Skip site navigation (1)Skip section navigation (2)
Date:      Sat,  6 Jun 2009 13:51:51 +0400 (MSD)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/135310: [patch][vuxml] devel/apr, www/apache22: fix recent vulnerabilities in APR-util
Message-ID:  <20090606095151.0E55217156@amnesiac.at.no.dns>
Resent-Message-ID: <200906061000.n56A0EUS003406@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         135310
>Category:       ports
>Synopsis:       [patch][vuxml] devel/apr, www/apache22: fix recent vulnerabilities in APR-util
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 06 10:00:13 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 8.0-CURRENT amd64

>Description:

Multiple vulnerabilities were discovered in APR-util since 1.3.4: [1].
There are reports from various security teams about this: [2], [3].
There is a PoC at
  http://securityvulns.ru/files/apache-ied.pl
It works for me on Apache 2.2.11_4 with Subversion DAV -- all httpd
children are in the RUN state and MaxChild limit is easily reached.

>How-To-Repeat:

[1] http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
[2] http://www.securityfocus.com/archive/1/504107
[3] https://bugzilla.redhat.com/show_bug.cgi?id=504390

>Fix:

This is the patch for Apache 2.2 port with all fixes backported.
It works on my servers for a couple of hours without any visible
regressions.

--- apache22-backport-apr-util-fixed.diff begins here ---
>From 60b761ec3dfe066e0f2aae4a0aa69b96ec76d995 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Jun 2009 12:54:20 +0400

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 www/apache22/Makefile                              |    2 +-
 .../files/patch-apr-fix-apr_xml-expat-attack       |   51 ++++++++++++++++++++
 .../files/patch-apr-fix-brigade_vprintf_overflow   |   18 +++++++
 .../files/patch-apr-fix-strmatch-underflow         |   21 ++++++++
 4 files changed, 91 insertions(+), 1 deletions(-)
 create mode 100644 www/apache22/files/patch-apr-fix-apr_xml-expat-attack
 create mode 100644 www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
 create mode 100644 www/apache22/files/patch-apr-fix-strmatch-underflow

diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 97cd44a..e470408 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -9,7 +9,7 @@
 
 PORTNAME=	apache
 PORTVERSION=	2.2.11
-PORTREVISION?=	4
+PORTREVISION?=	5
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE_HTTPD}
 DISTNAME=	httpd-${PORTVERSION}
diff --git a/www/apache22/files/patch-apr-fix-apr_xml-expat-attack b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
new file mode 100644
index 0000000..2040f08
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-apr_xml-expat-attack
@@ -0,0 +1,51 @@
+Taken from
+  http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch
+
+--- srclib/apr-util/xml/apr_xml.c	2009/03/24 11:12:27	757729
++++ srclib/apr-util/xml/apr_xml.c	2009/06/03 14:26:19	781403
+@@ -347,6 +347,25 @@
+     return APR_SUCCESS;
+ }
+ 
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++                               int is_parameter_entity, const XML_Char *value,
++                               int value_length, const XML_Char *base,
++                               const XML_Char *systemId, const XML_Char *publicId,
++                               const XML_Char *notationName)
++{
++    apr_xml_parser *parser = userData;
++
++    XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -372,6 +391,19 @@
+     XML_SetElementHandler(parser->xp, start_handler, end_handler);
+     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+ 
++    /* Prevent the "billion laughs" attack against expat by disabling
++     * internal entity expansion.  With 2.x, forcibly stop the parser
++     * if an entity is declared - this is safer and a more obvious
++     * failure mode.  With older versions, installing a noop
++     * DefaultHandler means that internal entities will be expanded as
++     * the empty string, which is also sufficient to prevent the
++     * attack. */
++#if XML_MAJOR_VERSION > 1
++    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++    XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+     return parser;
+ }
+ 
diff --git a/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
new file mode 100644
index 0000000..7ac9767
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-brigade_vprintf_overflow
@@ -0,0 +1,18 @@
+Equal to the fix in the apr-util itself:
+  http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch
+
+See discuission about original vulnerability at
+  http://www.mail-archive.com/dev@apr.apache.org/msg21592.html
+
+--- srclib/apr-util/buckets/apr_brigade.c.orig	2009-06-06 12:32:12.000000000 +0400
++++ srclib/apr-util/buckets/apr_brigade.c	2009-06-06 12:35:30.000000000 +0400
+@@ -689,9 +689,6 @@
+       return -1;
+     }
+ 
+-    /* tack on null terminator to remaining string */
+-    *(vd.vbuff.curpos) = '\0';
+-
+     /* write out what remains in the buffer */
+     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);
+ }
diff --git a/www/apache22/files/patch-apr-fix-strmatch-underflow b/www/apache22/files/patch-apr-fix-strmatch-underflow
new file mode 100644
index 0000000..c1e2523
--- /dev/null
+++ b/www/apache22/files/patch-apr-fix-strmatch-underflow
@@ -0,0 +1,21 @@
+Fix underflow in apr_strmatch_precompile,
+  http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch
+
+--- srclib/apr-util/strmatch/apr_strmatch.c	2009/03/24 11:12:27	757729
++++ srclib/apr-util/strmatch/apr_strmatch.c	2009/05/29 07:47:52	779878
+@@ -103,13 +103,13 @@
+     if (case_sensitive) {
+         pattern->compare = match_boyer_moore_horspool;
+         for (i = 0; i < pattern->length - 1; i++) {
+-            shift[(int)s[i]] = pattern->length - i - 1;
++            shift[(unsigned char)s[i]] = pattern->length - i - 1;
+         }
+     }
+     else {
+         pattern->compare = match_boyer_moore_horspool_nocase;
+         for (i = 0; i < pattern->length - 1; i++) {
+-            shift[apr_tolower(s[i])] = pattern->length - i - 1;
++            shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+         }
+     }
+     pattern->context = shift;
-- 
1.6.3.1
--- apache22-backport-apr-util-fixed.diff ends here ---

This is the patch that updates the devel/apr to the latest stable
version, thus fixing all 3 issues.  I had also made portlint happy
by using <Tab> after MAKE_JOBS_SAFE.  And since there are additional
libraries now installed, APU extras logics was a bit changed, because
there are two tests for inclusion of BDB/GDBM, not just WITH_<XXX>,
but also library existence check.

--- update-to-1.3.5-and-1.3.7.diff begins here ---
>From 8d36501ac0c6c797a6b1ae59bd71e54b511abeae Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 6 Jun 2009 12:21:27 +0400
Subject: [PATCH] devel/apr: update to 1.3.5 and apr-util to 1.3.7

There were 3 security vulnerabilities in apr-util since 1.3.4:
  http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 devel/apr/Makefile                 |   31 +++++++++++++++++++++----------
 devel/apr/distinfo                 |   12 ++++++------
 devel/apr/files/patch-apr_hints.m4 |    4 ++--
 devel/apr/pkg-plist                |   12 ++++++++++++
 4 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/devel/apr/Makefile b/devel/apr/Makefile
index 0771859..9bfa146 100644
--- a/devel/apr/Makefile
+++ b/devel/apr/Makefile
@@ -6,7 +6,6 @@
 
 PORTNAME=	apr
 PORTVERSION=	${APR_VERSION}.${APU_VERSION}
-PORTREVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_APACHE}
 MASTER_SITE_SUBDIR=	apr
@@ -17,7 +16,7 @@ COMMENT=	Apache Portability Library
 
 LIB_DEPENDS+=	expat.6:${PORTSDIR}/textproc/expat2
 
-MAKE_JOBS_SAFE=  yes
+MAKE_JOBS_SAFE=	yes
 
 OPTIONS=	THREADS "Enable Threads in apr"						on  \
 			IPV6	"Enable IPV6 Support in apr"				off \
@@ -28,8 +27,8 @@ OPTIONS=	THREADS "Enable Threads in apr"						on  \
 			MYSQL	"Enable MySQL suport in apr-util"			off \
 			PGSQL	"Enable Postgresql suport in apr-util"		off
 
-APR_VERSION=	1.3.3
-APU_VERSION=	1.3.4
+APR_VERSION=	1.3.5
+APU_VERSION=	1.3.7
 
 USE_ICONV=		yes
 USE_AUTOTOOLS=	automake:19 autoconf:262 libtool:15:env
@@ -52,12 +51,6 @@ APU_CONF_ARGS=	--with-apr=${APR_WRKDIR} \
 
 .include <bsd.port.pre.mk>
 
-.if defined(WITH_MYSQL) || defined(WITH_PGSQL) || defined (WITH_LDAP) 
-PLIST_SUB+=	APU_EXTRAS=""
-.else
-PLIST_SUB+=	APU_EXTRAS="@comment "
-.endif
-
 ########## APR Options
 .if defined(WITHOUT_THREADS)
 APR_CONF_ARGS+=	--disable-threads
@@ -83,8 +76,10 @@ PKGNAMESUFFIX=	-ipv6
 
 ######### APR-Util Options
 .if defined(WITHOUT_GDBM)
+PLIST_SUB+=	GDBM="@comment "
 APU_CONF_ARGS+=	--without-gdbm
 .elif defined(WITH_GDBM) || exists(${LOCALBASE}/lib/libgdbm.so.3)
+PLIST_SUB+=	GDBM=""
 LIB_DEPENDS+=	gdbm.3:${PORTSDIR}/databases/gdbm
 APU_CONF_ARGS+=	--with-gdbm=${LOCALBASE}
 .if defined(PKGNAMESUFFIX)
@@ -93,12 +88,16 @@ PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-gdbm
 PKGNAMESUFFIX=	-gdbm
 .endif
 .else
+PLIST_SUB+=	GDBM="@comment "
 APR_UTIL_CONF_ARGS+=	--without-gdbm
 .endif
 
 .if defined(WITHOUT_BDB)
+PLIST_SUB+=	BDB="@comment "
 APU_CONF_ARGS+=	--without-berkeley-db
 .elif defined(WITH_BDB) || exists(${LOCALBASE}/lib/libdb-4.2.so.2)
+APU_EXTRAS=	yes
+PLIST_SUB+=	BDB=""
 USE_BDB=	42+
 APU_CONF_ARGS+=	--with-berkeley-db=${BDB_INCLUDE_DIR}:${BDB_LIB_DIR}
 .if defined(PKGNAMESUFFIX)
@@ -109,8 +108,11 @@ PKGNAMESUFFIX=	-${BDB_INCLUDE_DIR:S,^${LOCALBASE}/include/,,}
 .endif
 
 .if defined(WITHOUT_NDBM)
+PLIST_SUB+=	NDBM="@comment "
 APU_CONF_ARGS+=	--without-ndbm
 .elif defined(WITH_NDBM)
+APU_EXTRAS=	yes
+PLIST_SUB+=	NDBM=""
 APU_CONF_ARGS+=	--with-ndbm=/usr
 .if defined(PKGNAMESUFFIX)
 PKGNAMESUFFIX:=	${PKGNAMESUFFIX}-ndbm
@@ -120,6 +122,7 @@ PKGNAMESUFFIX=	-ndbm
 .endif
 
 .if defined(WITH_LDAP)
+APU_EXTRAS=	yes
 PLIST_SUB+=	LDAP=""
 USE_OPENLDAP=	yes
 APU_CONF_ARGS+=	--with-ldap-include=${LOCALBASE}/include \
@@ -134,6 +137,7 @@ PLIST_SUB+=	LDAP="@comment "
 .endif
 
 .if defined(WITH_MYSQL)
+APU_EXTRAS=	yes
 PLIST_SUB+=	MYSQL=""
 USE_MYSQL=	YES
 APU_CONF_ARGS+=	--with-mysql=${LOCALBASE}
@@ -150,6 +154,7 @@ PLIST_SUB+=	MYSQL="@comment "
 .endif
 
 .if defined(WITH_PGSQL)
+APU_EXTRAS=	yes
 PLIST_SUB+=	PGSQL=""
 USE_PGSQL=	YES
 APU_CONF_ARGS+=	--with-pgsql=${LOCALBASE}
@@ -163,6 +168,12 @@ PKGNAMESUFFIX=	-pgsql
 PLIST_SUB+=	PGSQL="@comment "
 .endif
 
+.if defined(APU_EXTRAS)
+PLIST_SUB+=	APU_EXTRAS=""
+.else
+PLIST_SUB+=	APU_EXTRAS="@comment "
+.endif
+
 post-patch:
 	${REINPLACE_CMD} -e 's/OSVERSION/'${OSVERSION}'/g' \
 		${APR_WRKDIR}/build/apr_hints.m4
diff --git a/devel/apr/distinfo b/devel/apr/distinfo
index 52713d4..7e787e6 100644
--- a/devel/apr/distinfo
+++ b/devel/apr/distinfo
@@ -1,6 +1,6 @@
-MD5 (apr-1.3.3.tar.gz) = b254a9abecaedb05efde71daa7517480
-SHA256 (apr-1.3.3.tar.gz) = 390af2f94c38d9fa03cd6caac3549058bb3e2c4d9f7408b7b829ad75bd5cc273
-SIZE (apr-1.3.3.tar.gz) = 1160542
-MD5 (apr-util-1.3.4.tar.gz) = a10e2ca150ff07f484c724c36142211f
-SHA256 (apr-util-1.3.4.tar.gz) = 3f07ffdb18fb853290c9b83e82cd5cae66b8fbc357bd391e846c0afdd24fed7e
-SIZE (apr-util-1.3.4.tar.gz) = 778902
+MD5 (apr-1.3.5.tar.gz) = 2a3f33c2186f456fd60a34a7c2989580
+SHA256 (apr-1.3.5.tar.gz) = f047422b39a5e5d933d598bd9fca2a1184e1506e4cd66364a990c7f2cd76960d
+SIZE (apr-1.3.5.tar.gz) = 1162875
+MD5 (apr-util-1.3.7.tar.gz) = 0a6802ef6d874db645150ae4a75f41fa
+SHA256 (apr-util-1.3.7.tar.gz) = fadd6a0c55596b2c21375942e3acefc33715e647ed4770dc398d08d8783a39e0
+SIZE (apr-util-1.3.7.tar.gz) = 788206
diff --git a/devel/apr/files/patch-apr_hints.m4 b/devel/apr/files/patch-apr_hints.m4
index 5549809..a360c89 100644
--- a/devel/apr/files/patch-apr_hints.m4
+++ b/devel/apr/files/patch-apr_hints.m4
@@ -1,5 +1,5 @@
---- apr-1.3.3/build/apr_hints.m4.orig	Wed Oct 27 11:12:28 2004
-+++ apr-1.3.3/build/apr_hints.m4	Wed Oct 27 11:25:32 2004
+--- apr-1.3.5/build/apr_hints.m4.orig	Wed Oct 27 11:12:28 2004
++++ apr-1.3.5/build/apr_hints.m4	Wed Oct 27 11:25:32 2004
 @@ -137,11 +137,7 @@
  	;;
      *-freebsd*)
diff --git a/devel/apr/pkg-plist b/devel/apr/pkg-plist
index 18e965e..a091c1c 100644
--- a/devel/apr/pkg-plist
+++ b/devel/apr/pkg-plist
@@ -84,6 +84,18 @@ lib/libaprutil-1.a
 lib/libaprutil-1.la
 lib/libaprutil-1.so
 lib/libaprutil-1.so.%%SHLIB_MAJOR%%
+%%BDB%%lib/apr-util-1/apr_dbm_db-1.so
+%%BDB%%lib/apr-util-1/apr_dbm_db.so
+%%BDB%%lib/apr-util-1/apr_dbm_db.la
+%%BDB%%lib/apr-util-1/apr_dbm_db.a
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm-1.so
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.so
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.la
+%%GDBM%%lib/apr-util-1/apr_dbm_gdbm.a
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm-1.so
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.so
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.la
+%%NDBM%%lib/apr-util-1/apr_dbm_ndbm.a
 %%LDAP%%lib/apr-util-1/apr_ldap-1.so
 %%LDAP%%lib/apr-util-1/apr_ldap.so
 %%LDAP%%lib/apr-util-1/apr_ldap.la
-- 
1.6.3.1
--- update-to-1.3.5-and-1.3.7.diff ends here ---

The following VuXML entry should be evaluated and added.
--- vuln.xml begins here ---
  <vuln vid="eb9212f7-526b-11de-bbf2-001b77d09812">
    <topic>apr -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>apr</name>
        <range><lt>1.3.5.1.3.7</lt></range>
      </package>
      <package>
        <name>apache</name>
        <range><ge>2.2.0</ge><lt>2.2.11_5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">;
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/35284/">;
          <p>Some vulnerabilities have been reported in APR-util, which
          can be exploited by malicious users and malicious people to
          cause a DoS (Denial of Service).</p>
          <p>A vulnerability is caused due to an error in the processing
          of XML files and can be exploited to exhaust all available
          memory via a specially crafted XML file containing a
          predefined entity inside an entity definition.</p>
          <p>A vulnerability is caused due to an error within the
          "apr_strmatch_precompile()" function in
          strmatch/apr_strmatch.c, which can be exploited to crash an
          application using the library.</p>
        </blockquote>
        <p>RedHat reports:</p>
        <blockquote
          cite="https://bugzilla.redhat.com/show_bug.cgi?id=504390">;
          <p>A single NULL byte buffer overflow flaw was found in
          apr-util's apr_brigade_vprintf() function.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0023</cvename>
      <bid>35221</bid>
      <url>http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3</url>;
      <url>http://secunia.com/advisories/35284/</url>;
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=504390</url>;
    </references>
    <dates>
      <discovery>2009-06-05</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

I have no time yet to look at Apache < 2.2, but may be there are also
these bugs in there.
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090606095151.0E55217156>