Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/08/11 13:42:37 UTC
DO NOT REPLY [Bug 30585] New: Apache mod_ssl CRL format string bug
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30585>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=30585
Summary: Apache mod_ssl CRL format string bug
Product: Apache httpd-2.0
Version: 2.0.50
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: sitic@pts.se
(Initially reported as SITIC Vulnerability Advisory SA04-001, redefined as a bug
after discussion with the ASF httpd security team)
Apache's mod_ssl module suffers from a format string bug when logging
information about CRLs. If an administrator installs a malicious CRL file,
this bug can lead to the execution of arbitrary code.
The function ssl_callback_SSLVerify_CRL() in modules/ssl/ssl_engine_kernel.c
calls ap_log_error() with data from the CRL as the format string instead of
using the data as parameters, leading to a security breach.
This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT
Incident Centre.
The included patch "issue1.patch" is our attempt at correcting this issue:
--- modules/ssl/ssl_engine_kernel.c 2004-06-07 12:18:37.000000000 +0200
+++ modules/ssl/ssl_engine_kernel.c.ulf 2004-08-02 12:49:18.000000000 +0200
@@ -1372,7 +1372,7 @@
BIO_free(bio);
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, buff);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff);
}
/*
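Review bot: the one-line change at 1372 is the right shape (a literal "%s" format with buff passed as the argument), but it should be paired with a check that buff is NUL-terminated after the BIO read that precedes BIO_free(bio), since "%s" now reads until a terminator rather than stopping at the copied length, and the hunk does not show where buff is filled. The same defect class is caught at compile time if ap_log_error carries a printf-style format attribute and the tree is built with -Wformat -Wformat-security, so the remaining ap_log_error/ap_log_rerror call sites should be audited that way rather than fixing only this one.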
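The following is an added example, not code from the bug report or from httpd. It uses a hypothetical vsnprintf-based stand-in (log_msg) for ap_log_error() and a constructed CRL issuer string to show the difference between the pre-patch call, where CRL text is the format string, and the patched call, where the format is a literal "%s". The sample deliberately contains only "%%", which is defined behaviour without arguments, so the vulnerable path can be exercised safely; inputs with argument-consuming directives are refused, since calling the vulnerable path on them would be undefined behaviour. count_arg_directives is a small audit helper, also an assumption of this example, that counts directives which would consume va_list arguments.

```c
/* Added example: why untrusted text must never be the format argument of a
 * printf-family logger, and what the "%s" fix changes. log_msg is a
 * hypothetical stand-in for ap_log_error(); it is not httpd code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger: formats into a caller-supplied buffer the way any
 * printf-family function does. */
static void log_msg(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Pre-patch pattern: the CRL text itself becomes the format string. */
static void log_crl_vulnerable(char *out, size_t outlen, const char *crl_text)
{
    log_msg(out, outlen, crl_text);
}

/* Patched pattern: literal "%s" format, CRL text passed as an argument. */
static void log_crl_fixed(char *out, size_t outlen, const char *crl_text)
{
    log_msg(out, outlen, "%s", crl_text);
}

/* Count directives that would consume variadic arguments if the string were
 * used as a format. "%%" is a literal percent sign and consumes nothing. */
static int count_arg_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%": skip the escaped pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the vulnerable path changed the text (it was interpreted as a
 * format), 0 if it came through byte-for-byte, and -1 if the input has
 * argument-consuming directives, in which case the vulnerable call would be
 * undefined behaviour and is not made. */
static int vulnerable_path_alters(const char *crl_text)
{
    char buf[256];
    if (count_arg_directives(crl_text) != 0)
        return -1;
    log_crl_vulnerable(buf, sizeof buf, crl_text);
    return strcmp(buf, crl_text) != 0;
}

/* Same check for the patched path: always safe to call, never alters text. */
static int fixed_path_alters(const char *crl_text)
{
    char buf[256];
    log_crl_fixed(buf, sizeof buf, crl_text);
    return strcmp(buf, crl_text) != 0;
}

int main(void)
{
    /* Constructed sample CRL issuer text chosen to contain "%%" only. */
    static const char issuer[] = "CRL issuer: CN=Evil%%Corp";
    /* Constructed hostile sample: never passed to the vulnerable path. */
    static const char hostile[] = "CRL issuer: %x%x%x%n";
    char buf[256];

    log_crl_vulnerable(buf, sizeof buf, issuer);
    printf("vulnerable path logged: %s\n", buf);   /* "%%" collapsed to "%" */
    log_crl_fixed(buf, sizeof buf, issuer);
    printf("fixed path logged:      %s\n", buf);   /* text unchanged */
    printf("argument-consuming directives in hostile sample: %d\n",
           count_arg_directives(hostile));
    return 0;
}
```

The collapsed "%%" is the tell that the logger is parsing the CRL text as a format; with real directives the same parse walks the stack (and, with "%n", writes to it), which is the arbitrary-code-execution path the report describes. Declaring the logger with a printf-style format attribute and building with -Wformat -Wformat-security makes the compiler flag the log_crl_vulnerable call at build time.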
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org