httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 30585] New: - Apache mod_ssl CRL format string bug
Date Wed, 11 Aug 2004 11:42:37 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30585>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30585

Apache mod_ssl CRL format string bug

           Summary: Apache mod_ssl CRL format string bug
           Product: Apache httpd-2.0
           Version: 2.0.50
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sitic@pts.se


(Initially reported as SITIC Vulnerability Advisory SA04-001, redefined as bug 
after discussion with ASF httpd security team)

Apache's mod_ssl module suffers from a format string bug when logging
information about CRLs. If an administrator installs a malicious CRL file,
this bug can lead to the execution of arbitrary code.

The function ssl_callback_SSLVerify_CRL() in modules/ssl/ssl_engine_kernel.c
calls ap_log_error() with data from the CRL as the format string instead of
using the data as parameters, leading to a security breach.

This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT 
Incident Centre.

The included patch "issue1.patch" is our attempt at correcting this issue:

--- modules/ssl/ssl_engine_kernel.c	2004-06-07 12:18:37.000000000 +0200
+++ modules/ssl/ssl_engine_kernel.c.ulf	2004-08-02 12:49:18.000000000 +0200
@@ -1372,7 +1372,7 @@
 
             BIO_free(bio);
 
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, buff);
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff);
         }
 
         /*

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message