You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2012/10/03 18:18:10 UTC
svn commit: r1393580 - in /httpd/httpd/branches/2.0.x: ./ CHANGES STATUS
server/util.c
Author: rjung
Date: Wed Oct 3 16:18:10 2012
New Revision: 1393580
URL: http://svn.apache.org/viewvc?rev=1393580&view=rev
Log:
Merge r1198940 from trunk resp. r1227280 from 2.2.x:
Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess
CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Submitted by: sf
Reviewed/backported by: rjung
Modified:
httpd/httpd/branches/2.0.x/ (props changed)
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/server/util.c
Propchange: httpd/httpd/branches/2.0.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/branches/2.2.x:r1227280
Merged /httpd/httpd/trunk:r1198940
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1393580&r1=1393579&r2=1393580&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Oct 3 16:18:10 2012
@@ -23,6 +23,11 @@ Changes with Apache 2.0.65
PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
Eric Covener, <lowprio20 gmail.com>]
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+ is enabled, could allow local users to gain privileges via a .htaccess
+ file. [Stefan Fritsch, Greg Ames]
+
Changes with Apache 2.0.64
*) SECURITY: CVE-2010-1452 (cve.mitre.org)
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1393580&r1=1393579&r2=1393580&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Oct 3 16:18:10 2012
@@ -129,13 +129,6 @@ RELEASE SHOWSTOPPERS:
More eyes welcome.
jim: not a showstopper, imo
- *) SECURITY: CVE-2011-3607 (cve.mitre.org)
- Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
- is enabled, could allow local users to gain privileges via a .htaccess
- file. [Stefan Fritsch, Greg Ames]
- From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280
- +1: gregames, wrowe, trawick
-
*) SECURITY: CVE-2011-4317 (cve.mitre.org)
Resolve additional cases of URL rewriting with ProxyPassMatch or
RewriteRule, where particular request-URIs could result in undesired
Modified: httpd/httpd/branches/2.0.x/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/util.c?rev=1393580&r1=1393579&r2=1393580&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/server/util.c (original)
+++ httpd/httpd/branches/2.0.x/server/util.c Wed Oct 3 16:18:10 2012
@@ -82,6 +82,8 @@
#define IS_SLASH(s) (s == '/')
#endif
+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
+#define UTIL_SIZE_MAX (~((apr_size_t)0))
/*
* Examine a field value (such as a media-/content-type) string and return
@@ -385,7 +387,7 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t
char *dest, *dst;
char c;
size_t no;
- int len;
+ apr_size_t len;
if (!source)
return NULL;
@@ -410,6 +412,11 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}