pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/www/apache24 Add fix for CVE-2014-8109 taken for Apach...
details: https://anonhg.NetBSD.org/pkgsrc/rev/bce83afa0c58
branches: trunk
changeset: 645077:bce83afa0c58
user: tron <tron%pkgsrc.org@localhost>
date: Thu Jan 22 20:02:37 2015 +0000
description:
Add fix for CVE-2014-8109 taken from the Apache SVN repository.
diffstat:
www/apache24/Makefile | 4 +-
www/apache24/distinfo | 3 +-
www/apache24/patches/patch-modules_lua_mod_lua.c | 87 ++++++++++++++++++++++++
3 files changed, 91 insertions(+), 3 deletions(-)
diffs (120 lines):
diff -r 32931aa32490 -r bce83afa0c58 www/apache24/Makefile
--- a/www/apache24/Makefile Thu Jan 22 18:15:39 2015 +0000
+++ b/www/apache24/Makefile Thu Jan 22 20:02:37 2015 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.32 2014/10/19 22:27:48 alnsn Exp $
+# $NetBSD: Makefile,v 1.33 2015/01/22 20:02:37 tron Exp $
DISTNAME= httpd-2.4.10
PKGNAME= ${DISTNAME:S/httpd/apache/}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
http://archive.apache.org/dist/httpd/ \
diff -r 32931aa32490 -r bce83afa0c58 www/apache24/distinfo
--- a/www/apache24/distinfo Thu Jan 22 18:15:39 2015 +0000
+++ b/www/apache24/distinfo Thu Jan 22 20:02:37 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2014/10/08 04:27:17 taca Exp $
+$NetBSD: distinfo,v 1.17 2015/01/22 20:02:37 tron Exp $
SHA1 (httpd-2.4.10.tar.bz2) = 00f5c3f8274139bd6160eda2cf514fa9b74549e5
RMD160 (httpd-2.4.10.tar.bz2) = 254f4b9b8cc4e151aa46973311077baa0a3daad3
@@ -15,4 +15,5 @@
SHA1 (patch-aw) = 43cd64df886853ef7b75b91ed20183f329fcc9df
SHA1 (patch-include_ap__config.h) = 1d056e2d4db80ec97aaf755b6dd6aff69ed2cd96
SHA1 (patch-modules_cache_cache__util.c) = 35a41fee80fc990b0d56767db67f8e403e692e55
+SHA1 (patch-modules_lua_mod_lua.c) = d40f44ba530386d92f8830a45559223ee5518e00
SHA1 (patch-server_core__filters.c) = 331672c9a65691229518f31dcdae64382b392287
diff -r 32931aa32490 -r bce83afa0c58 www/apache24/patches/patch-modules_lua_mod_lua.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache24/patches/patch-modules_lua_mod_lua.c Thu Jan 22 20:02:37 2015 +0000
@@ -0,0 +1,87 @@
+$NetBSD: patch-modules_lua_mod_lua.c,v 1.1 2015/01/22 20:02:37 tron Exp $
+
+Fix for CVE-2014-8109 taken from here:
+
+https://svn.apache.org/viewvc?view=revision&revision=1642861
+
+--- modules/lua/mod_lua.c.orig 2014-06-22 19:16:21.000000000 +0100
++++ modules/lua/mod_lua.c 2015-01-22 19:43:32.000000000 +0000
+@@ -66,9 +66,13 @@
+ const char *file_name;
+ const char *function_name;
+ ap_lua_vm_spec *spec;
+- apr_array_header_t *args;
+ } lua_authz_provider_spec;
+
++typedef struct {
++ lua_authz_provider_spec *spec;
++ apr_array_header_t *args;
++} lua_authz_provider_func;
++
+ apr_hash_t *lua_authz_providers;
+
+ typedef struct
+@@ -1692,6 +1696,7 @@
+ {
+ const char *provider_name;
+ lua_authz_provider_spec *spec;
++ lua_authz_provider_func *func = apr_pcalloc(cmd->pool, sizeof(lua_authz_provider_func));
+
+ apr_pool_userdata_get((void**)&provider_name, AUTHZ_PROVIDER_NAME_NOTE,
+ cmd->temp_pool);
+@@ -1699,16 +1704,17 @@
+
+ spec = apr_hash_get(lua_authz_providers, provider_name, APR_HASH_KEY_STRING);
+ ap_assert(spec != NULL);
++ func->spec = spec;
+
+ if (require_line && *require_line) {
+ const char *arg;
+- spec->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
++ func->args = apr_array_make(cmd->pool, 2, sizeof(const char *));
+ while ((arg = ap_getword_conf(cmd->pool, &require_line)) && *arg) {
+- APR_ARRAY_PUSH(spec->args, const char *) = arg;
++ APR_ARRAY_PUSH(func->args, const char *) = arg;
+ }
+ }
+
+- *parsed_require_line = spec;
++ *parsed_require_line = func;
+ return NULL;
+ }
+
+@@ -1722,7 +1728,8 @@
+ &lua_module);
+ const ap_lua_dir_cfg *cfg = ap_get_module_config(r->per_dir_config,
+ &lua_module);
+- const lua_authz_provider_spec *prov_spec = parsed_require_line;
++ const lua_authz_provider_func *prov_func = parsed_require_line;
++ const lua_authz_provider_spec *prov_spec = prov_func->spec;
+ int result;
+ int nargs = 0;
+
+@@ -1744,19 +1751,19 @@
+ return AUTHZ_GENERAL_ERROR;
+ }
+ ap_lua_run_lua_request(L, r);
+- if (prov_spec->args) {
++ if (prov_func->args) {
+ int i;
+- if (!lua_checkstack(L, prov_spec->args->nelts)) {
++ if (!lua_checkstack(L, prov_func->args->nelts)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02315)
+ "Error: authz provider %s: too many arguments", prov_spec->name);
+ ap_lua_release_state(L, spec, r);
+ return AUTHZ_GENERAL_ERROR;
+ }
+- for (i = 0; i < prov_spec->args->nelts; i++) {
+- const char *arg = APR_ARRAY_IDX(prov_spec->args, i, const char *);
++ for (i = 0; i < prov_func->args->nelts; i++) {
++ const char *arg = APR_ARRAY_IDX(prov_func->args, i, const char *);
+ lua_pushstring(L, arg);
+ }
+- nargs = prov_spec->args->nelts;
++ nargs = prov_func->args->nelts;
+ }
+ if (lua_pcall(L, 1 + nargs, 1, 0)) {
+ const char *err = lua_tostring(L, -1);
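Review bot: The new `lua_authz_provider_func` typedef in the mod_lua.c patch has no comment explaining why `args` was moved off `lua_authz_provider_spec`, which is the invariant the fix relies on. The spec is fetched from the `lua_authz_providers` hash by provider name, so it appears to be shared by every Require line naming that provider, and the removed `spec->args = apr_array_make(...)` replaced its argument list on each parse. I would add above the typedef: `/* Per-Require-line state: args must not be stored in the shared lua_authz_provider_spec (CVE-2014-8109). */`. The parser and checker functions changed here begin outside the visible hunks, so this is based only on the lines shown.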