You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by sf...@apache.org on 2009/10/18 21:35:42 UTC
svn commit: r826506 - /httpd/httpd/trunk/support/htdigest.c
Author: sf
Date: Sun Oct 18 19:35:42 2009
New Revision: 826506
URL: http://svn.apache.org/viewvc?rev=826506&view=rev
Log:
htdigest: Fix possible overflow in command line processing. htdigest is not
supposed to be suid save, therefore not treated as a security issue.
CVE-2005-1344
Submitted by: Adam Conrad
Reviewed by: Stefan Fritsch
Modified:
httpd/httpd/trunk/support/htdigest.c
Modified: httpd/httpd/trunk/support/htdigest.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htdigest.c?rev=826506&r1=826505&r2=826506&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htdigest.c (original)
+++ httpd/httpd/trunk/support/htdigest.c Sun Oct 18 19:35:42 2009
@@ -222,9 +222,11 @@
apr_strerror(rv, errmsg, sizeof errmsg));
exit(1);
}
+ apr_cpystrn(user, argv[4], sizeof(user));
+ apr_cpystrn(realm, argv[3], sizeof(realm));
apr_file_printf(errfile, "Adding password for %s in realm %s.\n",
- argv[4], argv[3]);
- add_password(argv[4], argv[3], f);
+ user, realm);
+ add_password(user, realm, f);
apr_file_close(f);
exit(0);
}
Re: svn commit: r826506 - /httpd/httpd/trunk/support/htdigest.c
Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Sunday 18 October 2009, Ruediger Pluem wrote:
> Don't we still have an overflow? If argv[3] and argv[4] are of size
> MAX_STRING_LEN (which is sizeof(user) and sizeof(realm) we still
> have a
>
> sprintf(string, "%s:%s:%s", user, realm, pw);
>
> in line 147 with string, user, realm and pw all of size
> MAX_STRING_LEN. I guess string should be char[3 * MAX_STRING_LEN]
> instead of char[MAX_STRING_LEN].
>
Good catch. Fixed in r826520.
Re: svn commit: r826506 - /httpd/httpd/trunk/support/htdigest.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 10/18/2009 09:35 PM, sf@apache.org wrote:
> Author: sf
> Date: Sun Oct 18 19:35:42 2009
> New Revision: 826506
>
> URL: http://svn.apache.org/viewvc?rev=826506&view=rev
> Log:
> htdigest: Fix possible overflow in command line processing. htdigest is not
> supposed to be suid save, therefore not treated as a security issue.
>
> CVE-2005-1344
> Submitted by: Adam Conrad
> Reviewed by: Stefan Fritsch
>
> Modified:
> httpd/httpd/trunk/support/htdigest.c
>
> Modified: httpd/httpd/trunk/support/htdigest.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htdigest.c?rev=826506&r1=826505&r2=826506&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/support/htdigest.c (original)
> +++ httpd/httpd/trunk/support/htdigest.c Sun Oct 18 19:35:42 2009
> @@ -222,9 +222,11 @@
> apr_strerror(rv, errmsg, sizeof errmsg));
> exit(1);
> }
> + apr_cpystrn(user, argv[4], sizeof(user));
> + apr_cpystrn(realm, argv[3], sizeof(realm));
Don't we still have an overflow? If argv[3] and argv[4] are of size MAX_STRING_LEN (which
is sizeof(user) and sizeof(realm) we still have a
sprintf(string, "%s:%s:%s", user, realm, pw);
in line 147 with string, user, realm and pw all of size MAX_STRING_LEN.
I guess string should be char[3 * MAX_STRING_LEN] instead of char[MAX_STRING_LEN].
Regards
RĂ¼diger