

[pkgsrc/trunk]: pkgsrc/www/apache2 Add patch from apache's CVS to fix SSL_Uti...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c90ec2e56782
branches:  trunk
changeset: 476229:c90ec2e56782
user:      taca <taca%pkgsrc.org@localhost>
date:      Sat Jun 05 16:21:44 2004 +0000

description:
Add patch from apache's CVS to fix the SSL_Util_UUEncode_Binary stack buffer
overflow vulnerability.

        http://www.securityfocus.com/bid/10355

Bump package revision.

diffstat:

 www/apache2/Makefile         |   4 ++--
 www/apache2/distinfo         |   3 ++-
 www/apache2/patches/patch-as |  35 +++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 3 deletions(-)

diffs (66 lines):

diff -r 1c73d8b55a43 -r c90ec2e56782 www/apache2/Makefile
--- a/www/apache2/Makefile      Sat Jun 05 14:09:42 2004 +0000
+++ b/www/apache2/Makefile      Sat Jun 05 16:21:44 2004 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.35 2004/03/26 02:27:56 wiz Exp $
+# $NetBSD: Makefile,v 1.36 2004/06/05 16:21:44 taca Exp $
 
 PKGNAME=               apache-${APACHE_VERSION}
-PKGREVISION=           1
+PKGREVISION=           2
 CATEGORIES=            www
 
 HOMEPAGE=              http://httpd.apache.org/
diff -r 1c73d8b55a43 -r c90ec2e56782 www/apache2/distinfo
--- a/www/apache2/distinfo      Sat Jun 05 14:09:42 2004 +0000
+++ b/www/apache2/distinfo      Sat Jun 05 16:21:44 2004 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2004/03/22 19:50:16 reed Exp $
+$NetBSD: distinfo,v 1.25 2004/06/05 16:21:44 taca Exp $
 
 SHA1 (httpd-2.0.49.tar.gz) = 7fe1f9bc835b91d5e55aa39a792b0050a634485b
 Size (httpd-2.0.49.tar.gz) = 5919279 bytes
@@ -10,3 +10,4 @@
 SHA1 (patch-al) = 29cc52616c50b7ec998339cca386112a8f1611cc
 SHA1 (patch-am) = ff60a7b69ad949363ebec194141e9b95cb796426
 SHA1 (patch-ar) = de5f57dd0757b7fdc1039c00f6e18de72007f5d8
+SHA1 (patch-as) = 9cdb5eaa3d49728c4139ecf7a628772328bc8a55
diff -r 1c73d8b55a43 -r c90ec2e56782 www/apache2/patches/patch-as
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache2/patches/patch-as      Sat Jun 05 16:21:44 2004 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-as,v 1.1 2004/06/05 16:21:44 taca Exp $
+
+--- modules/ssl/ssl_engine_kernel.c.orig       2004-02-10 05:53:20.000000000 +0900
++++ modules/ssl/ssl_engine_kernel.c
+@@ -793,7 +793,6 @@ int ssl_hook_UserCheck(request_rec *r)
+     SSLConnRec *sslconn = myConnConfig(r->connection);
+     SSLSrvConfigRec *sc = mySrvConfig(r->server);
+     SSLDirConfigRec *dc = myDirConfig(r);
+-    char buf1[MAX_STRING_LEN], buf2[MAX_STRING_LEN];
+     char *clientdn;
+     const char *auth_line, *username, *password;
+ 
+@@ -872,14 +871,16 @@ int ssl_hook_UserCheck(request_rec *r)
+      * adding the string "xxj31ZMTZzkVA" as the password in the user file.
+      * This is just the crypted variant of the word "password" ;-)
+      */
+-    apr_snprintf(buf1, sizeof(buf1), "%s:password", clientdn);
+-    ssl_util_uuencode(buf2, buf1, FALSE);
+-
+-    apr_snprintf(buf1, sizeof(buf1), "Basic %s", buf2);
+-    apr_table_set(r->headers_in, "Authorization", buf1);
++    auth_line = apr_pstrcat(r->pool, "Basic ", 
++                          ap_pbase64encode(r->pool, 
++                                           apr_pstrcat(r->pool, clientdn, 
++                                                       ":password", NULL)),
++                            NULL);
++    apr_table_set(r->headers_in, "Authorization", auth_line);
+ 
+     ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
+-                 "Faking HTTP Basic Auth header: \"Authorization: %s\"", buf1);
++               "Faking HTTP Basic Auth header: \"Authorization: %s\"",
++               auth_line);
+ 
+     return DECLINED;
+ }
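Review bot: The new apr_pstrcat/ap_pbase64encode call carries trailing whitespace on the three comma-terminated continuation lines (after `"Basic ", `, `ap_pbase64encode(r->pool, ` and `clientdn, `) and its continuation indent does not line up with the ap_log_error arguments just below; since patch-as is pinned by SHA1 in distinfo, trim it now rather than on the next regeneration. On substance the change is right: the two MAX_STRING_LEN stack buffers that a long client DN could overflow are gone and the header is built in r->pool at whatever length the DN needs, so no bound is required here. The hunk only replaces this one caller, so it is worth confirming that no other caller of ssl_util_uuencode / ssl_util_uuencode_binary remains in modules/ssl, otherwise the overflow is only fixed for FakeBasicAuth. The faked header is still logged in full at APLOG_INFO; presumably ap_log_error truncates to its own fixed buffer, but since clientdn comes from the presented certificate it is worth a quick check. ssl_hook_UserCheck begins before this hunk, so the earlier part of the function is not visible here.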


