From owner-freebsd-ports Wed Jun 3 11:10:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26365 for freebsd-ports-outgoing; Wed, 3 Jun 1998 11:10:46 -0700 (PDT) (envelope-from owner-freebsd-ports@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26357 for ; Wed, 3 Jun 1998 11:10:43 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id LAA19547; Wed, 3 Jun 1998 11:10:01 -0700 (PDT)
Received: from PeeCee.tbe.com (firewallx.tbe.com [192.88.94.254]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26342 for ; Wed, 3 Jun 1998 11:10:39 -0700 (PDT) (envelope-from dkelly@PeeCee.tbe.com)
Received: (from dkelly@localhost) by PeeCee.tbe.com (8.8.8/8.8.7) id NAA07198; Wed, 3 Jun 1998 13:09:59 -0500 (CDT) (envelope-from dkelly)
Message-Id: <199806031809.NAA07198@PeeCee.tbe.com>
Date: Wed, 3 Jun 1998 13:09:59 -0500 (CDT)
From: dkelly@nebula.tbe.com
Reply-To: dkelly@nebula.tbe.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: dkelly@PeeCee.tbe.com
X-Send-Pr-Version: 3.2
Subject: ports/6851: DFN-CERT and w3c-httpd
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 6851
>Category: ports
>Synopsis: apply DFN-CERT#34784 to CGIParse.c
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 3 11:10:01 PDT 1998
>Last-Modified:
>Originator: David Kelly
>Organization:
>Release: FreeBSD 2.2.6-STABLE i386
>Environment:
>Description:

http://www13.w3.org/Daemon/User/CGI/cgiparse.html says:

Security fix

In reply to DFN-CERT#34784, you should apply this diff to the latest (3.0) version of WWW/Daemon/CGIParse.c:

296c296,297 < printf("QUERY_STRING='%s'; export QUERY_STRING\n", query_string) ; --- > 
printf("QUERY_STRING=%s; export QUERY_STRING\n" > , sh_escape(query_string)) ;

>How-To-Repeat:
>Fix:

add this patch file to w3c-httpd/patches:

>Audit-Trail:
>Unformatted:
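
Review bot: in the replacement printf the value is now emitted as QUERY_STRING=%s with no surrounding quotes, so the safety of the generated shell assignment rests entirely on sh_escape(), and its definition is not part of this hunk. Please include it in the patch or point to where it lives, so it can be checked that it neutralises every character the shell treats specially in an unquoted word: whitespace and newline, both quote characters, backslash, backquote, $, ;, &, |, redirections and glob characters. If CGIParse.c prints other values in the same NAME='%s' form, they would need the same change; the one-line hunk at 296 does not show whether it does.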