[pkgsrc/trunk]: pkgsrc/www/apache24 apache24: fix "Optionsbleed" security bug

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/ad0ea3a5df34
branches:  trunk
changeset: 368835:ad0ea3a5df34
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Mon Sep 18 13:24:05 2017 +0000

description:
apache24: fix "Optionsbleed" security bug

See https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Bump PKGREVISION.

diffstat:

 www/apache24/Makefile                    |   4 ++--
 www/apache24/distinfo                    |   3 ++-
 www/apache24/patches/patch-server_core.c |  20 ++++++++++++++++++++
 3 files changed, 24 insertions(+), 3 deletions(-)

diffs (56 lines):

diff -r 915bd703fb89 -r ad0ea3a5df34 www/apache24/Makefile
--- a/www/apache24/Makefile     Mon Sep 18 13:11:09 2017 +0000
+++ b/www/apache24/Makefile     Mon Sep 18 13:24:05 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.60 2017/08/24 20:03:41 adam Exp $
+# $NetBSD: Makefile,v 1.61 2017/09/18 13:24:05 wiz Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,7 +7,7 @@
 
 DISTNAME=      httpd-2.4.27
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/}
 MASTER_SITES+= http://archive.apache.org/dist/httpd/
diff -r 915bd703fb89 -r ad0ea3a5df34 www/apache24/distinfo
--- a/www/apache24/distinfo     Mon Sep 18 13:11:09 2017 +0000
+++ b/www/apache24/distinfo     Mon Sep 18 13:24:05 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2017/07/12 07:01:34 adam Exp $
+$NetBSD: distinfo,v 1.31 2017/09/18 13:24:05 wiz Exp $
 
 SHA1 (httpd-2.4.27.tar.bz2) = 699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc
 RMD160 (httpd-2.4.27.tar.bz2) = 46f601f58de77eb11fa4c7ea35fa0858d2f4d289
@@ -15,3 +15,4 @@
 SHA1 (patch-am) = acdf7198ae8b4353cfc70c8015a0f09de036b777
 SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
 SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
+SHA1 (patch-server_core.c) = 9f32577f350553b40848bef6af5e9db1d40af3d8
diff -r 915bd703fb89 -r ad0ea3a5df34 www/apache24/patches/patch-server_core.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache24/patches/patch-server_core.c  Mon Sep 18 13:24:05 2017 +0000
@@ -0,0 +1,20 @@
+$NetBSD: patch-server_core.c,v 1.1 2017/09/18 13:24:05 wiz Exp $
+
+Fix security problem using upstream patch.
+://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
+
+--- server/core.c.orig 2016-12-05 14:34:29.000000000 +0000
++++ server/core.c
+@@ -2262,6 +2262,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_
+             /* method has not been registered yet, but resource restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }