[Pkg-apache-commits] r944 - in /branches/etch-apr-util: changelog patches/00list patches/017_CVE-2009-0023.dpatch patches/018_expat_entity_expansion.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Thu Jun 4 18:25:41 UTC 2009


Author: sf
Date: Thu Jun  4 18:25:40 2009
New Revision: 944

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=944
Log:
security update

Added:
    branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch
    branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch
Modified:
    branches/etch-apr-util/changelog
    branches/etch-apr-util/patches/00list

Modified: branches/etch-apr-util/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/changelog?rev=944&op=diff
==============================================================================
--- branches/etch-apr-util/changelog (original)
+++ branches/etch-apr-util/changelog Thu Jun  4 18:25:40 2009
@@ -1,3 +1,12 @@
+apr-util (1.2.7+dfsg-2+etch2) oldstable-security; urgency=high
+
+  * CVE-2009-0023: Fix underflow in apr_strmatch_precompile() which causes
+    remotely exploitable DoS vulnerabilities in mod_dav_svn and libapreq2.
+  * Fix DoS vulnerability (memory consumption) in handling of internal xml
+    entities.
+
+ -- Stefan Fritsch <sf at debian.org>  Wed, 03 Jun 2009 23:12:43 +0200
+
 apr-util (1.2.7+dfsg-2) unstable; urgency=low
 
   * Fix stupid code duplication in apr_md[45].c resulting from C&P.

Modified: branches/etch-apr-util/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/00list?rev=944&op=diff
==============================================================================
--- branches/etch-apr-util/patches/00list (original)
+++ branches/etch-apr-util/patches/00list Thu Jun  4 18:25:40 2009
@@ -4,4 +4,6 @@
 004_debian_layout_fix
 013_ship_find_apu.m4
 014_apu_config_dont_list_indep_libs
-099_alternate_md4_md5_impl
+017_CVE-2009-0023
+018_expat_entity_expansion.dpatch
+099_alternate_md4_md5_impl
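Review bot: The new entry `018_expat_entity_expansion.dpatch` carries the `.dpatch` suffix while every other entry in the list, including the sibling `017_CVE-2009-0023` added in the same hunk, omits it. As far as I recall dpatch accepts both spellings, so this is a point of style rather than a functional problem, but the list is easier to audit when it is uniform; I would write `018_expat_entity_expansion`.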

Added: branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch?rev=944&op=file
==============================================================================
--- branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch (added)
+++ branches/etch-apr-util/patches/017_CVE-2009-0023.dpatch Thu Jun  4 18:25:40 2009
@@ -1,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -urNad apr-util-1.2.12+dfsg~/strmatch/apr_strmatch.c apr-util-1.2.12+dfsg/strmatch/apr_strmatch.c
+--- apr-util-1.2.12+dfsg~/strmatch/apr_strmatch.c	2009-06-02 18:58:49.000000000 +0200
++++ apr-util-1.2.12+dfsg/strmatch/apr_strmatch.c	2009-06-03 23:03:55.650337096 +0200
+@@ -74,7 +74,7 @@
+             }
+             s_tmp--;
+         }
+-        s_next += shift[apr_tolower(*s_next)];
++        s_next += shift[(unsigned char)apr_tolower(*s_next)];
+     }
+     return NULL;
+ }
+@@ -103,13 +103,13 @@
+     if (case_sensitive) {
+         pattern->compare = match_boyer_moore_horspool;
+         for (i = 0; i < pattern->length - 1; i++) {
+-            shift[(int)s[i]] = pattern->length - i - 1;
++            shift[(unsigned char)s[i]] = pattern->length - i - 1;
+         }
+     }
+     else {
+         pattern->compare = match_boyer_moore_horspool_nocase;
+         for (i = 0; i < pattern->length - 1; i++) {
+-            shift[apr_tolower(s[i])] = pattern->length - i - 1;
++            shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+         }
+     }
+     pattern->context = shift;
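Review bot: The case-sensitive branch of apr_strmatch_precompile is fixed in the second nested hunk (`shift[(unsigned char)s[i]]`), but only the nocase matcher's lookup is fixed on the match side (first nested hunk, `s_next += shift[(unsigned char)apr_tolower(*s_next)];`), and there is no hunk for the case-sensitive matcher. If match_boyer_moore_horspool in this apr-util version still indexes with `(int)*s_next`, as I recall it does, a high-bit byte in the scanned buffer yields a negative index into the shift table at match time, the same out-of-bounds access the CVE describes, and it would need `s_next += shift[(unsigned char)*s_next];` as well. Both nested hunks cut through their enclosing functions, so the matcher bodies are not visible here and this should be checked against the full file. The dpatch header also lacks the `## DP:` description lines that 018_expat_entity_expansion.dpatch carries; a one-line `## DP: CVE-2009-0023: index the strmatch shift table with unsigned char so high-bit bytes cannot produce negative indices` would document the patch.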

Added: branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch?rev=944&op=file
==============================================================================
--- branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch (added)
+++ branches/etch-apr-util/patches/018_expat_entity_expansion.dpatch Thu Jun  4 18:25:40 2009
@@ -1,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 018_expat_entity_expansion.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad apr-util-1.2.12+dfsg~/xml/apr_xml.c apr-util-1.2.12+dfsg/xml/apr_xml.c
+--- apr-util-1.2.12+dfsg~/xml/apr_xml.c	2007-11-01 15:07:19.000000000 +0100
++++ apr-util-1.2.12+dfsg/xml/apr_xml.c	2009-06-02 19:02:28.063634350 +0200
+@@ -347,6 +347,25 @@
+     return APR_SUCCESS;
+ }
+ 
++#if XML_MAJOR_VERSION > 0
++/* XML_StopParser is present in expat 2.x */
++#define HAVE_XML_STOPPARSER
++#endif
++
++#ifdef HAVE_XML_STOPPARSER
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++                               int is_parameter_entity, const XML_Char *value,
++                               int value_length, const XML_Char *base,
++                               const XML_Char *systemId, const XML_Char *publicId,
++                               const XML_Char *notationName)
++{
++    apr_xml_parser *parser = userData;
++
++    XML_StopParser(parser->xp, XML_FALSE);
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,17 @@
+     XML_SetElementHandler(parser->xp, start_handler, end_handler);
+     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+ 
++    /* Prevent the "billion laughs" attack against expat by disabling
++     * internal entity expansion.  With 2.x, forcibly stop the parser
++     * if an entity is declared - this is safer and a more obvious
++     * failure mode.  With older versions, simply prevent expenansion
++     * of such entities. */
++#ifdef HAVE_XML_STOPPARSER
++    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++    XML_SetDefaultHandler(parser->xp, NULL);
++#endif
++
+     return parser;
+ }
+ 
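Review bot: The guard `#if XML_MAJOR_VERSION > 0` in the first nested hunk does not match its own comment `XML_StopParser is present in expat 2.x`: it also selects the XML_StopParser path for any expat 1.x header that defines XML_MAJOR_VERSION, and whether that function exists there depends on the exact 1.95.x release, so a build against an older 1.x expat could fail while the comment suggests only 2.x is covered. Either the comment should state the actual minimum expat version the guard relies on, or the guard should match the comment (`#if XML_MAJOR_VERSION > 1`); I cannot tell from the hunk which was intended. The block comment in the second nested hunk has a typo, `expenansion` should be `expansion`. The dpatch header's `## DP: No description.` should be replaced by something like `## DP: Mitigate entity-expansion ("billion laughs") DoS in apr_xml: stop the parser on entity declarations with expat 2.x, or disable internal entity expansion with older expat.` The second nested hunk lies inside apr_xml_parser_create, whose body begins in the first nested hunk and continues outside the visible lines.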



