Delivered-To: apmail-httpd-bugs-archive@www.apache.org
Received: (qmail 20602 invoked from network); 29 Oct 2004 21:20:12 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 29 Oct 2004 21:20:12 -0000
Received: (qmail 55354 invoked by uid 500); 29 Oct 2004 21:20:12 -0000
Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org
Received: (qmail 55242 invoked by uid 500); 29 Oct 2004 21:20:11 -0000
Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Apache HTTPD Bugs Notification List"
Delivered-To: mailing list bugs@httpd.apache.org
Received: (qmail 55227 invoked by uid 99); 29 Oct 2004 21:20:10 -0000
X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from [192.18.33.10] (HELO exchange.sun.com) (192.18.33.10) by apache.org (qpsmtpd/0.28) with SMTP; Fri, 29 Oct 2004 14:20:08 -0700
Received: (qmail 27588 invoked by uid 50); 29 Oct 2004 21:22:14 -0000
Date: 29 Oct 2004 21:22:14 -0000
Message-ID: <20041029212214.27587.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 31975] New: - httpd-1.3.33: buffer overflow in htpasswd if called with long arguments
X-Virus-Checked: Checked
X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31975

httpd-1.3.33: buffer overflow in htpasswd if called with long arguments

Summary: httpd-1.3.33: buffer overflow in htpasswd if called with long arguments
Product: Apache httpd-1.3
Version: HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: Other
AssignedTo: bugs@httpd.apache.org
ReportedBy: michi@bello.engert.org

Luiz Fernando wrote an article in the Full-Disclosure Mailing List (see: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html), publishing a PoC of how to crash htpasswd. This could become a problem if htpasswd is run suid root with user-supplied arguments at the command line.

Larry Cashdollar replied to this message via BUGTRAQ, giving a patch which replaces all calls to strcpy() with calls to strncpy().

Looking at the code, I found that this wasn't necessary, because the strcpy() calls in the original are protected by if-statements. Well, almost all strcpy() calls are protected. At one place the protecting if-statement slipped into another one, becoming useless in some situations. So I created this little patch against src/support/htpasswd.c shipped with apache-1.3.33.tar.gz:

--- cut --- cut --- cut ---
--- src/support/htpasswd.c.orig Fri Feb 20 23:02:24 2004
+++ src/support/htpasswd.c Fri Oct 29 21:13:36 2004
@@ -411,11 +411,11 @@ return ERR_OVERFLOW; } strcpy(pwfilename, argv[i]); - if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { - fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], - (unsigned long)(sizeof(user) - 1)); - return ERR_OVERFLOW; - } + } + if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { + fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], + (unsigned long)(sizeof(user) - 1)); + return ERR_OVERFLOW; } strcpy(user, argv[i + 1]); if ((arg = strchr(user, ':')) != NULL) {
--- cut --- cut --- cut ---

Larry told us that there is a nessus plugin which recognizes this buffer overflow and recommends an update to apache httpd 1.3.32. But I couldn't find a corresponding entry in the bug database. :-(

Comparing the versions 1.3.31, 1.3.32 and 1.3.33, I found no differences between the files. ...
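Review bot: the hoisted check still dereferences argv[i + 1] unconditionally, and nothing in this hunk shows where the argument count is validated for the path that skips the enclosing block (the `-n` case, where the block before the new `}` does not run); confirm the argc check earlier in main() guarantees argv[i + 1] exists on both paths, otherwise the fix trades a stack overflow for a NULL dereference on `strlen(argv[i + 1])`. The move itself is right, since the unchanged context line `strcpy(user, argv[i + 1]);` is reached whether or not the block ran, and the brace accounting balances (the removed lines contain one `{` and one `}`, the added lines one `}` and one `{`, so the context `}` now closes the new `if`); a one-line comment above the relocated `if` saying it must stay outside the block for exactly that reason would stop a later tidy-up from nesting it back in.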
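The control-flow mistake the report describes, as an added example that is not part of the report or of httpd's own source: a length check nested inside a conditional block while the strcpy() it is meant to guard runs on both paths, beside the hoisted check the patch proposes. strcpy() is replaced by an instrumented stand-in that reports an overrun instead of triggering it, so both variants can be exercised safely. The buffer size, error codes, the APHTP_NOFILE flag value, the `first` index parameter and the index adjustment for `-n` are assumptions made for this example, not values taken from htpasswd.c.

```c
#include <stdio.h>
#include <string.h>

/* Assumed constants for this example; not htpasswd's own values. */
#define MAX_STRING_LEN 256
#define ERR_SYNTAX   2
#define ERR_OVERFLOW 5
#define APHTP_NOFILE 1   /* -n: print the entry instead of writing a file */

struct args {
    char pwfilename[MAX_STRING_LEN];
    char user[MAX_STRING_LEN];
    int would_overflow;   /* set when a copy would have run past its buffer */
};

/* Instrumented stand-in for strcpy(): copies when the string fits, otherwise
 * records the overrun instead of corrupting the stack. */
static void copy_like_strcpy(char *dst, size_t dstsz, const char *src, int *flag)
{
    if (strlen(src) >= dstsz) {
        *flag = 1;
        return;
    }
    strcpy(dst, src);
}

/* Unpatched structure: the username check sits inside the block that only runs
 * when a password file is given, but the copy into `user` runs on both paths.
 * `first` is the index of the first positional argument; the i-- for -n is a
 * modelling assumption, not code copied from htpasswd.c. */
static int parse_original(int argc, char **argv, int mask, int first, struct args *a)
{
    int i = first;
    memset(a, 0, sizeof(*a));
    if (mask & APHTP_NOFILE) {
        i--;                        /* no file argument: username is argv[i + 1] */
    } else {
        if (i + 1 >= argc)
            return ERR_SYNTAX;
        if (strlen(argv[i]) > sizeof(a->pwfilename) - 1)
            return ERR_OVERFLOW;
        copy_like_strcpy(a->pwfilename, sizeof(a->pwfilename), argv[i], &a->would_overflow);
        if (strlen(argv[i + 1]) > sizeof(a->user) - 1)
            return ERR_OVERFLOW;    /* never reached with -n: the bug */
    }
    if (i + 1 >= argc)
        return ERR_SYNTAX;
    copy_like_strcpy(a->user, sizeof(a->user), argv[i + 1], &a->would_overflow);
    return 0;
}

/* Same flow with the check hoisted out of the block, as the posted patch does,
 * so it guards every path that reaches the copy. */
static int parse_patched(int argc, char **argv, int mask, int first, struct args *a)
{
    int i = first;
    memset(a, 0, sizeof(*a));
    if (mask & APHTP_NOFILE) {
        i--;
    } else {
        if (i + 1 >= argc)
            return ERR_SYNTAX;
        if (strlen(argv[i]) > sizeof(a->pwfilename) - 1)
            return ERR_OVERFLOW;
        copy_like_strcpy(a->pwfilename, sizeof(a->pwfilename), argv[i], &a->would_overflow);
    }
    if (i + 1 >= argc)
        return ERR_SYNTAX;
    if (strlen(argv[i + 1]) > sizeof(a->user) - 1)
        return ERR_OVERFLOW;
    copy_like_strcpy(a->user, sizeof(a->user), argv[i + 1], &a->would_overflow);
    return 0;
}

/* Constructed input: a 399-byte username, well past MAX_STRING_LEN. */
static char long_name[400];
static void init_long_name(void)
{
    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';
}

/* File mode: the nested check fires even in the original code. */
int original_file_mode_rejects(void)
{
    struct args a;
    init_long_name();
    char *argv[] = { "htpasswd", "/tmp/pwfile", long_name, NULL };
    return parse_original(3, argv, 0, 1, &a) == ERR_OVERFLOW;
}

/* -n mode: the block holding the check is skipped and the long name reaches the copy. */
int original_nofile_overflows(void)
{
    struct args a;
    init_long_name();
    char *argv[] = { "htpasswd", "-n", long_name, NULL };
    return parse_original(3, argv, APHTP_NOFILE, 2, &a) == 0 && a.would_overflow;
}

/* After the patch the same -n input is rejected before any copy. */
int patched_nofile_rejects(void)
{
    struct args a;
    init_long_name();
    char *argv[] = { "htpasswd", "-n", long_name, NULL };
    return parse_patched(3, argv, APHTP_NOFILE, 2, &a) == ERR_OVERFLOW && !a.would_overflow;
}

/* Well-formed input still lands in both buffers. */
int patched_accepts_valid(void)
{
    struct args a;
    char *argv[] = { "htpasswd", "/tmp/pwfile", "alice", NULL };
    return parse_patched(3, argv, 0, 1, &a) == 0
        && strcmp(a.pwfilename, "/tmp/pwfile") == 0
        && strcmp(a.user, "alice") == 0;
}

int main(void)
{
    printf("original, file mode, long user rejected: %d\n", original_file_mode_rejects());
    printf("original, -n, long user reaches copy:    %d\n", original_nofile_overflows());
    printf("patched,  -n, long user rejected:        %d\n", patched_nofile_rejects());
    printf("patched,  valid input copied:            %d\n", patched_accepts_valid());
    return 0;
}
```

The point the example makes is the one the report makes: the strcpy() calls were already guarded, so replacing them all with strncpy() was not the missing piece; what mattered was that one guard lived in a block that not every path executes. Checking for that kind of mismatch (a bound check and the copy it protects under different conditions) is quicker than auditing every copy call, and the `-n` path here is exactly the case the nested check never saw.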