diff --git a/devel/apr-util/Makefile b/devel/apr-util/Makefile
index 055a0ce728e..233790e712c 100644
--- a/devel/apr-util/Makefile
+++ b/devel/apr-util/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.24 2009/03/11 21:02:18 bernd Exp $
+# $OpenBSD: Makefile,v 1.25 2009/08/07 04:49:38 steven Exp $
 COMMENT= companion library to APR
 V= 1.2.10
 DISTNAME= apr-util-$V
-FULLPKGNAME= apr-util${MT}-$Vp3${FLAVOR_EXT:S/-mt//}
+FULLPKGNAME= apr-util${MT}-$Vp4${FLAVOR_EXT:S/-mt//}
 SHARED_LIBS += aprutil-1${MT} 2.11 # .2.11
 CATEGORIES= devel
diff --git a/devel/apr-util/patches/patch-misc_apr_rmm_c b/devel/apr-util/patches/patch-misc_apr_rmm_c
new file mode 100644
index 00000000000..128e0cb865a
--- /dev/null
+++ b/devel/apr-util/patches/patch-misc_apr_rmm_c
@@ -0,0 +1,85 @@
+$OpenBSD: patch-misc_apr_rmm_c,v 1.1 2009/08/07 04:49:38 steven Exp $
+
+SECURITY: CVE-2009-2412 (cve.mitre.org)
+Fix overflow in rmm, where size alignment was taking place.
+
+--- misc/apr_rmm.c.orig Fri Aug 5 11:43:16 2005
++++ misc/apr_rmm.c Fri Aug 7 00:08:22 2009
+@@ -306,13 +306,17 @@ APU_DECLARE(apr_status_t) apr_rmm_detach(apr_rmm_t *rm
+
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++ apr_size_t size;
+ apr_rmm_off_t this;
+
+- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ if (size < reqsize) {
++ return 0;
++ }
+
+ APR_ANYLOCK_LOCK(&rmm->lock);
+
+- this = find_block_of_size(rmm, reqsize);
++ this = find_block_of_size(rmm, size);
+
+ if (this) {
+ move_block(rmm, this, 0);
+@@ -325,18 +329,22 @@ APU_DECLARE(apr_rmm_off_t) apr_rmm_malloc(apr_rmm_t *r
+
+ APU_DECLARE(apr_rmm_off_t) apr_rmm_calloc(apr_rmm_t *rmm, apr_size_t reqsize)
+ {
++ apr_size_t size;
+ apr_rmm_off_t this;
+
+- reqsize = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ size = APR_ALIGN_DEFAULT(reqsize) + RMM_BLOCK_SIZE;
++ if (size < reqsize) {
++ return 0;
++ }
+
+ APR_ANYLOCK_LOCK(&rmm->lock);
+
+- this = find_block_of_size(rmm, reqsize);
++ this = find_block_of_size(rmm, size);
+
+ if (this) {
+ move_block(rmm, this, 0);
+ this += RMM_BLOCK_SIZE;
+- memset((char*)rmm->base + this, 0, reqsize - RMM_BLOCK_SIZE);
++ memset((char*)rmm->base + this, 0, size - RMM_BLOCK_SIZE);
+ }
+
+ APR_ANYLOCK_UNLOCK(&rmm->lock);
+@@ -349,16 +357,19 @@ APU_DECLARE(apr_rmm_off_t) apr_rmm_realloc(apr_rmm_t *
+ apr_rmm_off_t this;
+ apr_rmm_off_t old;
+ struct rmm_block_t *blk;
+- apr_size_t oldsize;
++ apr_size_t size, oldsize;
+
+ if (!entity) {
+ return apr_rmm_malloc(rmm, reqsize);
+ }
+
+- reqsize = APR_ALIGN_DEFAULT(reqsize);
++ size = APR_ALIGN_DEFAULT(reqsize);
++ if (size < reqsize) {
++ return 0;
++ }
+ old = apr_rmm_offset_get(rmm, entity);
+
+- if ((this = apr_rmm_malloc(rmm, reqsize)) == 0) {
++ if ((this = apr_rmm_malloc(rmm, size)) == 0) {
+ return 0;
+ }
+
+@@ -366,7 +377,7 @@ APU_DECLARE(apr_rmm_off_t) apr_rmm_realloc(apr_rmm_t *
+ oldsize = blk->size;
+
+ memcpy(apr_rmm_addr_get(rmm, this),
+- apr_rmm_addr_get(rmm, old), oldsize < reqsize ? oldsize : reqsize);
++ apr_rmm_addr_get(rmm, old), oldsize < size ? oldsize : size);
+ apr_rmm_free(rmm, old);
+
+ return this;
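Review bot: In apr_rmm_realloc the memcpy length is still capped by `oldsize = blk->size`, and nothing visible in the patch shows whether that field counts the RMM_BLOCK_SIZE header. apr_rmm_malloc asks find_block_of_size for the aligned size plus RMM_BLOCK_SIZE, and apr_rmm_calloc clears only `size - RMM_BLOCK_SIZE` bytes, so if blk->size is the header-inclusive block size, growing an allocation would read RMM_BLOCK_SIZE bytes past the old payload. This should be confirmed against the rmm_block_t definition and, if it holds, changed to `oldsize = blk->size - RMM_BLOCK_SIZE;`. Separately, each of the three `if (size < reqsize)` guards would benefit from a short comment such as `/* aligned size wrapped around apr_size_t */`, so the reason for returning 0 is clear. The statement that sets blk falls between the last two inner hunks and is not shown, and all three function bodies extend beyond the patch context.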