Index: trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch =================================================================== --- trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch (revision 2154) +++ (revision ) @@ -1,32 +1,0 @@ ---- httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:42:04 1227279 -+++ httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:45:22 1227280 -@@ -82,6 +82,8 @@ - #define IS_SLASH(s) (s == '/') - #endif - -+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ -+#define UTIL_SIZE_MAX (~((apr_size_t)0)) - - /* - * Examine a field value (such as a media-/content-type) string and return -@@ -366,7 +368,7 @@ - char *dest, *dst; - char c; - size_t no; -- int len; -+ apr_size_t len; - - if (!source) - return NULL; -@@ -391,6 +393,11 @@ - len++; - } - else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { -+ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { -+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, -+ "integer overflow or out of memory condition." ); -+ return NULL; -+ } - len += pmatch[no].rm_eo - pmatch[no].rm_so; - } - Index: trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch =================================================================== --- trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch (revision 2154) +++ (revision ) @@ -1,29 +1,0 @@ ---- httpd/httpd/branches/2.2.x/server/scoreboard.c 2012/01/13 13:27:19 1231057 -+++ httpd/httpd/branches/2.2.x/server/scoreboard.c 2012/01/13 13:27:46 1231058 -@@ -42,6 +42,8 @@ - AP_DECLARE_DATA int ap_extended_status = 0; - AP_DECLARE_DATA int ap_mod_status_reqtail = 0; - -+static ap_scoreboard_e scoreboard_type; -+ - #if APR_HAS_SHARED_MEMORY - - #include "apr_shm.h" -@@ -250,7 +252,7 @@ - if (ap_scoreboard_image == NULL) { - return APR_SUCCESS; - } -- if (ap_scoreboard_image->global->sb_type == SB_SHARED) { -+ if (scoreboard_type == SB_SHARED) { - ap_cleanup_shared_mem(NULL); - } - else { -@@ -312,7 +314,7 @@ - ap_init_scoreboard(sb_mem); - } - -- ap_scoreboard_image->global->sb_type = sb_type; -+ ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type; - ap_scoreboard_image->global->running_generation = 0; - ap_scoreboard_image->global->restart_time = apr_time_now(); - Index: trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch =================================================================== --- trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch (revision 2154) +++ (revision ) @@ -1,84 +1,0 @@ ---- httpd/httpd/branches/2.2.x/server/protocol.c 2012/01/24 19:59:57 1235453 -+++ httpd/httpd/branches/2.2.x/server/protocol.c 2012/01/24 20:02:19 1235454 -@@ -670,6 +670,16 @@ - return 1; - } - -+/* get the length of the field name for logging, but no more than 80 bytes */ -+#define LOG_NAME_MAX_LEN 80 -+static int field_name_len(const char *field) -+{ -+ const char *end = ap_strchr_c(field, ':'); -+ if (end == NULL || end - field > LOG_NAME_MAX_LEN) -+ return LOG_NAME_MAX_LEN; -+ return end - field; -+} -+ - AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) - { - char *last_field = NULL; -@@ -709,12 +719,15 @@ - /* insure ap_escape_html will terminate correctly */ - field[len - 1] = '\0'; - apr_table_setn(r->notes, "error-notes", -- apr_pstrcat(r->pool, -+ apr_psprintf(r->pool, - "Size of a request header field " - "exceeds server limit.
\n" -- "
\n",
--                                           ap_escape_html(r->pool, field),
--                                           "
\n", NULL)); -+ "
\n%.*s\n
/n", -+ field_name_len(field), -+ ap_escape_html(r->pool, field))); -+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, -+ "Request header exceeds LimitRequestFieldSize: " -+ "%.*s", field_name_len(field), field); - } - return; - } -@@ -735,13 +748,17 @@ - * overflow (last_field) as the field with the problem - */ - apr_table_setn(r->notes, "error-notes", -- apr_pstrcat(r->pool, -+ apr_psprintf(r->pool, - "Size of a request header field " - "after folding " - "exceeds server limit.
\n" -- "
\n",
--                                               ap_escape_html(r->pool, last_field),
--                                               "
\n", NULL)); -+ "
\n%.*s\n
\n", -+ field_name_len(last_field), -+ ap_escape_html(r->pool, last_field))); -+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, -+ "Request header exceeds LimitRequestFieldSize " -+ "after folding: %.*s", -+ field_name_len(last_field), last_field); - return; - } - -@@ -773,13 +790,18 @@ - if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ - r->status = HTTP_BAD_REQUEST; /* abort bad request */ - apr_table_setn(r->notes, "error-notes", -- apr_pstrcat(r->pool, -+ apr_psprintf(r->pool, - "Request header field is " - "missing ':' separator.
\n" -- "
\n",
-+                                               "
\n%.*s
\n",
-+                                               (int)LOG_NAME_MAX_LEN,
-                                                ap_escape_html(r->pool,
--                                                              last_field),
--                                               "
\n", NULL)); -+ last_field))); -+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, -+ "Request header field is missing ':' " -+ "separator: %.*s", (int)LOG_NAME_MAX_LEN, -+ last_field); -+ - return; - } -