--- apr-1.2.12.orig/debian/libapr1.install
+++ apr-1.2.12/debian/libapr1.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/libapr-1.so.* usr/lib/
--- apr-1.2.12.orig/debian/ino_t_test.c
+++ apr-1.2.12/debian/ino_t_test.c
@@ -0,0 +1,22 @@
+#include
+#include
+#include "apr_file_info.h"
+
+/* this was the old definition of apr_ino_t until 1.2.11-1 */
+#if defined(__alpha__) || defined(__FreeBSD_kernel__)
+typedef unsigned int old_apr_ino_t;
+#else
+typedef unsigned long int old_apr_ino_t;
+#endif
+
+int main (void)
+{
+ size_t s0 = sizeof(apr_ino_t), s1 = sizeof(old_apr_ino_t);
+ if (s0 == s1)
+ return 0;
+ fprintf(stderr, "***\n"
+ "*** 'apr_ino_t' size is %zu, expected %zu\n"
+ "*** Please report this to the Debian Apache maintainers\n"
+ "***\n", s0, s1);
+ return 1;
+}
--- apr-1.2.12.orig/debian/rules
+++ apr-1.2.12/debian/rules
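Review bot: The size comparison in `main` of debian/ino_t_test.c is only evaluated when the program is executed, so the ABI guard depends on the build being able to run a freshly compiled binary, which does not hold when the package is cross-built. The same guarantee can be had at compile time, with no execution step, by adding `typedef char apr_ino_t_size_unchanged[sizeof(apr_ino_t) == sizeof(old_apr_ino_t) ? 1 : -1];` after the `#endif`. The check compares widths only, so a change of signedness at the same width would pass; the comment above the typedefs should say that this is intended.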
@@ -0,0 +1,125 @@
+#!/usr/bin/make -f
+
+# Turn on VERBOSE output
+#export DH_VERBOSE=1
+
+#enable dpatch
+include /usr/share/dpatch/dpatch.make
+
+# These are used for cross-compiling and for saving the configure script
+# # from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+BUILDDIR := build-$(DEB_HOST_GNU_TYPE)
+
+CFLAGS := $(CFLAGS) -pipe -Wall -g
+
+# hardening options
+H_CFLAGS := -Wformat-security -D_FORTIFY_SOURCE=2
+H_LDFLAGS := -Wl,-z,relro
+# do not enable -fstack-protector on arm and armel, see #477772, #469517
+ifeq (,$(findstring arm,$(DEB_HOST_GNU_TYPE)))
+ H_CFLAGS += -fstack-protector
+endif
+
+CONFFLAGS += ac_cv_prog_AWK=mawk apr_cv_sctp=no
+
+# apr_cv_mutex_robust_shared causes hangs in procmutex test on arm* and alpha
+ifneq (,$(findstring arm,$(DEB_BUILD_ARCH)))
+ CONFFLAGS += apr_cv_mutex_robust_shared=no
+endif
+ifneq (,$(findstring alpha,$(DEB_BUILD_ARCH)))
+ CONFFLAGS += apr_cv_mutex_robust_shared=no
+endif
+
+# Enable debug builds
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+CFLAGS += -O0
+else
+CFLAGS += -O2
+endif
+
+# avoid having to recreate configure at build time by setting
+# -D_REENTRANT manually on kfreebsd
+ifneq (,$(findstring bsd,$(DEB_HOST_GNU_TYPE)))
+ CPPFLAGS += -D_REENTRANT
+endif
+
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+ifeq (,$(findstring notest,$(DEB_BUILD_OPTIONS)))
+ TEST_TARGET = test
+else
+ TEST_TARGET =
+endif
+
+SHELL=/bin/bash
+
+$(BUILDDIR)/config.status: configure
+ dh_testdir
+ mkdir -p $(BUILDDIR)/docs
+ cd $(BUILDDIR) && CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(CONFFLAGS) ../configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --enable-layout=Debian --includedir=\$${prefix}/usr/include/apr-1.0 --with-installbuilddir=\$${prefix}/usr/share/apr-1.0/build
--enable-nonportable-atomics --with-devrandom=/dev/urandom
+ # Determine whether upstream's configure gives the same definition of apr_ino_t as we had until 1.2.11-1
+ rm -f debian/ino_t_test
+ gcc -I$(CURDIR)/include -I$(BUILDDIR)/include `$(BUILDDIR)/apr-1-config --cppflags` -o debian/ino_t_test debian/ino_t_test.c
+ debian/ino_t_test
+ rm -f debian/ino_t_test
+
+build: patch-stamp build-stamp
+
+build-stamp: $(BUILDDIR)/config.status
+ dh_testdir
+
+ $(MAKE) -C $(BUILDDIR) CFLAGS="$(H_CFLAGS)" LDFLAGS="$(H_LDFLAGS)"
+ $(MAKE) -C $(BUILDDIR) dox
+
+ touch $@
+
+clean: unpatch
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp test-stamp debian/ino_t_test
+ rm -rf $(BUILDDIR)
+
+ dh_clean
+
+test: test-stamp
+
+test-stamp: build
+ dh_testdir
+ $(MAKE) -C $(BUILDDIR) check CFLAGS="$(H_CFLAGS)" LDFLAGS="$(H_LDFLAGS)"
+ touch $@
+
+install: build $(TEST_TARGET)
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs -a
+
+ $(MAKE) -C $(BUILDDIR) install DESTDIR=$(CURDIR)/debian/tmp
+
+binary-indep: build install
+
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs CHANGES
+ dh_installdocs
+ dh_install -a
+ dh_installman -plibapr1-dev debian/apr-1-config.1
+ dh_link
+ dh_strip --dbg-package=libapr1-dbg
+ dh_compress
+ dh_fixperms
+ dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- apr-1.2.12.orig/debian/apr-1-config.1
+++ apr-1.2.12/debian/apr-1-config.1
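Review bot: The two `apr_cv_mutex_robust_shared=no` conditionals in debian/rules test `$(DEB_BUILD_ARCH)`, which this file never assigns (only `DEB_HOST_GNU_TYPE` and `DEB_BUILD_GNU_TYPE` are taken from dpkg-architecture), so unless the caller exports it both `findstring` calls see an empty string and the workaround is silently skipped. It also names the build machine rather than the host, while the `-fstack-protector` guard a few lines above keys on the host triplet. I would write `ifneq (,$(findstring arm,$(DEB_HOST_GNU_TYPE)))` and the same for `alpha`, or define the variable explicitly with `DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)` and test that.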
@@ -0,0 +1,92 @@
+.TH APR-1-CONFIG "1" "March 2006" "apr-1-config 1.2.2" "User Commands"
+.SH NAME
+apr-1-config \- Return metainformation about apr library
+.SH SYNOPSIS
+.B apr-1-config
+[\fIOPTION\fR]
+.SH DESCRIPTION
+The
+.I apr-1-config
+program is used to retrieve information about the
+.I apr
+library in the system. It is typically used to compile
+and link against the library.
+.PP
+When linking with libtool, an application should do something like:
+.IP
+APR_LIBS="`apr\-1\-config \fB\-\-link\-libtool\fR \fB\-\-libs\fR`"
+.PP
+or when linking directly:
+.IP
+APR_LIBS="`apr\-1\-config \fB\-\-link\-ld\fR \fB\-\-libs\fR`"
+.PP
+An application should use the results of \fB\-\-cflags\fR, \fB\-\-cppflags\fR, \fB\-\-includes\fR,
+and \fB\-\-ldflags\fR in their build process.
+.SH OPTIONS
+Known values for OPTION are:
+.TP
+\fB\-\-prefix\fR[=\fIDIR\fR]
+change prefix to DIR
+.TP
+\fB\-\-bindir\fR
+print location where binaries are installed
+.TP
+\fB\-\-includedir\fR
+print location where headers are installed
+.TP
+\fB\-\-cc\fR
+print C compiler name
+.TP
+\fB\-\-cpp\fR
+print C preprocessor name and any required options
+.TP
+\fB\-\-cflags\fR
+print C compiler flags
+.TP
+\fB\-\-cppflags\fR
+print C preprocessor flags
+.TP
+\fB\-\-includes\fR
+print include information
+.TP
+\fB\-\-ldflags\fR
+print linker flags
+.TP
+\fB\-\-libs\fR
+print additional libraries to link against
+.TP
+\fB\-\-srcdir\fR
+print APR source directory
+.HP
+\fB\-\-installbuilddir\fR print APR build helper directory
+.TP
+\fB\-\-link\-ld\fR
+print link switch(es) for linking to APR
+.TP
+\fB\-\-link\-libtool\fR
+print the libtool inputs for linking to APR
+.TP
+\fB\-\-shlib\-path\-var\fR
+print the name of the shared library path env var
+.TP
+\fB\-\-apr\-la\-file\fR
+print the path to the .la file, if available
+.TP
+\fB\-\-apr\-so\-ext\fR
+print the extensions of shared objects on this platform
+.TP
+\fB\-\-apr\-lib\-target\fR
+print the libtool target information
+.TP
+\fB\-\-apr\-libtool\fR
+print the path to APR's libtool
+.TP
+\fB\-\-version\fR
+print the APR's version as a dotted triple
+.TP
+\fB\-\-help\fR
+print the help
+.SH AUTHOR
+This manual page was written by Vincent Danjean
+ for the Debian project (but may be used
+by others).
--- apr-1.2.12.orig/debian/compat
+++ apr-1.2.12/debian/compat
@@ -0,0 +1 @@
+5
--- apr-1.2.12.orig/debian/copyright
+++ apr-1.2.12/debian/copyright
@@ -0,0 +1,141 @@
+This package was debianized by Thom May on
+Wed, 17 Nov 2004 11:27:14 -0800
+
+It was downloaded from http://httpd.apache.org/download.cgi
+
+Upstream Authors: The Apache Software Foundation - http://apr.apache.org/
+
+Copyright:
+
+Licensed to the Apache Software Foundation (ASF) under one or more contributor
+license agreements. The ASF licenses this work to You under the Apache License,
+Version 2.0 (the "License"); you may not use this work except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+On a Debian system, the license can be found at
+/usr/share/common-licenses/Apache-2.0 .
+
+
+APACHE PORTABLE RUNTIME SUBCOMPONENTS:
+
+The Apache Portable Runtime includes a number of subcomponents with
+separate copyright notices and license terms. Your use of the source
+code for the these subcomponents is subject to the terms and
+conditions of the following licenses.
+
+From strings/apr_fnmatch.c, include/apr_fnmatch.h, misc/unix/getopt.c,
+file_io/unix/mktemp.c, strings/apr_strings.c:
+
+/*
+ * Copyright (c) 1987, 1993, 1994
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4.
Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+From network_io/unix/inet_ntop.c, network_io/unix/inet_pton.c:
+
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+
+From dso/aix/dso.c:
+
+ * Based on libdl (dlfcn.c/dlfcn.h) which is
+ * Copyright (c) 1992,1993,1995,1996,1997,1988
+ * Jens-Uwe Mager, Helios Software GmbH, Hannover, Germany.
+ *
+ * Not derived from licensed software.
+ *
+ * Permission is granted to freely use, copy, modify, and redistribute
+ * this software, provided that the author is not construed to be liable
+ * for any results of using the software, alterations are clearly marked
+ * as such, and this notice is not modified.
+
+From strings/apr_strnatcmp.c, include/apr_strings.h:
+
+ strnatcmp.c -- Perform 'natural order' comparisons of strings in C.
+ Copyright (C) 2000 by Martin Pool
+
+ This software is provided 'as-is', without any express or implied
+ warranty. In no event will the authors be held liable for any damages
+ arising from the use of this software.
+
+ Permission is granted to anyone to use this software for any purpose,
+ including commercial applications, and to alter it and redistribute it
+ freely, subject to the following restrictions:
+
+ 1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software
+ in a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ 2. Altered source versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+ 3. This notice may not be removed or altered from any source distribution.
+
+
+From test/CuTest.c, test/CuTest.h:
+
+ * Copyright (c) 2002-2006 Asim Jalis
+ *
+ * This library is released under the zlib/libpng license as described at
+ *
+ * http://www.opensource.org/licenses/zlib-license.html
+ *
+ * Here is the statement of the license:
+ *
+ * This software is provided 'as-is', without any express or implied warranty.
+ * In no event will the authors be held liable for any damages arising from
+ * the use of this software.
+ *
+ * Permission is granted to anyone to use this software for any purpose,
+ * including commercial applications, and to alter it and redistribute it
+ * freely, subject to the following restrictions:
+ *
+ * 1. The origin of this software must not be misrepresented; you must not
+ * claim that you wrote the original software. If you use this software in a
+ * product, an acknowledgment in the product documentation would be
+ * appreciated but is not required.
+ *
+ * 2. Altered source versions must be plainly marked as such, and must not be
+ * misrepresented as being the original software.
+ *
+ * 3. This notice may not be removed or altered from any source distribution.
--- apr-1.2.12.orig/debian/changelog
+++ apr-1.2.12/debian/changelog
@@ -0,0 +1,248 @@
+apr (1.2.12-5+lenny5) oldstable; urgency=low
+
+ * Disable robust pthread mutexes on alpha, arm, and armel. This fixes build
+ problems on buildds running newer Linux kernels.
+
+ -- Stefan Fritsch Mon, 16 Jan 2012 15:45:55 +0100
+
+apr (1.2.12-5+lenny4) oldstable-security; urgency=low
+
+ * Fix regression introduced by fix for CVE-2011-0419:
+ apr_fnmatch may consume 100% CPU. CVE-2011-1928
+ Closes: #627182
+
+ -- Stefan Fritsch Thu, 19 May 2011 07:51:18 +0200
+
+apr (1.2.12-5+lenny3) oldstable-security; urgency=high
+
+ * Fix DoS in apr_fnmatch (CVE-2011-0419) which can be exploited via
+ Apache HTTPD's mod_autoindex.
+
+ -- Stefan Fritsch Fri, 14 May 2011 09:46:15 +0200
+
+apr (1.2.12-5+lenny2) stable; urgency=low
+
+ * Set FD_CLOEXEC flag on file descriptors. Not doing so caused Apache httpd
+ modules which do not use the apr API for executing other processes to leak
+ file descriptors to the called processes. In some setups, this could cause
+ security issues and/or problems with Apache failing to restart. This issue
+ affected mod_php (but not mod_cgi). Closes: #366124
+
+ -- Stefan Fritsch Tue, 01 Jun 2010 23:11:19 +0200
+
+apr (1.2.12-5+lenny1) stable-security; urgency=high
+
+ * Fix CVE-2009-2412: overflow in pool allocations, where size alignment
+ was taking place.
+
+ -- Peter Samuelson Thu, 06 Aug 2009 09:22:28 -0500
+
+apr (1.2.12-5) unstable; urgency=low
+
+ * Actually switch to /dev/urandom instead of only adding a non-functional
+ patch. Closes: #501497
+
+ -- Stefan Fritsch Wed, 08 Oct 2008 00:06:56 +0200
+
+apr (1.2.12-4) unstable; urgency=medium
+
+ * Use /dev/urandom instead of /dev/random (like 1.3.* does).
+ * Update watch file to recognize 1.3.*.
+
+ -- Stefan Fritsch Wed, 18 Jun 2008 23:12:35 +0200
+
+apr (1.2.12-3) unstable; urgency=low
+
+ * Enable hardening options in a way that does not include them in
+ apr-config, which was a bad idea.
+ * Point to /usr/share/common-licenses instead of including the license in the
+ copyright file.
+
+ -- Stefan Fritsch Wed, 11 Jun 2008 19:19:52 +0200
+
+apr (1.2.12-2) unstable; urgency=high
+
+ * Urgency high for RC bug fix.
+ * Do not use -fstack-protector on arm and armel, since it is completely
+ broken (see #469517). Closes: #477772
+ * Remove unneded libtool build dependency.
+
+ -- Stefan Fritsch Wed, 30 Apr 2008 20:46:17 +0200
+
+apr (1.2.12-1) unstable; urgency=low
+
+ * New upstream version.
+ - Remove 020_lfs_ino_t.dpatch now done by upstream configure. Adjust
+ ino_t_test.c to check that this is the same definition of apr_ino_t as
+ we had before.
+ * Enable hardening options: -fstack-protector -Wformat-security
+ -D_FORTIFY_SOURCE=2 -Wl,-z,relro
+ * Disable SCTP for now, in order to get a consistent build result in unclean
+ build environments.
+ * Remove Thom May, Fabio M. Di Nitto, Daniel Stone, and Adam Conrad from the
+ uploaders field (thanks for your work).
+ * Fix some lintian warnings:
+ - Bump Standards-Version to 3.7.3 (no changes).
+ - Remove obsolete XS- from VCS tags.
+ - Remove empty /usr/share/doc/libapr1.0 directory.
+ - Provide patch description.
+ * Point VCS tags in debian control to trunk, to make them useful with
+ debcheckout.
+
+ -- Stefan Fritsch Tue, 01 Apr 2008 22:17:47 +0200
+
+apr (1.2.11-1) unstable; urgency=low
+
+ * New upstream version (Closes: #441969)
+ * Enable epoll (Closes: #441635). This means we don't support Linux 2.4
+ kernels anymore. Therefore we can also enable tcp_nodelay_with_cork.
+ * Fix generation of docs (Closes: #413684, #442794)
+ * Don't ship LaTeX source files in .deb
+ * Build with -D_REENTRANT on kfreebsd (Closes: #301417)
+ * Fix FTBFS on hurd because of missing PATH_MAX (Closes: #349418)
+ * Do not build everything twice by using the correct path to config.status
+ in debian/rules
+ * Add myself to Uploaders
+ * Add svn repository information to debian/control
+
+ -- Stefan Fritsch Thu, 20 Sep 2007 20:56:37 +0200
+
+apr (1.2.9-1) unstable; urgency=low
+
+ * Acknowledge NMUs - thanks, Andi.
+
+ [ Peter Samuelson ]
+ * New upstream version. Minor bugfixes, no new features.
+ - Update 015_sendfile_lfs.dpatch
+ - Remove obsolete 099_config_guess_sub_update.dpatch
+ * 020_lfs_ino_t.dpatch: update to support kfreebsd-amd64.
+ Thanks to Petr Salinger. (Closes: #405564)
+ * Standards-Version: 3.7.2 (from 3.6.2.2) - no changes.
+ * Rename Source-Version substvar to binary:Version, for great justice.
+ * libapr1-dev Suggests: python, in case someone wants to use the
+ application build infrastructure in /usr/share/apr-1.0/build.
+ * debian/rules: small cleanups.
+ * Add watch file.
+ * Add myself to Uploaders.
+
+ -- Peter Samuelson Fri, 22 Jun 2007 14:03:20 -0500
+
+apr (1.2.7-8.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Apply better working 015_sendfile_lfs.dpatch this time.
+ Again Closes: #396631
+
+ -- Andreas Barth Wed, 20 Dec 2006 08:19:19 +0000
+
+apr (1.2.7-8.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix 0-lenght files. Take 015_sendfile_lfs.dpatch from svn for this.
+ Closes: #396631
+
+ -- Andreas Barth Sat, 9 Dec 2006 20:39:59 +0000
+
+apr (1.2.7-8) unstable; urgency=low
+
+ [ Peter Samuelson ]
+ * Small kludge^Wtweak to apr_file_info.h to make the ABI stable across
+ LFS/non-LFS preprocessor flags.
(See: #397402)
+
+ -- Tollef Fog Heen Wed, 15 Nov 2006 00:17:02 +0100
+
+apr (1.2.7-7) unstable; urgency=low
+
+ * Update rules to ensure we don't turn on features that aren't available on
+ 2.4 kernels for !amd64 kernels. Closes: #392049
+
+ -- Tollef Fog Heen Tue, 7 Nov 2006 01:21:27 +0100
+
+apr (1.2.7-6) unstable; urgency=low
+
+ * Update 011_fix_apr-config to give out the libtool used to build apr
+ with. Fixes Apache 2.2 FTBFS when we remove all the evil libtool
+ hacks there too.
+ * Make -dbg package Priority: extra as per overrides.
+
+ -- Tollef Fog Heen Wed, 27 Sep 2006 22:16:51 +0200
+
+apr (1.2.7-5) unstable; urgency=low
+
+ * Add doxygen to build-deps.
+ * Add sendfile hurd patch. Closes: #349416
+
+ -- Tollef Fog Heen Wed, 27 Sep 2006 19:32:10 +0200
+
+apr (1.2.7-4) unstable; urgency=low
+
+ * No longer force apr_lock_method. Closes: #384117
+ * Use srcdir != builddir.
+ * Add docs to -dev package. Closes: #388146
+
+ -- Tollef Fog Heen Wed, 27 Sep 2006 17:26:56 +0200
+
+apr (1.2.7-3) unstable; urgency=low
+
+ * Fix override disparity
+ * Backport of patch to work around kernel problems with sendfile on 64bit
+ platforms
+ * Update config.{guess,sub} to make libtool happier. This fixes the
+ problem reported in #369881. Closes: #369881.
+ * Remove some of the libtool hacks since they're no longer needed with
+ the newer config.{guess,sub}
+
+ -- Tollef Fog Heen Mon, 1 May 2006 17:06:37 +0200
+
+apr (1.2.7-2) unstable; urgency=low
+
+ * Ship get-version.sh too, needed by apr-util.
+
+ -- Tollef Fog Heen Fri, 28 Apr 2006 22:57:43 +0200
+
+apr (1.2.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * Add apr-1-config man page. Closes: #357174, thanks to Vincent Danjean
+ for the conversion job.
+
+ -- Tollef Fog Heen Fri, 28 Apr 2006 19:45:08 +0000
+
+apr (1.2.2-3) unstable; urgency=low
+
+ * Rename source package to match upstream.
+ * Rename binary packages to libapr1 etc.
+ * Add conflicts for old packages.
+ * libapr1-dev Depends: uuid-dev.
+ * Add uuid-dev to Build-Dep:
+ * Enable non-portable atomics.
+ * Update Standards-Version: no changes.
+ * Add apr-config compatibility symlink.
+
+ -- Tollef Fog Heen Thu, 26 Jan 2006 12:42:30 +0100
+
+apr1.0 (1.2.2-2) unstable; urgency=low
+
+ * Up to debhelper v5
+ * Add call to dh_installdocs; not sure why I was not doing this already.
+
+ -- Thom May Tue, 3 Jan 2006 13:01:56 +0000
+
+apr1.0 (1.2.2-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Thom May Thu, 29 Dec 2005 17:05:42 +0000
+
+apr1.0 (1.1.1-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Thom May Sun, 8 May 2005 17:12:09 +0100
+
+apr1.0 (1.1.0-1) unstable; urgency=low
+
+ * New Upstream Release
+ * First Package Release
+
+ -- Thom May Wed, 17 Nov 2004 11:51:32 -0800
--- apr-1.2.12.orig/debian/libapr1.dirs
+++ apr-1.2.12/debian/libapr1.dirs
@@ -0,0 +1 @@
+usr/lib
--- apr-1.2.12.orig/debian/libapr1-dev.links
+++ apr-1.2.12/debian/libapr1-dev.links
@@ -0,0 +1,2 @@
+usr/bin/apr-1-config usr/bin/apr-config
+usr/share/man/man1/apr-1-config.1 usr/share/man/man1/apr-config.1
--- apr-1.2.12.orig/debian/control
+++ apr-1.2.12/debian/control
@@ -0,0 +1,43 @@
+Source: apr
+Section: libs
+Priority: optional
+Maintainer: Debian Apache Maintainers
+Uploaders: Tollef Fog Heen , Peter Samuelson , Stefan Fritsch
+Build-Depends: debhelper (>> 5.0.0), autoconf, autotools-dev, dpatch, mawk, uuid-dev, doxygen
+Standards-Version: 3.7.3
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apr
+Vcs-svn: svn://svn.debian.org/pkg-apache/trunk/apr
+
+Package: libapr1
+Architecture: any
+Depends: ${shlibs:Depends}
+Conflicts: libapr1.0
+Description: The Apache Portable Runtime Library
+ APR is Apache's Portable Runtime Library, designed to be a support library
+ that provides a predictable and consistent interface to underlying
+ platform-specific implementations.
+
+Package: libapr1-dev
+Architecture: any
+Section: libdevel
+Depends: libapr1 (= ${binary:Version}), uuid-dev
+Suggests: python
+Conflicts: libapr1.0-dev, libapr0-dev
+Description: The Apache Portable Runtime Library - Development Headers
+ APR is Apache's Portable Runtime Library, designed to be a support library
+ that provides a predictable and consistent interface to underlying
+ platform-specific implementations.
+ .
+ This package contains development headers for APR.
+
+Package: libapr1-dbg
+Architecture: any
+Section: libdevel
+Priority: extra
+Depends: libapr1 (= ${binary:Version})
+Description: The Apache Portable Runtime Library - Development Headers
+ APR is Apache's Portable Runtime Library, designed to be a support library
+ that provides a predictable and consistent interface to underlying
+ platform-specific implementations.
+ .
+ This package contains the debugging symbols for APR.
--- apr-1.2.12.orig/debian/libapr1-dev.dirs
+++ apr-1.2.12/debian/libapr1-dev.dirs
@@ -0,0 +1,4 @@
+usr/include/apr-1.0
+usr/lib
+usr/lib/pkgconfig
+usr/bin
--- apr-1.2.12.orig/debian/watch
+++ apr-1.2.12/debian/watch
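Review bot: The `Description:` synopsis of `libapr1-dbg` in debian/control repeats "Development Headers" from `libapr1-dev`, while its long description says the package contains the debugging symbols. The synopsis is the line shown in package listings and searches, so the two packages cannot be told apart there. Suggest `Description: The Apache Portable Runtime Library - Debugging Symbols`.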
@@ -0,0 +1,2 @@
+version=3
+http://www.eu.apache.org/dist/apr/apr-(1\..*)\.tar\.gz
--- apr-1.2.12.orig/debian/libapr1-dev.install
+++ apr-1.2.12/debian/libapr1-dev.install
@@ -0,0 +1,7 @@
+debian/tmp/usr/include/apr-1.0
+debian/tmp/usr/lib/libapr*a
+debian/tmp/usr/lib/libapr-1.so
+debian/tmp/usr/lib/pkgconfig
+debian/tmp/usr/bin
+debian/tmp/usr/share/apr-1.0/
+build-*/docs/dox/html usr/share/doc/libapr1-dev
--- apr-1.2.12.orig/debian/patches/022_hurd_path_max.dpatch
+++ apr-1.2.12/debian/patches/022_hurd_path_max.dpatch
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 022_hurd_path_max.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: #349418
+
+@DPATCH@
+diff -urNad apr-1.2.11~/include/apr.h.in apr-1.2.11/include/apr.h.in
+--- apr-1.2.11~/include/apr.h.in 2007-07-25 05:12:02.000000000 +0200
++++ apr-1.2.11/include/apr.h.in 2007-09-12 22:08:30.464437530 +0200
+@@ -389,7 +389,8 @@
+ #elif defined(_POSIX_PATH_MAX)
+ #define APR_PATH_MAX _POSIX_PATH_MAX
+ #else
+-#error no decision has been made on APR_PATH_MAX for your platform
++#warning no decision has been made on APR_PATH_MAX for your platform
++#define APR_PATH_MAX 4096
+ #endif
+
+ /** @} */
--- apr-1.2.12.orig/debian/patches/028_fnmatch_CVE-2011-0419.dpatch
+++ apr-1.2.12/debian/patches/028_fnmatch_CVE-2011-0419.dpatch
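Review bot: The URL in debian/watch fetches release tarballs over plain `http://` and the file configures no signature check, so a tarball picked up through this watch file is not authenticated against the upstream release key. If the uscan in use supports it and upstream publishes detached signatures next to the tarballs, add `opts=pgpsigurlmangle=s/$/.asc/` in front of the URL and ship the upstream key with the packaging. Otherwise the signature should be verified by hand before a new upstream version is imported, and a comment in the watch file should say so.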
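Review bot: The `#else` branch of include/apr.h.in, as patched by 022_hurd_path_max.dpatch, now defines `APR_PATH_MAX` as 4096 on a platform that, per the `#warning`, supplies no limit of its own, so a caller that sizes a fixed buffer with `APR_PATH_MAX` can be handed a longer path by the system. That is safe only if every such caller bounds its copy and treats an over-long path as an error rather than truncating it, which cannot be verified from this hunk. I would state the assumption next to the define, e.g. `/* arbitrary fallback: no system PATH_MAX here, real paths may be longer; callers must bound copies */`, and extend the `## DP:` line to say that 4096 is a chosen value, not a system limit.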
@@ -0,0 +1,762 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: merge apr_fnmatch from apr 1.4.4 to fix DoS CVE-2011-0419 +@DPATCH@ + apr_array_header_t **result, +--- a/test/testfnmatch.c 2007-11-18 01:35:57.000000000 +0100 ++++ a/test/testfnmatch.c 2011-05-03 06:39:57.000000000 +0200 +@@ -25,6 +25,114 @@ + + #define NUM_FILES (5) + ++#define APR_FNM_BITS 15 ++#define APR_FNM_FAILBIT 256 ++ ++#define FAILS_IF(X) 0, X ++#define SUCCEEDS_IF(X) X, 256 ++#define SUCCEEDS 0, 256 ++#define FAILS 256, 0 ++ ++static struct pattern_s { ++ const char *pattern; ++ const char *string; ++ int require_flags; ++ int fail_flags; ++} patterns[] = { ++ ++/* Pattern, String to Test, Flags to Match */ ++ {"", "test", FAILS}, ++ {"", "*", FAILS}, ++ {"test", "*", FAILS}, ++ {"test", "test", SUCCEEDS}, ++ ++ /* Remember C '\\' is a single backslash in pattern */ ++ {"te\\st", "test", FAILS_IF(APR_FNM_NOESCAPE)}, ++ {"te\\\\st", "te\\st", FAILS_IF(APR_FNM_NOESCAPE)}, ++ {"te\\*t", "te*t", FAILS_IF(APR_FNM_NOESCAPE)}, ++ {"te\\*t", "test", FAILS}, ++ {"te\\?t", "te?t", FAILS_IF(APR_FNM_NOESCAPE)}, ++ {"te\\?t", "test", FAILS}, ++ ++ {"tesT", "test", SUCCEEDS_IF(APR_FNM_CASE_BLIND)}, ++ {"test", "Test", SUCCEEDS_IF(APR_FNM_CASE_BLIND)}, ++ {"tEst", "teSt", SUCCEEDS_IF(APR_FNM_CASE_BLIND)}, ++ ++ {"?est", "test", SUCCEEDS}, ++ {"te?t", "test", SUCCEEDS}, ++ {"tes?", "test", SUCCEEDS}, ++ {"test?", "test", FAILS}, ++ ++ {"*", "", SUCCEEDS}, ++ {"*", "test", SUCCEEDS}, ++ {"*test", "test", SUCCEEDS}, ++ {"*est", "test", SUCCEEDS}, ++ {"*st", "test", SUCCEEDS}, ++ {"t*t", "test", SUCCEEDS}, ++ {"te*t", "test", SUCCEEDS}, ++ {"te*st", "test", SUCCEEDS}, ++ {"te*", "test", SUCCEEDS}, ++ {"tes*", "test", SUCCEEDS}, ++ {"test*", "test", SUCCEEDS}, ++ ++ {"test/this", "test/", FAILS}, ++ {"test/", "test/this", FAILS}, ++ {"test*/this", "test/this", SUCCEEDS}, ++ {"test/*this", "test/this", SUCCEEDS}, ++ ++ {".*", ".this", 
SUCCEEDS}, ++ {"*", ".this", FAILS_IF(APR_FNM_PERIOD)}, ++ {"?this", ".this", FAILS_IF(APR_FNM_PERIOD)}, ++ {"[.]this", ".this", FAILS_IF(APR_FNM_PERIOD)}, ++ ++ {"test/this", "test/this", SUCCEEDS}, ++ {"test?this", "test/this", FAILS_IF(APR_FNM_PATHNAME)}, ++ {"test*this", "test/this", FAILS_IF(APR_FNM_PATHNAME)}, ++ {"test[/]this", "test/this", FAILS_IF(APR_FNM_PATHNAME)}, ++ ++ {"test/.*", "test/.this", SUCCEEDS}, ++ {"test/*", "test/.this", FAILS_IF(APR_FNM_PERIOD | APR_FNM_PATHNAME)}, ++ {"test/?this", "test/.this", FAILS_IF(APR_FNM_PERIOD | APR_FNM_PATHNAME)}, ++ {"test/[.]this", "test/.this", FAILS_IF(APR_FNM_PERIOD | APR_FNM_PATHNAME)}, ++ ++ {NULL, NULL, 0} ++}; ++ ++ ++ ++static void test_fnmatch(abts_case *tc, void *data) ++{ ++ struct pattern_s *test = patterns; ++ char buf[80]; ++ int i = APR_FNM_BITS + 1; ++ int res; ++ ++ for (test = patterns; test->pattern; ++test) ++ { ++ for (i = 0; i <= APR_FNM_BITS; ++i) ++ { ++ res = apr_fnmatch(test->pattern, test->string, i); ++ if (((i & test->require_flags) != test->require_flags) ++ || ((i & test->fail_flags) == test->fail_flags)) { ++ if (res != APR_FNM_NOMATCH) ++ break; ++ } ++ else { ++ if (res != 0) ++ break; ++ } ++ } ++ if (i <= APR_FNM_BITS) ++ break; ++ } ++ ++ if (i <= APR_FNM_BITS) { ++ sprintf(buf, "apr_fnmatch(\"%s\", \"%s\", %d) returns %d\n", ++ test->pattern, test->string, i, res); ++ abts_fail(tc, buf, __LINE__); ++ } ++} ++ + static void test_glob(abts_case *tc, void *data) + { + int i; +@@ -68,6 +176,7 @@ + { + suite = ADD_SUITE(suite) + ++ abts_run_test(suite, test_fnmatch, NULL); + abts_run_test(suite, test_glob, NULL); + abts_run_test(suite, test_glob_currdir, NULL); + +--- a/strings/apr_fnmatch.c 2004-11-24 23:51:51.000000000 +0100 ++++ a/strings/apr_fnmatch.c 2011-05-03 06:51:24.000000000 +0200 +@@ -1,50 +1,58 @@ +-/* +- * Copyright (c) 1989, 1993, 1994 +- * The Regents of the University of California. All rights reserved. 
+- * +- * This code is derived from software contributed to Berkeley by +- * Guido van Rossum. +- * +- * Redistribution and use in source and binary forms, with or without +- * modification, are permitted provided that the following conditions +- * are met: +- * 1. Redistributions of source code must retain the above copyright +- * notice, this list of conditions and the following disclaimer. +- * 2. Redistributions in binary form must reproduce the above copyright +- * notice, this list of conditions and the following disclaimer in the +- * documentation and/or other materials provided with the distribution. +- * 3. All advertising materials mentioning features or use of this software +- * must display the following acknowledgement: +- * This product includes software developed by the University of +- * California, Berkeley and its contributors. +- * 4. Neither the name of the University nor the names of its contributors +- * may be used to endorse or promote products derived from this software +- * without specific prior written permission. +- * +- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. +- */ ++/* Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. 
See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ + +-#if defined(LIBC_SCCS) && !defined(lint) +-static char sccsid[] = "@(#)fnmatch.c 8.2 (Berkeley) 4/16/94"; +-#endif /* LIBC_SCCS and not lint */ +- +-/* +- * Function fnmatch() as specified in POSIX 1003.2-1992, section B.6. +- * Compares a filename or pathname to a pattern. ++/* Derived from The Open Group Base Specifications Issue 7, IEEE Std 1003.1-2008 ++ * as described in; ++ * http://pubs.opengroup.org/onlinepubs/9699919799/functions/fnmatch.html ++ * ++ * Filename pattern matches defined in section 2.13, "Pattern Matching Notation" ++ * from chapter 2. "Shell Command Language" ++ * http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_13 ++ * where; 1. A bracket expression starting with an unquoted '^' ++ * character CONTINUES to specify a non-matching list; 2. an explicit '.' ++ * in a bracket expression matching list, e.g. "[.abc]" does NOT match a leading ++ * in a filename; 3. a '[' which does not introduce ++ * a valid bracket expression is treated as an ordinary character; 4. a differing ++ * number of consecutive slashes within pattern and string will NOT match; ++ * 5. a trailing '\' in FNM_ESCAPE mode is treated as an ordinary '\' character. 
++ * ++ * Bracket expansion defined in section 9.3.5, "RE Bracket Expression", ++ * from chapter 9, "Regular Expressions" ++ * http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_03_05 ++ * with no support for collating symbols, equivalence class expressions or ++ * character class expressions. A partial range expression with a leading ++ * hyphen following a valid range expression will match only the ordinary ++ * and the ending character (e.g. "[a-m-z]" will match characters ++ * 'a' through 'm', a '-', or a 'z'). ++ * ++ * NOTE: Only POSIX/C single byte locales are correctly supported at this time. ++ * Notably, non-POSIX locales with FNM_CASEFOLD produce undefined results, ++ * particularly in ranges of mixed case (e.g. "[A-z]") or spanning alpha and ++ * nonalpha characters within a range. ++ * ++ * XXX comments below indicate porting required for multi-byte character sets ++ * and non-POSIX locale collation orders; requires mbr* APIs to track shift ++ * state of pattern and string (rewinding pattern and string repeatedly). ++ * ++ * Certain parts of the code assume 0x00-0x3F are unique with any MBCS (e.g. ++ * UTF-8, SHIFT-JIS, etc). Any implementation allowing '\' as an alternate ++ * path delimiter must be aware that 0x5C is NOT unique within SHIFT-JIS. + */ +-#ifndef WIN32 +-#include "apr_private.h" +-#endif ++ + #include "apr_file_info.h" + #include "apr_fnmatch.h" + #include "apr_tables.h" +@@ -55,196 +63,355 @@ + # include + #endif + +-#define EOS '\0' +- +-static const char *rangematch(const char *, int, int); + +-APR_DECLARE(apr_status_t) apr_fnmatch(const char *pattern, const char *string, int flags) ++/* Most MBCS/collation/case issues handled here. Wildcard '*' is not handled. ++ * EOS '\0' and the FNM_PATHNAME '/' delimiters are not advanced over, ++ * however the "\/" sequence is advanced to '/'. 
++ * ++ * Both pattern and string are **char to support pointer increment of arbitrary ++ * multibyte characters for the given locale, in a later iteration of this code ++ */ ++static APR_INLINE int fnmatch_ch(const char **pattern, const char **string, int flags) + { +- const char *stringstart; +- char c, test; +- +- for (stringstart = string;;) { +- switch (c = *pattern++) { +- case EOS: +- return (*string == EOS ? APR_SUCCESS : APR_FNM_NOMATCH); +- case '?': +- if (*string == EOS) { +- return (APR_FNM_NOMATCH); +- } +- if (*string == '/' && (flags & APR_FNM_PATHNAME)) { +- return (APR_FNM_NOMATCH); +- } +- if (*string == '.' && (flags & APR_FNM_PERIOD) && +- (string == stringstart || +- ((flags & APR_FNM_PATHNAME) && *(string - 1) == '/'))) { +- return (APR_FNM_NOMATCH); +- } +- ++string; +- break; +- case '*': +- c = *pattern; +- /* Collapse multiple stars. */ +- while (c == '*') { +- c = *++pattern; +- } +- +- if (*string == '.' && (flags & APR_FNM_PERIOD) && +- (string == stringstart || +- ((flags & APR_FNM_PATHNAME) && *(string - 1) == '/'))) { +- return (APR_FNM_NOMATCH); +- } +- +- /* Optimize for pattern with * at end or before /. */ +- if (c == EOS) { +- if (flags & APR_FNM_PATHNAME) { +- return (strchr(string, '/') == NULL ? APR_SUCCESS : APR_FNM_NOMATCH); +- } +- else { +- return (APR_SUCCESS); +- } +- } +- else if (c == '/' && flags & APR_FNM_PATHNAME) { +- if ((string = strchr(string, '/')) == NULL) { +- return (APR_FNM_NOMATCH); +- } +- break; +- } +- +- /* General case, use recursion. */ +- while ((test = *string) != EOS) { +- if (!apr_fnmatch(pattern, string, flags & ~APR_FNM_PERIOD)) { +- return (APR_SUCCESS); +- } +- if (test == '/' && flags & APR_FNM_PATHNAME) { +- break; +- } +- ++string; +- } +- return (APR_FNM_NOMATCH); +- case '[': +- if (*string == EOS) { +- return (APR_FNM_NOMATCH); +- } +- if (*string == '/' && flags & APR_FNM_PATHNAME) { +- return (APR_FNM_NOMATCH); +- } +- if (*string == '.' 
&& (flags & APR_FNM_PERIOD) && +- (string == stringstart || +- ((flags & APR_FNM_PATHNAME) && *(string - 1) == '/'))) { +- return (APR_FNM_NOMATCH); +- } +- if ((pattern = rangematch(pattern, *string, flags)) == NULL) { +- return (APR_FNM_NOMATCH); +- } +- ++string; +- break; +- case '\\': +- if (!(flags & APR_FNM_NOESCAPE)) { +- if ((c = *pattern++) == EOS) { +- c = '\\'; +- --pattern; +- } +- } +- /* FALLTHROUGH */ +- default: +- if (flags & APR_FNM_CASE_BLIND) { +- if (apr_tolower(c) != apr_tolower(*string)) { +- return (APR_FNM_NOMATCH); +- } +- } +- else if (c != *string) { +- return (APR_FNM_NOMATCH); +- } +- string++; +- break; +- } +- /* NOTREACHED */ ++ const char * const mismatch = *pattern; ++ const int nocase = !!(flags & APR_FNM_CASE_BLIND); ++ const int escape = !(flags & APR_FNM_NOESCAPE); ++ const int slash = !!(flags & APR_FNM_PATHNAME); ++ int result = APR_FNM_NOMATCH; ++ const char *startch; ++ int negate; ++ ++ if (**pattern == '[') ++ { ++ ++*pattern; ++ ++ /* Handle negation, either leading ! or ^ operators (never both) */ ++ negate = ((**pattern == '!') || (**pattern == '^')); ++ if (negate) ++ ++*pattern; ++ ++ while (**pattern) ++ { ++ /* ']' is an ordinary character at the start of the range pattern */ ++ if ((**pattern == ']') && (*pattern > mismatch)) { ++ ++*pattern; ++ /* XXX: Fix for MBCS character width */ ++ ++*string; ++ return (result ^ negate); ++ } ++ ++ if (escape && (**pattern == '\\')) { ++ ++*pattern; ++ ++ /* Patterns must be terminated with ']', not EOS */ ++ if (!**pattern) ++ break; ++ } ++ ++ /* Patterns must be terminated with ']' not '/' */ ++ if (slash && (**pattern == '/')) ++ break; ++ ++ /* Look at only well-formed range patterns; ']' is allowed only if escaped, ++ * while '/' is not allowed at all in FNM_PATHNAME mode. ++ */ ++ /* XXX: Fix for locale/MBCS character width */ ++ if (((*pattern)[1] == '-') && (*pattern)[2] ++ && ((escape && ((*pattern)[2] != '\\')) ++ ? 
(((*pattern)[2] != ']') && (!slash || ((*pattern)[2] != '/'))) ++ : (((*pattern)[3]) && (!slash || ((*pattern)[3] != '/'))))) { ++ startch = *pattern; ++ *pattern += (escape && ((*pattern)[2] == '\\')) ? 3 : 2; ++ ++ /* XXX: handle locale/MBCS comparison, advance by MBCS char width */ ++ if ((**string >= *startch) && (**string <= **pattern)) ++ result = 0; ++ else if (nocase && (isupper(**string) || isupper(*startch) ++ || isupper(**pattern)) ++ && (tolower(**string) >= tolower(*startch)) ++ && (tolower(**string) <= tolower(**pattern))) ++ result = 0; ++ ++ ++*pattern; ++ continue; ++ } ++ ++ /* XXX: handle locale/MBCS comparison, advance by MBCS char width */ ++ if ((**string == **pattern)) ++ result = 0; ++ else if (nocase && (isupper(**string) || isupper(**pattern)) ++ && (tolower(**string) == tolower(**pattern))) ++ result = 0; ++ ++ ++*pattern; ++ } ++ ++ /* NOT a properly balanced [expr] pattern; Rewind to test '[' literal */ ++ *pattern = mismatch; ++ result = APR_FNM_NOMATCH; + } ++ else if (**pattern == '?') { ++ /* Optimize '?' 
match before unescaping **pattern */ ++ if (!**string || (slash && (**string == '/'))) ++ return APR_FNM_NOMATCH; ++ result = 0; ++ goto fnmatch_ch_success; ++ } ++ else if (escape && (**pattern == '\\') && (*pattern)[1]) { ++ ++*pattern; ++ } ++ ++ /* XXX: handle locale/MBCS comparison, advance by the MBCS char width */ ++ if (**string == **pattern) ++ result = 0; ++ else if (nocase && (isupper(**string) || isupper(**pattern)) ++ && (tolower(**string) == tolower(**pattern))) ++ result = 0; ++ ++ /* Refuse to advance over trailing slash or nulls ++ */ ++ if (!**string || !**pattern || (slash && ((**string == '/') || (**pattern == '/')))) ++ return result; ++ ++fnmatch_ch_success: ++ ++*pattern; ++ ++*string; ++ return result; + } + +-static const char *rangematch(const char *pattern, int test, int flags) +-{ +- int negate, ok; +- char c, c2; + +- /* +- * A bracket expression starting with an unquoted circumflex +- * character produces unspecified results (IEEE 1003.2-1992, +- * 3.13.2). This implementation treats it like '!', for +- * consistency with the regular expression syntax. +- * J.T. Conklin (conklin@ngai.kaleida.com) ++APR_DECLARE(int) apr_fnmatch(const char *pattern, const char *string, int flags) ++{ ++ static const char dummystring[2] = {' ', 0}; ++ const int escape = !(flags & APR_FNM_NOESCAPE); ++ const int slash = !!(flags & APR_FNM_PATHNAME); ++ const char *strendseg; ++ const char *dummyptr; ++ const char *matchptr; ++ int wild; ++ /* For '*' wild processing only; surpress 'used before initialization' ++ * warnings with dummy initialization values; + */ +- if ((negate = (*pattern == '!' 
|| *pattern == '^'))) { +- ++pattern; ++ const char *strstartseg = NULL; ++ const char *mismatch = NULL; ++ int matchlen = 0; ++ ++ while (*pattern) ++ { ++ /* Match balanced slashes, starting a new segment pattern ++ */ ++ if (slash && escape && (*pattern == '\\') && (pattern[1] == '/')) ++ ++pattern; ++ if (slash && (*pattern == '/') && (*string == '/')) { ++ ++pattern; ++ ++string; ++ } ++ ++ /* At the beginning of each segment, validate leading period behavior. ++ */ ++ if ((flags & APR_FNM_PERIOD) && (*string == '.')) ++ { ++ if (*pattern == '.') ++ ++pattern; ++ else if (escape && (*pattern == '\\') && (pattern[1] == '.')) ++ pattern += 2; ++ else ++ return APR_FNM_NOMATCH; ++ ++string; ++ } ++ ++ /* Determine the end of string segment ++ * ++ * Presumes '/' character is unique, not composite in any MBCS encoding ++ */ ++ if (slash) { ++ strendseg = strchr(string, '/'); ++ if (!strendseg) ++ strendseg = strchr(string, '\0'); ++ } ++ else { ++ strendseg = strchr(string, '\0'); ++ } ++ ++ /* Allow pattern '*' to be consumed even with no remaining string to match ++ */ ++ while (*pattern && !(slash && ((*pattern == '/') ++ || (escape && (*pattern == '\\') ++ && (pattern[1] == '/')))) ++ && ((string < strendseg) ++ || ((*pattern == '*') && (string == strendseg)))) ++ { ++ /* Reduce groups of '*' and '?' to n '?' 
matches ++ * followed by one '*' test for simplicity ++ */ ++ for (wild = 0; ((*pattern == '*') || (*pattern == '?')); ++pattern) ++ { ++ if (*pattern == '*') { ++ wild = 1; ++ } ++ else if (string < strendseg) { /* && (*pattern == '?') */ ++ /* XXX: Advance 1 char for MBCS locale */ ++ ++string; ++ } ++ else { /* (string >= strendseg) && (*pattern == '?') */ ++ return APR_FNM_NOMATCH; ++ } ++ } ++ ++ if (wild) ++ { ++ strstartseg = string; ++ mismatch = pattern; ++ ++ /* Count fixed (non '*') char matches remaining in pattern ++ * excluding '/' (or "\/") and '*' ++ */ ++ for (matchptr = pattern, matchlen = 0; 1; ++matchlen) ++ { ++ if ((*matchptr == '\0') ++ || (slash && ((*matchptr == '/') ++ || (escape && (*matchptr == '\\') ++ && (matchptr[1] == '/'))))) ++ { ++ /* Compare precisely this many trailing string chars, ++ * the resulting match needs no wildcard loop ++ */ ++ /* XXX: Adjust for MBCS */ ++ if (string + matchlen > strendseg) ++ return APR_FNM_NOMATCH; ++ ++ string = strendseg - matchlen; ++ wild = 0; ++ break; ++ } ++ ++ if (*matchptr == '*') ++ { ++ /* Ensure at least this many trailing string chars remain ++ * for the first comparison ++ */ ++ /* XXX: Adjust for MBCS */ ++ if (string + matchlen > strendseg) ++ return APR_FNM_NOMATCH; ++ ++ /* Begin first wild comparison at the current position */ ++ break; ++ } ++ ++ /* Skip forward in pattern by a single character match ++ * Use a dummy fnmatch_ch() test to count one "[range]" escape ++ */ ++ /* XXX: Adjust for MBCS */ ++ if (escape && (*matchptr == '\\') && matchptr[1]) { ++ matchptr += 2; ++ } ++ else if (*matchptr == '[') { ++ dummyptr = dummystring; ++ fnmatch_ch(&matchptr, &dummyptr, flags); ++ } ++ else { ++ ++matchptr; ++ } ++ } ++ } ++ ++ /* Incrementally match string against the pattern ++ */ ++ while (*pattern && (string < strendseg)) ++ { ++ /* Success; begin a new wild pattern search ++ */ ++ if (*pattern == '*') ++ break; ++ ++ if (slash && ((*string == '/') || (*pattern == '/') ++ || 
(escape && (*pattern == '\\') ++ && (pattern[1] == '/')))) ++ break; ++ ++ /* Compare ch's (the pattern is advanced over "\/" to the '/', ++ * but slashes will mismatch, and are not consumed) ++ */ ++ if (!fnmatch_ch(&pattern, &string, flags)) ++ continue; ++ ++ /* Failed to match, loop against next char offset of string segment ++ * until not enough string chars remain to match the fixed pattern ++ */ ++ if (wild) { ++ /* XXX: Advance 1 char for MBCS locale */ ++ string = ++strstartseg; ++ if (string + matchlen > strendseg) ++ return APR_FNM_NOMATCH; ++ ++ pattern = mismatch; ++ continue; ++ } ++ else ++ return APR_FNM_NOMATCH; ++ } ++ } ++ ++ if (*string && (!slash || (*string != '/'))) ++ return APR_FNM_NOMATCH; ++ ++ if (*pattern && (!slash || ((*pattern != '/') ++ && (!escape || (*pattern != '\\') ++ || (pattern[1] != '/'))))) ++ return APR_FNM_NOMATCH; + } + +- for (ok = 0; (c = *pattern++) != ']';) { +- if (c == '\\' && !(flags & APR_FNM_NOESCAPE)) { +- c = *pattern++; +- } +- if (c == EOS) { +- return (NULL); +- } +- if (*pattern == '-' && (c2 = *(pattern + 1)) != EOS && c2 != ']') { +- pattern += 2; +- if (c2 == '\\' && !(flags & APR_FNM_NOESCAPE)) { +- c2 = *pattern++; +- } +- if (c2 == EOS) { +- return (NULL); +- } +- if ((c <= test && test <= c2) +- || ((flags & APR_FNM_CASE_BLIND) +- && ((apr_tolower(c) <= apr_tolower(test)) +- && (apr_tolower(test) <= apr_tolower(c2))))) { +- ok = 1; +- } +- } +- else if ((c == test) +- || ((flags & APR_FNM_CASE_BLIND) +- && (apr_tolower(c) == apr_tolower(test)))) { +- ok = 1; +- } +- } +- return (ok == negate ? 
NULL : pattern); ++ /* pattern is at EOS; if string is also, declare success ++ */ ++ if (!*string) ++ return 0; ++ ++ /* pattern didn't match to the end of string */ ++ return APR_FNM_NOMATCH; + } + + +-/* This function is an Apache addition */ +-/* return non-zero if pattern has any glob chars in it */ ++/* This function is an Apache addition ++ * return non-zero if pattern has any glob chars in it ++ * @bug Function does not distinguish for FNM_PATHNAME mode, which renders ++ * a false positive for test[/]this (which is not a range, but ++ * seperate test[ and ]this segments and no glob.) ++ * @bug Function does not distinguish for non-FNM_ESCAPE mode. ++ * @bug Function does not parse []] correctly ++ * Solution may be to use fnmatch_ch() to walk the patterns? ++ */ + APR_DECLARE(int) apr_fnmatch_test(const char *pattern) + { + int nesting; + + nesting = 0; + while (*pattern) { +- switch (*pattern) { +- case '?': +- case '*': +- return 1; +- +- case '\\': +- if (*pattern++ == '\0') { +- return 0; +- } +- break; +- +- case '[': /* '[' is only a glob if it has a matching ']' */ +- ++nesting; +- break; +- +- case ']': +- if (nesting) { +- return 1; +- } +- break; +- } +- ++pattern; +- } ++ switch (*pattern) { ++ case '?': ++ case '*': ++ return 1; ++ ++ case '\\': ++ if (*++pattern == '\0') { ++ return 0; ++ } ++ break; ++ ++ case '[': /* '[' is only a glob if it has a matching ']' */ ++ ++nesting; ++ break; ++ ++ case ']': ++ if (nesting) { ++ return 1; ++ } ++ break; ++ } ++ ++pattern; } + return 0; + } + ++ + /* Find all files matching the specified pattern */ + APR_DECLARE(apr_status_t) apr_match_glob(const char *pattern, + apr_array_header_t **result, --- apr-1.2.12.orig/debian/patches/029_fnmatch_CVE-2011-1928.dpatch +++ apr-1.2.12/debian/patches/029_fnmatch_CVE-2011-1928.dpatch 
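Review bot: In fnmatch_ch() the case-blind comparisons pass `**string`, `*startch` and `**pattern` straight to `isupper()` and `tolower()`; these are plain `char`, so where char is signed any byte above 0x7F reaches the ctype functions as a negative value, which the C standard leaves undefined. The code being removed used `apr_tolower()` for the same job, and both pattern and string can originate from request or filesystem data. All three sites (the range test, the single-character test inside the bracket loop, and the final literal test) should use the APR wrappers, which cast to unsigned char, e.g. `else if (nocase && (apr_isupper(**string) || apr_isupper(**pattern)) && (apr_tolower(**string) == apr_tolower(**pattern)))`, assuming apr_lib.h is still among the includes. The range comparison `(**string >= *startch) && (**string <= **pattern)` depends on char signedness in the same way and deserves a comment or an unsigned cast.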
@@ -0,0 +1,53 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix regression DoS introduced by fix for CVE-2011-0419
+## DP: Patch by "William A. Rowe Jr."
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze-branch~/strings/apr_fnmatch.c squeeze-branch/strings/apr_fnmatch.c
+--- squeeze-branch~/strings/apr_fnmatch.c 2011-05-19 07:53:41.553556013 +0200
++++ squeeze-branch/strings/apr_fnmatch.c 2011-05-19 07:53:41.609556010 +0200
+@@ -196,7 +196,10 @@
+ const char *mismatch = NULL;
+ int matchlen = 0;
+
+- while (*pattern)
++ if (*pattern == '*')
++ goto firstsegment;
++
++ while (*pattern && *string)
+ {
+ /* Match balanced slashes, starting a new segment pattern
+ */
+@@ -207,6 +210,7 @@
+ ++string;
+ }
+
++firstsegment:
+ /* At the beginning of each segment, validate leading period behavior.
+ */
+ if ((flags & APR_FNM_PERIOD) && (*string == '.'))
+@@ -361,9 +365,9 @@
+ return APR_FNM_NOMATCH;
+ }
+
+- /* pattern is at EOS; if string is also, declare success
++ /* Where both pattern and string are at EOS, declare success
+ */
+- if (!*string)
++ if (!*string && !*pattern)
+ return 0;
+
+ /* pattern didn't match to the end of string */
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze-branch~/test/testfnmatch.c squeeze-branch/test/testfnmatch.c
+--- squeeze-branch~/test/testfnmatch.c 2011-05-19 07:53:41.553556013 +0200
++++ squeeze-branch/test/testfnmatch.c 2011-05-19 07:53:55.929556004 +0200
+@@ -95,6 +95,8 @@
+ {"test/?this", "test/.this", FAILS_IF(APR_FNM_PERIOD | APR_FNM_PATHNAME)},
+ {"test/[.]this", "test/.this", FAILS_IF(APR_FNM_PERIOD | APR_FNM_PATHNAME)},
+
++ {"/*/WEB-INF/", "/wontmatch", FAILS},
++
+ {NULL, NULL, 0}
+ };
+
--- apr-1.2.12.orig/debian/patches/011_fix_apr-config.dpatch
+++
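Review bot: `goto firstsegment` jumps from outside into the body of `while (*pattern && *string)`, skipping both the loop test and the balanced-slash step, and neither the jump nor the label says why. Since the loop now stops on an empty string, the jump looks like what still lets a leading `*` be evaluated against an empty string, and a later cleanup that folds it back into the loop condition would silently change matching. A comment at the jump would record that, e.g. `/* A leading '*' must be processed even when string is empty: enter the segment logic directly, bypassing the loop test and the slash step */`. apr_fnmatch() starts and ends outside the inner hunks, so the interaction with the segment-end checks further down should be confirmed against the full function.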
apr-1.2.12/debian/patches/011_fix_apr-config.dpatch
@@ -0,0 +1,32 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 011_fix_apr-config.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+Index: apr-config.in
+--- a/apr-config.in
++++ b/apr-config.in
+@@ -38,7 +38,7 @@
+ LIBS="@EXTRA_LIBS@"
+ EXTRA_INCLUDES="@EXTRA_INCLUDES@"
+ SHLIBPATH_VAR="@shlibpath_var@"
+-APR_SOURCE_DIR="@apr_srcdir@"
++APR_SOURCE_DIR="$(cd @installbuilddir@/.. ; pwd)"
+ APR_BUILD_DIR="@apr_builddir@"
+ APR_SO_EXT="@so_ext@"
+ APR_LIB_TARGET="@export_lib_target@"
+@@ -222,11 +222,7 @@
+ exit 0
+ ;;
+ --apr-libtool)
+- if test "$location" = "installed"; then
+- echo "${installbuilddir}/libtool"
+- else
+- echo "$APR_BUILD_DIR/libtool"
+- fi
++ echo "$installbuilddir/libtool"
+ exit 0
+ ;;
+ --help)
--- apr-1.2.12.orig/debian/patches/015_sendfile_lfs.dpatch
+++ apr-1.2.12/debian/patches/015_sendfile_lfs.dpatch
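Review bot: In `APR_SOURCE_DIR="$(cd @installbuilddir@/.. ; pwd)"` the `;` lets `pwd` run even when `cd` fails, so a missing or unreadable build directory makes apr-config report the caller's current directory as the APR source directory. The substituted path is also unquoted and would split on whitespace. Chain and quote it instead: `APR_SOURCE_DIR="$(cd "@installbuilddir@/.." && pwd)"`; on failure the variable is then empty, which a consumer can detect, rather than pointing at an unrelated directory.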
@@ -0,0 +1,140 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 015_sendfile_lfs.dpatch by +## +## DP: Detect sendfile64() at runtime (not present on 2.4 kernels.) + +@DPATCH@ +Index: network_io/unix/sendrecv.c +--- a/network_io/unix/sendrecv.c ++++ b/network_io/unix/sendrecv.c +@@ -243,39 +243,77 @@ + + #if defined(__linux__) && defined(HAVE_WRITEV) + +-apr_status_t apr_socket_sendfile(apr_socket_t *sock, apr_file_t *file, +- apr_hdtr_t *hdtr, apr_off_t *offset, +- apr_size_t *len, apr_int32_t flags) ++/* Helper function for apr_socket_sendfile. ++ * Takes care of sendfile vs. sendfile64 (must be detected at runtime), ++ * EINTR restarting, and other details. NOTE: does not necessarily ++ * update 'off', as callers don't need this. ++ */ ++static ++ssize_t do_sendfile(int out, int in, apr_off_t *off, apr_size_t len) + { +- int rv, nbytes = 0, total_hdrbytes, i; +- apr_status_t arv; ++#if !APR_HAS_LARGE_FILES ++ ssize_t ret; ++ do ++ ret = sendfile(out, in, off, len); ++ while (ret == -1 && errno == EINTR); ++ return ret; ++#else + +-#if APR_HAS_LARGE_FILES && defined(HAVE_SENDFILE64) +- apr_off_t off = *offset; +-#define sendfile sendfile64 ++#ifdef HAVE_SENDFILE64 ++ static int sendfile64_enosys; /* sendfile64() syscall not found */ ++#endif ++ off_t offtmp; ++ ssize_t ret; + +-#elif APR_HAS_LARGE_FILES && SIZEOF_OFF_T == 4 +- /* 64-bit apr_off_t but no sendfile64(): fail if trying to send +- * past the 2Gb limit. */ +- off_t off; +- +- if ((apr_int64_t)*offset + *len > INT_MAX) { +- return EINVAL; ++ /* Multiple reports have shown sendfile failing with EINVAL if ++ * passed a >=2Gb count value on some 64-bit kernels. It won't ++ * noticably hurt performance to limit each call to <2Gb at a time, ++ * so avoid that issue here. (Round down to a common page size.) 
*/ ++ if (sizeof(off_t) == 8 && len > INT_MAX) ++ len = INT_MAX - 8191; ++ ++ /* The simple and common case: we don't cross the LFS barrier */ ++ if (sizeof(off_t) == 8 || (apr_int64_t)*off + len <= INT_MAX) { ++ offtmp = *off; ++ do ++ ret = sendfile(out, in, &offtmp, len); ++ while (ret == -1 && errno == EINTR); ++ return ret; + } +- +- off = *offset; + +-#else +- off_t off = *offset; ++ /* From here down we know it's a 32-bit runtime */ ++#ifdef HAVE_SENDFILE64 ++ if (!sendfile64_enosys) { ++ do ++ ret = sendfile64(out, in, off, len); ++ while (ret == -1 && errno == EINTR); + +- /* Multiple reports have shown sendfile failing with EINVAL if +- * passed a >=2Gb count value on some 64-bit kernels. It won't +- * noticably hurt performance to limit each call to <2Gb at a +- * time, so avoid that issue here: */ +- if (sizeof(off_t) == 8 && *len > INT_MAX) { +- *len = INT_MAX; ++ if (ret != -1 || errno != ENOSYS) ++ return ret; ++ ++ sendfile64_enosys = 1; + } + #endif ++ if (*off > INT_MAX) { ++ errno = EINVAL; ++ return -1; ++ } ++ offtmp = *off; ++ do ++ ret = sendfile(out, in, &offtmp, len); ++ while (ret == -1 && errno == EINTR); ++ return ret; ++#endif /* APR_HAS_LARGE_FILES */ ++} ++ ++ ++apr_status_t apr_socket_sendfile(apr_socket_t *sock, apr_file_t *file, ++ apr_hdtr_t *hdtr, apr_off_t *offset, ++ apr_size_t *len, apr_int32_t flags) ++{ ++ int rv, nbytes = 0, total_hdrbytes, i; ++ apr_status_t arv; ++ apr_off_t off = *offset; + + if (!hdtr) { + hdtr = &no_hdtr; +@@ -321,12 +359,10 @@ + goto do_select; + } + +- do { +- rv = sendfile(sock->socketdes, /* socket */ ++ rv = do_sendfile(sock->socketdes, /* socket */ + file->filedes, /* open file descriptor of the file to be sent */ + &off, /* where in the file to start */ + *len); /* number of bytes to send */ +- } while (rv == -1 && errno == EINTR); + + while ((rv == -1) && (errno == EAGAIN || errno == EWOULDBLOCK) + && (sock->timeout > 0)) { +@@ -337,12 +373,10 @@ + return arv; + } + else { +- do { +- rv = 
sendfile(sock->socketdes, /* socket */ ++ rv = do_sendfile(sock->socketdes, /* socket */ + file->filedes, /* open file descriptor of the file to be sent */ + &off, /* where in the file to start */ + *len); /* number of bytes to send */ +- } while (rv == -1 && errno == EINTR); + } + } + --- apr-1.2.12.orig/debian/patches/016_sendfile_hurd.dpatch +++ apr-1.2.12/debian/patches/016_sendfile_hurd.dpatch @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 016_sendfile_hurd.dpatch by +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +Index: network_io/unix/sendrecv.c +--- a/network_io/unix/sendrecv.c ++++ b/network_io/unix/sendrecv.c +@@ -238,7 +238,7 @@ + /* Define a structure to pass in when we have a NULL header value */ + static apr_hdtr_t no_hdtr; + +-#if defined(__linux__) && defined(HAVE_WRITEV) ++#if (defined(__linux__) || defined(__GNU__)) && defined(HAVE_WRITEV) + + /* Helper function for apr_socket_sendfile. + * Takes care of sendfile vs. sendfile64 (must be detected at runtime), --- apr-1.2.12.orig/debian/patches/00list +++ apr-1.2.12/debian/patches/00list @@ -0,0 +1,11 @@ +001_cve-2009-2412 +011_fix_apr-config +013_ship_find_apr.m4 +014_fix-apr.pc +015_sendfile_lfs +016_sendfile_hurd +022_hurd_path_max.dpatch +023_fix_doxygen.dpatch +024_cloexec.dpatch +028_fnmatch_CVE-2011-0419.dpatch +029_fnmatch_CVE-2011-1928.dpatch --- apr-1.2.12.orig/debian/patches/023_fix_doxygen.dpatch +++ apr-1.2.12/debian/patches/023_fix_doxygen.dpatch 
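Review bot: In do_sendfile() of 015_sendfile_lfs.dpatch the 2 GB count clamp, `if (sizeof(off_t) == 8 && len > INT_MAX)` / `len = INT_MAX - 8191;`, now sits in the `#else` half of `#if !APR_HAS_LARGE_FILES`, whereas the removed code applied it in the final `#else`, the branch used when large-file support was not compiled in. If APR_HAS_LARGE_FILES is 0 on builds whose native off_t is already 64-bit (likely, but not visible here), those builds take the first branch, lose the EINVAL workaround the comment describes, and the `ssize_t` result can be narrowed when it is stored in `int rv` in apr_socket_sendfile. Repeating the two clamp lines before the `do` loop of the `#if !APR_HAS_LARGE_FILES` branch restores the old behaviour. Separately, `static int sendfile64_enosys` is written without synchronisation; the race only repeats a probe, but a comment saying so would help.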
@@ -0,0 +1,99 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 023_fix_doxygen.dpatch by Stefan Fritsch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix generation of docs for out-of-tree builds and newer doxygen versions + +@DPATCH@ +diff -urNad apr-1.2.11~/docs/doxygen.conf apr-1.2.11/docs/doxygen.conf +--- apr-1.2.11~/docs/doxygen.conf 2007-09-13 00:19:20.000000000 +0200 ++++ apr-1.2.11/docs/doxygen.conf 2007-09-13 00:19:23.411951505 +0200 +@@ -1,6 +1,6 @@ + PROJECT_NAME="Apache Portable Runtime" + +-INPUT=. ++INPUT=../include include + QUIET=YES + RECURSIVE=YES + FILE_PATTERNS=*.h +diff -urNad apr-1.2.11~/include/apr.h.in apr-1.2.11/include/apr.h.in +--- apr-1.2.11~/include/apr.h.in 2007-09-13 00:19:23.411951505 +0200 ++++ apr-1.2.11/include/apr.h.in 2007-09-13 00:20:15.914943480 +0200 +@@ -287,9 +287,11 @@ + /** + * Thread callbacks from APR functions must be declared with APR_THREAD_FUNC, + * so that they follow the platform's calling convention. +- * @example + */ +-/** void* APR_THREAD_FUNC my_thread_entry_fn(apr_thread_t *thd, void *data); ++/** ++ * @code ++ * void* APR_THREAD_FUNC my_thread_entry_fn(apr_thread_t *thd, void *data); ++ * @endcode + */ + #define APR_THREAD_FUNC + +@@ -299,7 +301,6 @@ + * variable arguments must use APR_DECLARE_NONSTD(). + * + * @remark Both the declaration and implementations must use the same macro. +- * @example + */ + /** APR_DECLARE(rettype) apr_func(args) + * @see APR_DECLARE_NONSTD @see APR_DECLARE_DATA +@@ -320,9 +321,12 @@ + * APR_DECLARE_NONSTD(), as they must follow the C language calling convention. + * @see APR_DECLARE @see APR_DECLARE_DATA + * @remark Both the declaration and implementations must use the same macro. 
+- * @example ++ * + */ +-/** APR_DECLARE_NONSTD(rettype) apr_func(args, ...); ++/** ++ * @code ++ * APR_DECLARE_NONSTD(rettype) apr_func(args, ...); ++ * @endcode + */ + #define APR_DECLARE_NONSTD(type) type + +@@ -332,10 +336,12 @@ + * @see APR_DECLARE @see APR_DECLARE_NONSTD + * @remark Note that the declaration and implementations use different forms, + * but both must include the macro. +- * @example + */ +-/** extern APR_DECLARE_DATA type apr_variable;\n ++/** ++ * @code ++ * extern APR_DECLARE_DATA type apr_variable;\n + * APR_DECLARE_DATA type apr_variable = value; ++ * @endcode + */ + #define APR_DECLARE_DATA + +diff -urNad apr-1.2.11~/include/apr_hash.h apr-1.2.11/include/apr_hash.h +--- apr-1.2.11~/include/apr_hash.h 2007-09-13 00:19:20.000000000 +0200 ++++ apr-1.2.11/include/apr_hash.h 2007-09-13 00:20:30.415769835 +0200 +@@ -126,12 +126,9 @@ + * an iteration (although the results may be unpredictable unless all you do + * is delete the current entry) and multiple iterations can be in + * progress at the same time. +- +- * @example + */ + /** +- *
+- * 
++ * @code
+  * int sum_values(apr_pool_t *p, apr_hash_t *ht)
+  * {
+  *     apr_hash_index_t *hi;
+@@ -143,7 +140,7 @@
+  *     }
+  *     return sum;
+  * }
+- * 
++ * @endcode + */ + APR_DECLARE(apr_hash_index_t *) apr_hash_first(apr_pool_t *p, apr_hash_t *ht); + --- apr-1.2.12.orig/debian/patches/013_ship_find_apr.m4.dpatch +++ apr-1.2.12/debian/patches/013_ship_find_apr.m4.dpatch @@ -0,0 +1,26 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 013_ship_find_apr.m4.dpatch by Tollef Fog Heen +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Install a set of random build files too + +@DPATCH@ +diff -urNad apr1.0-1.2.2~/Makefile.in apr1.0-1.2.2/Makefile.in +--- apr1.0-1.2.2~/Makefile.in 2005-02-04 12:55:44.000000000 +0100 ++++ apr1.0-1.2.2/Makefile.in 2006-01-26 20:19:44.000000000 +0100 +@@ -85,6 +85,15 @@ + done + $(INSTALL_DATA) build/apr_rules.out $(DESTDIR)$(installbuilddir)/apr_rules.mk + $(INSTALL) -m 755 apr-config.out $(DESTDIR)$(bindir)/$(APR_CONFIG) ++ ++ if [ ! -d $(DESTDIR)$(installbuilddir) ]; then \ ++ $(top_srcdir)/build/mkdir.sh $(DESTDIR)$(installbuilddir); \ ++ fi ++ for file in find_apr.m4 apr_common.m4 install.sh gen-build.py get-version.sh ; do \ ++ $(LIBTOOL) --mode=install cp $(top_srcdir)/build/$$file \ ++ $(DESTDIR)$(installbuilddir)/$$file ; \ ++ done ++ + @if [ $(INSTALL_SUBDIRS) != "none" ]; then \ + for i in $(INSTALL_SUBDIRS); do \ + ( cd $$i ; $(MAKE) DESTDIR=$(DESTDIR) install ); \ --- apr-1.2.12.orig/debian/patches/014_fix-apr.pc.dpatch +++ apr-1.2.12/debian/patches/014_fix-apr.pc.dpatch 
@@ -0,0 +1,19 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 014_fix-apr.pc.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad apr1.0-1.2.2~/apr.pc.in apr1.0-1.2.2/apr.pc.in
+--- apr1.0-1.2.2~/apr.pc.in 2006-01-27 17:28:12.000000000 +0100
++++ apr1.0-1.2.2/apr.pc.in 2006-01-27 17:31:18.000000000 +0100
+@@ -7,5 +7,6 @@
+ Name: APR
+ Description: The Apache Portable Runtime library
+ Version: @APR_DOTTED_VERSION@
+-Libs: -L${libdir} -l@APR_LIBNAME@ @EXTRA_LIBS@
+-Cflags: @EXTRA_CPPFLAGS@ @EXTRA_CFLAGS@ -I${includedir}
++Libs: -L${libdir} -l@APR_LIBNAME@
++Libs.private: @EXTRA_LIBS@
++Cflags: @EXTRA_CPPFLAGS@ -I${includedir}
--- apr-1.2.12.orig/debian/patches/024_cloexec.dpatch
+++ apr-1.2.12/debian/patches/024_cloexec.dpatch
@@ -0,0 +1,284 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 024_cloexec.dpatch by Stefan Fritsch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Use FD_CLOEXEC for fds, but don't use the new APIs yet. PR 46425 / #366124 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/netware/mktemp.c lenny/file_io/netware/mktemp.c +--- lenny~/file_io/netware/mktemp.c 2007-06-01 19:58:33.000000000 +0200 ++++ lenny/file_io/netware/mktemp.c 2010-05-25 22:33:40.689808938 +0200 +@@ -19,6 +19,7 @@ + #include "apr_strings.h" /* prototype of apr_mkstemp() */ + #include "apr_arch_file_io.h" /* prototype of apr_mkstemp() */ + #include "apr_portable.h" /* for apr_os_file_put() */ ++#include "apr_arch_inherit.h" + + #include /* for mkstemp() - Single Unix */ + +@@ -43,6 +44,15 @@ + + + if (!(flags & APR_FILE_NOCLEANUP)) { ++ int flags; ++ ++ if ((flags = fcntl((*fp)->filedes, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl((*fp)->filedes, F_SETFD, flags) == -1) ++ return errno; ++ + apr_pool_cleanup_register((*fp)->pool, (void *)(*fp), + apr_unix_file_cleanup, + apr_unix_child_file_cleanup); +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/unix/filedup.c lenny/file_io/unix/filedup.c +--- lenny~/file_io/unix/filedup.c 2007-05-21 08:49:32.000000000 +0200 ++++ lenny/file_io/unix/filedup.c 2010-05-25 22:33:40.689808938 +0200 +@@ -25,13 +25,27 @@ + int which_dup) + { + int rv; +- ++ + if (which_dup == 2) { + if ((*new_file) == NULL) { + /* We can't dup2 unless we have a valid new_file */ + return APR_EINVAL; + } + rv = dup2(old_file->filedes, (*new_file)->filedes); ++ if (!((*new_file)->flags & (APR_FILE_NOCLEANUP|APR_INHERIT))) { ++ int flags; ++ ++ if (rv == -1) ++ return errno; ++ ++ if ((flags = fcntl((*new_file)->filedes, 
F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl((*new_file)->filedes, F_SETFD, flags) == -1) ++ return errno; ++ ++ } + } else { + rv = dup(old_file->filedes); + } +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/unix/mktemp.c lenny/file_io/unix/mktemp.c +--- lenny~/file_io/unix/mktemp.c 2007-06-01 19:58:33.000000000 +0200 ++++ lenny/file_io/unix/mktemp.c 2010-05-25 22:33:40.689808938 +0200 +@@ -51,6 +51,7 @@ + #include "apr_strings.h" /* prototype of apr_mkstemp() */ + #include "apr_arch_file_io.h" /* prototype of apr_mkstemp() */ + #include "apr_portable.h" /* for apr_os_file_put() */ ++#include "apr_arch_inherit.h" + + #ifndef HAVE_MKSTEMP + +@@ -203,6 +204,15 @@ + (*fp)->fname = apr_pstrdup(p, template); + + if (!(flags & APR_FILE_NOCLEANUP)) { ++ int flags; ++ ++ if ((flags = fcntl(fd, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl(fd, F_SETFD, flags) == -1) ++ return errno; ++ + apr_pool_cleanup_register((*fp)->pool, (void *)(*fp), + apr_unix_file_cleanup, + apr_unix_child_file_cleanup); +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/file_io/unix/open.c lenny/file_io/unix/open.c +--- lenny~/file_io/unix/open.c 2007-05-21 08:49:32.000000000 +0200 ++++ lenny/file_io/unix/open.c 2010-05-25 22:33:40.689808938 +0200 +@@ -153,6 +153,16 @@ + if (fd < 0) { + return errno; + } ++ if (!(flag & APR_FILE_NOCLEANUP)) { ++ int flags; ++ ++ if ((flags = fcntl(fd, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl(fd, F_SETFD, flags) == -1) ++ return errno; ++ } + + (*new) = (apr_file_t *)apr_pcalloc(pool, sizeof(apr_file_t)); + (*new)->pool = pool; +@@ -312,6 +322,15 @@ + return APR_EINVAL; + } + if (thefile->flags & APR_INHERIT) { ++ int flags; ++ ++ if ((flags = fcntl(thefile->filedes, F_GETFD)) == -1) ++ 
return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl(thefile->filedes, F_SETFD, flags) == -1) ++ return errno; ++ + thefile->flags &= ~APR_INHERIT; + apr_pool_child_cleanup_set(thefile->pool, + (void *)thefile, +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/include/arch/unix/apr_arch_inherit.h lenny/include/arch/unix/apr_arch_inherit.h +--- lenny~/include/arch/unix/apr_arch_inherit.h 2006-08-03 13:05:27.000000000 +0200 ++++ lenny/include/arch/unix/apr_arch_inherit.h 2010-05-25 22:33:40.689808938 +0200 +@@ -27,6 +27,12 @@ + if (the##name->flag & APR_FILE_NOCLEANUP) \ + return APR_EINVAL; \ + if (!(the##name->flag & APR_INHERIT)) { \ ++ int flags = fcntl(the##name->name##des, F_GETFD); \ ++ if (flags == -1) \ ++ return errno; \ ++ flags &= ~(FD_CLOEXEC); \ ++ if (fcntl(the##name->name##des, F_SETFD, flags) == -1) \ ++ return errno; \ + the##name->flag |= APR_INHERIT; \ + apr_pool_child_cleanup_set(the##name->pool, \ + (void *)the##name, \ +@@ -41,6 +47,12 @@ + if (the##name->flag & APR_FILE_NOCLEANUP) \ + return APR_EINVAL; \ + if (the##name->flag & APR_INHERIT) { \ ++ int flags; \ ++ if ((flags = fcntl(the##name->name##des, F_GETFD)) == -1) \ ++ return errno; \ ++ flags |= FD_CLOEXEC; \ ++ if (fcntl(the##name->name##des, F_SETFD, flags) == -1) \ ++ return errno; \ + the##name->flag &= ~APR_INHERIT; \ + apr_pool_child_cleanup_set(the##name->pool, \ + (void *)the##name, \ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/network_io/unix/sockets.c lenny/network_io/unix/sockets.c +--- lenny~/network_io/unix/sockets.c 2006-11-11 11:07:48.000000000 +0100 ++++ lenny/network_io/unix/sockets.c 2010-05-25 22:33:40.689808938 +0200 +@@ -130,6 +130,17 @@ + } + set_socket_vars(*new, family, type, protocol); + ++ { ++ int flags; ++ ++ if ((flags = fcntl((*new)->socketdes, F_GETFD)) == -1) ++ return 
errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl((*new)->socketdes, F_SETFD, flags) == -1) ++ return errno; ++ } ++ + (*new)->timeout = -1; + (*new)->inherit = 0; + apr_pool_cleanup_register((*new)->pool, (void *)(*new), socket_cleanup, +@@ -247,6 +258,17 @@ + (*new)->local_interface_unknown = 1; + } + ++ { ++ int flags; ++ ++ if ((flags = fcntl((*new)->socketdes, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl((*new)->socketdes, F_SETFD, flags) == -1) ++ return errno; ++ } ++ + (*new)->inherit = 0; + apr_pool_cleanup_register((*new)->pool, (void *)(*new), socket_cleanup, + socket_cleanup); +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/poll/unix/epoll.c lenny/poll/unix/epoll.c +--- lenny~/poll/unix/epoll.c 2006-08-03 13:05:27.000000000 +0200 ++++ lenny/poll/unix/epoll.c 2010-05-25 22:33:40.689808938 +0200 +@@ -15,6 +15,7 @@ + */ + + #include "apr_arch_poll_private.h" ++#include "apr_arch_inherit.h" + + #ifdef POLLSET_USES_EPOLL + +@@ -99,6 +100,17 @@ + return errno; + } + ++ { ++ int flags; ++ ++ if ((flags = fcntl(fd, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl(fd, F_SETFD, flags) == -1) ++ return errno; ++ } ++ + *pollset = apr_palloc(p, sizeof(**pollset)); + #if APR_HAS_THREADS + if (flags & APR_POLLSET_THREADSAFE && +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/poll/unix/kqueue.c lenny/poll/unix/kqueue.c +--- lenny~/poll/unix/kqueue.c 2007-04-13 22:54:13.000000000 +0200 ++++ lenny/poll/unix/kqueue.c 2010-05-25 22:33:40.689808938 +0200 +@@ -15,6 +15,7 @@ + */ + + #include "apr_arch_poll_private.h" ++#include "apr_arch_inherit.h" + + #ifdef POLLSET_USES_KQUEUE + +@@ -101,6 +102,17 @@ + return APR_ENOMEM; + } + ++ { ++ int flags; ++ ++ if ((flags = fcntl((*pollset)->kqueue_fd, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= 
FD_CLOEXEC; ++ if (fcntl((*pollset)->kqueue_fd, F_SETFD, flags) == -1) ++ return errno; ++ } ++ + apr_pool_cleanup_register(p, (void *) (*pollset), backend_cleanup, + apr_pool_cleanup_null); + +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' lenny~/poll/unix/port.c lenny/poll/unix/port.c +--- lenny~/poll/unix/port.c 2007-04-13 22:54:13.000000000 +0200 ++++ lenny/poll/unix/port.c 2010-05-25 22:36:39.625539106 +0200 +@@ -15,6 +15,7 @@ + */ + + #include "apr_arch_poll_private.h" ++#include "apr_arch_inherit.h" + + #ifdef POLLSET_USES_PORT + +@@ -123,6 +124,17 @@ + return APR_ENOMEM; + } + ++ { ++ int flags; ++ ++ if ((flags = fcntl((*pollset)->port_fd, F_GETFD)) == -1) ++ return errno; ++ ++ flags |= FD_CLOEXEC; ++ if (fcntl((*pollset)->port_fd, F_SETFD, flags) == -1) ++ return errno; ++ } ++ + apr_pool_cleanup_register(p, (void *) (*pollset), backend_cleanup, + apr_pool_cleanup_null); + --- apr-1.2.12.orig/debian/patches/001_cve-2009-2412.dpatch +++ apr-1.2.12/debian/patches/001_cve-2009-2412.dpatch 
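Review bot: In 024_cloexec.dpatch, the `return errno` added after a failed `fcntl()` in the first file_io/unix/open.c hunk leaves the just-opened `fd` open, because nothing closes it before returning; the hunks for network_io/unix/sockets.c, poll/unix/epoll.c, kqueue.c and port.c appear to return the same way with a live descriptor. Closing it first and preserving the error would fix that, e.g. `if ((flags = fcntl(fd, F_GETFD)) == -1) { int err = errno; close(fd); return err; }`, and likewise for the `F_SETFD` call. Setting FD_CLOEXEC in a second call also leaves a window in which another thread can fork and exec while the descriptor is still inheritable, which the patch description accepts by not using the new APIs yet; a short comment at each site saying so would help. The enclosing functions start and end outside these hunks, so whether a pool cleanup would release the descriptor on these paths cannot be seen here.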
@@ -0,0 +1,71 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 001_cve-2009-2412.dpatch by William Rowe
+##
+## DP: SECURITY: CVE-2009-2412 (cve.mitre.org)
+## DP: Fix overflow in pools, where size alignment was taking place.
+## DP:
+## DP: Reported by: Matt Lewis
+## DP:
+## DP: * memory/unix/apr_pools.c
+## DP: (allocator_alloc, apr_palloc): Check for overflow after aligning size.
+## DP: (apr_pcalloc): Drop aligning of size; clearing what the caller asked for should suffice.
+## DP:
+## DP: SEE ALSO: apr-util-1.x-CVE-2009-2412.patch
+
+@DPATCH@
+--- a/memory/unix/apr_pools.c
++++ b/memory/unix/apr_pools.c
+@@ -191,16 +191,19 @@
+ }
+
+ static APR_INLINE
+-apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t size)
++apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
+ {
+ apr_memnode_t *node, **ref;
+ apr_uint32_t max_index;
+- apr_size_t i, index;
++ apr_size_t size, i, index;
+
+ /* Round up the block size to the next boundary, but always
+ * allocate at least a certain size (MIN_ALLOC).
+ */
+- size = APR_ALIGN(size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++ size = APR_ALIGN(in_size + APR_MEMNODE_T_SIZE, BOUNDARY_SIZE);
++ if (size < in_size) {
++ return NULL;
++ }
+ if (size < MIN_ALLOC)
+ size = MIN_ALLOC;
+
+@@ -628,13 +631,19 @@
+ * Memory allocation
+ */
+
+-APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t size)
++APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
+ {
+ apr_memnode_t *active, *node;
+ void *mem;
+- apr_size_t free_index;
++ apr_size_t size, free_index;
+
+- size = APR_ALIGN_DEFAULT(size);
++ size = APR_ALIGN_DEFAULT(in_size);
++ if (size < in_size) {
++ if (pool->abort_fn)
++ pool->abort_fn(APR_ENOMEM);
++
++ return NULL;
++ }
+ active = pool->active;
+
+ /* If the active node has enough bytes left, use it. */
+@@ -699,7 +708,6 @@
+ {
+ void *mem;
+
+- size = APR_ALIGN_DEFAULT(size);
+ if ((mem = apr_palloc(pool, size)) != NULL) {
+ memset(mem, 0, size);
+ }
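Review bot: The two `if (size < in_size)` checks in 001_cve-2009-2412.dpatch carry no comment saying that they detect wraparound, and in `allocator_alloc` the check also has to cover the `in_size + APR_MEMNODE_T_SIZE` addition, which is not obvious from the line. I would add above each check a comment such as `/* the rounded size wrapped past the apr_size_t maximum and is now smaller than the request */`. In `apr_palloc` the new branch returns NULL when `pool->abort_fn` is unset, so the function's documentation should state that an oversized request yields NULL; `apr_pcalloc` in the third hunk already checks for that before `memset`. All three function bodies continue outside the hunks.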