:00 UTC by Eygene Ryabinkin
Modified: 2009-06-08 06:20 UTC
Attachments
vuln.xml (1.88 KB, text/plain)
2009-06-06 11:00 UTC, Eygene Ryabinkin

Description Eygene Ryabinkin 2009-06-06 11:00:13 UTC
Multiple vulnerabilities were discovered in APR-util since 1.3.4: [1].
There are reports from various security teams about this: [2], [3].
There is a PoC at
  http://securityvulns.ru/files/apache-ied.pl
It works for me on Apache 2.2.11_4 with Subversion DAV -- all httpd
children are in the RUN state and MaxChild limit is easily reached.

Fix: This is the patch for Apache 2.2 port with all fixes backported.
It works on my servers for a couple of hours without any visible
regressions.

This is the patch that updates devel/apr to the latest stable
version, thus fixing all 3 issues.  I also made portlint happy
by using <Tab> after MAKE_JOBS_SAFE.  And since there are additional
libraries now installed, the APU extras logic was changed a bit, because
there are two tests for inclusion of BDB/GDBM: not just WITH_<XXX>,
but also a library existence check.

From 8d36501ac0c6c797a6b1ae59bd71e54b511abeae Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Jun 2009 12:21:27 +0400
Subject: [PATCH] devel/apr: update to 1.3.5 and apr-util to 1.3.7

There were 3 security vulnerabilities in apr-util since 1.3.4:
  http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 devel/apr/Makefile                 |   31 +++++++++++++++++++++----------
 devel/apr/distinfo                 |   12 ++++++------
 devel/apr/files/patch-apr_hints.m4 |    4 ++--
 devel/apr/pkg-plist                |   12 ++++++++++++
 4 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/devel/apr/Makefile b/devel/apr/Makefile
index 0771859..9bfa146 100644
--- a/devel/apr/Makefile
+++ b/devel/apr/Makefile
@@ -6,7 +6,6 @@
 
 PORTNAME=	apr
 PORTVERSION=	${APR_VERSION}.${APU_VERSION}
-PORTREVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_APACHE}
 MASTER_SITE_SUBDIR=	apr
@@ -17,7 +16,7 @@ COMMENT=	Apache Portability Library
 
 LIB_DEPENDS+=	expat.6:${PORTSDIR}/textproc/expat2
 
-MAKE_JOBS_SAFE=  yes
+MAKE_JOBS_SAFE=	yes
 
 OPTIONS=	THREADS "Enable Threads in apr"						on  \
 			IPV6	"Enable IPV6 Support in apr"				off \
@@ -28,8 +27,8 @@ OPTIONS=	THREADS "Enable Threads in apr"						on  \
 			MYSQL	"Enable MySQL suport in apr-util"			off \
 			PGSQL	"Enable Postgresql suport in apr-util"		off
 
-APR_VERSION=	1.3.3
-APU_VERSION=	1.3.4
+APR_VERSION=	1.3.5
+APU_VERSION=	1.3.7
 
 USE_ICONV=		yes
 USE_AUTOTOOLS=	automake:19 autoconf:262 libtool:15:env
@@ -52,12 +51,6 @@ APU_CONF_ARGS=	--with-apr=${APR_WRKDIR} \
 
 .include <bsd.port.pre.mk>
 
-.if defined(WITH_MYSQL) || defined(WITH_PGSQL) || defined (WITH_LDAP) 
-PLIST_SUB+=	APU_EXTRAS=""
-.else
-PLIST_SUB+=	APU_EXTRAS="@comment "
-.endif
-
 ########## APR Options
 .if defined(WITHOUT_THREADS)
 APR_CONF_ARGS+=	--disable-threads
@@ -83,8 +76,10 @@ PKGNAMESUFFIX=	-ipv6
 
 ######### APR-Util Options
 .if defined(WITHOUT_GDBM)
+PLIST_SUB+=	GDBM="@comment "
 APU_CONF_ARGS+=	--without-gdbm
 .elif defined(WITH_GDBM) || exists(${LOCALBASE}/lib/libgdbm.so.3)
+PLIST_SUB+=	GDBM=""
 LIB_DEPENDS+=	gdbm.3:${PORTSDIR}/databases/gdbm
 APU_CONF_ARGS+=	--with-gdbm=${LOCALBASE}
 .if defined(PKGNAMESUFFIX)
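
Review bot: The GDBM `.elif` branch in this hunk gets `PLIST_SUB+= GDBM=""` but no `APU_EXTRAS= yes`, while the BDB, NDBM, LDAP, MySQL and PostgreSQL branches later in this patch all set it. With GDBM as the only enabled backend, the closing `.if defined(APU_EXTRAS)` block will emit `APU_EXTRAS="@comment "` even though the `%%GDBM%%lib/apr-util-1/apr_dbm_gdbm*` files are installed. Add `APU_EXTRAS= yes` here, or say in the commit message why GDBM is exempt.
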
@@ -93,12 +88,16 @@ PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-gdbm
 PKGNAMESUFFIX=	-gdbm
 .endif
 .else
+PLIST_SUB+=	GDBM="@comment "
 APR_UTIL_CONF_ARGS+=	--without-gdbm
 .endif
 
 .if defined(WITHOUT_BDB)
+PLIST_SUB+=	BDB="@comment "
 APU_CONF_ARGS+=	--without-berkeley-db
 .elif defined(WITH_BDB) || exists(${LOCALBASE}/lib/libdb-4.2.so.2)
+APU_EXTRAS=	yes
+PLIST_SUB+=	BDB=""
 USE_BDB=	42+
 APU_CONF_ARGS+=	--with-berkeley-db=${BDB_INCLUDE_DIR}:${BDB_LIB_DIR}
 .if defined(PKGNAMESUFFIX)
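
Review bot: In the GDBM `.else` branch at the top of this hunk, the unchanged line `APR_UTIL_CONF_ARGS+= --without-gdbm` appends to a variable that no other visible line uses; every other branch appends to `APU_CONF_ARGS`. If that is a leftover typo, `--without-gdbm` never reaches configure in the default case, while the new `GDBM="@comment "` hides the plist entries, so a GDBM module that configure picks up by other means would be installed but unlisted. Since the branch is being edited anyway, switch it to `APU_CONF_ARGS`.
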
@@ -109,8 +108,11 @@ PKGNAMESUFFIX=	-${BDB_INCLUDE_DIR:S,^${LOCALBASE}/include/,,}
 .endif
 
 .if defined(WITHOUT_NDBM)
+PLIST_SUB+=	NDBM="@comment "
 APU_CONF_ARGS+=	--without-ndbm
 .elif defined(WITH_NDBM)
+APU_EXTRAS=	yes
+PLIST_SUB+=	NDBM=""
 APU_CONF_ARGS+=	--with-ndbm=/usr
 .if defined(PKGNAMESUFFIX)
 PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-ndbm
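
Review bot: `NDBM` is given a `PLIST_SUB` value only under `WITHOUT_NDBM` and `WITH_NDBM` in this hunk; unlike the GDBM block there is no visible `.else` default. If the lines between hunks do not add one, a build with neither knob defined leaves `%%NDBM%%` unexpanded in pkg-plist. The BDB block in the previous hunk has the same shape. Add a default `PLIST_SUB+= NDBM="@comment "` (and the same for `BDB`), or confirm that an `.else` branch exists.
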
@@ -120,6 +122,7 @@ PKGNAMESUFFIX=	-ndbm
 .endif
 
 .if defined(WITH_LDAP)
+APU_EXTRAS=	yes
 PLIST_SUB+=	LDAP=""
 USE_OPENLDAP=	yes
 APU_CONF_ARGS+=	--with-ldap-include=${LOCALBASE}/include \
@@ -134,6 +137,7 @@ PLIST_SUB+=	LDAP="@comment "
 .endif
 
 .if defined(WITH_MYSQL)
+APU_EXTRAS=	yes
 PLIST_SUB+=	MYSQL=""
 USE_MYSQL=	YES
 APU_CONF_ARGS+=	--with-mysql=${LOCALBASE}
@@ -150,6 +154,7 @@ PLIST_SUB+=	MYSQL="@comment "
 .endif
 
 .if defined(WITH_PGSQL)
+APU_EXTRAS=	yes
 PLIST_SUB+=	PGSQL=""
 USE_PGSQL=	YES
 APU_CONF_ARGS+=	--with-pgsql=${LOCALBASE}
@@ -163,6 +168,12 @@ PKGNAMESUFFIX=	-pgsql
 PLIST_SUB+=	PGSQL="@comment "
 .endif
 
+.if defined(APU_EXTRAS)
+PLIST_SUB+=	APU_EXTRAS=""
+.else
+PLIST_SUB+=	APU_EXTRAS="@comment "
+.endif
+
 post-patch:
 	${REINPLACE_CMD} -e 's/OSVERSION/'${OSVERSION}'/g' \
 		${APR_WRKDIR}/build/apr_hints.m4
diff --git a/devel/apr/distinfo b/devel/apr/distinfo
index 52713d4..7e787e6 100644
--- a/devel/apr/distinfo
+++ b/devel/apr/distinfo
@@ -1,6 +1,6 @@
-MD5 (apr-1.3.3.tar.gz) = b254a9abecaedb05efde71daa7517480
-SHA256 (apr-1.3.3.tar.gz) = 390af2f94c38d9fa03cd6caac3549058bb3e2c4d9f7408b7b829ad75bd5cc273
-SIZE (apr-1.3.3.tar.gz) = 1160542
-MD5 (apr-util-1.3.4.tar.gz) = a10e2ca150ff07f484c724c36142211f
-SHA256 (apr-util-1.3.4.tar.gz) = 3f07ffdb18fb853290c9b83e82cd5cae66b8fbc357bd391e846c0afdd24fed7e
-SIZE (apr-util-1.3.4.tar.gz) = 778902
+MD5 (apr-1.3.5.tar.gz) = 2a3f33c2186f456fd60a34a7c2989580
+SHA256 (apr-1.3.5.tar.gz) = f047422b39a5e5d933d598bd9fca2a1184e1506e4cd66364a990c7f2cd76960d
+SIZE (apr-1.3.5.tar.gz) = 1162875
+MD5 (apr-util-1.3.7.tar.gz) = 0a6802ef6d874db645150ae4a75f41fa
+SHA256 (apr-util-1.3.7.tar.gz) = fadd6a0c55596b2c21375942e3acefc33715e647ed4770dc398d08d8783a39e0
+SIZE (apr-util-1.3.7.tar.gz) = 788206
diff --git a/devel/apr/files/patch-apr_hints.m4 b/devel/apr/files/patch-apr_hints.m4
index 5549809..a360c89 100644
--- a/devel/apr/files/patch-apr_hints.m4
+++ b/devel/apr/files/patch-apr_hints.m4
@@ -1,5 +1,5 @@
---- apr-1.3.3/build/apr_hints.m4.orig	Wed Oct 27 11:12:28 2004
-+++ apr-1.3.3/build/apr_hints.m4	Wed Oct 27 11:25:32 2004
+--- apr-1.3.5/build/apr_hints.m4.orig	Wed Oct 27 11:12:28 2004
++++ apr-1.3.5/build/apr_hints.m4	Wed Oct 27 11:25:32 2004
 @@ -137,11 +137,7 @@
  	;;
      *-freebsd*)
diff --git a/devel/apr/pkg-plist b/devel/apr/pkg-plist
index 18e965e..a091c1c 100644
--- a/devel/apr/pkg-plist
+++ b/devel/apr/pkg-plist
@@ -84,6 +84,18 @@ lib/libaprutil-1.a
 lib/libaprutil-1.la
 lib/libaprutil-1.so
 lib/libaprutil-1.so.%%SHLIB_MAJOR%%
+%%BDB%%lib/apr-util-1/apr_dbm_db-1.so
+%%BDB%%lib/apr-util-1/apr_dbm_db.so
+%%BDB%%lib/apr-util-1/apr_dbm_db.la
+%%BDB%%lib/apr-util-1/apr_dbm_db.a
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm-1.so
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.so
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.la
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.a
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm-1.so
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.so
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.la
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.a
 %%LDAP%%lib/apr-util-1/apr_ldap-1.so
 %%LDAP%%lib/apr-util-1/apr_ldap.so
 %%LDAP%%lib/apr-util-1/apr_ldap.la
-- 
1.6.3.1
--- update-to-1.3.5-and-1.3.7.diff ends here ---

The following VuXML entry should be evaluated and added.


I have no time yet to look at Apache < 2.2, but maybe there are also
these bugs in there.

apache22-backport-apr-util-fixed.diff:

From 60b761ec3dfe066e0f2aae4a0aa69b96ec76d995 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Jun 2009 12:54:20 +0400

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 www/apache22/Makefile                              |    2 +-
 .../files/patch-apr-fix-apr_xml-expat-attack       |   51 ++++++++++++++++++++
 .../files/patch-apr-fix-brigade_vprintf_overflow   |   18 +++++++
 .../files/patch-apr-fix-strmatch-underflow         |   21 ++++++++
 4 files changed, 91 insertions(+), 1 deletions(-)
 create mode 100644 www/apache22/files/patch-apr-fix-apr_xml-expat-attack
 create mode 100644 www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
 create mode 100644 www/apache22/files/patch-apr-fix-strmatch-underflow

diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 97cd44a..e470408 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.2.11
-PORTREVISION?=	4
+PORTREVISION?=	5
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
 DISTNAME=	httpd-${PORTVERSION}
diff --git a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
new file mode 100644
index 0000000..2040f08
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
@@ -0,0 +1,51 @@
+Taken from
+  http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
+
+--- srclib/apr-util/xml/apr_xml.c	2009/03/24 11:12:27	757729
++++ srclib/apr-util/xml/apr_xml.c	2009/06/03 14:26:19	781403
+@@ -347,6 +347,25 @@
+     return APR_SUCCESS;
+ }
+ 
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++                               int is_parameter_entity, const XML_Char *value,
++                               int value_length, const XML_Char *base,
++                               const XML_Char *systemId, const XML_Char *publicId,
++                               const XML_Char *notationName)
++{
++    apr_xml_parser *parser = userData;
++
++    XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,19 @@
+     XML_SetElementHandler(parser->xp, start_handler, end_handler);
+     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+ 
++    /* Prevent the "billion laughs" attack against expat by disabling
++     * internal entity expansion.  With 2.x, forcibly stop the parser
++     * if an entity is declared - this is safer and a more obvious
++     * failure mode.  With older versions, installing a noop
++     * DefaultHandler means that internal entities will be expanded as
++     * the empty string, which is also sufficient to prevent the
++     * attack. */
++#if XML_MAJOR_VERSION > 1
++    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++    XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+     return parser;
+ }
+ 
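
Review bot: The two preprocessor branches fail differently and the patch header does not say so. Under `XML_MAJOR_VERSION > 1`, `entity_declaration` calls `XML_StopParser(parser->xp, XML_FALSE)`, so any document that declares an entity is rejected outright, while in the `#else` branch the no-op `default_handler` lets parsing succeed with internal entities expanded to the empty string, as the added comment itself notes. Please state in the header which expat the port builds against and that documents with entity declarations now stop parsing (or are silently altered), so that a regression report from a DAV client can be traced back to this change.
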
diff --git a/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
new file mode 100644
index 0000000..7ac9767
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
@@ -0,0 +1,18 @@
+Equal to the fix in the apr-util itself:
+  http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch
+
+See discuission about original vulnerability at
+  http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
+
+--- srclib/apr-util/buckets/apr_brigade.c.orig	2009-06-06 12:32:12.000000000 +0400
++++ srclib/apr-util/buckets/apr_brigade.c	2009-06-06 12:35:30.000000000 +0400
+@@ -689,9 +689,6 @@
+       return -1;
+     }
+ 
+-    /* tack on null terminator to remaining string */
+-    *(vd.vbuff.curpos) = '\0';
+-
+     /* write out what remains in the buffer */
+     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
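
Review bot: The header links to the discussion but does not say why deleting `*(vd.vbuff.curpos) = '\0';` is safe. From the visible context it is: the following `apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf)` passes an explicit length, so nothing reads the terminator, and the removed store is the only write in the hunk that could land one byte past the formatted data. One sentence to that effect in the header would help the next maintainer; "discuission" should also read "discussion".
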
diff --git a/www/apache22/files/patch-apr-fix-strmatch-underflow b/www/apache22/files/patch-apr-fix-strmatch-underflow
new file mode 100644
index 0000000..c1e2523
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-strmatch-underflow
@@ -0,0 +1,21 @@
+Fix underflow in apr_strmatch_precompile,
+  http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch
+
+--- srclib/apr-util/strmatch/apr_strmatch.c	2009/03/24 11:12:27	757729
++++ srclib/apr-util/strmatch/apr_strmatch.c	2009/05/29 07:47:52	779878
+@@ -103,13 +103,13 @@
+     if (case_sensitive) {
+         pattern->compare = match_boyer_moore_horspool;
+         for (i = 0; i < pattern->length - 1; i++) {
+-            shift[(int)s[i]] = pattern->length - i - 1;
++            shift[(unsigned char)s[i]] = pattern->length - i - 1;
+         }
+     }
+     else {
+         pattern->compare = match_boyer_moore_horspool_nocase;
+         for (i = 0; i < pattern->length - 1; i++) {
+-            shift[apr_tolower(s[i])] = pattern->length - i - 1;
++            shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+         }
+     }
+     pattern->context = shift;
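
Review bot: Only the two table-building loops are changed here; the lookups into `shift` made by `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` are outside this hunk. Confirm that they index with `unsigned char` as well, otherwise a subject string containing bytes above 0x7f can still index before the start of the table where `char` is signed. The header would also be clearer if it said that the underflow is the negative array index produced by `(int)s[i]`.
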
-- 
1.6.3.1
How-To-Repeat: 
[1] http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
[2] http://www.securityfocus.com/archive/1/504107
[3] https://bugzilla.redhat.com/show_bug.cgi?id=504390
Comment 1 Edwin Groothuis freebsd_committer 2009-06-06 11:00:31 UTC
Responsible Changed
From-To: freebsd-ports-bugs->pgollucci

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Eygene Ryabinkin 2009-06-06 17:13:53 UTC
Apache 2.0.63 seems to be vulnerable too: it has the same code sequences
as 2.2.11.

Here is the patch for 2.0.x:
--- apache20-backport-apr-util-fixes.diff begins here ---
=46rom 04771d6460c9d7325e6f2b4fc0efe14122997514 Mon Sep 17 00:00:00 2001
=46rom: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Jun 2009 18:54:40 +0400
Subject: [PATCH] www/apache20: backport fixes for bugs in apr-util

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 www/apache20/Makefile                              |    2 +-
 .../files/patch-apr-fix-apr_xml-expat-attack       |   51 ++++++++++++++++=
++++
 .../files/patch-apr-fix-brigade_vprintf_overflow   |   18 +++++++
 .../files/patch-apr-fix-strmatch-underflow         |   21 ++++++++
 4 files changed, 91 insertions(+), 1 deletions(-)
 create mode 100644 www/apache20/files/patch-apr-fix-apr_xml-expat-attack
 create mode 100644 www/apache20/files/patch-apr-fix-brigade_vprintf_overfl=
ow
 create mode 100644 www/apache20/files/patch-apr-fix-strmatch-underflow

diff --git a/www/apache20/Makefile b/www/apache20/Makefile
index 80653b5..6e22438 100644
--- a/www/apache20/Makefile
+++ b/www/apache20/Makefile
@@ -9,7 +9,7 @@
=20
 PORTNAME=3D	apache
 PORTVERSION=3D	2.0.63
-PORTREVISION=3D	2
+PORTREVISION=3D	3
 CATEGORIES=3D	www
 MASTER_SITES=3D	${MASTER_SITE_APACHE_HTTPD} \
 		${MASTER_SITE_LOCAL:S/$/:powerlogo/}
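
Review bot: This copy of the patch is still quoted-printable encoded and will not apply as posted: in this hunk the assignments read `PORTNAME=3D` and `PORTREVISION=3D`, the blank context line is `=20`, and longer lines elsewhere are split with a trailing `=`. Resend it as an attachment or in a transfer-safe encoding so that `patch` sees the original bytes.
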
diff --git a/www/apache20/files/patch-apr-fix-apr_xml-expat-attack b/www/ap=
ache20/files/patch-apr-fix-apr_xml-expat-attack
new file mode 100644
index 0000000..2040f08
--- /dev/null
+++ b/www/apache20/files/patch-apr-fix-apr_xml-expat-attack
@@ -0,0 +1,51 @@
+Taken from
+  http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=3D757729&r2=
=3D781403&view=3Dpatch
+
+--- srclib/apr-util/xml/apr_xml.c	2009/03/24 11:12:27	757729
++++ srclib/apr-util/xml/apr_xml.c	2009/06/03 14:26:19	781403
+@@ -347,6 +347,25 @@
+     return APR_SUCCESS;
+ }
+=20
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++                               int is_parameter_entity, const XML_Char *v=
alue,
++                               int value_length, const XML_Char *base,
++                               const XML_Char *systemId, const XML_Char *=
publicId,
++                               const XML_Char *notationName)
++{
++    apr_xml_parser *parser =3D userData;
++
++    XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+     apr_xml_parser *parser =3D apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,19 @@
+     XML_SetElementHandler(parser->xp, start_handler, end_handler);
+     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+=20
++    /* Prevent the "billion laughs" attack against expat by disabling
++     * internal entity expansion.  With 2.x, forcibly stop the parser
++     * if an entity is declared - this is safer and a more obvious
++     * failure mode.  With older versions, installing a noop
++     * DefaultHandler means that internal entities will be expanded as
++     * the empty string, which is also sufficient to prevent the
++     * attack. */
++#if XML_MAJOR_VERSION > 1
++    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++    XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+     return parser;
+ }
+=20
diff --git a/www/apache20/files/patch-apr-fix-brigade_vprintf_overflow b/ww=
w/apache20/files/patch-apr-fix-brigade_vprintf_overflow
new file mode 100644
index 0000000..7ac9767
--- /dev/null
+++ b/www/apache20/files/patch-apr-fix-brigade_vprintf_overflow
@@ -0,0 +1,18 @@
+Equal to the fix in the apr-util itself:
+  http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=3D76=
8417&r2=3D768416&pathrev=3D768417&view=3Dpatch
+
+See discuission about original vulnerability at
+  http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
+
+--- srclib/apr-util/buckets/apr_brigade.c.orig	2009-06-06 12:32:12.0000000=
00 +0400
++++ srclib/apr-util/buckets/apr_brigade.c	2009-06-06 12:35:30.000000000 +0=
400
+@@ -689,9 +689,6 @@
+       return -1;
+     }
+=20
+-    /* tack on null terminator to remaining string */
+-    *(vd.vbuff.curpos) =3D '\0';
+-
+     /* write out what remains in the buffer */
+     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
diff --git a/www/apache20/files/patch-apr-fix-strmatch-underflow b/www/apac=
he20/files/patch-apr-fix-strmatch-underflow
new file mode 100644
index 0000000..c1e2523
--- /dev/null
+++ b/www/apache20/files/patch-apr-fix-strmatch-underflow
@@ -0,0 +1,21 @@
+Fix underflow in apr_strmatch_precompile,
+  http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=3D=
757729&r2=3D779878&view=3Dpatch
+
+--- srclib/apr-util/strmatch/apr_strmatch.c	2009/03/24 11:12:27	757729
++++ srclib/apr-util/strmatch/apr_strmatch.c	2009/05/29 07:47:52	779878
+@@ -103,13 +103,13 @@
+     if (case_sensitive) {
+         pattern->compare =3D match_boyer_moore_horspool;
+         for (i =3D 0; i < pattern->length - 1; i++) {
+-            shift[(int)s[i]] =3D pattern->length - i - 1;
++            shift[(unsigned char)s[i]] =3D pattern->length - i - 1;
+         }
+     }
+     else {
+         pattern->compare =3D match_boyer_moore_horspool_nocase;
+         for (i =3D 0; i < pattern->length - 1; i++) {
+-            shift[apr_tolower(s[i])] =3D pattern->length - i - 1;
++            shift[(unsigned char)apr_tolower(s[i])] =3D pattern->length -=
 i - 1;
+         }
+     }
+     pattern->context =3D shift;
--=20
1.6.3.1
--- apache20-backport-apr-util-fixes.diff ends here ---

Here's the updated VuXML entry:
--- vuln.xml begins here ---
  <vuln vid="eb9212f7-526b-11de-bbf2-001b77d09812">
    <topic>apr -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>apr</name>
        <range><lt>1.3.5.1.3.7</lt></range>
      </package>
      <package>
        <name>apache</name>
        <range><ge>2.2.0</ge><lt>2.2.11_5</lt></range>
        <range><ge>2.0.0</ge><lt>2.0.63_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/35284/">
          <p>Some vulnerabilities have been reported in APR-util, which
          can be exploited by malicious users and malicious people to
          cause a DoS (Denial of Service).</p>
          <p>A vulnerability is caused due to an error in the processing
          of XML files and can be exploited to exhaust all available
          memory via a specially crafted XML file containing a
          predefined entity inside an entity definition.</p>
          <p>A vulnerability is caused due to an error within the
          "apr_strmatch_precompile()" function in
          strmatch/apr_strmatch.c, which can be exploited to crash an
          application using the library.</p>
        </blockquote>
        <p>RedHat reports:</p>
        <blockquote
          cite="https://bugzilla.redhat.com/show_bug.cgi?id=504390">
          <p>A single NULL byte buffer overflow flaw was found in
          apr-util's apr_brigade_vprintf() function.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0023</cvename>
      <bid>35221</bid>
      <url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>
      <url>http://secunia.com/advisories/35284/</url>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=504390</url>
    </references>
    <dates>
      <discovery>2009-06-05</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

All three patched ports build fine on my Tinderbox for 6.x, 7.x and 8.x.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
Comment 3 dfilter service freebsd_committer 2009-06-08 03:54:24 UTC
pgollucci    2009-06-08 02:54:14 UTC

  FreeBSD ports repository

  Modified files:
    devel/apr            Makefile distinfo pkg-plist 
    devel/apr/files      patch-apr_hints.m4 
  Log:
  - Update to apr: 1.3.5, apr: 1.3.7
  - Pet Portlint
  - Fix APU_EXTRAs in pkg-plist
  
  Security:       http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
  PR:             ports/135310
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  
  Revision  Changes    Path
  1.79      +22 -11    ports/devel/apr/Makefile
  1.20      +6 -6      ports/devel/apr/distinfo
  1.15      +2 -2      ports/devel/apr/files/patch-apr_hints.m4
  1.20      +12 -0     ports/devel/apr/pkg-plist
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 dfilter service freebsd_committer 2009-06-08 04:10:40 UTC
pgollucci    2009-06-08 03:10:25 UTC

  FreeBSD ports repository

  Modified files:
    www/apache22         Makefile 
  Added files:
    www/apache22/files   patch-apr-fix-apr_xml-expat-attack 
                         patch-apr-fix-brigade_vprintf_overflow 
                         patch-apr-fix-strmatch-underflow 
  Log:
  - Backport apr-util security fixes pending the 2.2.12 release (forthcoming)
  
  Security:       http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
  PR:             ports/135310
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  With Hat:       apache
  
  Revision  Changes    Path
  1.235     +1 -1      ports/www/apache22/Makefile
  1.1       +51 -0     ports/www/apache22/files/patch-apr-fix-apr_xml-expat-attack (new)
  1.1       +18 -0     ports/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow (new)
  1.1       +21 -0     ports/www/apache22/files/patch-apr-fix-strmatch-underflow (new)
Comment 5 Philip M. Gollucci 2009-06-08 04:13:10 UTC
Can you resubmit the patch for www/apache20 please. It's foobared.

Thanks

$ patch < apache20-backport-apr-util-fixes.diff
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|=46rom 04771d6460c9d7325e6f2b4fc0efe14122997514 Mon Sep 17 00:00:00 2001
|=46rom: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
|Date: Sat, 6 Jun 2009 18:54:40 +0400
|Subject: [PATCH] www/apache20: backport fixes for bugs in apr-util
|
|Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
|---
| www/apache20/Makefile                              |    2 +-
| .../files/patch-apr-fix-apr_xml-expat-attack       |   51
++++++++++++++++=
|++++
| .../files/patch-apr-fix-brigade_vprintf_overflow   |   18 +++++++
| .../files/patch-apr-fix-strmatch-underflow         |   21 ++++++++
| 4 files changed, 91 insertions(+), 1 deletions(-)
| create mode 100644 www/apache20/files/patch-apr-fix-apr_xml-expat-attack
| create mode 100644
www/apache20/files/patch-apr-fix-brigade_vprintf_overfl=
|ow
| create mode 100644 www/apache20/files/patch-apr-fix-strmatch-underflow
|
|diff --git a/www/apache20/Makefile b/www/apache20/Makefile
|index 80653b5..6e22438 100644
|--- a/www/apache20/Makefile
|+++ b/www/apache20/Makefile
--------------------------
Patching file Makefile using Plan A...
Hunk #1 failed at 9.
1 out of 1 hunks failed--saving rejects to Makefile.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/www/apache20/files/patch-apr-fix-apr_xml-expat-attack
b/www/ap=
|ache20/files/patch-apr-fix-apr_xml-expat-attack
|new file mode 100644
|index 0000000..2040f08
|--- /dev/null
|+++ b/www/apache20/files/patch-apr-fix-apr_xml-expat-attack
--------------------------
(Creating file patch-apr-fix-apr_xml-expat-attack...)
Patching file patch-apr-fix-apr_xml-expat-attack using Plan A...
patch: **** malformed patch at line 41: =3D781403&view=3Dpatch
Comment 6 Philip M. Gollucci freebsd_committer 2009-06-08 04:14:03 UTC
State Changed
From-To: open->feedback

Ask for submitter fix.
Comment 7 Eygene Ryabinkin 2009-06-08 05:52:33 UTC
Philip, good day.

Sun, Jun 07, 2009 at 11:13:10PM -0400, Philip M. Gollucci wrote:
> Can you resubmit the patch for www/apache20 please. It's foobared.

Here we go -- uuencoded version follows.
--- apache20-backport-apr-util-fixes.diff begins here ---
M97)?;6]O<F5?:&]R<W!O;VP["BL@("`@("`@("!F;W(@*&D@/2`P.R!I(#P@
M<&%T=&5R;BT^;&5N9W1H("T@,3L@:2LK*2!["BLM("`@("`@("`@("`@<VAI
M9G1;*&EN="ES6VE=72`]('!A='1E<FXM/FQE;F=T:"`M(&D@+2`Q.PHK*R`@
M("`@("`@("`@('-H:69T6RAU;G-I9VYE9"!C:&%R*7-;:5U=(#T@<&%T=&5R
M;BT^;&5N9W1H("T@:2`M(#$["BL@("`@("`@("!]"BL@("`@('T**R`@("`@
M96QS92!["BL@("`@("`@("!P871T97)N+3YC;VUP87)E(#T@;6%T8VA?8F]Y
M97)?;6]O<F5?:&]R<W!O;VQ?;F]C87-E.PHK("`@("`@("`@9F]R("AI(#T@
M,#L@:2`\('!A='1E<FXM/FQE;F=T:"`M(#$[(&DK*RD@>PHK+2`@("`@("`@
M("`@('-H:69T6V%P<E]T;VQO=V5R*'-;:5TI72`]('!A='1E<FXM/FQE;F=T
M:"`M(&D@+2`Q.PHK*R`@("`@("`@("`@('-H:69T6RAU;G-I9VYE9"!C:&%R
M*6%P<E]T;VQO=V5R*'-;:5TI72`]('!A='1E<FXM/FQE;F=T:"`M(&D@+2`Q
M.PHK("`@("`@("`@?0HK("`@("!]"BL@("`@('!A='1E<FXM/F-O;G1E>'0@
6/2!S:&EF=#L*+2T@"C$N-BXS+C$*"@``
`
end
--- apache20-backport-apr-util-fixes.diff ends here ---
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
Comment 8 dfilter service freebsd_committer 2009-06-08 06:11:23 UTC
pgollucci    2009-06-08 05:11:09 UTC

  FreeBSD ports repository

  Modified files:
    www/apache20         Makefile 
  Added files:
    www/apache20/files   patch-apr-fix-apr_xml-expat-attack 
                         patch-apr-fix-brigade_vprintf_overflow 
                         patch-apr-fix-strmatch-underflow 
  Log:
  - Backport apr-util security fixes pending the 2.2.12 release (forthcoming)
  
  Security:       http://www.vuxml.org/freebsd/eb9212f7-526b-11de-bbf2-001b77d09812
  PR:             ports/135310
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  With Hat:       apache
  
  Revision  Changes    Path
  1.260     +1 -1      ports/www/apache20/Makefile
  1.1       +51 -0     ports/www/apache20/files/patch-apr-fix-apr_xml-expat-attack (new)
  1.1       +18 -0     ports/www/apache20/files/patch-apr-fix-brigade_vprintf_overflow (new)
  1.1       +21 -0     ports/www/apache20/files/patch-apr-fix-strmatch-underflow (new)
Comment 9 Philip M. Gollucci freebsd_committer 2009-06-08 06:11:30 UTC
State Changed
From-To: feedback->closed

Committed. Thanks!