CVS: cvs.openbsd.org: src
- To: source-changes_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: CVS: cvs.openbsd.org: src
- From: Brad Smith <brad_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org>
- Date: Wed, 8 Sep 2004 18:17:01 -0600 (MDT)
CVSROOT: /cvs
Module name: src
Changes by: brad_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org 2004/09/08 18:17:01
Modified files:
	usr.sbin/httpd/src/modules/standard: Tag: OPENBSD_3_5
		mod_rewrite.c
Log message:
MFC:
Fix by henning@

security fix:
Apache's mod_rewrite module can be made to write one zero byte in an
arbitrary memory position outside of a char array, causing DoS or
possibly buffer overflows.

The function lookup_map_dbmfile() in modules/mappers/mod_rewrite.c
copies data from a DBM file to the char array buf in a _secure_ manner,
but it zero-terminates the array afterwards in an _insecure_ manner. If
the key that is looked up has an n bytes long value, a zero byte will be
written in the memory position n bytes from the start of the char array
buf.

exploiting would require enabling dbm for mod_rewrite and getting it to use
a malicious dbm file.

reported by Ulf_(_dot_)_Harnhammar_(_dot_)_9485_(_at_)_student_(_dot_)_uu_(_dot_)_se
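
The pattern the log message describes (a bounded copy followed by a terminator index taken from the value length), shown beside one hardened form. This is an added example, not the committed diff and not Apache or OpenBSD source. The names store_flawed, store_fixed, guard_bytes_changed, BUF_LEN and GUARD_LEN are hypothetical, and the guard region is constructed so the stray write stays inside a single array and can be observed safely.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16   /* stands in for the fixed-size char array buf */
#define GUARD_LEN 48   /* constructed padding that catches the stray write */

/* Flawed pattern: the copy is bounded, the terminator index is not. */
static size_t store_flawed(char *arena, const char *val, size_t n)
{
    size_t copy = n < BUF_LEN - 1 ? n : BUF_LEN - 1;
    memcpy(arena, val, copy);
    arena[n] = '\0';        /* index is the value length, not the copied length */
    return n;
}

/* Hardened pattern (assumed fix): terminate at the bytes actually copied. */
static size_t store_fixed(char *arena, const char *val, size_t n)
{
    size_t copy = n < BUF_LEN - 1 ? n : BUF_LEN - 1;
    memcpy(arena, val, copy);
    arena[copy] = '\0';
    return copy;
}

/* Runs one variant on an n-byte value; returns the number of guard bytes altered. */
static int guard_bytes_changed(size_t (*store)(char *, const char *, size_t), size_t n)
{
    char arena[BUF_LEN + GUARD_LEN];      /* first BUF_LEN bytes play the role of buf */
    char val[BUF_LEN + GUARD_LEN - 1];    /* constructed value data */
    int changed = 0;

    if (n > sizeof(val)) return -1;       /* keep the demo write inside arena */
    memset(arena, 0xAA, sizeof(arena));
    memset(val, 'A', sizeof(val));
    store(arena, val, n);
    for (size_t i = BUF_LEN; i < sizeof(arena); i++)
        if ((unsigned char)arena[i] != 0xAA) changed++;
    return changed;
}

int main(void)
{
    printf("flawed, 40-byte value: %d guard byte(s) changed\n", guard_bytes_changed(store_flawed, 40));
    printf("fixed,  40-byte value: %d guard byte(s) changed\n", guard_bytes_changed(store_fixed, 40));
    return 0;
}
```

Values shorter than BUF_LEN leave the guard untouched in both variants, which is why this class of bug passes ordinary testing and only shows up with an oversized value.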