head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.2 pkgsrc-2013Q2-base:1.4 pkgsrc-2013Q1:1.3.0.12 pkgsrc-2013Q1-base:1.3 pkgsrc-2012Q4:1.3.0.10 pkgsrc-2012Q4-base:1.3 pkgsrc-2012Q3:1.3.0.8 pkgsrc-2012Q3-base:1.3 pkgsrc-2012Q2:1.3.0.6 pkgsrc-2012Q2-base:1.3 pkgsrc-2012Q1:1.3.0.4 pkgsrc-2012Q1-base:1.3 pkgsrc-2011Q4:1.3.0.2 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.2.0.4 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.2 pkgsrc-2009Q4-base:1.2 pkgsrc-2009Q2:1.1.0.2; locks; strict; comment @# @; 1.4 date 2013.05.14.14.43.40; author taca; state dead; branches; next 1.3; commitid YF1LlgvMhRihLBPw; 1.3 date 2011.11.28.15.26.26; author drochner; state Exp; branches; next 1.2; 1.2 date 2009.09.18.02.01.35; author taca; state dead; branches; next 1.1; 1.1 date 2009.09.13.01.00.16; author taca; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2009.09.13.01.00.16; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2009.09.13.14.37.57; author tron; state Exp; branches; next ; desc @@ 1.4 log @Remove squid27 package. It is squid-2.7.STABLE9 which isn't supported any more. @ text @$NetBSD: patch-am,v 1.3 2011/11/28 15:26:26 drochner Exp $ protect against CVE-2011-4122 --- helpers/basic_auth/PAM/pam_auth.c.orig 2005-05-17 16:56:25.000000000 +0000 +++ helpers/basic_auth/PAM/pam_auth.c @@@@ -188,6 +188,11 @@@@ start: exit(1); } + if (strchr(service, '/')) { + fprintf(stderr, "Illegal service '%s'\n", service); + exit(1); + } + while (fgets(buf, BUFSIZE, stdin)) { user = buf; password = strchr(buf, '\n'); @ 1.3 log @Don't allow '/' characters to be passed to pam_start() by the PAM helper program. OpenPAM didn't check this, so it could be tricked into reading arbitrary config files, allowing privilege escalation. Standard squid installations don't install the PAM helper SUID, but depending on local needs, an administrator might choose to do so. approved by pkg maintainer bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Update squid27 package to 2.7.7 (2.7.STABLE7). 
pkgsrc changes: add LICENSE. Changes to squid-2.7.STABLE7 (17 September 2009) - Bug #2661 - Solaris /dev/poll support broken with EINVAL - Clarify external_acl_type %{Header} documentation slightly - Bug #2482: Remove mem_obj->old_entry in async code to avoid deep ctx errors - GCC-4.x cleanups - Bug #2605: Don't call setsid() on helper children when running in daemon mode - Windows port: Fix PSAPI.DLL usage, it is always available on Windows NT and later - Windows port: Added support for Windows 7, Windows Server 2008 R2 and later - Bug #2602: increase MAX_URL to 8192 - The debug mode option '-d' was not documented in LDAP helpers usage message - Windows port: Added a note about installation on Windows Vista and later - Bug #2642: Remove duplicate peerMonitorInit() on reconfigure - Bug #2515: Final chunk parsing errors on FreeBSD6+ - Bug #2647: Reprioritise override-* and stale-while-revalidate - Windows port: Fix improper access permissions to registry and DNS parsing from registry - Windows port: Fix getservbyname() usage abuse. - Bug #2672: cacheMemMaxSize 32-bit overflow during snmpwalk - Bug #2691: store_url memory leak - Accept PUT/POST requests without an entity-body - Plug request_t + HttpStateData memory leak on PUT/POST requests with early response - Bug #2710: squid_kerb_auth non-terminated string - Bug #2369: squid traffic counter 32-bit overflow - Bug #2080: wbinfo_group.pl - false positive under certain conditions - Bug #2739: DNS resolver option ndots can't be parsed from resolv.conf - Windows port: fix mswin_negotiate_auth.exe crash when executing a LocalCall authentication with verbose debug enabled - Add 0.0.0.0 as a to_localhost address - Windows port: Update mswin_check_ad_group to version 2.0 - Windows port: There is no "-P" command line option in the mswin_check_ad_group helper.
- Correct Valgrind mempool protection - Bug #2451: Correct length handling on 304 responses - Bug #2541: Hang in 100% CPU loop while extracting header details using a delimiter other than comma (external_acl_type, access_log_format, external_refresh_check) - Bug #2768 - squid_ldap_group -K argument parsing error @ text @d1 1 a1 1 $NetBSD: patch-am,v 1.1 2009/09/13 01:00:16 taca Exp $ d3 1 a3 1 * A patch for CVE-2009-2855 DoS fix from squid's repository: PatchSet 12541. d5 14 a18 33 --- src/HttpHeaderTools.c.orig 2008-04-02 10:00:11.000000000 +0900 +++ src/HttpHeaderTools.c @@@@ -239,6 +239,10 @@@@ int strListGetItem(const String * str, char del, const char **item, int *ilen, const char **pos) { size_t len; + /* ',' is always enabled as field delimiter as this is required for + * processing merged header values properly, even if Cookie normally + * uses ';' as delimiter. + */ static char delim[3][8] = { "\"?,", @@@@ -261,16 +265,15 @@@@ strListGetItem(const String * str, char /* find next delimiter */ do { *pos += strcspn(*pos, delim[quoted]); - if (**pos == del) - break; if (**pos == '"') { quoted = !quoted; *pos += 1; - } - if (quoted && **pos == '\\') { + } else if (quoted && **pos == '\\') { *pos += 1; if (**pos) *pos += 1; + } else { + break; /* Delimiter found, marking the end of this value */ } } while (**pos); len = *pos - *item; /* *pos points to del or '\0' */ @ 1.1 log @Add CVE-2009-2855 DoS fix from squid's repository. Bump PKGREVISION.
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-am was added on branch pkgsrc-2009Q2 on 2009-09-13 14:37:57 +0000 @ text @d1 37 @ 1.1.2.2 log @Pullup ticket #2888 - requested taca squid27: security patch Revisions pulled up: - www/squid27/Makefile 1.8 - www/squid27/distinfo 1.5 - www/squid27/patches/patch-am 1.1 --- Module Name: pkgsrc Committed By: taca Date: Sun Sep 13 01:00:17 UTC 2009 Modified Files: pkgsrc/www/squid27: Makefile distinfo Added Files: pkgsrc/www/squid27/patches: patch-am Log Message: Add CVE-2009-2855 DoS fix from squid's repository. Bump PKGREVISION. @ text @a0 37 $NetBSD: patch-am,v 1.1 2009/09/13 01:00:16 taca Exp $ * A patch for CVE-2009-2855 DoS fix from squid's repository: PatchSet 12541. --- src/HttpHeaderTools.c.orig 2008-04-02 10:00:11.000000000 +0900 +++ src/HttpHeaderTools.c @@@@ -239,6 +239,10 @@@@ int strListGetItem(const String * str, char del, const char **item, int *ilen, const char **pos) { size_t len; + /* ',' is always enabled as field delimiter as this is required for + * processing merged header values properly, even if Cookie normally + * uses ';' as delimiter. + */ static char delim[3][8] = { "\"?,", @@@@ -261,16 +265,15 @@@@ strListGetItem(const String * str, char /* find next delimiter */ do { *pos += strcspn(*pos, delim[quoted]); - if (**pos == del) - break; if (**pos == '"') { quoted = !quoted; *pos += 1; - } - if (quoted && **pos == '\\') { + } else if (quoted && **pos == '\\') { *pos += 1; if (**pos) *pos += 1; + } else { + break; /* Delimiter found, marking the end of this value */ } } while (**pos); len = *pos - *item; /* *pos points to del or '\0' */ @
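Review bot: the `@@ -188,6 +188,11 @@` hunk in helpers/basic_auth/PAM/pam_auth.c (revision 1.3 text) adds the `strchr(service, '/')` rejection without any comment explaining why a '/' in the service name is dangerous; the rationale lives only in the commit log (OpenPAM resolving the service name as a configuration-file path, CVE-2011-4122), so add a one-line comment above the check, e.g. `/* CVE-2011-4122: '/' would let the service name select an arbitrary PAM config file */`, so a later cleanup does not drop it. Placing the check before the `while (fgets(buf, BUFSIZE, stdin))` loop, as done here, is correct since `service` is fixed for the helper's lifetime.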
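Review bot: the `@@ -239,6 +239,10 @@` hunk in src/HttpHeaderTools.c documents that ',' is always enabled as a delimiter, but the comment does not say how the caller's `del` argument relates to the `delim[3][8]` table whose first row is `"\"?,"`, nor does it mention CVE-2009-2855, which the patch header names as the reason for the change; state both in the comment so the invariant the second hunk relies on (a comma terminates a value even when `del` is ';') is recorded next to the table it describes.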
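Review bot: in the `@@ -261,16 +265,15 @@` hunk of src/HttpHeaderTools.c the trailing context line `len = *pos - *item; /* *pos points to del or '\0' */` is now stale: with `if (**pos == del) break;` removed, the new `} else { break; }` branch exits the loop on any character of `delim[quoted]` other than '"' and a quoted backslash, so `*pos` may point to ',' rather than `del`; update the comment to say "points to a delimiter or '\0'". The restructured chain (quote toggle, else quoted backslash skip, else break) otherwise preserves the earlier termination on '\0' because `strcspn` stops there and neither branch matches, so the `while (**pos)` test is reached as before.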