Date: Tue, 11 Aug 2009 10:52:56 +0900 (JST) From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> To: FreeBSD-gnats-submit@FreeBSD.org Cc: turutani@scphys.kyoto-u.ac.jp Subject: ports/137651: upgrade www/apache22 Message-ID: <200908110152.n7B1quKU092763@h120.65.226.10.32118.vlan.kuins.net> Resent-Message-ID: <200908110200.n7B20CQK019732@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 137651 >Category: ports >Synopsis: upgrade www/apache22 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Tue Aug 11 02:00:12 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Tsurutani Naoki >Release: FreeBSD 7.2-STABLE i386 >Organization: >Environment: System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 7.2-STABLE FreeBSD 7.2-STABLE #19: Sun Jun 21 20:36:09 JST 2009 turutani@h120.65.226.10.32118.vlan.kuins.net:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386 >Description: apache 2.2.13 has been released. it might not be necessary, for many patched are already included in ports, but i think it is better to upgrade if possible. thank you for many workers maintaining this ports. >How-To-Repeat: >Fix: here is a patch: diff -urN apache22.orig/Makefile apache22/Makefile --- apache22.orig/Makefile 2009-08-07 05:59:22.000000000 +0900 +++ apache22/Makefile 2009-08-11 09:36:53.000000000 +0900 @@ -8,8 +8,7 @@ # PORTNAME= apache -PORTVERSION= 2.2.11 -PORTREVISION?= 7 +PORTVERSION= 2.2.13 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} DISTNAME= httpd-${PORTVERSION} diff -urN apache22.orig/distinfo apache22/distinfo --- apache22.orig/distinfo 2008-12-19 20:45:52.000000000 +0900 +++ apache22/distinfo 2009-08-11 09:38:20.000000000 +0900 @@ -1,3 +1,3 @@ -MD5 (apache22/httpd-2.2.11.tar.bz2) = 3e98bcb14a7122c274d62419566431bb -SHA256 (apache22/httpd-2.2.11.tar.bz2) = 5ce34825c5b84d1808605a22f8d16d44c6f91882a538bb98a3affed8f5dff6fe -SIZE (apache22/httpd-2.2.11.tar.bz2) = 5230130 +MD5 (apache22/httpd-2.2.13.tar.bz2) = 8d8d904e7342125825ec70f03c5745ef +SHA256 (apache22/httpd-2.2.13.tar.bz2) = 24a812e010d936a3114141bad56461fcaa1089aa720bd16355feb3516ab8d6d6 +SIZE (apache22/httpd-2.2.13.tar.bz2) = 5300199 diff -urN apache22.orig/files/patch-apr-fix-apr_xml-expat-attack apache22/files/patch-apr-fix-apr_xml-expat-attack --- apache22.orig/files/patch-apr-fix-apr_xml-expat-attack 2009-06-08 12:10:25.000000000 +0900 +++ apache22/files/patch-apr-fix-apr_xml-expat-attack 1970-01-01 09:00:00.000000000 +0900 @@ -1,51 +0,0 @@ -Taken from - http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch - ---- srclib/apr-util/xml/apr_xml.c 2009/03/24 11:12:27 757729 -+++ srclib/apr-util/xml/apr_xml.c 2009/06/03 14:26:19 781403 -@@ -347,6 +347,25 @@ - return APR_SUCCESS; - } - -+#if XML_MAJOR_VERSION > 1 -+/* Stop the parser if an entity declaration is hit. */ -+static void entity_declaration(void *userData, const XML_Char *entityName, -+ int is_parameter_entity, const XML_Char *value, -+ int value_length, const XML_Char *base, -+ const XML_Char *systemId, const XML_Char *publicId, -+ const XML_Char *notationName) -+{ -+ apr_xml_parser *parser = userData; -+ -+ XML_StopParser(parser->xp, XML_FALSE); -+} -+#else -+/* A noop default_handler. */ -+static void default_handler(void *userData, const XML_Char *s, int len) -+{ -+} -+#endif -+ - APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool) - { - apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser)); -@@ -372,6 +391,19 @@ - XML_SetElementHandler(parser->xp, start_handler, end_handler); - XML_SetCharacterDataHandler(parser->xp, cdata_handler); - -+ /* Prevent the "billion laughs" attack against expat by disabling -+ * internal entity expansion. With 2.x, forcibly stop the parser -+ * if an entity is declared - this is safer and a more obvious -+ * failure mode. With older versions, installing a noop -+ * DefaultHandler means that internal entities will be expanded as -+ * the empty string, which is also sufficient to prevent the -+ * attack. */ -+#if XML_MAJOR_VERSION > 1 -+ XML_SetEntityDeclHandler(parser->xp, entity_declaration); -+#else -+ XML_SetDefaultHandler(parser->xp, default_handler); -+#endif -+ - return parser; - } - diff -urN apache22.orig/files/patch-apr-fix-brigade_vprintf_overflow apache22/files/patch-apr-fix-brigade_vprintf_overflow --- apache22.orig/files/patch-apr-fix-brigade_vprintf_overflow 2009-06-08 12:10:25.000000000 +0900 +++ apache22/files/patch-apr-fix-brigade_vprintf_overflow 1970-01-01 09:00:00.000000000 +0900 @@ -1,18 +0,0 @@ -Equal to the fix in the apr-util itself: - http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch - -See discuission about original vulnerability at - http://www.mail-archive.com/dev@apr.apache.org/msg21592.html - ---- srclib/apr-util/buckets/apr_brigade.c.orig 2009-06-06 12:32:12.000000000 +0400 -+++ srclib/apr-util/buckets/apr_brigade.c 2009-06-06 12:35:30.000000000 +0400 -@@ -689,9 +689,6 @@ - return -1; - } - -- /* tack on null terminator to remaining string */ -- *(vd.vbuff.curpos) = '\0'; -- - /* write out what remains in the buffer */ - return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf); - } diff -urN apache22.orig/files/patch-apr-fix-strmatch-underflow apache22/files/patch-apr-fix-strmatch-underflow --- apache22.orig/files/patch-apr-fix-strmatch-underflow 2009-06-08 12:10:25.000000000 +0900 +++ apache22/files/patch-apr-fix-strmatch-underflow 1970-01-01 09:00:00.000000000 +0900 @@ -1,21 +0,0 @@ -Fix underflow in apr_strmatch_precompile, - http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch - ---- srclib/apr-util/strmatch/apr_strmatch.c 2009/03/24 11:12:27 757729 -+++ srclib/apr-util/strmatch/apr_strmatch.c 2009/05/29 07:47:52 779878 -@@ -103,13 +103,13 @@ - if (case_sensitive) { - pattern->compare = match_boyer_moore_horspool; - for (i = 0; i < pattern->length - 1; i++) { -- shift[(int)s[i]] = pattern->length - i - 1; -+ shift[(unsigned char)s[i]] = pattern->length - i - 1; - } - } - else { - pattern->compare = match_boyer_moore_horspool_nocase; - for (i = 0; i < pattern->length - 1; i++) { -- shift[apr_tolower(s[i])] = pattern->length - i - 1; -+ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1; - } - } - pattern->context = shift; diff -urN apache22.orig/files/patch-libtool22 apache22/files/patch-libtool22 --- apache22.orig/files/patch-libtool22 2009-08-03 04:35:57.000000000 +0900 +++ apache22/files/patch-libtool22 1970-01-01 09:00:00.000000000 +0900 @@ -1,122 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 025_libtool_2.x_fixes.dpatch by <jsw@debian.org> -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Update build system to work with libtool 2.x -## DP: -## DP: This corresponds to upstream revisions: -## DP: 733052 -## DP: 742752 -## DP: 748902 -## DP: 757363 -diff --git a/buildconf b/buildconf -index bc0e9fd..11554ed 100755 ---- srclib/apr/buildconf -+++ srclib/apr/buildconf -@@ -35,17 +35,20 @@ fi - # Note: APR supplies its own config.guess and config.sub -- we do not - # rely on libtool's versions - # --echo "Copying libtool helper files ..." -+echo "buildconf: copying libtool helper files using $libtoolize" - - # Remove any libtool files so one can switch between libtool 1.3 - # and libtool 1.4 by simply rerunning the buildconf script. --(cd build ; rm -f ltconfig ltmain.sh libtool.m4) -- --$libtoolize --copy --automake -- --if [ -f libtool.m4 ]; then -- ltfile=`pwd`/libtool.m4 --else -+(cd build ; rm -f ltconfig ltmain.sh libtool.m4 ltoptions.m4 ltsugar.m4 ltversion.m4 lt~obsolete.m4) -+ -+lt_pversion=`$libtoolize --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'` -+lt_version=`echo $lt_pversion|sed -e 's/\([a-z]*\)$/.\1/'` -+IFS=.; set $lt_version; IFS=' ' -+if test "$1" = "1"; then -+ $libtoolize --copy --automake -+ if [ -f libtool.m4 ]; then -+ ltfile=`pwd`/libtool.m4 -+ else - ltfindcmd="`sed -n \"/=[^\\\`]/p;/libtool_m4=/{s/.*=/echo /p;q;}\" \ - < $libtoolize`" - ltfile=${LIBTOOL_M4-`eval "$ltfindcmd"`} -@@ -54,21 +57,21 @@ else - ltpath=`dirname $libtoolize` - ltfile=`cd $ltpath/../share/aclocal ; pwd`/libtool.m4 - fi --fi -- --if [ ! -f $ltfile ]; then -+ fi -+ if [ ! -f $ltfile ]; then - echo "$ltfile not found" - exit 1 -+ fi -+ # Do we need this anymore? -+ echo "buildconf: Using libtool.m4 at ${ltfile}." -+ cat $ltfile | sed -e 's/LIBTOOL=\(.*\)top_build/LIBTOOL=\1apr_build/' > build/libtool.m4 - fi -- --echo "buildconf: Using libtool.m4 at ${ltfile}." -- --cat $ltfile | sed -e 's/LIBTOOL=\(.*\)top_build/LIBTOOL=\1apr_build/' > build/libtool.m4 -- --# libtool.m4 from 1.6 requires ltsugar.m4 --if [ -f ltsugar.m4 ]; then -- rm -f build/ltsugar.m4 -- mv ltsugar.m4 build/ltsugar.m4 -+if test "$1" = "2"; then -+ $libtoolize --copy -+ # Wouldn't it just be better to define top_builddir?? -+ mv build/libtool.m4 build/libtool.m4.$$ -+ cat build/libtool.m4.$$ | sed -e 's/LIBTOOL=\(.*\)top_build/LIBTOOL=\1apr_build/' > build/libtool.m4 -+ rm build/libtool.m4.$$ - fi - - # Clean up any leftovers -diff --git a/configure.in b/configure.in -index 46b4b32..2ac1439 100644 ---- srclib/apr/configure.in -+++ srclib/apr/configure.in -@@ -9,6 +9,7 @@ AC_PREREQ(2.50) - AC_INIT(build/apr_common.m4) - AC_CONFIG_HEADER(include/arch/unix/apr_private.h) - AC_CONFIG_AUX_DIR(build) -+AC_CONFIG_MACRO_DIR(build) - - dnl - dnl Include our own M4 macros along with those for libtool -@@ -20,6 +21,10 @@ sinclude(build/apr_win32.m4) - sinclude(build/apr_hints.m4) - sinclude(build/libtool.m4) - sinclude(build/ltsugar.m4) -+sinclude(build/argz.m4) -+sinclude(build/ltoptions.m4) -+sinclude(build/ltversion.m4) -+sinclude(build/lt~obsolete.m4) - - dnl Hard-coded inclusion at the tail end of apr_private.h: - AH_BOTTOM([ -@@ -117,6 +122,8 @@ dnl can only be used once within a configure script, so this prevents a - dnl preload section from invoking the macro to get compiler info. - AC_PROG_CC - -+AC_PROG_SED -+ - dnl Preload - APR_PRELOAD - -@@ -160,6 +167,11 @@ echo "performing libtool configuration..." - AC_ARG_ENABLE(experimental-libtool,[ --enable-experimental-libtool Use experimental custom libtool], - [experimental_libtool=$enableval],[experimental_libtool=no]) - -+dnl Workarounds for busted Libtool 2.x when we don't call AC_PROG_LIBTOOL -+if test "x$Xsed" = "x"; then -+ Xsed="$SED -e 1s/^X//" -+fi -+ - case $host in - *-os2*) - # Use a custom-made libtool replacement diff -urN apache22.orig/files/patch-server__mpm__prefork__prefork.c apache22/files/patch-server__mpm__prefork__prefork.c --- apache22.orig/files/patch-server__mpm__prefork__prefork.c 2009-06-12 09:33:30.000000000 +0900 +++ apache22/files/patch-server__mpm__prefork__prefork.c 1970-01-01 09:00:00.000000000 +0900 @@ -1,42 +0,0 @@ ---- ./server/mpm/prefork/prefork.c.orig 2008-05-31 07:58:46.000000000 -0400 -+++ ./server/mpm/prefork/prefork.c 2009-06-11 20:10:12.151389121 -0400 -@@ -573,19 +573,27 @@ - apr_int32_t numdesc; - const apr_pollfd_t *pdesc; - -- /* timeout == -1 == wait forever */ -- status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc); -+ /* check for termination first so we don't sleep for a while in -+ * poll if already signalled -+ */ -+ if (one_process && shutdown_pending) { -+ SAFE_ACCEPT(accept_mutex_off()); -+ return; -+ } -+ else if (die_now) { -+ /* In graceful stop/restart; drop the mutex -+ * and terminate the child. */ -+ SAFE_ACCEPT(accept_mutex_off()); -+ clean_child_exit(0); -+ } -+ /* timeout == 10 seconds to avoid a hang at graceful restart/stop -+ * caused by the closing of sockets by the signal handler -+ */ -+ status = apr_pollset_poll(pollset, apr_time_from_sec(10), -+ &numdesc, &pdesc); - if (status != APR_SUCCESS) { -- if (APR_STATUS_IS_EINTR(status)) { -- if (one_process && shutdown_pending) { -- return; -- } -- else if (die_now) { -- /* In graceful stop/restart; drop the mutex -- * and terminate the child. */ -- SAFE_ACCEPT(accept_mutex_off()); -- clean_child_exit(0); -- } -+ if (APR_STATUS_IS_TIMEUP(status) || -+ APR_STATUS_IS_EINTR(status)) { - continue; - } - /* Single Unix documents select as returning errnos diff -urN apache22.orig/files/patch-srclib-apr-buildconf apache22/files/patch-srclib-apr-buildconf --- apache22.orig/files/patch-srclib-apr-buildconf 2009-08-07 05:59:22.000000000 +0900 +++ apache22/files/patch-srclib-apr-buildconf 2009-08-11 10:14:56.000000000 +0900 @@ -4,12 +4,12 @@ # build/buildcheck.sh || exit 1 --libtoolize=`build/PrintPath glibtoolize libtoolize15 libtoolize14 libtoolize` +-libtoolize=`build/PrintPath glibtoolize1 glibtoolize libtoolize15 libtoolize14 libtoolize` +libtoolize="${LIBTOOLIZE}" if [ "x$libtoolize" = "x" ]; then echo "libtoolize not found in path" exit 1 -@@ -52,7 +52,7 @@ +@@ -60,7 +60,7 @@ # Expecting the code above to be very portable, but just in case... if [ -z "$ltfile" -o ! -f "$ltfile" ]; then ltpath=`dirname $libtoolize` @@ -18,7 +18,7 @@ fi fi -@@ -87,8 +87,11 @@ +@@ -95,8 +95,11 @@ # Remove autoconf 2.5x's cache directory rm -rf autom4te*.cache diff -urN apache22.orig/files/patch-srclib:apr:build:buildcheck.sh apache22/files/patch-srclib:apr:build:buildcheck.sh --- apache22.orig/files/patch-srclib:apr:build:buildcheck.sh 2006-09-26 20:25:38.000000000 +0900 +++ apache22/files/patch-srclib:apr:build:buildcheck.sh 2009-08-11 10:17:17.000000000 +0900 @@ -20,7 +20,7 @@ # output is multiline from 1.5 onwards # Require libtool 1.4 or newer --libtool=`build/PrintPath glibtool libtool libtool15 libtool14` +-libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14` +libtool=${LIBTOOL} lt_pversion=`$libtool --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'` if test -z "$lt_pversion"; then >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908110152.n7B1quKU092763>