[pkgsrc/trunk]: pkgsrc/www/apache24 Add patch for CVE-2016-8740.

[taca <taca%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/53d8c64170de
branches:  trunk
changeset: 355745:53d8c64170de
user:      taca <taca%pkgsrc.org@localhost>
date:      Sun Dec 11 23:52:55 2016 +0000

description:
Add patch for CVE-2016-8740.

Bump PKGREVISION.

diffstat:

 www/apache24/Makefile                           |   4 +-
 www/apache24/distinfo                           |   3 +-
 www/apache24/patches/patch-CVE-2016-8740-2.4.23 |  36 +++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 3 deletions(-)

diffs (73 lines):

diff -r 3394ca91a6a3 -r 53d8c64170de www/apache24/Makefile
--- a/www/apache24/Makefile     Sun Dec 11 21:34:39 2016 +0000
+++ b/www/apache24/Makefile     Sun Dec 11 23:52:55 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.49 2016/10/07 18:26:12 adam Exp $
+# $NetBSD: Makefile,v 1.50 2016/12/11 23:52:55 taca Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
@@ -7,7 +7,7 @@
 
 DISTNAME=      httpd-2.4.23
 PKGNAME=       ${DISTNAME:S/httpd/apache/}
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_APACHE:=httpd/} \
                http://archive.apache.org/dist/httpd/ \
diff -r 3394ca91a6a3 -r 53d8c64170de www/apache24/distinfo
--- a/www/apache24/distinfo     Sun Dec 11 21:34:39 2016 +0000
+++ b/www/apache24/distinfo     Sun Dec 11 23:52:55 2016 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.26 2016/07/29 11:11:24 wiz Exp $
+$NetBSD: distinfo,v 1.27 2016/12/11 23:52:55 taca Exp $
 
 SHA1 (httpd-2.4.23.tar.bz2) = 5101be34ac4a509b245adb70a56690a84fcc4e7f
 RMD160 (httpd-2.4.23.tar.bz2) = 01a485281ededaaf932c9478ad078879a63254bc
 SHA512 (httpd-2.4.23.tar.bz2) = c520de5be748c0a785ef0dc77102749eb4f47e224968b8d4bed2ae644faa0964623a0e960b64486a0888446790d050b52a6ae34fe61717fab95b37384b4825b1
 Size (httpd-2.4.23.tar.bz2) = 6351875 bytes
+SHA1 (patch-CVE-2016-8740-2.4.23) = 286afd11a07f4bb1acb0ca9b89086c79930ca562
 SHA1 (patch-aa) = 2d92b1340aaae40289421f164346348c6d7fe839
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d
diff -r 3394ca91a6a3 -r 53d8c64170de www/apache24/patches/patch-CVE-2016-8740-2.4.23
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache24/patches/patch-CVE-2016-8740-2.4.23   Sun Dec 11 23:52:55 2016 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-CVE-2016-8740-2.4.23,v 1.1 2016/12/11 23:52:55 taca Exp $
+
+Patch for CVE-2016-8740.
+
+--- modules/http2/h2_stream.c.orig     2016-06-09 10:38:10.000000000 +0000
++++ modules/http2/h2_stream.c
+@@ -322,18 +322,18 @@ apr_status_t h2_stream_add_header(h2_str
+                                            HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
+             }
+         }
+-    }
+-    
+-    if (h2_stream_is_scheduled(stream)) {
+-        return h2_request_add_trailer(stream->request, stream->pool,
+-                                      name, nlen, value, vlen);
+-    }
+-    else {
+-        if (!input_open(stream)) {
+-            return APR_ECONNRESET;
++        
++        if (h2_stream_is_scheduled(stream)) {
++            return h2_request_add_trailer(stream->request, stream->pool,
++                                          name, nlen, value, vlen);
++        }
++        else {
++            if (!input_open(stream)) {
++                return APR_ECONNRESET;
++            }
++            return h2_request_add_header(stream->request, stream->pool,
++                                         name, nlen, value, vlen);
+         }
+-        return h2_request_add_header(stream->request, stream->pool,
+-                                     name, nlen, value, vlen);
+     }
+ }
+