From cccaadd8701013a52c74bbf186c30e9cc3f51931 Mon Sep 17 00:00:00 2001
From: Enno Boland <gottox@voidlinux.eu>
Date: Thu, 21 Sep 2017 08:59:07 +0200
Subject: [PATCH] apache: update to 2.4.27.

- fix #7726. (optionsbleed)
- fix libressl build
---
 ...pache-2.2-optionsbleed-CVE-2017-9798.patch |  21 ++
 srcpkgs/apache/patches/fix-libressl.patch     | 235 ++++++++++++++++++
 srcpkgs/apache/template                       |   6 +-
 3 files changed, 259 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch
 create mode 100644 srcpkgs/apache/patches/fix-libressl.patch

diff --git a/srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch b/srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch
new file mode 100644
index 00000000000..30e5c0520c3
--- /dev/null
+++ b/srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch
@@ -0,0 +1,21 @@
+CVE-2017-9798
+
+Backport from https://svn.apache.org/viewvc?view=revision&revision=1807655
+
+diff --git a/server/core.c b/server/core.c
+index f61699e..d24542e 100644
+--- ./server/core.c
++++ ./server/core.c
+@@ -1809,6 +1809,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
+             /* method has not been registered yet, but resorce restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+ 
diff --git a/srcpkgs/apache/patches/fix-libressl.patch b/srcpkgs/apache/patches/fix-libressl.patch
new file mode 100644
index 00000000000..cafdf52b2f9
--- /dev/null
+++ b/srcpkgs/apache/patches/fix-libressl.patch
@@ -0,0 +1,235 @@
+--- ./modules/ssl/mod_ssl.c.orig
++++ ./modules/ssl/mod_ssl.c
+@@ -337,12 +337,12 @@
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+     ENGINE_cleanup();
+ #endif
+-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
++#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP)
+     SSL_COMP_free_compression_methods();
+ #endif
+ 
+     /* Usually needed per thread, but this parent process is single-threaded */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+     ERR_remove_thread_state(NULL);
+ #else
+@@ -383,14 +383,14 @@
+     /* Some OpenSSL internals are allocated per-thread, make sure they
+      * are associated to the/our same thread-id until cleaned up.
+      */
+-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
++#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     ssl_util_thread_id_setup(pconf);
+ #endif
+ 
+     /* We must register the library in full, to ensure our configuration
+      * code can successfully test the SSL environment.
+      */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     CRYPTO_malloc_init();
+ #else
+     OPENSSL_malloc_init();
+--- ./modules/ssl/ssl_engine_init.c.orig
++++ ./modules/ssl/ssl_engine_init.c
+@@ -47,7 +47,7 @@
+ #define KEYTYPES "RSA or DSA"
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* OpenSSL Pre-1.1.0 compatibility */
+ /* Taken from OpenSSL 1.1.0 snapshot 20160410 */
+ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+@@ -257,7 +257,7 @@
+ #endif
+     }
+ 
+-#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L
++#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) )
+     ssl_util_thread_setup(p);
+ #endif
+ 
+@@ -380,7 +380,7 @@
+     modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */
+ 
+     init_dh_params();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     init_bio_methods();
+ #endif
+ 
+@@ -1301,7 +1301,7 @@
+      * or configure NIST P-256 (required to enable ECDHE for earlier versions)
+      * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList
+      */
+-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+     else {
+ #if defined(SSL_CTX_set_ecdh_auto)
+         SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1);
+@@ -2011,7 +2011,7 @@
+ 
+     }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+     free_bio_methods();
+ #endif
+     free_dh_params();
+--- ./modules/ssl/ssl_engine_io.c.orig
++++ ./modules/ssl/ssl_engine_io.c
+@@ -164,7 +164,7 @@
+ {
+     BIO_set_shutdown(bio, 1);
+     BIO_set_init(bio, 1);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     /* No setter method for OpenSSL 1.1.0 available,
+      * but I can't find any functional use of the
+      * "num" field there either.
+@@ -549,7 +549,7 @@
+     return -1;
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+         
+ static BIO_METHOD bio_filter_out_method = {
+     BIO_TYPE_MEM,
+@@ -2024,7 +2024,7 @@
+ 
+     filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     filter_ctx->pbioRead = BIO_new(&bio_filter_in_method);
+ #else
+     filter_ctx->pbioRead = BIO_new(bio_filter_in_method);
+@@ -2059,7 +2059,7 @@
+     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
+                                                        filter_ctx, r, c);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
+ #else
+     filter_ctx->pbioWrite       = BIO_new(bio_filter_out_method);
+--- ./modules/ssl/ssl_engine_kernel.c.orig
++++ ./modules/ssl/ssl_engine_kernel.c
+@@ -1733,7 +1733,7 @@
+  * so we need to increment here to prevent them from
+  * being freed.
+  */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define modssl_set_cert_info(info, cert, pkey) \
+     *cert = info->x509; \
+     CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \
+--- ./modules/ssl/ssl_engine_vars.c.orig
++++ ./modules/ssl/ssl_engine_vars.c
+@@ -529,7 +529,7 @@
+         resdup = FALSE;
+     }
+     else if (strcEQ(var, "A_SIG")) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
+ #else
+         const ASN1_OBJECT *paobj;
+--- ./modules/ssl/ssl_private.h.orig
++++ ./modules/ssl/ssl_private.h
+@@ -123,6 +123,16 @@
+ #define MODSSL_SSL_METHOD_CONST
+ #endif
+ 
++#if defined(LIBRESSL_VERSION_NUMBER)
++/* Missing from LibreSSL */
++#define SSL_CTRL_SET_MIN_PROTO_VERSION          123
++#define SSL_CTRL_SET_MAX_PROTO_VERSION          124
++#define SSL_CTX_set_min_proto_version(ctx, version) \
++        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
++#define SSL_CTX_set_max_proto_version(ctx, version) \
++        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
++#endif
++
+ #if defined(OPENSSL_FIPS)
+ #define HAVE_FIPS
+ #endif
+@@ -136,7 +146,7 @@
+ #endif
+ 
+ /* session id constness */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define IDCONST
+ #else
+ #define IDCONST const
+@@ -199,7 +209,7 @@
+ 
+ #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define BN_get_rfc2409_prime_768   get_rfc2409_prime_768
+ #define BN_get_rfc2409_prime_1024  get_rfc2409_prime_1024
+ #define BN_get_rfc3526_prime_1536  get_rfc3526_prime_1536
+@@ -219,7 +229,7 @@
+ void free_bio_methods(void);
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_STORE_CTX_get0_store(x) (x->ctx)
+ #endif
+ 
+@@ -934,7 +944,7 @@
+                                  const char * const *);
+ BOOL         ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
+ #if APR_HAS_THREADS
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ void         ssl_util_thread_setup(apr_pool_t *);
+ #endif
+ void         ssl_util_thread_id_setup(apr_pool_t *);
+--- ./modules/ssl/ssl_util.c.orig
++++ ./modules/ssl/ssl_util.c
+@@ -247,7 +247,7 @@
+ }
+ 
+ #if APR_HAS_THREADS
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /*
+  * To ensure thread-safetyness in OpenSSL - work in progress
+  */
+--- ./modules/ssl/ssl_util_ssl.h.orig
++++ ./modules/ssl/ssl_util_ssl.h
+@@ -41,7 +41,7 @@
+ #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER
+ #define MODSSL_LIBRARY_NAME    "OpenSSL"
+ #define MODSSL_LIBRARY_TEXT    OPENSSL_VERSION_TEXT
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION)
+ #else
+ #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION)
+--- ./support/ab.c.orig
++++ ./support/ab.c
+@@ -197,6 +197,14 @@
+ #if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
+ #define HAVE_TLSEXT
+ #endif
++#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2060000f
++# define SSL_CTRL_SET_MIN_PROTO_VERSION	123
++# define SSL_CTRL_SET_MAX_PROTO_VERSION 124
++#define SSL_CTX_set_min_proto_version(ctx, version) \
++   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
++#define SSL_CTX_set_max_proto_version(ctx, version) \
++   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
++#endif
+ #endif
+ 
+ #include <math.h>
diff --git a/srcpkgs/apache/template b/srcpkgs/apache/template
index bc3518a09f9..70198b20254 100644
--- a/srcpkgs/apache/template
+++ b/srcpkgs/apache/template
@@ -1,7 +1,7 @@
 # Template file for 'apache'
 pkgname=apache
-version=2.4.25
-revision=4
+version=2.4.27
+revision=1
 wrksrc=httpd-${version}
 build_style=gnu-configure
 configure_args="--prefix= --sbindir=/usr/bin --enable-pie --enable-modules=all
@@ -36,7 +36,7 @@ maintainer="Juan RP <xtraeme@voidlinux.eu>"
 homepage="http://httpd.apache.org/"
 license="Apache-2.0"
 distfiles="http://www.apache.org/dist/httpd/httpd-${version}.tar.bz2"
-checksum=f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
+checksum=71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a
 
 system_accounts="_$pkgname"
 _apache_homedir="/srv/www/$pkgname"