[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVS: cvs.openbsd.org: src



CVSROOT:	/cvs
Module name:	src
Changes by:	brad_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org	2004/09/08 18:17:01

Modified files:
	usr.sbin/httpd/src/modules/standard: Tag: OPENBSD_3_5 
	                                     mod_rewrite.c 

Log message:
MFC:
Fix by henning@

security fix:
Apache's mod_rewrite module can be made to write one zero byte in an
arbitrary memory position outside of a char array, causing DoS or
possibly buffer overflows.
The function lookup_map_dbmfile() in modules/mappers/mod_rewrite.c
copies data from a DBM file to the char array buf in a _secure_ manner,
but it zero-terminates the array afterwards in an _insecure_ manner. If
the key that is looked up has an n bytes long value, a zero byte will be
written in the memory position n bytes from the start of the char array
buf.
exploiting would require enabling dbm for mod_rewrite and getting it to use
a malicious dbm file.
reported by Ulf_(_dot_)_Harnhammar_(_dot_)_9485_(_at_)_student_(_dot_)_uu_(_dot_)_se



Visit your host, monkey.org