revision bump with fix for CVE-2010-0295, straight to stable on amd64

(Portage version: 2.1.7.16/cvs/Linux x86_64, RepoMan options: --force)

3 files changed, 431 insertions, 1 deletions

diff --git a/www-servers/lighttpd/ChangeLog b/www-servers/lighttpd/ChangeLog
index ce0346362ceb..41b6359af4bd 100644
--- a/www-servers/lighttpd/ChangeLog
+++ b/www-servers/lighttpd/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for www-servers/lighttpd
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/ChangeLog,v 1.217 2010/02/01 19:53:41 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/ChangeLog,v 1.218 2010/02/01 23:47:54 hoffie Exp $
+
+*lighttpd-1.4.25-r1 (01 Feb 2010)
+
+  01 Feb 2010; Christian Hoffmann <hoffie@gentoo.org>
+  +lighttpd-1.4.25-r1.ebuild, +files/1.4.25-fix-CVE-2010-0295.patch:
+  revision bump with fix for CVE-2010-0295, straight to stable on amd64
 
   01 Feb 2010; Markus Meier <maekke@gentoo.org> lighttpd-1.4.23.ebuild:
   arm stable, bug #286134
diff --git a/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch b/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch
new file mode 100644
index 000000000000..fcac31887872
--- /dev/null
+++ b/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch
@@ -0,0 +1,211 @@
+Index: branches/lighttpd-1.4.x/src/base.h
+===================================================================
+--- branches/lighttpd-1.4.x/src/base.h	(revision 2709)
++++ branches/lighttpd-1.4.x/src/base.h	(revision 2710)
+@@ -431,7 +431,6 @@
+ 
+ #ifdef USE_OPENSSL
+ 	SSL *ssl;
+-	buffer *ssl_error_want_reuse_buffer;
+ # ifndef OPENSSL_NO_TLSEXT
+ 	buffer *tlsext_server_name;
+ # endif
+Index: branches/lighttpd-1.4.x/src/connections.c
+===================================================================
+--- branches/lighttpd-1.4.x/src/connections.c	(revision 2709)
++++ branches/lighttpd-1.4.x/src/connections.c	(revision 2710)
+@@ -192,40 +192,42 @@
+ 
+ static int connection_handle_read_ssl(server *srv, connection *con) {
+ #ifdef USE_OPENSSL
+-	int r, ssl_err, len, count = 0;
++	int r, ssl_err, len, count = 0, read_offset, toread;
+ 	buffer *b = NULL;
+ 
+ 	if (!con->conf.is_ssl) return -1;
+ 
+-	/* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+-
+ 	ERR_clear_error();
+ 	do {
+-		if (!con->ssl_error_want_reuse_buffer) {
+-			b = buffer_init();
+-			buffer_prepare_copy(b, SSL_pending(con->ssl) + (16 * 1024)); /* the pending bytes + 16kb */
++		if (NULL != con->read_queue->last) {
++			b = con->read_queue->last->mem;
++		}
+ 
++		if (NULL == b || b->size - b->used < 1024) {
++			b = chunkqueue_get_append_buffer(con->read_queue);
++			len = SSL_pending(con->ssl);
++			if (len < 4*1024) len = 4*1024; /* always alloc >= 4k buffer */
++			buffer_prepare_copy(b, len + 1);
++
+ 			/* overwrite everything with 0 */
+ 			memset(b->ptr, 0, b->size);
+-		} else {
+-			b = con->ssl_error_want_reuse_buffer;
+ 		}
+ 
+-		len = SSL_read(con->ssl, b->ptr, b->size - 1);
+-		con->ssl_error_want_reuse_buffer = NULL; /* reuse it only once */
++		read_offset = (b->used > 0) ? b->used - 1 : 0;
++		toread = b->size - 1 - read_offset;
+ 
++		len = SSL_read(con->ssl, b->ptr + read_offset, toread);
++
+ 		if (len > 0) {
+-			b->used = len;
++			if (b->used > 0) b->used--;
++			b->used += len;
+ 			b->ptr[b->used++] = '\0';
+ 
+-		       	/* we move the buffer to the chunk-queue, no need to free it */
++			con->bytes_read += len;
+ 
+-			chunkqueue_append_buffer_weak(con->read_queue, b);
+ 			count += len;
+-			con->bytes_read += len;
+-			b = NULL;
+ 		}
+-	} while (len > 0 && count < MAX_READ_LIMIT);
++	} while (len == toread && count < MAX_READ_LIMIT);
+ 
+ 
+ 	if (len < 0) {
+@@ -234,11 +236,11 @@
+ 		case SSL_ERROR_WANT_READ:
+ 		case SSL_ERROR_WANT_WRITE:
+ 			con->is_readable = 0;
+-			con->ssl_error_want_reuse_buffer = b;
+ 
+-			b = NULL;
++			/* the manual says we have to call SSL_read with the same arguments next time.
++			 * we ignore this restriction; no one has complained about it in 1.5 yet, so it probably works anyway.
++			 */
+ 
+-			/* we have to steal the buffer from the queue-queue */
+ 			return 0;
+ 		case SSL_ERROR_SYSCALL:
+ 			/**
+@@ -297,16 +299,11 @@
+ 
+ 		connection_set_state(srv, con, CON_STATE_ERROR);
+ 
+-		buffer_free(b);
+-
+ 		return -1;
+ 	} else if (len == 0) {
+ 		con->is_readable = 0;
+ 		/* the other end close the connection -> KEEP-ALIVE */
+ 
+-		/* pipelining */
+-		buffer_free(b);
+-
+ 		return -2;
+ 	}
+ 
+@@ -321,26 +318,41 @@
+ static int connection_handle_read(server *srv, connection *con) {
+ 	int len;
+ 	buffer *b;
+-	int toread;
++	int toread, read_offset;
+ 
+ 	if (con->conf.is_ssl) {
+ 		return connection_handle_read_ssl(srv, con);
+ 	}
+ 
++	b = (NULL != con->read_queue->last) ? con->read_queue->last->mem : NULL;
++
++	/* default size for chunks is 4kb; only use bigger chunks if FIONREAD tells
++	 *  us more than 4kb is available
++	 * if FIONREAD doesn't signal a big chunk we fill the previous buffer
++	 *  if it has >= 1kb free
++	 */
+ #if defined(__WIN32)
+-	b = chunkqueue_get_append_buffer(con->read_queue);
+-	buffer_prepare_copy(b, 4 * 1024);
+-	len = recv(con->fd, b->ptr, b->size - 1, 0);
+-#else
+-	if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) {
++	if (NULL == b || b->size - b->used < 1024) {
+ 		b = chunkqueue_get_append_buffer(con->read_queue);
+ 		buffer_prepare_copy(b, 4 * 1024);
++	}
++
++	read_offset = (b->used == 0) ? 0 : b->used - 1;
++	len = recv(con->fd, b->ptr + read_offset, b->size - 1 - read_offset, 0);
++#else
++	if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
++		if (NULL == b || b->size - b->used < 1024) {
++			b = chunkqueue_get_append_buffer(con->read_queue);
++			buffer_prepare_copy(b, 4 * 1024);
++		}
+ 	} else {
+ 		if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
+ 		b = chunkqueue_get_append_buffer(con->read_queue);
+ 		buffer_prepare_copy(b, toread + 1);
+ 	}
+-	len = read(con->fd, b->ptr, b->size - 1);
++
++	read_offset = (b->used == 0) ? 0 : b->used - 1;
++	len = read(con->fd, b->ptr + read_offset, b->size - 1 - read_offset);
+ #endif
+ 
+ 	if (len < 0) {
+@@ -374,7 +386,8 @@
+ 		con->is_readable = 0;
+ 	}
+ 
+-	b->used = len;
++	if (b->used > 0) b->used--;
++	b->used += len;
+ 	b->ptr[b->used++] = '\0';
+ 
+ 	con->bytes_read += len;
+@@ -850,13 +863,6 @@
+ 	/* The cond_cache gets reset in response.c */
+ 	/* config_cond_cache_reset(srv, con); */
+ 
+-#ifdef USE_OPENSSL
+-	if (con->ssl_error_want_reuse_buffer) {
+-		buffer_free(con->ssl_error_want_reuse_buffer);
+-		con->ssl_error_want_reuse_buffer = NULL;
+-	}
+-#endif
+-
+ 	con->header_len = 0;
+ 	con->in_error_handler = 0;
+ 
+@@ -1128,8 +1134,15 @@
+ 			} else {
+ 				buffer *b;
+ 
+-				b = chunkqueue_get_append_buffer(dst_cq);
+-				buffer_copy_string_len(b, c->mem->ptr + c->offset, toRead);
++				if (dst_cq->last &&
++				    dst_cq->last->type == MEM_CHUNK) {
++					b = dst_cq->last->mem;
++				} else {
++					b = chunkqueue_get_append_buffer(dst_cq);
++					/* prepare buffer size for remaining POST data; is < 64kb */
++					buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1);
++				}
++				buffer_append_string_len(b, c->mem->ptr + c->offset, toRead);
+ 			}
+ 
+ 			c->offset += toRead;
+Index: branches/lighttpd-1.4.x/src/chunk.c
+===================================================================
+--- branches/lighttpd-1.4.x/src/chunk.c	(revision 2709)
++++ branches/lighttpd-1.4.x/src/chunk.c	(revision 2710)
+@@ -197,8 +197,6 @@
+ int chunkqueue_append_buffer_weak(chunkqueue *cq, buffer *mem) {
+ 	chunk *c;
+ 
+-	if (mem->used == 0) return 0;
+-
+ 	c = chunkqueue_get_unused_chunk(cq);
+ 	c->type = MEM_CHUNK;
+ 	c->offset = 0;
diff --git a/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild b/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild
new file mode 100644
index 000000000000..bcae5606b475
--- /dev/null
+++ b/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild
@@ -0,0 +1,213 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild,v 1.1 2010/02/01 23:47:54 hoffie Exp $
+
+EAPI="2"
+
+inherit eutils autotools depend.php
+
+DESCRIPTION="Lightweight high-performance web server"
+HOMEPAGE="http://www.lighttpd.net/"
+SRC_URI="http://download.lighttpd.net/lighttpd/releases-1.4.x/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bzip2 doc fam fastcgi gdbm ipv6 ldap lua minimal memcache mysql pcre php rrdtool ssl test webdav xattr"
+
+RDEPEND="
+	>=sys-libs/zlib-1.1
+	bzip2?    ( app-arch/bzip2 )
+	fam?      ( virtual/fam )
+	gdbm?     ( sys-libs/gdbm )
+	ldap?     ( >=net-nds/openldap-2.1.26 )
+	lua?      ( >=dev-lang/lua-5.1 )
+	memcache? ( dev-libs/libmemcache )
+	mysql?    ( >=virtual/mysql-4.0 )
+	pcre?     ( >=dev-libs/libpcre-3.1 )
+	php?      ( virtual/httpd-php )
+	rrdtool?  ( net-analyzer/rrdtool )
+	ssl?    ( >=dev-libs/openssl-0.9.7 )
+	webdav? (
+		dev-libs/libxml2
+		>=dev-db/sqlite-3
+		sys-fs/e2fsprogs
+	)
+	xattr? ( kernel_linux? ( sys-apps/attr ) )"
+
+DEPEND="${RDEPEND}
+	dev-util/pkgconfig
+	doc?  ( dev-python/docutils )
+	test? (
+		virtual/perl-Test-Harness
+		dev-libs/fcgi
+	)"
+
+# update certain parts of lighttpd.conf based on conditionals
+update_config() {
+	local config="/etc/lighttpd/lighttpd.conf"
+
+	# enable php/mod_fastcgi settings
+	use php && \
+		dosed 's|#.*\(include.*fastcgi.*$\)|\1|' ${config}
+
+	# enable stat() caching
+	use fam && \
+		dosed 's|#\(.*stat-cache.*$\)|\1|' ${config}
+}
+
+# remove non-essential stuff (for USE=minimal)
+remove_non_essential() {
+	local libdir="${D}/usr/$(get_libdir)/${PN}"
+
+	# text docs
+	use doc || rm -fr "${D}"/usr/share/doc/${PF}/txt
+
+	# non-essential modules
+	rm -f \
+		${libdir}/mod_{compress,evhost,expire,proxy,scgi,secdownload,simple_vhost,status,setenv,trigger*,usertrack}.*
+
+	# allow users to keep some based on USE flags
+	use pcre    || rm -f ${libdir}/mod_{ssi,re{direct,write}}.*
+	use webdav  || rm -f ${libdir}/mod_webdav.*
+	use mysql   || rm -f ${libdir}/mod_mysql_vhost.*
+	use lua     || rm -f ${libdir}/mod_{cml,magnet}.*
+	use rrdtool || rm -f ${libdir}/mod_rrdtool.*
+
+	if ! use fastcgi ; then
+		rm -f ${libdir}/mod_fastcgi.*
+	fi
+}
+
+pkg_setup() {
+	if ! use pcre ; then
+		ewarn "It is highly recommended that you build ${PN}"
+		ewarn "with perl regular expressions support via USE=pcre."
+		ewarn "Otherwise you lose support for some core options such"
+		ewarn "as conditionals and modules such as mod_re{write,direct}"
+		ewarn "and mod_ssi."
+		ebeep 5
+	fi
+
+	use php && require_php_with_use cgi
+
+	enewgroup lighttpd
+	enewuser lighttpd -1 -1 /var/www/localhost/htdocs lighttpd
+}
+
+src_prepare() {
+	epatch "${FILESDIR}"/1.4.25-fix-unknown-AM_SILENT_RULES.patch
+	epatch "${FILESDIR}"/1.4.25-fix-CVE-2010-0295.patch
+	# dev-python/docutils installs rst2html.py not rst2html
+	sed -i -e 's|\(rst2html\)|\1.py|g' doc/Makefile.am || \
+		die "sed doc/Makefile.am failed"
+
+	eautoreconf
+}
+
+src_configure() {
+	econf --libdir=/usr/$(get_libdir)/${PN} \
+		--enable-lfs \
+		$(use_enable ipv6) \
+		$(use_with bzip2) \
+		$(use_with fam) \
+		$(use_with gdbm) \
+		$(use_with lua) \
+		$(use_with ldap) \
+		$(use_with memcache) \
+		$(use_with mysql) \
+		$(use_with pcre) \
+		$(use_with ssl openssl) \
+		$(use_with webdav webdav-props) \
+		$(use_with webdav webdav-locks) \
+		$(use_with xattr attr)
+}
+
+src_compile() {
+	emake || die "emake failed"
+
+	if use doc ; then
+		einfo "Building HTML documentation"
+		cd doc
+		emake html || die "failed to build HTML documentation"
+	fi
+}
+
+src_test() {
+	if [[ ${EUID} -eq 0 ]]; then
+		default_src_test
+	else
+		ewarn "test skipped, please re-run as root if you wish to test ${PN}"
+	fi
+}
+
+src_install() {
+	make DESTDIR="${D}" install || die "make install failed"
+
+	# init script stuff
+	newinitd "${FILESDIR}"/lighttpd.initd lighttpd || die
+	newconfd "${FILESDIR}"/lighttpd.confd lighttpd || die
+	use fam && has_version app-admin/fam && \
+		sed -i 's/after famd/need famd/g' "${D}"/etc/init.d/lighttpd
+
+	# configs
+	insinto /etc/lighttpd
+	doins "${FILESDIR}"/conf/lighttpd.conf
+	doins "${FILESDIR}"/conf/mime-types.conf
+	doins "${FILESDIR}"/conf/mod_cgi.conf
+	doins "${FILESDIR}"/conf/mod_fastcgi.conf
+	# Secure directory for fastcgi sockets
+	keepdir /var/run/lighttpd/
+	fperms 0750 /var/run/lighttpd/
+	fowners lighttpd:lighttpd /var/run/lighttpd/
+
+	# update lighttpd.conf directives based on conditionals
+	update_config
+
+	# docs
+	dodoc AUTHORS README NEWS doc/*.sh
+	newdoc doc/lighttpd.conf lighttpd.conf.distrib
+
+	use doc && dohtml -r doc/*
+
+	docinto txt
+	dodoc doc/*.txt
+
+	# logrotate
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/lighttpd.logrotate lighttpd || die
+
+	keepdir /var/l{ib,og}/lighttpd /var/www/localhost/htdocs
+	fowners lighttpd:lighttpd /var/l{ib,og}/lighttpd
+	fperms 0750 /var/l{ib,og}/lighttpd
+
+	#spawn-fcgi may optionally be installed via www-servers/spawn-fcgi
+	rm -f "${D}"/usr/bin/spawn-fcgi "${D}"/usr/share/man/man1/spawn-fcgi.*
+
+	use minimal && remove_non_essential
+}
+
+pkg_postinst () {
+	echo
+	if [[ -f ${ROOT}etc/conf.d/spawn-fcgi.conf ]] ; then
+		einfo "spawn-fcgi is now provided by www-servers/spawn-fcgi."
+		einfo "spawn-fcgi's init script configuration is now located"
+		einfo "at /etc/conf.d/spawn-fcgi."
+		echo
+	fi
+
+	if [[ -f ${ROOT}etc/lighttpd.conf ]] ; then
+		ewarn "Gentoo has a customized configuration,"
+		ewarn "which is now located in /etc/lighttpd.  Please migrate your"
+		ewarn "existing configuration."
+		ebeep 5
+	fi
+
+	if use fastcgi; then
+		ewarn "As of lighttpd-1.4.22, spawn-fcgi is provided by the separate"
+		ewarn "www-servers/spawn-fcgi package. Please install it manually, if"
+		ewarn "you use spawn-fcgi."
+		ewarn "It features a new, more featurefull init script - please migrate"
+		ewarn "your configuration!"
+	fi
+}