diff --git a/apr-util-1.2.12-billionlaughs.patch b/apr-util-1.2.12-billionlaughs.patch
new file mode 100644
index 0000000..a1affaa
--- /dev/null
+++ b/apr-util-1.2.12-billionlaughs.patch
@@ -0,0 +1,48 @@
+--- apr/apr-util/branches/0.9.x/xml/apr_xml.c 2009/06/03 15:37:44 781436
++++ apr/apr-util/branches/0.9.x/xml/apr_xml.c 2009/06/03 15:38:19 781437
+@@ -339,6 +339,25 @@
+ return APR_SUCCESS;
+ }
+ 
++#if XML_MAJOR_VERSION > 1
++/* Stop the parser if an entity declaration is hit. */
++static void entity_declaration(void *userData, const XML_Char *entityName,
++ int is_parameter_entity, const XML_Char *value,
++ int value_length, const XML_Char *base,
++ const XML_Char *systemId, const XML_Char *publicId,
++ const XML_Char *notationName)
++{
++ apr_xml_parser *parser = userData;
++
++ XML_StopParser(parser->xp, XML_FALSE);
++}
++#else
++/* A noop default_handler. */
++static void default_handler(void *userData, const XML_Char *s, int len)
++{
++}
++#endif
++
+ APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)
+ {
+ apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));
+@@ -364,6 +383,19 @@
+ XML_SetElementHandler(parser->xp, start_handler, end_handler);
+ XML_SetCharacterDataHandler(parser->xp, cdata_handler);
+ 
++ /* Prevent the "billion laughs" attack against expat by disabling
++ * internal entity expansion. With 2.x, forcibly stop the parser
++ * if an entity is declared - this is safer and a more obvious
++ * failure mode. With older versions, installing a noop
++ * DefaultHandler means that internal entities will be expanded as
++ * the empty string, which is also sufficient to prevent the
++ * attack. */
++#if XML_MAJOR_VERSION > 1
++ XML_SetEntityDeclHandler(parser->xp, entity_declaration);
++#else
++ XML_SetDefaultHandler(parser->xp, default_handler);
++#endif
++
+ return parser;
+ }
+ 
diff --git a/apr-util-1.2.12-strmatch.patch b/apr-util-1.2.12-strmatch.patch
new file mode 100644
index 0000000..2c11269
--- /dev/null
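Review bot: The two `#if XML_MAJOR_VERSION > 1` branches give callers different outcomes for the same document and neither is documented on `apr_xml_parser_create`: with expat 2.x `entity_declaration` aborts the parse on any entity declaration (internal, external or parameter, as the handler signature shows — the comment names only the "billion laughs" case, though rejecting all of them is the right call), while with older expat `default_handler` lets the document parse with internal entity references quietly expanded to nothing. Suggest a comment on the public declaration of `apr_xml_parser_create` stating that documents containing an entity declaration fail to parse (expat 2.x) or have internal entity references dropped (older expat), so callers do not rely on entity support. Whether the abort is reported as a parse error depends on how `apr_xml_parser_feed` treats the `XML_Parse` return after `XML_StopParser(parser->xp, XML_FALSE)`, which is outside this hunk; worth confirming that `XML_ERROR_ABORTED` is surfaced rather than treated as a partial parse. The body of `apr_xml_parser_create` between the two inner hunks is not shown.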
+++ b/apr-util-1.2.12-strmatch.patch
@@ -0,0 +1,18 @@
+--- apr/apr-util/branches/1.3.x/strmatch/apr_strmatch.c 2009/05/29 07:48:33 779879
++++ apr/apr-util/branches/1.3.x/strmatch/apr_strmatch.c 2009/05/29 07:48:45 779880
+@@ -103,13 +103,13 @@
+ if (case_sensitive) {
+ pattern->compare = match_boyer_moore_horspool;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[(int)s[i]] = pattern->length - i - 1;
++ shift[(unsigned char)s[i]] = pattern->length - i - 1;
+ }
+ }
+ else {
+ pattern->compare = match_boyer_moore_horspool_nocase;
+ for (i = 0; i < pattern->length - 1; i++) {
+- shift[apr_tolower(s[i])] = pattern->length - i - 1;
++ shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;
+ }
+ }
+ pattern->context = shift;
diff --git a/apr-util.spec b/apr-util.spec
index 3233766..39142e5 100644
--- a/apr-util.spec
+++ b/apr-util.spec
@@ -4,7 +4,7 @@ Summary: Apache Portable Runtime Utility library Name: apr-util Version: 1.2.12 -Release: 5%{?dist}.1 +Release: 6%{?dist} License: ASL 2.0 Group: System Environment/Libraries URL: http://apr.apache.org/
@@ -12,6 +12,9 @@ Source0: http://www.apache.org/dist/apr/%{name}-%{version}.tar.bz2 Patch0: apr-util-1.2.2-exports.patch Patch2: apr-util-1.2.7-pkgconf.patch Patch3: apr-util-1.2.8-dbddso.patch +Patch4: apr-util-1.2.12-billionlaughs.patch +Patch5: apr-util-1.2.12-strmatch.patch +Patch6: apr-util-1.2.12-brigadevprintf.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot BuildRequires: autoconf, apr-devel >= 1.2.0 BuildRequires: openldap-devel, db4-devel, expat-devel, e2fsprogs-devel
@@ -68,6 +71,9 @@ This package provides the SQLite driver for the apr-util DBD %patch0 -p1 -b .exports %patch2 -p1 -b .pkgconf %patch3 -p1 -b .dbddso +%patch4 -p4 -b .billionlaughs +%patch5 -p4 -b .strmatch +%patch6 -p4 -b .brigadevprintf %build autoheader && autoconf
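Review bot: The `(unsigned char)` casts fix the population of `shift` in this hunk, but the lookup side in `match_boyer_moore_horspool` and `match_boyer_moore_horspool_nocase` lies outside the hunk and must index the table the same way, otherwise bytes >= 0x80 on platforms with signed `char` still read before the start of `shift`; please confirm those readers are already correct or covered by another change. In the nocase branch the cast wraps the result of `apr_tolower(s[i])`; if `apr_tolower` forwards its argument to a `<ctype.h>` function without its own `unsigned char` conversion, the argument needs the cast too, e.g. `shift[(unsigned char)apr_tolower((unsigned char)s[i])] = pattern->length - i - 1;`. The enclosing function begins before the hunk, so the declarations of `i`, `s` and `shift` are not visible here.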
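Review bot: `Patch6: apr-util-1.2.12-brigadevprintf.patch` is declared here and applied by `%patch6 -p4 -b .brigadevprintf` in the `@@ -68,6 +71,9 @@` hunk, yet this diff adds only the billionlaughs and strmatch patch files; unless brigadevprintf.patch is already in the tree or arrives in a separate commit, `%prep` fails on the missing source. The three new patches all use `-p4`, which matches the `apr/apr-util/branches/…/…/file.c` paths visible in the two included patches but cannot be checked for the sixth; also note those two carry `branches/0.9.x` and `branches/1.3.x` paths while the package is 1.2.12, so a build log should be checked for offset or fuzz when they apply.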
@@ -144,6 +150,11 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/*.pc %changelog +* Mon Jun 8 2009 Bojan Smojver - 1.2.12-6 +- CVE-2009-0023 +- "billion laughs" fix of apr_xml_* interface +- off by one in apr_brigade_vprintf + * Wed Jun 11 2008 Dennis Gilmore - 1.2.12-5.1 - minor rebuild on sparc