You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/07/27 19:07:22 UTC
svn commit: r426144 - in /httpd/httpd/branches/2.0.x: CHANGES
modules/mappers/mod_rewrite.c
Author: mjc
Date: Thu Jul 27 10:07:21 2006
New Revision: 426144
URL: http://svn.apache.org/viewvc?rev=426144&view=rev
Log:
SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee.
Reviewed by: trawick, lars, jorton, wrowe, benl
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/modules/mappers/mod_rewrite.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=426144&r1=426143&r2=426144&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Thu Jul 27 10:07:21 2006
@@ -1,6 +1,12 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.59
+ *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+ mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+ handling. For some RewriteRules this could lead to a pointer being
+ written out of bounds. Reported by Mark Dowd of McAfee.
+ [Mark Cox]
+
Changes with Apache 2.0.58
*) Legal: Restored original years in copyright notices.
Modified: httpd/httpd/branches/2.0.x/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/modules/mappers/mod_rewrite.c?rev=426144&r1=426143&r2=426144&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/branches/2.0.x/modules/mappers/mod_rewrite.c Thu Jul 27 10:07:21 2006
@@ -2906,7 +2906,7 @@
int c = 0;
token[0] = cp = apr_pstrdup(p, cp);
- while (*cp && c < 5) {
+ while (*cp && c < 4) {
if (*cp == '?') {
token[++c] = cp + 1;
*cp = '\0';