You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2012/09/30 17:42:26 UTC

svn commit: r1392042 - in /httpd/httpd/branches/2.0.x: ./ CHANGES STATUS server/util.c

Author: jim
Date: Sun Sep 30 15:42:25 2012
New Revision: 1392042

URL: http://svn.apache.org/viewvc?rev=1392042&view=rev
Log:
Merge r1198940 from trunk:

Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Submitted by: sf
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.0.x/   (props changed)
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/server/util.c

Propchange: httpd/httpd/branches/2.0.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1198940,1227280

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1392042&r1=1392041&r2=1392042&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Sun Sep 30 15:42:25 2012
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.65
 
+  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
   *) SECURITY: CVE-2011-3368 (cve.mitre.org)
      Reject requests where the request-URI does not match the HTTP
      specification, preventing unexpected expansion of target URLs in

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1392042&r1=1392041&r2=1392042&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Sun Sep 30 15:42:25 2012
@@ -128,13 +128,6 @@ RELEASE SHOWSTOPPERS:
             I checked proxy_http and could not find a code path to fix.
             More eyes welcome.
 
-  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
-     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
-     is enabled, could allow local users to gain privileges via a .htaccess
-     file. [Stefan Fritsch, Greg Ames]
-     From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280
-       +1: gregames, wrowe, trawick
-
   *) SECURITY: CVE-2011-4317 (cve.mitre.org)
      Resolve additional cases of URL rewriting with ProxyPassMatch or
      RewriteRule, where particular request-URIs could result in undesired

Modified: httpd/httpd/branches/2.0.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/util.c?rev=1392042&r1=1392041&r2=1392042&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/util.c (original)
+++ httpd/httpd/branches/2.0.x/server/util.c Sun Sep 30 15:42:25 2012
@@ -410,6 +410,8 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t
             len++;
         }
         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+                return APR_ENOMEM;
             len += pmatch[no].rm_eo - pmatch[no].rm_so;
         }