rpms/apr-util/F-9 apr-util-1.2.12-billionlaughs.patch, NONE, 1.1 apr-util-1.2.12-strmatch.patch, NONE, 1.1 apr-util.spec, 1.49, 1.50
Bojan Smojver
bojan at fedoraproject.org
Mon Jun 8 07:38:28 UTC 2009
Author: bojan
Update of /cvs/pkgs/rpms/apr-util/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25043
Modified Files:
apr-util.spec
Added Files:
apr-util-1.2.12-billionlaughs.patch
apr-util-1.2.12-strmatch.patch
Log Message:
CVE-2009-0023
"billion laughs" fix of apr_xml_* interface
off by one in apr_brigade_vprintf
apr-util-1.2.12-billionlaughs.patch:
--- NEW FILE apr-util-1.2.12-billionlaughs.patch ---
--- apr/apr-util/branches/0.9.x/xml/apr_xml.c 2009/06/03 15:37:44 781436
+++ apr/apr-util/branches/0.9.x/xml/apr_xml.c 2009/06/03 15:38:19 781437
@@ -339,6 +339,25 @@
return APR_SUCCESS;
}
+#if XML_MAJOR_VERSION > 1
+/* Stop the parser if an entity declaration is hit. */
+static void entity_declaration(void *userData, const XML_Char *entityName,
+ int is_parameter_entity, const XML_Char *value,
+ int value_length, const XML_Char *base,
+ const XML_Char *systemId, const XML_Char *publicId,
+ const XML_Char *notationName)
+{
+ apr_xml_parser *parser = userData;
+
+ XML_StopParser(parser->xp, XML_FALSE);
+}
+#else
+/* A noop default_handler. */
+static void default_handler(void *userData, const XML_Char *s, int len)
+{
+}
+#endif
+
APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
{
apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
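Review bot: The comment on `entity_declaration` says the parser is stopped but not what a caller then observes, and that is the part a maintainer debugging a rejected document needs. Passing `XML_FALSE` makes the stop non-resumable, so the pending parse call fails with expat's aborted error rather than a well-formedness error. Every document that declares an entity is rejected, including ones whose entities are harmless. I would extend the comment to `/* Stop the parser if an entity declaration is hit. The stop is non-resumable (XML_FALSE): the current parse call fails and any document declaring an entity is rejected. */`. The return value of `XML_StopParser` is also ignored here; a `(void)` cast would make that deliberate. `apr_xml_parser_create` begins at the end of this hunk and its body continues outside it.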
@@ -364,6 +383,19 @@
XML_SetElementHandler(parser->xp, start_handler, end_handler);
XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+ /* Prevent the "billion laughs" attack against expat by disabling
+ * internal entity expansion. With 2.x, forcibly stop the parser
+ * if an entity is declared - this is safer and a more obvious
+ * failure mode. With older versions, installing a noop
+ * DefaultHandler means that internal entities will be expanded as
+ * the empty string, which is also sufficient to prevent the
+ * attack. */
+#if XML_MAJOR_VERSION > 1
+ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
+#else
+ XML_SetDefaultHandler(parser->xp, default_handler);
+#endif
+
return parser;
}
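Review bot: The `#else` branch relies on a side effect of `XML_SetDefaultHandler`, and nothing visible in this hunk backs the comment's claim that it is "sufficient to prevent the attack". Before relying on it for expat 1.x builds, confirm that it also holds for entity references inside attribute values, which expat may expand without consulting the default handler. The choice between the two mitigations is made by `XML_MAJOR_VERSION` at compile time, so which protection a package gets depends on the expat headers it was built against; the comment could say so, e.g. `/* NOTE: selected at build time from the expat headers. */`. A regression test that feeds a document with a nested entity declaration through `apr_xml_parser_feed` under both configurations would pin the intended failure mode. The start of `apr_xml_parser_create` lies outside this hunk.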
apr-util-1.2.12-strmatch.patch:
--- NEW FILE apr-util-1.2.12-strmatch.patch ---
--- apr/apr-util/branches/1.3.x/strmatch/apr_strmatch.c 2009/05/29 07:48:33 779879
+++ apr/apr-util/branches/1.3.x/strmatch/apr_strmatch.c 2009/05/29 07:48:45 779880
@@ -103,13 +103,13 @@
if (case_sensitive) {
pattern->compare = match_boyer_moore_horspool;
for (i = 0; i < pattern->length - 1; i++) {
- shift[(int)s[i]] = pattern->length - i - 1;
+ shift[(unsigned char)s[i]] = pattern->length - i - 1;
}
}
else {
pattern->compare = match_boyer_moore_horspool_nocase;
for (i = 0; i < pattern->length - 1; i++) {
- shift[apr_tolower(s[i])] = pattern->length - i - 1;
+ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
}
}
pattern->context = shift;
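Review bot: Both changed lines lack a comment explaining why the index is cast, and the cast is the whole fix: where plain `char` is signed, a byte of 0x80 or above gives a negative index and the store lands before `shift[]`. I would add `/* index as unsigned char: plain char may be signed, and a negative index writes outside shift[] */` above the first loop. The declaration of `shift` and the lookups in `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` are outside this hunk, so check that the table has an entry for every `unsigned char` value and that the readers index it with the same conversion. A test that precompiles a pattern containing high-bit bytes would keep this from regressing.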
Index: apr-util.spec
===================================================================
RCS file: /cvs/pkgs/rpms/apr-util/F-9/apr-util.spec,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -p -r1.49 -r1.50
--- apr-util.spec 11 Jun 2008 15:52:00 -0000 1.49
+++ apr-util.spec 8 Jun 2009 07:37:57 -0000 1.50
@@ -4,7 +4,7 @@
Summary: Apache Portable Runtime Utility library
Name: apr-util
Version: 1.2.12
-Release: 5%{?dist}.1
+Release: 6%{?dist}
License: ASL 2.0
Group: System Environment/Libraries
URL: http://apr.apache.org/
@@ -12,6 +12,9 @@ Source0: http://www.apache.org/dist/apr/
Patch0: apr-util-1.2.2-exports.patch
Patch2: apr-util-1.2.7-pkgconf.patch
Patch3: apr-util-1.2.8-dbddso.patch
+Patch4: apr-util-1.2.12-billionlaughs.patch
+Patch5: apr-util-1.2.12-strmatch.patch
+Patch6: apr-util-1.2.12-brigadevprintf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
BuildRequires: autoconf, apr-devel >= 1.2.0
BuildRequires: openldap-devel, db4-devel, expat-devel, e2fsprogs-devel
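Review bot: `Patch6: apr-util-1.2.12-brigadevprintf.patch` is declared here and applied by `%patch6 -p4 -b .brigadevprintf` in the next hunk, but the commit's "Added Files" list contains only the billionlaughs and strmatch patches. Unless the brigadevprintf patch was added to the directory separately, the `%prep` stage will fail on the missing source. If it did build without it, the "off by one in apr_brigade_vprintf" fix named in the log message and changelog would not actually be shipped. Confirm the file is checked in alongside this spec revision.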
@@ -68,6 +71,9 @@ This package provides the SQLite driver
%patch0 -p1 -b .exports
%patch2 -p1 -b .pkgconf
%patch3 -p1 -b .dbddso
+%patch4 -p4 -b .billionlaughs
+%patch5 -p4 -b .strmatch
+%patch6 -p4 -b .brigadevprintf
%build
autoheader && autoconf
@@ -144,6 +150,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/pkgconfig/*.pc
%changelog
+* Mon Jun 8 2009 Bojan Smojver <bojan at rexursive.com> - 1.2.12-6
+- CVE-2009-0023
+- "billion laughs" fix of apr_xml_* interface
+- off by one in apr_brigade_vprintf
+
* Wed Jun 11 2008 Dennis Gilmore <dennis at ausil.us> - 1.2.12-5.1
- minor rebuild on sparc