Date: Sat, 6 Jun 2009 13:51:51 +0400 (MSD) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/135310: [patch][vuxml] devel/apr, www/apache22: fix recent vulnerabilities in APR-util Message-ID: <20090606095151.0E55217156@amnesiac.at.no.dns> Resent-Message-ID: <200906061000.n56A0EUS003406@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 135310 >Category: ports >Synopsis: [patch][vuxml] devel/apr, www/apache22: fix recent vulnerabilities in APR-util >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jun 06 10:00:13 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 8.0-CURRENT amd64 >Organization: Code Labs >Environment: System: FreeBSD 8.0-CURRENT amd64 >Description: Multiple vulnerabilities were discovered in APR-util since 1.3.4: [1]. There are reports from various security teams about this: [2], [3]. There is a PoC at http://securityvulns.ru/files/apache-ied.pl It works for me on Apache 2.2.11_4 with Subversion DAV -- all httpd children are in the RUN state and MaxChild limit is easily reached. >How-To-Repeat: [1] http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3 [2] http://www.securityfocus.com/archive/1/504107 [3] https://bugzilla.redhat.com/show_bug.cgi?id=504390 >Fix: This is the patch for Apache 2.2 port with all fixes backported. It works on my servers for a couple of hours without any visible regressions. --- apache22-backport-apr-util-fixed.diff begins here --- >From 60b761ec3dfe066e0f2aae4a0aa69b96ec76d995 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sat, 6 Jun 2009 12:54:20 +0400 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- www/apache22/Makefile | 2 +- .../files/patch-apr-fix-apr_xml-expat-attack | 51 ++++++++++++++++++++ .../files/patch-apr-fix-brigade_vprintf_overflow | 18 +++++++ .../files/patch-apr-fix-strmatch-underflow | 21 ++++++++ 4 files changed, 91 insertions(+), 1 deletions(-) create mode 100644 www/apache22/files/patch-apr-fix-apr_xml-expat-attack create mode 100644 www/apache22/files/patch-apr-fix-brigade_vprintf_overflow create mode 100644 www/apache22/files/patch-apr-fix-strmatch-underflow diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 97cd44a..e470408 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -9,7 +9,7 @@ PORTNAME= apache PORTVERSION= 2.2.11 -PORTREVISION?= 4 +PORTREVISION?= 5 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} diff --git a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack new file mode 100644 index 0000000..2040f08 --- /dev/null +++ b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack @@ -0,0 +1,51 @@ +Taken from + http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch + +--- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729 ++++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403 +@@ -347,6 +347,25 @@ + return APR_SUCCESS; + } + ++#if XML_MAJOR_VERSION > 1 ++/* Stop the parser if an entity declaration is hit. */ ++static void entity_declaration(void *userData, const XML_Char *entityName, ++ int is_parameter_entity, const XML_Char *value, ++ int value_length, const XML_Char *base, ++ const XML_Char *systemId, const XML_Char *publicId, ++ const XML_Char *notationName) ++{ ++ apr_xml_parser *parser = userData; ++ ++ XML_StopParser(parser->xp, XML_FALSE); ++} ++#else ++/* A noop default_handler. */ ++static void default_handler(void *userData, const XML_Char *s, int len) ++{ ++} ++#endif ++ + APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool) + { + apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser)); +@@ -372,6 +391,19 @@ + XML_SetElementHandler(parser->xp, start_handler, end_handler); + XML_SetCharacterDataHandler(parser->xp, cdata_handler); + ++ /* Prevent the "billion laughs" attack against expat by disabling ++ * internal entity expansion. With 2.x, forcibly stop the parser ++ * if an entity is declared - this is safer and a more obvious ++ * failure mode. With older versions, installing a noop ++ * DefaultHandler means that internal entities will be expanded as ++ * the empty string, which is also sufficient to prevent the ++ * attack. */ ++#if XML_MAJOR_VERSION > 1 ++ XML_SetEntityDeclHandler(parser->xp, entity_declaration); ++#else ++ XML_SetDefaultHandler(parser->xp, default_handler); ++#endif ++ + return parser; + } + diff --git a/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow new file mode 100644 index 0000000..7ac9767 --- /dev/null +++ b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow @@ -0,0 +1,18 @@ +Equal to the fix in the apr-util itself: + http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch + +See discuission about original vulnerability at + http://www.mail-archive.com/dev@apr.apache.org/msg21592.html + +--- srclib/apr-util/buckets/apr_brigade.c.orig 2009-06-06 12:32:12.000000000 +0400 ++++ srclib/apr-util/buckets/apr_brigade.c 2009-06-06 12:35:30.000000000 +0400 +@@ -689,9 +689,6 @@ + return -1; + } + +- /* tack on null terminator to remaining string */ +- *(vd.vbuff.curpos) = '\0'; +- + /* write out what remains in the buffer */ + return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf); + } diff --git a/www/apache22/files/patch-apr-fix-strmatch-underflow b/www/apache22/files/patch-apr-fix-strmatch-underflow new file mode 100644 index 0000000..c1e2523 --- /dev/null +++ b/www/apache22/files/patch-apr-fix-strmatch-underflow @@ -0,0 +1,21 @@ +Fix underflow in apr_strmatch_precompile, + http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch + +--- srclib/apr-util/strmatch/apr_strmatch.c 2009/03/24 11:12:27 757729 ++++ srclib/apr-util/strmatch/apr_strmatch.c 2009/05/29 07:47:52 779878 +@@ -103,13 +103,13 @@ + if (case_sensitive) { + pattern->compare = match_boyer_moore_horspool; + for (i = 0; i < pattern->length - 1; i++) { +- shift[(int)s[i]] = pattern->length - i - 1; ++ shift[(unsigned char)s[i]] = pattern->length - i - 1; + } + } + else { + pattern->compare = match_boyer_moore_horspool_nocase; + for (i = 0; i < pattern->length - 1; i++) { +- shift[apr_tolower(s[i])] = pattern->length - i - 1; ++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1; + } + } + pattern->context = shift; -- 1.6.3.1 --- apache22-backport-apr-util-fixed.diff ends here --- This is the patch that updates the devel/apr to the latest stable version, thus fixing all 3 issues. I had also made portlint happy by using <Tab> after MAKE_JOBS_SAFE. And since there are additional libraries now installed, APU extras logics was a bit changed, because there are two tests for inclusion of BDB/GDBM, not just WITH_<XXX>, but also library existence check. --- update-to-1.3.5-and-1.3.7.diff begins here --- >From 8d36501ac0c6c797a6b1ae59bd71e54b511abeae Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sat, 6 Jun 2009 12:21:27 +0400 Subject: [PATCH] devel/apr: update to 1.3.5 and apr-util to 1.3.7 There were 3 security vulnerabilities in apr-util since 1.3.4: http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- devel/apr/Makefile | 31 +++++++++++++++++++++---------- devel/apr/distinfo | 12 ++++++------ devel/apr/files/patch-apr_hints.m4 | 4 ++-- devel/apr/pkg-plist | 12 ++++++++++++ 4 files changed, 41 insertions(+), 18 deletions(-) diff --git a/devel/apr/Makefile b/devel/apr/Makefile index 0771859..9bfa146 100644 --- a/devel/apr/Makefile +++ b/devel/apr/Makefile @@ -6,7 +6,6 @@ PORTNAME= apr PORTVERSION= ${APR_VERSION}.${APU_VERSION} -PORTREVISION= 1 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_APACHE} MASTER_SITE_SUBDIR= apr @@ -17,7 +16,7 @@ COMMENT= Apache Portability Library LIB_DEPENDS+= expat.6:${PORTSDIR}/textproc/expat2 -MAKE_JOBS_SAFE= yes +MAKE_JOBS_SAFE= yes OPTIONS= THREADS "Enable Threads in apr" on \ IPV6 "Enable IPV6 Support in apr" off \ @@ -28,8 +27,8 @@ OPTIONS= THREADS "Enable Threads in apr" on \ MYSQL "Enable MySQL suport in apr-util" off \ PGSQL "Enable Postgresql suport in apr-util" off -APR_VERSION= 1.3.3 -APU_VERSION= 1.3.4 +APR_VERSION= 1.3.5 +APU_VERSION= 1.3.7 USE_ICONV= yes USE_AUTOTOOLS= automake:19 autoconf:262 libtool:15:env @@ -52,12 +51,6 @@ APU_CONF_ARGS= --with-apr=${APR_WRKDIR} \ .include <bsd.port.pre.mk> -.if defined(WITH_MYSQL) || defined(WITH_PGSQL) || defined (WITH_LDAP) -PLIST_SUB+= APU_EXTRAS="" -.else -PLIST_SUB+= APU_EXTRAS="@comment " -.endif - ########## APR Options .if defined(WITHOUT_THREADS) APR_CONF_ARGS+= --disable-threads @@ -83,8 +76,10 @@ PKGNAMESUFFIX= -ipv6 ######### APR-Util Options .if defined(WITHOUT_GDBM) +PLIST_SUB+= GDBM="@comment " APU_CONF_ARGS+= --without-gdbm .elif defined(WITH_GDBM) || exists(${LOCALBASE}/lib/libgdbm.so.3) +PLIST_SUB+= GDBM="" LIB_DEPENDS+= gdbm.3:${PORTSDIR}/databases/gdbm APU_CONF_ARGS+= --with-gdbm=${LOCALBASE} .if defined(PKGNAMESUFFIX) @@ -93,12 +88,16 @@ PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-gdbm PKGNAMESUFFIX= -gdbm .endif .else +PLIST_SUB+= GDBM="@comment " APR_UTIL_CONF_ARGS+= --without-gdbm .endif .if defined(WITHOUT_BDB) +PLIST_SUB+= BDB="@comment " APU_CONF_ARGS+= --without-berkeley-db .elif defined(WITH_BDB) || exists(${LOCALBASE}/lib/libdb-4.2.so.2) +APU_EXTRAS= yes +PLIST_SUB+= BDB="" USE_BDB= 42+ APU_CONF_ARGS+= --with-berkeley-db=${BDB_INCLUDE_DIR}:${BDB_LIB_DIR} .if defined(PKGNAMESUFFIX) @@ -109,8 +108,11 @@ PKGNAMESUFFIX= -${BDB_INCLUDE_DIR:S,^${LOCALBASE}/include/,,} .endif .if defined(WITHOUT_NDBM) +PLIST_SUB+= NDBM="@comment " APU_CONF_ARGS+= --without-ndbm .elif defined(WITH_NDBM) +APU_EXTRAS= yes +PLIST_SUB+= NDBM="" APU_CONF_ARGS+= --with-ndbm=/usr .if defined(PKGNAMESUFFIX) PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-ndbm @@ -120,6 +122,7 @@ PKGNAMESUFFIX= -ndbm .endif .if defined(WITH_LDAP) +APU_EXTRAS= yes PLIST_SUB+= LDAP="" USE_OPENLDAP= yes APU_CONF_ARGS+= --with-ldap-include=${LOCALBASE}/include \ @@ -134,6 +137,7 @@ PLIST_SUB+= LDAP="@comment " .endif .if defined(WITH_MYSQL) +APU_EXTRAS= yes PLIST_SUB+= MYSQL="" USE_MYSQL= YES APU_CONF_ARGS+= --with-mysql=${LOCALBASE} @@ -150,6 +154,7 @@ PLIST_SUB+= MYSQL="@comment " .endif .if defined(WITH_PGSQL) +APU_EXTRAS= yes PLIST_SUB+= PGSQL="" USE_PGSQL= YES APU_CONF_ARGS+= --with-pgsql=${LOCALBASE} @@ -163,6 +168,12 @@ PKGNAMESUFFIX= -pgsql PLIST_SUB+= PGSQL="@comment " .endif +.if defined(APU_EXTRAS) +PLIST_SUB+= APU_EXTRAS="" +.else +PLIST_SUB+= APU_EXTRAS="@comment " +.endif + post-patch: ${REINPLACE_CMD} -e 's/OSVERSION/'${OSVERSION}'/g' \ ${APR_WRKDIR}/build/apr_hints.m4 diff --git a/devel/apr/distinfo b/devel/apr/distinfo index 52713d4..7e787e6 100644 --- a/devel/apr/distinfo +++ b/devel/apr/distinfo @@ -1,6 +1,6 @@ -MD5 (apr-1.3.3.tar.gz) = b254a9abecaedb05efde71daa7517480 -SHA256 (apr-1.3.3.tar.gz) = 390af2f94c38d9fa03cd6caac3549058bb3e2c4d9f7408b7b829ad75bd5cc273 -SIZE (apr-1.3.3.tar.gz) = 1160542 -MD5 (apr-util-1.3.4.tar.gz) = a10e2ca150ff07f484c724c36142211f -SHA256 (apr-util-1.3.4.tar.gz) = 3f07ffdb18fb853290c9b83e82cd5cae66b8fbc357bd391e846c0afdd24fed7e -SIZE (apr-util-1.3.4.tar.gz) = 778902 +MD5 (apr-1.3.5.tar.gz) = 2a3f33c2186f456fd60a34a7c2989580 +SHA256 (apr-1.3.5.tar.gz) = f047422b39a5e5d933d598bd9fca2a1184e1506e4cd66364a990c7f2cd76960d +SIZE (apr-1.3.5.tar.gz) = 1162875 +MD5 (apr-util-1.3.7.tar.gz) = 0a6802ef6d874db645150ae4a75f41fa +SHA256 (apr-util-1.3.7.tar.gz) = fadd6a0c55596b2c21375942e3acefc33715e647ed4770dc398d08d8783a39e0 +SIZE (apr-util-1.3.7.tar.gz) = 788206 diff --git a/devel/apr/files/patch-apr_hints.m4 b/devel/apr/files/patch-apr_hints.m4 index 5549809..a360c89 100644 --- a/devel/apr/files/patch-apr_hints.m4 +++ b/devel/apr/files/patch-apr_hints.m4 @@ -1,5 +1,5 @@ ---- apr-1.3.3/build/apr_hints.m4.orig Wed Oct 27 11:12:28 2004 -+++ apr-1.3.3/build/apr_hints.m4 Wed Oct 27 11:25:32 2004 +--- apr-1.3.5/build/apr_hints.m4.orig Wed Oct 27 11:12:28 2004 ++++ apr-1.3.5/build/apr_hints.m4 Wed Oct 27 11:25:32 2004 @@ -137,11 +137,7 @@ ;; *-freebsd*) diff --git a/devel/apr/pkg-plist b/devel/apr/pkg-plist index 18e965e..a091c1c 100644 --- a/devel/apr/pkg-plist +++ b/devel/apr/pkg-plist @@ -84,6 +84,18 @@ lib/libaprutil-1.a lib/libaprutil-1.la lib/libaprutil-1.so lib/libaprutil-1.so.%%SHLIB_MAJOR%% +%%BDB%%lib/apr-util-1/apr_dbm_db-1.so +%%BDB%%lib/apr-util-1/apr_dbm_db.so +%%BDB%%lib/apr-util-1/apr_dbm_db.la +%%BDB%%lib/apr-util-1/apr_dbm_db.a +%%GDBM%%lib/apr-util-1/apr_dbm_gdbm-1.so +%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.so +%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.la +%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.a +%%NDBM%%lib/apr-util-1/apr_dbm_ndbm-1.so +%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.so +%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.la +%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.a %%LDAP%%lib/apr-util-1/apr_ldap-1.so %%LDAP%%lib/apr-util-1/apr_ldap.so %%LDAP%%lib/apr-util-1/apr_ldap.la -- 1.6.3.1 --- update-to-1.3.5-and-1.3.7.diff ends here --- The following VuXML entry should be evaluated and added. --- vuln.xml begins here --- <vuln vid="eb9212f7-526b-11de-bbf2-001b77d09812"> <topic>apr -- multiple vulnerabilities</topic> <affects> <package> <name>apr</name> <range><lt>1.3.5.1.3.7</lt></range> </package> <package> <name>apache</name> <range><ge>2.2.0</ge><lt>2.2.11_5</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Secunia reports:</p> <blockquote cite="http://secunia.com/advisories/35284/"> <p>Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).</p> <p>A vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition.</p> <p>A vulnerability is caused due to an error within the "apr_strmatch_precompile()" function in strmatch/apr_strmatch.c, which can be exploited to crash an application using the library.</p> </blockquote> <p>RedHat reports:</p> <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=504390"> <p>A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function.</p> </blockquote> </body> </description> <references> <cvename>CVE-2009-0023</cvename> <bid>35221</bid> <url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url> <url>http://secunia.com/advisories/35284/</url> <url>https://bugzilla.redhat.com/show_bug.cgi?id=504390</url> </references> <dates> <discovery>2009-06-05</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- I have no time yet to look at Apache < 2.2, but may be there are also these bugs in there. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090606095151.0E55217156>