rpms/apr-util/F-9 apr-util-1.2.12-billionlaughs.patch, NONE, 1.1 apr-util-1.2.12-strmatch.patch, NONE, 1.1 apr-util.spec, 1.49, 1.50

Bojan Smojver bojan at fedoraproject.org
Mon Jun 8 07:38:28 UTC 2009


Author: bojan

Update of /cvs/pkgs/rpms/apr-util/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25043

Modified Files:
	apr-util.spec 
Added Files:
	apr-util-1.2.12-billionlaughs.patch 
	apr-util-1.2.12-strmatch.patch 
Log Message:
CVE-2009-0023
"billion laughs" fix for the apr_xml_* interface
off by one in apr_brigade_vprintf

apr-util-1.2.12-billionlaughs.patch:

--- NEW FILE apr-util-1.2.12-billionlaughs.patch ---
--- apr/apr-util/branches/0.9.x/xml/apr_xml.c	2009/06/03 15:37:44	781436
+++ apr/apr-util/branches/0.9.x/xml/apr_xml.c	2009/06/03 15:38:19	781437
@@ -339,6 +339,25 @@
     return APR_SUCCESS;
 }
 
+#if XML_MAJOR_VERSION > 1
+/* Stop the parser if an entity declaration is hit. */
+static void entity_declaration(void *userData, const XML_Char *entityName,
+                               int is_parameter_entity, const XML_Char *value,
+                               int value_length, const XML_Char *base,
+                               const XML_Char *systemId, const XML_Char *publicId,
+                               const XML_Char *notationName)
+{
+    apr_xml_parser *parser = userData;
+
+    XML_StopParser(parser->xp, XML_FALSE);
+}
+#else
+/* A noop default_handler. */
+static void default_handler(void *userData, const XML_Char *s, int len)
+{
+}
+#endif
+
 APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
 {
     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
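Review bot: entity_declaration casts userData straight to apr_xml_parser *, which is only valid if XML_SetUserData(parser->xp, parser) is performed before any parse; that call is not in this hunk, so the precondition should be stated next to the cast, e.g. `/* userData is the apr_xml_parser registered via XML_SetUserData in apr_xml_parser_create. */`. On the pre-2.x path the noop default_handler relies on expat's documented side effect that installing a default handler turns off expansion of internal general entities in element content; whether references inside attribute values are also left unexpanded should be confirmed against the expat version F-9 ships, since the protection on that path depends on it. The unused parameters of entity_declaration are dictated by expat's XML_EntityDeclHandler signature, so `(void)entityName;` style casts or one comment would silence -Wunused-parameter without changing behavior. apr_xml_parser_create begins at the end of this hunk and continues into the next.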
@@ -364,6 +383,19 @@
     XML_SetElementHandler(parser->xp, start_handler, end_handler);
     XML_SetCharacterDataHandler(parser->xp, cdata_handler);
 
+    /* Prevent the "billion laughs" attack against expat by disabling
+     * internal entity expansion.  With 2.x, forcibly stop the parser
+     * if an entity is declared - this is safer and a more obvious
+     * failure mode.  With older versions, installing a noop
+     * DefaultHandler means that internal entities will be expanded as
+     * the empty string, which is also sufficient to prevent the
+     * attack. */
+#if XML_MAJOR_VERSION > 1
+    XML_SetEntityDeclHandler(parser->xp, entity_declaration);
+#else
+    XML_SetDefaultHandler(parser->xp, default_handler);
+#endif
+
     return parser;
 }
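Review bot: With expat 2.x the installed handler aborts on every entity declaration, because entity_declaration inspects neither is_parameter_entity nor value, so any document carrying an internal DTD subset that declares even a harmless entity now fails to parse. That is a visible behavior change of the public apr_xml_parser_create API and deserves a line in the header documentation and the changelog, not only the in-body comment, e.g. `/* Documents that declare entities are rejected to defend against entity-expansion attacks; callers see the parse fail through the normal error path. */`. It is presumably the intended trade-off, but the abort leaves no record of which declaration triggered it, so the error reported to callers is whatever expat returns for a stopped parse; a short note saying so would save the next person debugging a rejected document some time.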
 

apr-util-1.2.12-strmatch.patch:

--- NEW FILE apr-util-1.2.12-strmatch.patch ---
--- apr/apr-util/branches/1.3.x/strmatch/apr_strmatch.c	2009/05/29 07:48:33	779879
+++ apr/apr-util/branches/1.3.x/strmatch/apr_strmatch.c	2009/05/29 07:48:45	779880
@@ -103,13 +103,13 @@
     if (case_sensitive) {
         pattern->compare = match_boyer_moore_horspool;
         for (i = 0; i < pattern->length - 1; i++) {
-            shift[(int)s[i]] = pattern->length - i - 1;
+            shift[(unsigned char)s[i]] = pattern->length - i - 1;
         }
     }
     else {
         pattern->compare = match_boyer_moore_horspool_nocase;
         for (i = 0; i < pattern->length - 1; i++) {
-            shift[apr_tolower(s[i])] = pattern->length - i - 1;
+            shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
         }
     }
     pattern->context = shift;
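Review bot: The cast fixes negative indexes into shift when char is signed and the pattern contains bytes at or above 0x80, but nothing in the hunk records why, and the same trap waits for the next reader; add a comment above the first loop, `/* char may be signed: index the table by the byte value so bytes >= 0x80 do not yield a negative index. */`. The compare functions that later read shift are outside the hunk; it is worth checking that they index by the subject text with the same unsigned char conversion, otherwise the out-of-bounds read moves rather than disappears. The enclosing apr_strmatch_precompile starts before and ends after this hunk, so the guard for a zero-length pattern (which would make `pattern->length - 1` wrap) is not visible here and is presumably handled earlier.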


Index: apr-util.spec
===================================================================
RCS file: /cvs/pkgs/rpms/apr-util/F-9/apr-util.spec,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -p -r1.49 -r1.50
--- apr-util.spec	11 Jun 2008 15:52:00 -0000	1.49
+++ apr-util.spec	8 Jun 2009 07:37:57 -0000	1.50
@@ -4,7 +4,7 @@
 Summary: Apache Portable Runtime Utility library
 Name: apr-util
 Version: 1.2.12
-Release: 5%{?dist}.1
+Release: 6%{?dist}
 License: ASL 2.0
 Group: System Environment/Libraries
 URL: http://apr.apache.org/
@@ -12,6 +12,9 @@ Source0: http://www.apache.org/dist/apr/
 Patch0: apr-util-1.2.2-exports.patch
 Patch2: apr-util-1.2.7-pkgconf.patch
 Patch3: apr-util-1.2.8-dbddso.patch
+Patch4: apr-util-1.2.12-billionlaughs.patch
+Patch5: apr-util-1.2.12-strmatch.patch
+Patch6: apr-util-1.2.12-brigadevprintf.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 BuildRequires: autoconf, apr-devel >= 1.2.0
 BuildRequires: openldap-devel, db4-devel, expat-devel, e2fsprogs-devel
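Review bot: Patch6 references apr-util-1.2.12-brigadevprintf.patch, which is not in this commit's Added Files list (only the billionlaughs and strmatch patches are added), so unless it lands in a separate commit the build will stop at `%patch6 -p4 -b .brigadevprintf` in the %prep hunk below. Either add the file to the commit or hold back the Patch6 and %patch6 lines until it is present. The -p4 strip level matches the four leading path components of the two added patches (apr/apr-util/branches/<version>/), which is worth a comment above the Patch4 line, e.g. `# upstream svn patches carry an apr/apr-util/branches/<ver>/ prefix; apply with -p4`.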
@@ -68,6 +71,9 @@ This package provides the SQLite driver 
 %patch0 -p1 -b .exports
 %patch2 -p1 -b .pkgconf
 %patch3 -p1 -b .dbddso
+%patch4 -p4 -b .billionlaughs
+%patch5 -p4 -b .strmatch
+%patch6 -p4 -b .brigadevprintf
 
 %build
 autoheader && autoconf
@@ -144,6 +150,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Mon Jun  8 2009 Bojan Smojver <bojan at rexursive.com> - 1.2.12-6
+- CVE-2009-0023
+- "billion laughs" fix of apr_xml_* interface
+- off by one in apr_brigade_vprintf
+
 * Wed Jun 11 2008 Dennis Gilmore <dennis at ausil.us> - 1.2.12-5.1
 - minor rebuild on sparc
 



