[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVS: cvs.openbsd.org: src

Module name:	src
Changes by:	henning_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org	2004/09/08 10:12:30

Modified files:
	usr.sbin/httpd/src/modules/standard: mod_rewrite.c 

Log message:
security fix:
Apache's mod_rewrite module can be made to write one zero byte in an
arbitrary memory position outside of a char array, causing DoS or
possibly buffer overflows.
The function lookup_map_dbmfile() in modules/mappers/mod_rewrite.c
copies data from a DBM file to the char array buf in a _secure_ manner,
but it zero-terminates the array afterwards in an _insecure_ manner. If
the key that is looked up has an n bytes long value, a zero byte will be
written in the memory position n bytes from the start of the char array
exploiting would require enabling dbm for mod_rewrite and getting it to use
a malicious dbm file.
reported by Ulf_(_dot_)_Harnhammar_(_dot_)_9485_(_at_)_student_(_dot_)_uu_(_dot_)_se
fix by me
ok otto, deraadt

Visit your host, monkey.org