diff options
Diffstat (limited to 'meta-webserver/recipes-httpd/apache2/apache2')
3 files changed, 93 insertions, 316 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch new file mode 100644 index 0000000000..264fde7104 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch @@ -0,0 +1,58 @@ +From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001 +From: Eric Covener <covener@apache.org> +Date: Wed, 4 Feb 2015 14:44:23 +0000 +Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A + maliciously crafted websockets PING after a script calls r:wsupgrade() + can cause a child process crash. [Edward Lu <Chaosed0 gmail.com>] + +Upstream-Status: BackPort + +Discovered by Guido Vranken <guidovranken gmail.com> + +Submitted by: Edward Lu +Committed by: covener + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68 + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + modules/lua/lua_request.c | 6 +++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c +index dded599..1200c55 100644 +--- a/modules/lua/lua_request.c ++++ b/modules/lua/lua_request.c +@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L) + { + apr_socket_t *sock; + apr_status_t rv; ++ int do_read = 1; + int n = 0; + apr_size_t len = 1; + apr_size_t plen = 0; +@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L) + mask_bytes = apr_pcalloc(r->pool, 4); + sock = ap_get_conn_socket(r->connection); + ++ while (do_read) { ++ do_read = 0; + /* Get opcode and FIN bit */ + if (plaintext) { + rv = apr_socket_recv(sock, &byte, &len); +@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L) + frame[0] = 0x8A; + frame[1] = 0; + apr_socket_send(sock, frame, &plen); /* Pong! */ +- lua_websocket_read(L); /* read the next frame instead */ ++ do_read = 1; + } + } + } ++ } + return 0; + } + +-- +1.9.1 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch deleted file mode 100644 index 8585f0bb30..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch +++ /dev/null @@ -1,289 +0,0 @@ -apache: CVE-2014-0117 - -The patch comes from upstream: -http://svn.apache.org/viewvc?view=revision&revision=1610674 - -SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a -reverse proxy configuration, a remote attacker could send a carefully crafted -request which could crash a server process, resulting in denial of service. - -Thanks to Marek Kroemeke working with HP's Zero Day Initiative for -reporting this issue. - -Upstream-Status: Backport - -Submitted by: Edward Lu, breser, covener -Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> ---- - modules/proxy/mod_proxy_http.c | 8 +++- - include/httpd.h | 17 ++++++++ - modules/proxy/proxy_util.c | 67 ++++++++++++++---------------- - server/util.c | 89 ++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 143 insertions(+), 38 deletions(-) - -diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c -index cffad2e..f11c16f 100644 ---- a/modules/proxy/mod_proxy_http.c -+++ b/modules/proxy/mod_proxy_http.c -@@ -1362,6 +1362,7 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, - */ - if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) { - int major, minor; -+ int toclose; - - major = buffer[5] - '0'; - minor = buffer[7] - '0'; -@@ -1470,7 +1471,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, - te = apr_table_get(r->headers_out, "Transfer-Encoding"); - - /* strip connection listed hop-by-hop headers from response */ -- backend->close = ap_proxy_clear_connection_fn(r, r->headers_out); -+ toclose = ap_proxy_clear_connection_fn(r, r->headers_out); -+ backend->close = (toclose != 0); -+ if (toclose < 0) { -+ return ap_proxyerror(r, HTTP_BAD_REQUEST, -+ "Malformed connection header"); -+ } - - if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { - ap_set_content_type(r, apr_pstrdup(p, buf)); -diff --git a/include/httpd.h b/include/httpd.h -index 36cd58d..9a2cf5c 100644 ---- a/include/httpd.h -+++ b/include/httpd.h -@@ -1528,6 +1528,23 @@ AP_DECLARE(int) ap_find_etag_weak(apr_pool_t *p, const char *line, const char *t - AP_DECLARE(int) ap_find_etag_strong(apr_pool_t *p, const char *line, const char *tok); - - /** -+ * Retrieve an array of tokens in the format "1#token" defined in RFC2616. Only -+ * accepts ',' as a delimiter, does not accept quoted strings, and errors on -+ * any separator. -+ * @param p The pool to allocate from -+ * @param tok The line to read tokens from -+ * @param tokens Pointer to an array of tokens. If not NULL, must be an array -+ * of char*, otherwise it will be allocated on @a p when a token is found -+ * @param skip_invalid If true, when an invalid separator is encountered, it -+ * will be ignored. -+ * @return NULL on success, an error string otherwise. -+ * @remark *tokens may be NULL on output if NULL in input and no token is found -+ */ -+AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p, const char *tok, -+ apr_array_header_t **tokens, -+ int skip_invalid); -+ -+/** - * Retrieve a token, spacing over it and adjusting the pointer to - * the first non-white byte afterwards. Note that these tokens - * are delimited by semis and commas and can also be delimited -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index 67dc939..58daa21 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -2847,68 +2847,59 @@ PROXY_DECLARE(proxy_balancer_shared *) ap_proxy_find_balancershm(ap_slotmem_prov - typedef struct header_connection { - apr_pool_t *pool; - apr_array_header_t *array; -- const char *first; -- unsigned int closed:1; -+ const char *error; -+ int is_req; - } header_connection; - - static int find_conn_headers(void *data, const char *key, const char *val) - { - header_connection *x = data; -- const char *name; -- -- do { -- while (*val == ',' || *val == ';') { -- val++; -- } -- name = ap_get_token(x->pool, &val, 0); -- if (!strcasecmp(name, "close")) { -- x->closed = 1; -- } -- if (!x->first) { -- x->first = name; -- } -- else { -- const char **elt; -- if (!x->array) { -- x->array = apr_array_make(x->pool, 4, sizeof(char *)); -- } -- elt = apr_array_push(x->array); -- *elt = name; -- } -- } while (*val); - -- return 1; -+ x->error = ap_parse_token_list_strict(x->pool, val, &x->array, !x->is_req); -+ return !x->error; - } - - /** - * Remove all headers referred to by the Connection header. -+ * Returns -1 on error. Otherwise, returns 1 if 'Close' was seen in -+ * the Connection header tokens, and 0 if not. - */ - static int ap_proxy_clear_connection(request_rec *r, apr_table_t *headers) - { -- const char **name; -+ int closed = 0; - header_connection x; - - x.pool = r->pool; - x.array = NULL; -- x.first = NULL; -- x.closed = 0; -+ x.error = NULL; -+ x.is_req = (headers == r->headers_in); - - apr_table_unset(headers, "Proxy-Connection"); - - apr_table_do(find_conn_headers, &x, headers, "Connection", NULL); -- if (x.first) { -- /* fast path - no memory allocated for one header */ -- apr_table_unset(headers, "Connection"); -- apr_table_unset(headers, x.first); -+ apr_table_unset(headers, "Connection"); -+ -+ if (x.error) { -+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, APLOGNO() -+ "Error parsing Connection header: %s", x.error); -+ return -1; - } -+ - if (x.array) { -- /* two or more headers */ -- while ((name = apr_array_pop(x.array))) { -- apr_table_unset(headers, *name); -+ int i; -+ for (i = 0; i < x.array->nelts; i++) { -+ const char *name = APR_ARRAY_IDX(x.array, i, const char *); -+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() -+ "Removing header '%s' listed in Connection header", -+ name); -+ if (!strcasecmp(name, "close")) { -+ closed = 1; -+ } -+ apr_table_unset(headers, name); - } - } - -- return x.closed; -+ return closed; - } - - PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, -@@ -3095,7 +3086,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - * apr is compiled with APR_POOL_DEBUG. - */ - headers_in_copy = apr_table_copy(r->pool, r->headers_in); -- ap_proxy_clear_connection(r, headers_in_copy); -+ if (ap_proxy_clear_connection(r, headers_in_copy) < 0) { -+ return HTTP_BAD_REQUEST; -+ } - /* send request headers */ - headers_in_array = apr_table_elts(headers_in_copy); - headers_in = (const apr_table_entry_t *) headers_in_array->elts; -diff --git a/server/util.c b/server/util.c -index e0ba5c2..541c9f0 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -1449,6 +1449,95 @@ AP_DECLARE(int) ap_find_etag_weak(apr_pool_t *p, const char *line, - return find_list_item(p, line, tok, AP_ETAG_WEAK); - } - -+/* Grab a list of tokens of the format 1#token (from RFC7230) */ -+AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p, -+ const char *str_in, -+ apr_array_header_t **tokens, -+ int skip_invalid) -+{ -+ int in_leading_space = 1; -+ int in_trailing_space = 0; -+ int string_end = 0; -+ const char *tok_begin; -+ const char *cur; -+ -+ if (!str_in) { -+ return NULL; -+ } -+ -+ tok_begin = cur = str_in; -+ -+ while (!string_end) { -+ const unsigned char c = (unsigned char)*cur; -+ -+ if (!TEST_CHAR(c, T_HTTP_TOKEN_STOP) && c != '\0') { -+ /* Non-separator character; we are finished with leading -+ * whitespace. We must never have encountered any trailing -+ * whitespace before the delimiter (comma) */ -+ in_leading_space = 0; -+ if (in_trailing_space) { -+ return "Encountered illegal whitespace in token"; -+ } -+ } -+ else if (c == ' ' || c == '\t') { -+ /* "Linear whitespace" only includes ASCII CRLF, space, and tab; -+ * we can't get a CRLF since headers are split on them already, -+ * so only look for a space or a tab */ -+ if (in_leading_space) { -+ /* We're still in leading whitespace */ -+ ++tok_begin; -+ } -+ else { -+ /* We must be in trailing whitespace */ -+ ++in_trailing_space; -+ } -+ } -+ else if (c == ',' || c == '\0') { -+ if (!in_leading_space) { -+ /* If we're out of the leading space, we know we've read some -+ * characters of a token */ -+ if (*tokens == NULL) { -+ *tokens = apr_array_make(p, 4, sizeof(char *)); -+ } -+ APR_ARRAY_PUSH(*tokens, char *) = -+ apr_pstrmemdup((*tokens)->pool, tok_begin, -+ (cur - tok_begin) - in_trailing_space); -+ } -+ /* We're allowed to have null elements, just don't add them to the -+ * array */ -+ -+ tok_begin = cur + 1; -+ in_leading_space = 1; -+ in_trailing_space = 0; -+ string_end = (c == '\0'); -+ } -+ else { -+ /* Encountered illegal separator char */ -+ if (skip_invalid) { -+ /* Skip to the next separator */ -+ const char *temp; -+ temp = ap_strchr_c(cur, ','); -+ if(!temp) { -+ temp = ap_strchr_c(cur, '\0'); -+ } -+ -+ /* Act like we haven't seen a token so we reset */ -+ cur = temp - 1; -+ in_leading_space = 1; -+ in_trailing_space = 0; -+ } -+ else { -+ return apr_psprintf(p, "Encountered illegal separator " -+ "'\\x%.2x'", (unsigned int)c); -+ } -+ } -+ -+ ++cur; -+ } -+ -+ return NULL; -+} -+ - /* Retrieve a token, spacing over it and returning a pointer to - * the first non-white byte afterwards. Note that these tokens - * are delimited by semis and commas; and can also be delimited --- diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch index 3a59fb0799..413dc535e4 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch @@ -1,52 +1,57 @@ ---- httpd-2.2.8.orig/build/ltmain.sh -+++ httpd-2.2.8/build/ltmain.sh -@@ -1515,7 +1515,7 @@ EOF - dir=`$echo "X$arg" | $Xsed -e 's/^-L//'` + build/ltmain.sh | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +diff --git a/build/ltmain.sh b/build/ltmain.sh +index 5eca4ae..805b461 100644 +--- a/build/ltmain.sh ++++ b/build/ltmain.sh +@@ -6944,7 +6944,7 @@ func_mode_link () + dir=$func_resolve_sysroot_result # We need an absolute path. case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; + =* | [\\/]* | [A-Za-z]:[\\/]*) ;; *) absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then -@@ -2558,7 +2558,7 @@ EOF - $echo "*** $linklib is not portable!" + test -z "$absdir" && \ +@@ -8137,7 +8137,7 @@ func_mode_link () + $ECHO "*** $linklib is not portable!" fi - if test "$linkmode" = lib && -- test "$hardcode_into_libs" = yes; then -+ test "x$wrs_use_rpaths" = "xyes" && test "$hardcode_into_libs" = yes; then + if test lib = "$linkmode" && +- test yes = "$hardcode_into_libs"; then ++ test "x$wrs_use_rpaths" = "xyes" && test "$hardcode_into_libs" = yes; then # Hardcode the library path. # Skip directories that are in the system default run-time # search path. -@@ -2832,7 +2832,7 @@ EOF +@@ -8404,7 +8404,7 @@ func_mode_link () - if test "$linkmode" = lib; then + if test lib = "$linkmode"; then if test -n "$dependency_libs" && -- { test "$hardcode_into_libs" != yes || -+ { test "$hardcode_into_libs" != yes || test "x$wrs_use_rpaths" != "xyes" || - test "$build_old_libs" = yes || - test "$link_static" = yes; }; then +- { test yes != "$hardcode_into_libs" || ++ { test yes != "$hardcode_into_libs" || test "x$wrs_use_rpaths" != "xyes" || + test yes = "$build_old_libs" || + test yes = "$link_static"; }; then # Extract -R from dependency_libs -@@ -3426,7 +3426,8 @@ EOF - *) finalize_rpath="$finalize_rpath $libdir" ;; +@@ -9025,7 +9025,8 @@ func_mode_link () + *) func_append finalize_rpath " $libdir" ;; esac done -- if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then -+ if test "$hardcode_into_libs" != yes || test "x$wrs_use_rpaths" != "xyes" || -+ test "$build_old_libs" = yes; then +- if test yes != "$hardcode_into_libs" || test yes = "$build_old_libs"; then ++ if test yes != "$hardcode_into_libs" || test "x$wrs_use_rpaths" != "xyes" || ++ test yes = "$build_old_libs"; then dependency_libs="$temp_xrpath $dependency_libs" fi fi -@@ -3843,7 +3844,7 @@ EOF - case $archive_cmds in - *\$LD\ *) wl= ;; +@@ -9473,7 +9474,7 @@ EOF + case $archive_cmds in + *\$LD\ *) wl= ;; esac -- if test "$hardcode_into_libs" = yes; then -+ if test "$hardcode_into_libs" = yes && test "x$wrs_use_rpaths" = "xyes" ; then +- if test yes = "$hardcode_into_libs"; then ++ if test yes = "$hardcode_into_libs" && test "x$wrs_use_rpaths" = "xyes"; then # Hardcode the library paths hardcode_libdirs= dep_rpath= -@@ -4397,6 +4398,27 @@ EOF +@@ -10211,6 +10212,27 @@ EOF # Now hardcode the library paths rpath= hardcode_libdirs= @@ -74,3 +79,6 @@ for libdir in $compile_rpath $finalize_rpath; do if test -n "$hardcode_libdir_flag_spec"; then if test -n "$hardcode_libdir_separator"; then +-- +1.9.1 + |