You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by mj...@apache.org on 2006/07/27 19:03:35 UTC

svn commit: r426138 - in /httpd/httpd/trunk: CHANGES modules/mappers/mod_rewrite.c

Author: mjc
Date: Thu Jul 27 10:03:34 2006
New Revision: 426138

URL: http://svn.apache.org/viewvc?rev=426138&view=rev
Log:
SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling.  For some RewriteRules this could lead to a pointer being
written out of bounds.  Reported by Mark Dowd of McAfee.

Ack: trawick, lars, jorton, wrowe, benl


Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/mappers/mod_rewrite.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=426138&r1=426137&r2=426138&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jul 27 10:03:34 2006
@@ -2,6 +2,12 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+     handling.  For some RewriteRules this could lead to a pointer being
+     written out of bounds.  Reported by Mark Dowd of McAfee.
+     [Mark Cox]
+
   *) mod_cache: While serving a cached entity ensure that filters that have
      been applied to this cached entity before saving it to the cache are not
      applied again. PR 40090. [Ruediger Pluem]

Modified: httpd/httpd/trunk/modules/mappers/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?rev=426138&r1=426137&r2=426138&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/mappers/mod_rewrite.c (original)
+++ httpd/httpd/trunk/modules/mappers/mod_rewrite.c Thu Jul 27 10:03:34 2006
@@ -670,7 +670,7 @@
             int c = 0;
 
             token[0] = cp = apr_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                 if (*cp == '?') {
                     token[++c] = cp + 1;
                     *cp = '\0';