authorAnthony G. Basile <blueness@gentoo.org>2013-06-06 21:06:30 +0000
committerAnthony G. Basile <blueness@gentoo.org>2013-06-06 21:06:30 +0000
commit94ed476f6684e9f6e701854d116e2056ad958b3c (patch)
treedad4bbb6146fc94a60b582de2b4e4a8e44f55c42 /www-servers
parentfix AM_CONFIG_HEADER issue (bug #469704); fix another buffer warning; tidy ep... (diff)
Upstream bump to fix potential DoS bug in headers parser, bug #472400, CVE-2013-3843
Package-Manager: portage-2.1.11.62/cvs/Linux x86_64 Manifest-Sign-Key: 0xF52D4BBA
Diffstat (limited to 'www-servers')
-rw-r--r--www-servers/monkeyd/ChangeLog9
-rw-r--r--www-servers/monkeyd/Manifest33
-rw-r--r--www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch131
-rw-r--r--www-servers/monkeyd/monkeyd-1.2.1.ebuild (renamed from www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild)7
4 files changed, 26 insertions, 154 deletions
diff --git a/www-servers/monkeyd/ChangeLog b/www-servers/monkeyd/ChangeLog
index d54e800432ba..0e5dc49c56c7 100644
--- a/www-servers/monkeyd/ChangeLog
+++ b/www-servers/monkeyd/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-servers/monkeyd
# Copyright 1999- Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.57 2013/06/05 20:53:14 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/ChangeLog,v 1.58 2013/06/06 21:06:02 blueness Exp $
+
+*monkeyd-1.2.1 (06 Jun 2013)
+
+ 06 Jun 2013; Anthony G. Basile <blueness@gentoo.org> +monkeyd-1.2.1.ebuild,
+ -files/monkeyd-fix-DoS-headers-parser.patch, -monkeyd-1.2.0-r1.ebuild:
+ Upstream bump to fix potencial DoS bug in headers parser, bug #472400,
+ CVE-2013-3843
*monkeyd-1.2.0-r1 (05 Jun 2013)
diff --git a/www-servers/monkeyd/Manifest b/www-servers/monkeyd/Manifest
index f19d6390b1cc..94a7a6ad4f6d 100644
--- a/www-servers/monkeyd/Manifest
+++ b/www-servers/monkeyd/Manifest
@@ -1,29 +1,28 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
-AUX monkeyd-fix-DoS-headers-parser.patch 4450 SHA256 7df6eeb6afb262fd7e2fc05eb8e1932d0d5cea06a7d59b2020fc5e3c288e760e SHA512 5406625757576a660ee0da915bb270bf83649364d84a530ef88a070ed183d44465b3300f180f7ac0509102d0e81ece0b5935d957a8a84e1f412043fc5deb0ba5 WHIRLPOOL 0a0d0d80dc4b839baf06d57a4ea23a2061246aad2677f934f65ed492c810af6654376c5db4a79b922dc9158abd991cbade4fb52d4d4fc8c21ea6536015b25597
AUX monkeyd.confd 288 SHA256 ba8e0113f3d90f4c5681fb9c76ab523b56ffa409f8b388db9f83e54bd1700eee SHA512 0ed5e3e7f86564d157d833f980e715ebbc0017530f967b21581a1df8c0990a15ff8af538f664c03da3b10affa02773ad78e4dcd03a3d3f670d7661ecaf0ca00f WHIRLPOOL 1f736bab1f63324c0020d2d236bb84bf253978d76db8087ff0d71849bece6ae7531dfa6ab250e2f136301ef265f35061d059eb45536fc1b8220c9fbd78b83ef2
AUX monkeyd.initd 716 SHA256 3e1c3d1fcf12bde4847f86c06eaf82c1230af8c56040d56f25d22a6fbbae285d SHA512 9f5ac51a06c0255d5d2b09c19228c849c5314f8f9d4ef2dbc837028620462897dd81b504cbf53bd36bd4896e72fcc17b2b0043e038de7bd3d39aa1be26dc8126 WHIRLPOOL e3d4788d4b78a7e1b8482581547350e1dc989ca561484283533d696eea3419f89643fe45610c6e793a3e2c26a1ef7e6ef24cba9fba99f8e06a4cfcbe25cc57c6
DIST monkey-1.1.1.tar.gz 404633 SHA256 5b6cf4b4a5cc2e6c7e2ac08515f542636884d7f85684f87005c6020e3567c7f4 SHA512 37a7806995d70a432d1f42e01f31a25012c7f39077613a4a0a772946ba512b52438d4ea3b798e09cc514833256775030a67ede5f66ac7ca93323642fba003008 WHIRLPOOL e490e34fe12a8f7f7fb63cb980fff6b642cbd341c56451ed4067fdb90445cacb6101b692e752f0771626846970651e1d07d1cb281e355be2fefa2581e96fe242
-DIST monkey-1.2.0.tar.gz 425807 SHA256 b15b7f5df57a57ffea42380454e2de9896297f3326756f77b39ca8386d9fb22f SHA512 6358e817e75cf8160f95ec8185eb7db21793b1dde916c8a5e38b85f788e284a00175fa82cf764451db6a4b656b50c25908baf6f52d73037e4f597eb84c05c356 WHIRLPOOL bf717c8c873935031955bf7f5d940f01d132347fc9b5e4f5b3d4f93bdcf2bce65b19644d5e5b12d6b1409f4734b6a28c90576e603086d7a52817fd7f0ea11840
+DIST monkey-1.2.1.tar.gz 427126 SHA256 b1fcb257cb70e12013eddc5a7bb78a942555d400adf5902e67a8070148b11de6 SHA512 59ea99042cda4a3ad68c4184ec9c8cbd05c7d604bcbeb2cb90e21d27112395b1f1877e3592390a4aac6eb42a766e7847eac2606291827b8bf943e809b0d25be1 WHIRLPOOL 33d910c7ec63c676d6a18b24db5f1f001179a4b6a28150bbfac341f7331235dff4e25d60e4ed86f5e180ad012d81ae965c3646593a3bae3090ba8f146422ae08
EBUILD monkeyd-1.1.1.ebuild 2044 SHA256 8929978ca500523871a1707816a12de6f47950d3b90efde6a29fe960ef1d6c80 SHA512 d8b549bd1df2543928a132226969ae6352ae245ce9afd98199a5c4497fd335fb0832687c7c3a789b43e7da6c6bb02a9daa7c8e14c81a6b6b57d9af545d74dfc1 WHIRLPOOL b399c1df3a3bdf5c4eb2093d154e9c3195c4233afccad725cf736492cd3c684a600c9eff53764cf486c7a964940e60a73c0a7fe5f2a47a267aa876bbc4f7d593
-EBUILD monkeyd-1.2.0-r1.ebuild 4426 SHA256 51d297c1e61b69e7009e600c66cda3760b2f2d3bdabd630f3d4f0abc1928224e SHA512 4ad92152b0e0adc62b0090e647696982818d2ff0bfc5181bc0552010342eb72bec45d66cdc10800d4c63ba192660f279b6da6dcf54734c1aac076cdf527f1d89 WHIRLPOOL 9c248515052d09242bd0d494df90f4928450e8152e1e789cd4ac31907a0f40736891045825e5bf4580fbd200e1c3af7f0fb9681a0100755cca63c733103134de
-MISC ChangeLog 9596 SHA256 16334ca118f3a830a9077769a4618ac993862f740184bdc61ce296ce078770d0 SHA512 4342a079149a3113accaf20035bae4a3d3398cf029f4ae5ff38d0d0b0646cf8b4e2ba2519e96a657e96467a2ce96850852e341d891502ec97c15c2bc44a2f58c WHIRLPOOL 0deae4e5721e304ee44ced1abb73c6a771fbd2c467b3f41797bc1a296bab0b3df8314f8cf26ab7d5f9ae477f42169e2ef42c8b439d7557bc04c5d5b820d48a2a
+EBUILD monkeyd-1.2.1.ebuild 4306 SHA256 9175eb31863b7c97d58bed3f7eece762ad33270e67819094af5032c92ed13824 SHA512 5866ed717866b36771d8fd2a5e6bc3f87526c98493bec191f3bc6cca474622ce5c4815c6ebcc2c65e5268a881346d84fda6c001e50f58fcd2babfc26425fcdf7 WHIRLPOOL 7e964632a4def037ed40197506957adc0c2a676aab795a59b1b948a8745c0c12e692b1867c2de1cdbdec3bcd36a3bda7ca099260e811abb1dd354c5f0e5ec011
+MISC ChangeLog 9867 SHA256 ceb5066f59a2c4ec6b7e29c94cc8b25d34140c0012488202fdde7dfd7129da1c SHA512 21a45c532eecd49ce7ba91c01ae53a303e4e744e254e317e252ac81d56873a7a6607150b8e8ec070e9fc1f8b81d5e8ebc78d61a3cb2b7d7d1ba423969ef8f791 WHIRLPOOL 7328c6386baff3c68a9d9921ce8c5eee7792567034d4ef978f914e88991b0b73d7a9e044839ae3b46ea35946f3a5a4919b98c619c7c381e8b62ffd5680e197ef
MISC metadata.xml 385 SHA256 88901f1e630c8bb995da2ece6f50de69a82b845f63e51742c6f90b26f31c5321 SHA512 863daa33d3ce733a5b84927dba2f0bb28f24802b27f0b2ef225b4c5e8251977f8500ea015f0f21febda32cc7933c95daf9add6fe9563cce979ecf8096babb242 WHIRLPOOL b61c7a2b8e851a98662ebbc76cfb826a0980c6c9654f119d152f226add3cce42b8ed2e2d354e6c994b9e10badd3521b611d133bdc0983a00c75e920717959269
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iQIcBAEBCAAGBQJRr6VkAAoJEJOE+m71LUu69rAP/1D51GnPu/3m30vNCX1xZj0j
-whFCEFR5xfCwBrDjmBg0+mvUEpjXuHtBT3ntlix124qMAm0l7dLqgE5vOUUQRj/2
-VlrR2HBV4zII9M2kN1i7I+qFdorChHHKDBywOqNyG1hWsVrCkHER1uA8v/3QNK58
-aFK7oHJRK/DiUteHsaD4ni8VNwjTUfRG9IYIb+cqaPO9MWb/aKRBGqPAkg9xywdD
-F1uzu3yCZrPk/pSGEeCJYCLa2DMEAKw4gPj5M/ndf/A7ELemDhRDvzoU0yfumgHI
-oEHT86l0PY3VrDNMAo3hiX3PIR6bEmyfPV69VqMv200F4k6hGdZKAHig7HwWffk7
-PtPeZCMlptnHy7XTMjmO1y1Tq+iTQ8nD4OgLRrkPB6qjC/5PuySYfG9RcR2Ipe5S
-HAexw5r9L4vq+NLWkJoX9BmHBkiRTLZjKFDBJTQd8w0FxAZJBPXe/MGyHEVImjq+
-Y9aCgZWpp5kObW8IX1sKpO5LDD1e5nFwl9moADFvh2GgXMpdnH+VkQfICj6q+ICB
-/Gr4ru2IEqg59V29rwvFE68Nf8RJKQGk5cn1sE+JWZnoUaiOJwTcCWVYODWJfUsi
-JDZzThpYcIRTMlbUzHqFZGUZUENP5uzQI06HydFQdptqqwvRGp9A3HNfafAXYg14
-gfpu5rRApLpljc938YPX
-=Pynk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+=Paym
-----END PGP SIGNATURE-----
diff --git a/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch b/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch
deleted file mode 100644
index db0e111dab00..000000000000
--- a/www-servers/monkeyd/files/monkeyd-fix-DoS-headers-parser.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 95d646e5de252bfaa8b68c39d0f48e5d82965d41 Mon Sep 17 00:00:00 2001
-From: Eduardo Silva <edsiper@gmail.com>
-Date: Wed, 5 Jun 2013 12:18:39 -0600
-Subject: [PATCH] Fix #182: DoS bug on headers parser
-
-This patch fix the root cause for a problem described in Ticket #182,
-actually if a header is malformed like a Header Key without a value, the
-ToC parser used to continue processing the next header line.
-
-The solution applied is to improve the ToC generator where it adds extra
-validations for at least one colon and forcing each header line to contain
-a value or empty space, otherwise the server will trigger a Bad Request
-response to the client and close the connection.
-
-Signed-off-by: Eduardo Silva <edsiper@gmail.com>
----
- src/mk_method.c | 11 ++++++++++-
- src/mk_request.c | 36 +++++++++++++++++++++++++++++-------
- 2 files changed, 39 insertions(+), 8 deletions(-)
-
-diff --git a/src/mk_method.c b/src/mk_method.c
-index 4a0698a..b35e893 100644
---- a/src/mk_method.c
-+++ b/src/mk_method.c
-@@ -45,16 +45,25 @@
-
- long int mk_method_validate_content_length(const char *body, int body_len)
- {
-+ int crlf;
- struct headers_toc toc;
- long int len;
- mk_pointer tmp;
-
-+ crlf = mk_string_search(body, MK_CRLF, MK_STR_INSENSITIVE);
-+ if (crlf < 0) {
-+ return -1;
-+ }
-+
- /*
- * obs: Table of Content (toc) is created when the full
- * request has arrived, this function cannot be used from
- * mk_http_pending_request().
- */
-- mk_request_header_toc_parse(&toc, body, body_len);
-+ if (mk_request_header_toc_parse(&toc, body + crlf + mk_crlf.len,
-+ body_len - mk_crlf.len - crlf) < 0) {
-+ return -1;
-+ }
- tmp = mk_request_header_get(&toc,
- mk_rh_content_length.data,
- mk_rh_content_length.len);
-diff --git a/src/mk_request.c b/src/mk_request.c
-index 5c1f07e..083aba8 100644
---- a/src/mk_request.c
-+++ b/src/mk_request.c
-@@ -121,13 +121,32 @@ static void mk_request_free(struct session_request *sr)
-
- int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int len)
- {
-- int i;
-+ int i = 0;
-+ int header_len;
-+ int colon;
-+ char *q;
- char *p = (char *) data;
-- char *l = 0;
-+ char *l = p;
-
- toc->length = 0;
-+
-+ if (*p == '\r') goto out;
- for (i = 0; l < (data + len) && p && i < MK_HEADERS_TOC_LEN; i++) {
-- l = strstr(p, MK_CRLF);
-+ if (*p == '\r') goto out;
-+
-+ colon = -1;
-+ for (q = p; *q != '\r'; ++q) {
-+ if (*q == ':') {
-+ colon = (q - p);
-+ }
-+ }
-+
-+ l = (q);
-+ header_len = (l - p) - mk_crlf.len;
-+ if ((colon == -1) || (header_len == colon) || (*++q != '\n')) {
-+ return -1;
-+ }
-+
- if (l) {
- toc->rows[i].init = p;
- toc->rows[i].end = l;
-@@ -140,6 +159,7 @@ int mk_request_header_toc_parse(struct headers_toc *toc, const char *data, int l
- }
- }
-
-+ out:
- return toc->length;
- }
-
-@@ -237,13 +257,15 @@ static int mk_request_header_process(struct session_request *sr)
-
- /* Creating Table of Content (index) for HTTP headers */
- sr->headers_len = sr->body.len - (prot_end + mk_crlf.len);
-- mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len);
-+ if (mk_request_header_toc_parse(&sr->headers_toc, headers, sr->headers_len) < 0) {
-+ MK_TRACE("Invalid headers");
-+ return -1;
-+ }
-
- /* Host */
- host = mk_request_header_get(&sr->headers_toc,
- mk_rh_host.data,
- mk_rh_host.len);
--
- if (host.data) {
- if ((pos_sep = mk_string_char_search_r(host.data, ':', host.len)) >= 0) {
- /* TCP port should not be higher than 65535 */
-@@ -321,8 +343,8 @@ static int mk_request_header_process(struct session_request *sr)
- sr->keep_alive = MK_TRUE;
- sr->close_now = MK_FALSE;
- }
-- else if(mk_string_search_n(sr->connection.data, "Close",
-- MK_STR_INSENSITIVE, sr->connection.len) >= 0) {
-+ else if (mk_string_search_n(sr->connection.data, "Close",
-+ MK_STR_INSENSITIVE, sr->connection.len) >= 0) {
- sr->keep_alive = MK_FALSE;
- sr->close_now = MK_TRUE;
- }
---
-1.7.4.1
-
diff --git a/www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild b/www-servers/monkeyd/monkeyd-1.2.1.ebuild
index 0b38a35e6051..4f89ecb0c958 100644
--- a/www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild
+++ b/www-servers/monkeyd/monkeyd-1.2.1.ebuild
@@ -1,10 +1,10 @@
# Copyright 1999- Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.0-r1.ebuild,v 1.1 2013/06/05 20:53:14 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/monkeyd/monkeyd-1.2.1.ebuild,v 1.1 2013/06/06 21:06:02 blueness Exp $
EAPI="5"
-inherit toolchain-funcs depend.php multilib eutils
+inherit toolchain-funcs depend.php multilib
MY_P="${PN/d}-${PV}"
DESCRIPTION="A small, fast, and scalable web server"
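Review bot: Dropping `eutils` from the inherit line is only safe if `epatch` was the sole eutils-provided function the ebuild used; the remainder of the ebuild is outside this hunk, so any other eutils helper still referenced there (for example a user-patch hook) would now be undefined at build time. Grep the full ebuild for eutils functions before merging, or keep `inherit toolchain-funcs depend.php multilib eutils` if anything else depends on it. The DESCRIPTION line and the rest of the ebuild continue past this hunk.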
@@ -42,9 +42,6 @@ pkg_setup() {
}
src_prepare() {
- # Fixes security issue, bug #472400, CVE-2013-3843
- epatch "${FILESDIR}"/${PN}-fix-DoS-headers-parser.patch
-
# Don't install the banana script, we use ${FILESDIR}/monkeyd.initd instead
sed -i '/Creating bin\/banana/d' configure || die "No configure file"
sed -i '/create_banana_script bindir/d' configure || die "No configure file"