Subject: svn commit: r1003494 - in /apr/apr-util/branches/1.3.x: CHANGES buckets/apr_brigade.c Date: Fri, 01 Oct 2010 11:43:26 -0000 To: commits@apr.apache.org 
From: trawick@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20101001114326.D791123888E8@eris.apache.org> Author: trawick Date: Fri Oct 1 11:43:26 2010 New Revision: 1003494 URL: http://svn.apache.org/viewvc?rev=1003494&view=rev Log: Merge r1003491 from trunk: SECURITY: CVE-2010-1623 (cve.mitre.org) Fix a denial of service attack against apr_brigade_split_line(). Submitted by: sf Reviewed by: trawick, jorton Modified: apr/apr-util/branches/1.3.x/CHANGES apr/apr-util/branches/1.3.x/buckets/apr_brigade.c Modified: apr/apr-util/branches/1.3.x/CHANGES URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/CHANGES?rev=1003494&r1=1003493&r2=1003494&view=diff ============================================================================== --- apr/apr-util/branches/1.3.x/CHANGES [utf-8] (original) +++ apr/apr-util/branches/1.3.x/CHANGES [utf-8] Fri Oct 1 11:43:26 2010 @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with APR-util 1.3.10 + *) SECURITY: CVE-2010-1623 (cve.mitre.org) + Fix a denial of service attack against apr_brigade_split_line(). + [Stefan Fritsch] + *) SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org) Fix two buffer over-read flaws in the bundled copy of expat which could cause applications to crash while parsing specially-crafted Modified: apr/apr-util/branches/1.3.x/buckets/apr_brigade.c URL: http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/buckets/apr_brigade.c?rev=1003494&r1=1003493&r2=1003494&view=diff ============================================================================== --- apr/apr-util/branches/1.3.x/buckets/apr_brigade.c (original) +++ apr/apr-util/branches/1.3.x/buckets/apr_brigade.c Fri Oct 1 11:43:26 2010 
@@ -331,7 +331,18 @@ APU_DECLARE(apr_status_t) apr_brigade_sp return APR_SUCCESS; } APR_BUCKET_REMOVE(e); - APR_BRIGADE_INSERT_TAIL(bbOut, e); + if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) { + APR_BRIGADE_INSERT_TAIL(bbOut, e); + } + else { + if (len > 0) { + rv = apr_brigade_write(bbOut, NULL, NULL, str, len); + if (rv != APR_SUCCESS) { + return rv; + } + } + apr_bucket_destroy(e); + } readbytes += len; /* We didn't find an APR_ASCII_LF within the maximum line length. */ if (readbytes >= maxbytes) {
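Review bot: In the apr_brigade.c hunk, the new `return rv;` inside the `else` branch exits after `APR_BUCKET_REMOVE(e)` has already unlinked `e`, so when `apr_brigade_write()` fails the bucket is no longer in the source brigade, was never appended to bbOut, and is not destroyed. Consider calling `apr_bucket_destroy(e)` before returning, or re-inserting `e`, so the error path does not orphan it. The threshold `APR_BUCKET_BUFF_SIZE/4` also carries no comment; a short note above the `if` saying why non-metadata buckets at or below that size are copied into bbOut rather than moved would make the intent of the fix clear to the next reader.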