Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Reply-To: "Apache HTTPD Bugs Notification List"
Delivered-To: mailing list bugs@httpd.apache.org
Date: 11 Aug 2004 11:49:05 -0000
Message-ID: <20040811114905.25564.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Cc:
Subject: DO NOT REPLY [Bug 30586] New: - Apache htdbm utility buffer overflows/format strings

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT .
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30586

Apache htdbm utility buffer overflows/format strings

           Summary: Apache htdbm utility buffer overflows/format strings
           Product: Apache httpd-2.0
           Version: 2.0.50
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: support
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sitic@pts.se

(Initially reported as SITIC Vulnerability Advisory SA04-004, redefined as bug after discussion with ASF httpd security team)

Apache's htdbm utility suffers from various buffer overflows and potential format string bugs when listing or verifying database contents. This could be an issue when several system administrators handle the same Apache installation. Administrator A could store malicious data in a database and Administrator B could list or verify that database, causing actions to be carried out in Administrator B's name.

This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT Incident Centre.

The included patch is our attempt at correcting this issue:

--- support/htdbm.c 2004-03-30 01:07:46.000000000 +0200 +++ support/htdbm.c.ulf 2004-08-02 13:14:52.000000000 +0200 @@ -225,6 +225,8 @@ if (apr_dbm_fetch(htdbm->dbm, key, &val) != APR_SUCCESS) return APR_ENOENT; rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize); + if (strlen(rec) > MAX_STRING_LEN) + return APR_EINVAL; /* buffer overflow */ cmnt = strchr(rec, ';'); if (cmnt) strncpy(pwd, rec, cmnt - rec);
@@ -240,6 +242,7 @@ char *rec, *cmnt; char kb[MAX_STRING_LEN]; int i = 0; + unsigned int copylen; rv = apr_dbm_firstkey(htdbm->dbm, &key); if (rv != APR_SUCCESS) { @@ -256,14 +259,20 @@ fprintf(stderr, "Failed getting data from %s\n", htdbm->filename); return APR_EGENERAL; } - strncpy(kb, key.dptr, key.dsize); - kb[key.dsize] = '\0'; + copylen = (key.dsize > sizeof(kb)) ? + sizeof(kb) : + key.dsize; + strncpy(kb, key.dptr, copylen); + kb[copylen] = '\0'; fprintf(stderr, " %-32s", kb); - strncpy(rec, val.dptr, val.dsize); - rec[val.dsize] = '\0'; + copylen = (val.dsize > HUGE_STRING_LEN) ? + HUGE_STRING_LEN : + val.dsize; + strncpy(rec, val.dptr, copylen); + rec[copylen] = '\0'; cmnt = strchr(rec, ':'); if (cmnt) - fprintf(stderr, cmnt + 1); + fprintf(stderr, "%s", cmnt + 1); fprintf(stderr, "\n"); rv = apr_dbm_nextkey(htdbm->dbm, &key); if (rv != APR_SUCCESS)

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
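Review bot: in the first hunk (@@ -225,6 +225,8 @@) the guard `if (strlen(rec) > MAX_STRING_LEN)` still admits a record of exactly MAX_STRING_LEN characters; whether that fits depends on the size of pwd, which the hunk does not show, so if pwd is a MAX_STRING_LEN-byte array the test should be `>=` (clearer still: compare against `sizeof(pwd) - 1` when pwd is an array in scope), since this length check is what keeps the later `strncpy(pwd, rec, cmnt - rec)` in range. The `/* buffer overflow */` comment on the return names the bug being avoided rather than the condition; `/* record too long */` says why APR_EINVAL is returned.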
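Review bot: in the second hunk (@@ -240,6 +242,7 @@) `unsigned int copylen;` is later assigned from and compared against key.dsize, val.dsize and sizeof(kb), which are apr_size_t/size_t; declaring it `apr_size_t copylen;` keeps it the same type as the lengths it holds and avoids mixed-width comparison warnings.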
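Review bot: in the third hunk (@@ -256,14 +259,20 @@) the clamp leaves an off-by-one: `copylen = (key.dsize > sizeof(kb)) ? sizeof(kb) : key.dsize;` lets copylen equal sizeof(kb), and `kb[copylen] = '\0';` then writes kb[MAX_STRING_LEN], one byte past the array. Clamp to `sizeof(kb) - 1` so the terminator stays inside the buffer. The rec copy has the same shape, so if rec is allocated HUGE_STRING_LEN bytes (its allocation is not in the hunk) the bound there should be `HUGE_STRING_LEN - 1`. The change to `fprintf(stderr, "%s", cmnt + 1);` is the right fix for the format string issue and can go in as is.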
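Added example, not the patch above or htdbm's own code: the bounded copy and listing logic the report calls for, written so the terminator always lands inside the fixed buffer and record data only ever reaches fprintf as a "%s" argument. MAX_STRING_LEN, the dbm_rec struct, the "hash:comment" record layout and the sample entries are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 8192   /* assumed; plays the role of htdbm's fixed buffers */

struct dbm_rec { const char *key; size_t klen; const char *val; size_t vlen; };

/* Copy a length-counted (unterminated) DBM field into dst and always add a NUL.
 * Clamp to dstsize - 1, not dstsize, so the terminator stays inside the buffer.
 * Returns 1 if src had to be truncated, else 0. */
int copy_counted(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dstsize == 0)
        return 1;
    size_t n = srclen < dstsize ? srclen : dstsize - 1;   /* leave room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n < srclen;
}

/* List key/comment pairs as htdbm -l does. Record data is only ever an argument
 * to "%s", never the format string. Returns the number of truncated fields so a
 * caller can flag a database holding oversized data. */
int list_records(const struct dbm_rec *recs, size_t count, FILE *out)
{
    char kb[MAX_STRING_LEN], rec[MAX_STRING_LEN];
    int truncated = 0;
    for (size_t i = 0; i < count; i++) {
        truncated += copy_counted(kb, sizeof kb, recs[i].key, recs[i].klen);
        truncated += copy_counted(rec, sizeof rec, recs[i].val, recs[i].vlen);
        const char *cmnt = strchr(rec, ':');
        fprintf(out, " %-32s%s\n", kb, cmnt ? cmnt + 1 : "");
    }
    return truncated;
}

/* Constructed sample database: one normal entry plus one whose key is longer
 * than kb, as anyone with write access to the file could store with a raw DBM tool. */
int demo_listing(FILE *out)
{
    static char longkey[MAX_STRING_LEN + 10];
    const char *val = "$apr1$salt$hash:100% done";
    struct dbm_rec recs[2] = { { "alice", 5, val, strlen(val) },
                               { longkey, sizeof longkey, "h:c", 3 } };
    memset(longkey, 'A', sizeof longkey);
    return list_records(recs, 2, out);   /* 1: only the long key is truncated */
}
```

Calling `demo_listing(stdout)` prints both entries, with the oversized key cut at 8191 bytes and the '%' in the comment shown literally.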