Posted to cvs@httpd.apache.org by jo...@apache.org on 2005/09/21 10:51:16 UTC
svn commit: r290658 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS srclib/pcre/pcre.c
Author: jorton
Date: Wed Sep 21 01:51:11 2005
New Revision: 290658
URL: http://svn.apache.org/viewcvs?rev=290658&view=rev
Log:
Merge r233493 from trunk:
* srclib/pcre/pcre.c (read_repeat_counts): Check for integer overflow.
Obtained from: pcre 6.2 upstream
Reviewed by: jorton, nd, wrowe
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/srclib/pcre/pcre.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=290658&r1=290657&r2=290658&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Sep 21 01:51:11 2005
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.55
+ *) SECURITY: CAN-2005-2491 (cve.mitre.org):
+ Fix integer overflows in PCRE in quantifier parsing which could
+ be triggered by a local user through use of a carefully-crafted
+ regex in an .htaccess file. [Philip Hazel]
+
*) SECURITY: CAN-2005-2088 (cve.mitre.org)
proxy: Correctly handle the Transfer-Encoding and Content-Length
headers. Discard the request Content-Length whenever T-E: chunked
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=290658&r1=290657&r2=290658&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Sep 21 01:51:11 2005
@@ -171,12 +171,6 @@
+1: pquerna, nd, wrowe
Votes from before the integration branch: +1: jerenkrantz
- *) Fix CAN-2005-2491, integer overflow in pcre.
- http://svn.apache.org/viewcvs?rev=233493&view=rev
- rediff for 2.0: http://people.apache.org/~jorton/CAN-2005-2491.patch
- test case: perl-framework/t/security/CAN-2005-2491.t
- +1: jorton, nd, wrowe
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ please place SVN revisions from trunk here, so it is easy to
identify exactly what the proposed changes are! Add all new
Modified: httpd/httpd/branches/2.0.x/srclib/pcre/pcre.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/srclib/pcre/pcre.c?rev=290658&r1=290657&r2=290658&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/srclib/pcre/pcre.c (original)
+++ httpd/httpd/branches/2.0.x/srclib/pcre/pcre.c Wed Sep 21 01:51:11 2005
@@ -714,7 +714,18 @@
int min = 0;
int max = -1;
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
if (*p == '}') max = min; else
{
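Review bot: The new range check on min runs only after the digit loop has finished, so `min = min * 10 + *p++ - '0'` can still overflow a signed int before `if (min < 0 || min > 65535)` is evaluated. Signed overflow is undefined behaviour in C, and a long enough digit string can wrap back into 0..65535 and pass the test, so the "negative value indicates an integer overflow" assumption in the comment is not guaranteed. Consider testing the bound inside the while loop and returning ERR5 as soon as min exceeds 65535. The second new comment reads "do a paranoid on its size"; the word "check" is missing.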
@@ -722,6 +733,11 @@
{
max = 0;
while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
if (max < min)
{
*errorptr = ERR4;
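Review bot: The ERR5 block added after the max loop is a copy of the one after the min loop and has the same weakness: `max = max * 10 + *p++ - '0'` accumulates every digit before `if (max < 0 || max > 65535)` is reached, so the value can wrap before it is tested. Bounding max inside the loop would close that, and a small helper that reads one bounded count would let min and max share a single check instead of two duplicated blocks.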
@@ -730,16 +746,11 @@
}
}
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
+*minp = min;
+*maxp = max;
return p;
}
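Review bot: With the final `if (min > 65535 || max > 65535)` guard removed, `*minp = min;` and `*maxp = max;` now execute on every path that reaches the end of the function, so correctness depends on each error branch returning early. The ERR5 branches added in the earlier hunks do `return p`, but the body of the `max < min` (ERR4) branch is cut off by the hunk boundary; confirm it also returns before these assignments so the outputs are never written with max < min. The literal 65535 now appears in two separate checks and would be easier to keep consistent as a named constant.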