[Pkg-apache-commits] r944 - in /branches/etch-apr-util: changelog patches/00list patches/017_CVE-2009-0023.dpatch patches/018_expat_entity_expansion.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Thu Jun 4 18:25:41 UTC 2009
Author: sf
Date: Thu Jun 4 18:25:40 2009
New Revision: 944
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=944
Log:
security update
Added:
branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch
branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch
Modified:
branches/etch-apr-util/changelog
branches/etch-apr-util/patches/00list
Modified: branches/etch-apr-util/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/changelog?rev=944&op=diff
==============================================================================
--- branches/etch-apr-util/changelog (original)
+++ branches/etch-apr-util/changelog Thu Jun 4 18:25:40 2009
@@ -1,3 +1,12 @@
+apr-util (1.2.7+dfsg-2+etch2) oldstable-security; urgency=high
+
+ * CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes
+ remotely exploitable DoS vulnerabilities in mod_dav_svn and libapreq2.
+ * Fix DoS vulnerability (memory consumption) in handling of internal xml
+ entities.
+
+ -- Stefan Fritsch <sf at debian.org> Wed, 03 Jun 2009 23:12:43 +0200
+
apr-util (1.2.7+dfsg-2) unstable; urgency=low
* Fix stupid code duplication in apr_md[45].c resulting from C&P.
Modified: branches/etch-apr-util/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/00list?rev=944&op=diff
==============================================================================
--- branches/etch-apr-util/patches/00list (original)
+++ branches/etch-apr-util/patches/00list Thu Jun 4 18:25:40 2009
@@ -4,4 +4,6 @@
004_debian_layout_fix
013_ship_find_apu.m4
014_apu_config_dont_list_indep_libs
-099_alternate_md4_md5_impl
+017_CVE-2009-0023
+018_expat_entity_expansion.dpatch
+099_alternate_md4_md5_impl
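Review bot: The new entry `018_expat_entity_expansion.dpatch` carries the `.dpatch` suffix while every other entry in 00list, including the new `017_CVE-2009-0023` right above it, is listed without one. dpatch should accept both spellings, but the mismatch reads like a typo and makes it harder to spot a patch that is listed but missing; normalizing the line to `018_expat_entity_expansion` keeps the list consistent.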
Added: branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch?rev=944&op=file
==============================================================================
--- branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch (added)
+++ branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch Thu Jun 4 18:25:40 2009
@@ -1,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -urNad apr-util-1.2.12+dfsg~/strmatch/apr_strmatch.c apr-util-1.2.12+dfsg/strmatch/apr_strmatch.c
+--- apr-util-1.2.12+dfsg~/strmatch/apr_strmatch.c 2009-06-02 18:58:49.000000000 +0200
++++ apr-util-1.2.12+dfsg/strmatch/apr_strmatch.c 2009-06-03 23:03:55.650337096 +0200
+@@ -74,7 +74,7 @@
+ }
+ s_tmp--;
+ }
+- s_next += shift[apr_tolower(*s_next)];
++ s_next += shift[(unsigned char)apr_tolower(*s_next)];
+ }
+ return NULL;
+ }
+@@ -103,13 +103,13 @@
+ if (case_sensitive) {
+ pattern->compare = match_boyer_moore_horspool;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[(int)s[i]] = pattern->length - i - 1;
++ shift[(unsigned char)s[i]] = pattern->length - i - 1;
+ }
+ }
+ else {
+ pattern->compare = match_boyer_moore_horspool_nocase;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[apr_tolower(s[i])] = pattern->length - i - 1;
++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+ }
+ }
+ pattern->context = shift;
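Review bot: Only the case-insensitive matcher and apr_strmatch_precompile receive the `(unsigned char)` cast; the case-sensitive matcher match_boyer_moore_horspool, whose shift lookup sits above the first hunk, is not touched by this patch. In other apr-util releases that line reads `s_next += shift[(int)*s_next];`, which produces a negative index into the shift table (presumably 256 entries) for high-bit bytes on signed-char platforms exactly like the lines fixed here, and the upstream fix changes it to `s_next += shift[(unsigned char)*s_next];` — check the etch source before shipping this patch alone. The cast on apr_tolower's result is what keeps the index in range, since tolower returns int; the argument side relies on apr_tolower itself widening its operand to unsigned char, which holds if apr_lib.h's macro is in use here. Unlike 018, this dpatch has no `## DP:` description lines; a line such as `## DP: CVE-2009-0023: index the Boyer-Moore-Horspool shift table with unsigned char so high-bit bytes cannot yield a negative index` would make it self-describing. Both enclosing functions start and end outside the hunks.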
Added: branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch?rev=944&op=file
==============================================================================
--- branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch (added)
+++ branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch Thu Jun 4 18:25:40 2009
@@ -1,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 018_expat_entity_expansion.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad apr-util-1.2.12+dfsg~/xml/apr_xml.c apr-util-1.2.12+dfsg/xml/apr_xml.c
+--- apr-util-1.2.12+dfsg~/xml/apr_xml.c 2007-11-01 15:07:19.000000000 +0100
++++ apr-util-1.2.12+dfsg/xml/apr_xml.c 2009-06-02 19:02:28.063634350 +0200
+@@ -347,6 +347,25 @@
+ return APR_SUCCESS;
+ }
+
++#if XML_MAJOR_VERSION > 0
++/* XML_StopParser is present in expat 2.x */
++#define HAVE_XML_STOPPARSER
++#endif
++
++#ifdef HAVE_XML_STOPPARSER
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ apr_xml_parser *parser = userData;
++
++ XML_StopParser(parser->xp, XML_FALSE);
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+ apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,17 @@
+ XML_SetElementHandler(parser->xp, start_handler, end_handler);
+ XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, simply prevent expenansion
++ * of such entities. */
++#ifdef HAVE_XML_STOPPARSER
++ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++ XML_SetDefaultHandler(parser->xp, NULL);
++#endif
++
+ return parser;
+ }
+
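Review bot: The `#if XML_MAJOR_VERSION > 0` guard contradicts the comment directly under it — it defines HAVE_XML_STOPPARSER for every expat 1.x as well, while the comment says XML_StopParser is an expat 2.x feature (upstream apr-util's version of this block tests `> 1`, if I read it correctly). If the looser test is deliberate because the expat etch builds against already provides XML_StopParser, the comment should say so, e.g. `/* XML_StopParser is present in expat >= 1.95.8 and 2.x */`; otherwise an older 1.x expat would fail to link on the undefined symbol. The `#else` branch passes NULL to XML_SetDefaultHandler, whereas the upstream fix installs an empty handler there, so it is worth confirming against the linked expat that a NULL handler still switches off internal-entity expansion rather than merely unregistering a handler. Whether the XML_StopParser abort in entity_declaration reaches callers depends on apr_xml_parser_feed checking XML_Parse's return value, which lies outside this hunk. The dpatch header's `## DP: No description.` should describe the change (roughly the billion-laughs comment already in the hunk), and that comment has a typo, `expenansion` → `expansion`.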