Date:      Sun, 24 Jun 2012 07:05:31 GMT
From:      Kenji Rikitake <kenji.rikitake@acm.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/169363: www/yaws needs to be updated to 1.93 for a security fix
Message-ID:  <201206240705.q5O75Vxp066714@red.freebsd.org>
Resent-Message-ID: <201206240710.q5O7AAsl084814@freefall.freebsd.org>


>Number:         169363
>Category:       misc
>Synopsis:       www/yaws needs to be updated to 1.93 for a security fix
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 24 07:10:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Kenji Rikitake
>Release:        9.0-STABLE
>Organization:
>Environment:
FreeBSD minimax.priv.k2r.org 9.0-STABLE FreeBSD 9.0-STABLE #5: Wed Jun 13 12:46:09 JST 2012     root@minimax.priv.k2r.org:/usr/obj/usr/src/sys/MINIMAX  amd64
>Description:
Yaws 1.92 has a critical vulnerability in its cookie handling which may result in session hijacking.  This vulnerability is addressed in 1.93. Details:
http://sourceforge.net/mailarchive/message.php?msg_id=29435297



>How-To-Repeat:
Yaws 1.92 or the older version has the vulnerability.
>Fix:
Updating yaws to 1.93 will fix this issue.  The patch included is a diff for a quick fix from the current port (yaws 1.92 based) to the 1.93. (use patch -p1 to apply)
The details are also on GitHub at:
https://github.com/jj1bdx/yaws-freebsd-port

Patch attached with submission follows:

diff --git a/yaws/Makefile b/yaws/Makefile
index 363aac2..d1bd67b 100644
--- a/yaws/Makefile
+++ b/yaws/Makefile
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	yaws
-PORTVERSION=	1.92
+PORTVERSION=	1.93
 CATEGORIES=	www
 MASTER_SITES=	http://yaws.hyber.org/download/
 
@@ -32,6 +32,8 @@ APPDIR=${PREFIX}/lib/erlang/lib/yaws-${PORTVERSION}
 
 SUB_FILES=      pkg-message
 
+CONFIGURE_ARGS+=--prefix=${PREFIX} --localstatedir=/var
+
 .include <bsd.port.pre.mk>
 
 .if defined(WITH_SENDFILE)
@@ -55,16 +57,22 @@ do-install:
 	@${MKDIR} ${ETCDIR}
 	@${INSTALL_DATA} ${FILESDIR}/yaws.conf.sample ${ETCDIR}
 	@${MKDIR} ${APPDIR}/ebin
+	@${MKDIR} ${APPDIR}/examples
+	@${MKDIR} ${APPDIR}/examples/ebin
+	@${MKDIR} ${APPDIR}/examples/src
 	@${MKDIR} ${APPDIR}/include
 	@${MKDIR} ${APPDIR}/priv
 	@${MKDIR} ${APPDIR}/priv/lib
 	@${MKDIR} ${APPDIR}/src
 	@${MKDIR} ${PREFIX}/www/yaws
 	@${INSTALL_DATA} ${WRKSRC}/ebin/* ${APPDIR}/ebin
-.for FILE in envelope.xsd mime.types soap.xsd wsdl.xsd epam
+	@${INSTALL_DATA} ${WRKSRC}/examples/ebin/* ${APPDIR}/examples/ebin
+	@${INSTALL_DATA} ${WRKSRC}/examples/src/* ${APPDIR}/examples/src
+.for FILE in envelope.xsd mime.types soap.xsd wsdl.xsd soap-envelope.xsd wsdl11soap12.xsd xml.xsd
 	@${INSTALL_DATA} ${WRKSRC}/priv/${FILE} ${APPDIR}/priv
 .endfor
-	@${INSTALL_DATA} ${WRKSRC}/priv/lib/* ${APPDIR}/priv/lib
+	@${INSTALL_PROGRAM} ${WRKSRC}/priv/epam ${APPDIR}/priv
+	@${INSTALL_LIB} ${WRKSRC}/priv/lib/* ${APPDIR}/priv/lib
 	@${INSTALL_DATA} ${WRKSRC}/include/* ${APPDIR}/include
 	@${INSTALL_DATA} ${WRKSRC}/src/*.?rl ${APPDIR}/src
 	@cd ${WRKSRC}/www && (${FIND} * | ${CPIO} -pu ${WWWDIR})
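Review bot: The three added `@${MKDIR} ${APPDIR}/examples…` lines create new directories, and the two `${WRKSRC}/examples/*/*` globs install whatever upstream ships there, yet none of the pkg-plist hunks in this patch add matching directory-removal entries. If this ports tree still requires explicit removal, add `@dirrm %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src` plus the same for `examples/ebin` and `examples`, so that deinstall leaves nothing behind. The plist names only three files under examples/src, so confirm the glob result matches it exactly; an unlisted file would stay on disk after the package is removed. The do-install recipe starts outside this hunk.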
diff --git a/yaws/distinfo b/yaws/distinfo
index 6e0db3d..276d47f 100644
--- a/yaws/distinfo
+++ b/yaws/distinfo
@@ -1,2 +1,2 @@
-SHA256 (yaws-1.92.tar.gz) = cde83ca55d8e1b10a89094e1cfdc3e78d91ba9b1036cb5ea4e1994f5922c2357
-SIZE (yaws-1.92.tar.gz) = 894749
+SHA256 (yaws-1.93.tar.gz) = 56e26ebbbb7cac15993dcab431f01a120510603567e696b9e09fa0a9e644a38f
+SIZE (yaws-1.93.tar.gz) = 1138147
diff --git a/yaws/files/patch-man_yaws.conf.5 b/yaws/files/patch-man_yaws.conf.5
index 51b9adf..2fce0af 100644
--- a/yaws/files/patch-man_yaws.conf.5
+++ b/yaws/files/patch-man_yaws.conf.5
@@ -1,4 +1,4 @@
-
+Modified by Kenji Rikitake
 $FreeBSD: ports/www/yaws/files/patch-man_yaws.conf.5,v 1.4 2010/03/20 16:30:16 olgeni Exp $
 
 --- man/yaws.conf.5.orig
@@ -6,8 +6,8 @@ $FreeBSD: ports/www/yaws/files/patch-man_yaws.conf.5,v 1.4 2010/03/20 16:30:16 o
 @@ -1,6 +1,6 @@
  .TH YAWS.CONF "5" "" "" "User Commands"
  .SH NAME
--/etc/yaws/yaws.conf \- Configuration file for the yaws web server
-+!!PREFIX!!/etc/yaws/yaws.conf \- Configuration file for the yaws web server
+-/etc/yaws/yaws.conf \- Configuration file for the Yaws web server
++!!PREFIX!!/etc/yaws/yaws.conf \- Configuration file for the Yaws web server
  .SH DESCRIPTION
  .\" Add any additional description here
  .PP
diff --git a/yaws/files/patch-scripts__gen-yaws b/yaws/files/patch-scripts__gen-yaws
new file mode 100644
index 0000000..50a7352
--- /dev/null
+++ b/yaws/files/patch-scripts__gen-yaws
@@ -0,0 +1,20 @@
+--- scripts/gen-yaws.ORIG	2012-06-24 15:27:11.000000000 +0900
++++ scripts/gen-yaws	2012-06-24 15:33:26.000000000 +0900
+@@ -1,13 +1,15 @@
+ #!/bin/sh
+ 
++# CAUTION: Modified for FreeBSD Port installation
++# referring yawsdir in the installed yaws library
++
+ # Used by scripts/Makefile and scripts/rebar-pre-script to generate
+ # the yaws execution script
+ 
+ set -e
+ 
+-topdir=`cd .. && pwd`
+ cat yaws.template | \
+-    ./Subst %yawsdir% "${topdir}" | \
++    ./Subst %yawsdir% "/usr/local/lib/erlang/lib/yaws" | \
+     ./Subst %vardir% "${VARDIR}" | \
+     ./Subst %run_erl% "${ERLBINDIR}/run_erl" | \
+     ./Subst %to_erl% "${ERLBINDIR}/to_erl" | \
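Review bot: The replacement for `%yawsdir%` hard-codes `/usr/local/lib/erlang/lib/yaws`, which ignores a non-default `PREFIX` and lacks the `-${PORTVERSION}` suffix that `APPDIR` uses in the port Makefile. The generated launcher may therefore point at a directory the package neither installs nor owns, which is worth avoiding for a server's start script. Consider a substituted placeholder in the style the man page patch already uses, for example `./Subst %yawsdir% "!!PREFIX!!/lib/erlang/lib/yaws-!!PORTVERSION!!" | \` (the second placeholder name is constructed here), filled in by the port at patch time. Whether a symlink created elsewhere makes the unversioned path valid is not visible in this patch.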
diff --git a/yaws/pkg-plist b/yaws/pkg-plist
index fc34021..3238b3d 100644
--- a/yaws/pkg-plist
+++ b/yaws/pkg-plist
@@ -1,6 +1,5 @@
 bin/yaws
 %%ETCDIR%%/yaws.conf.sample
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/authmod_gssapi.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/haxe.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/json.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/json2.beam
@@ -38,29 +37,42 @@ bin/yaws
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_server.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_session_server.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_shaper.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap12_lib.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap_lib.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_soap_srv.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_stats.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_sup.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_sup_restarts.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_ticker.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_trace.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_vdir.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_websockets.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_xmlrpc.beam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/ebin/yaws_zlib.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/advanced_echo_callback.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/authmod_gssapi.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/basic_echo_callback.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/myappmod.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/ebin/shopcart.beam
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/advanced_echo_callback.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/authmod_gssapi.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/examples/src/basic_echo_callback.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/soap-envelope.hrl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/soap.hrl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/wsdl11soap12.hrl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws.hrl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_api.hrl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_dav.hrl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/include/yaws_soap.hrl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/envelope.xsd
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/epam
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/lib/setuid_drv.so
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/mime.types
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/soap-envelope.xsd
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/soap.xsd
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/wsdl.xsd
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/advanced_echo_callback.erl
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/authmod_gssapi.erl
-%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/basic_echo_callback.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/wsdl11soap12.xsd
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/priv/xml.xsd
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/haxe.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/json.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/json2.erl
@@ -99,12 +111,14 @@ bin/yaws
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_server.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_session_server.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_shaper.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap12_lib.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap_lib.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_soap_srv.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_stats.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_sup.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_sup_restarts.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_ticker.erl
+%%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_trace.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_vdir.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_websockets.erl
 %%LIB32DIR%%/erlang/lib/yaws-%%VERSION%%/src/yaws_xmlrpc.erl
@@ -269,6 +283,7 @@ bin/yaws
 %%WWWDIR%%/json_intro.yaws
 %%WWWDIR%%/json_sample.html
 %%WWWDIR%%/json_sample.yaws
+%%WWWDIR%%/logger_mod.yaws
 %%WWWDIR%%/man.yaws
 %%WWWDIR%%/motivation.yaws
 %%WWWDIR%%/news
@@ -328,6 +343,7 @@ bin/yaws
 %%WWWDIR%%/websockets_example_endpoint.yaws
 %%WWWDIR%%/yapp_intro.yaws
 %%WWWDIR%%/yaws-1.55_to_1.56.patch
+%%WWWDIR%%/yaws.eps
 %%WWWDIR%%/ybed.erl
 %%WWWDIR%%/ybed_sup.erl
 %%WWWDIR%%/yman.yaws


>Release-Note:
>Audit-Trail:
>Unformatted:


