httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject svn commit: r426146 - in /httpd/httpd/branches/1.3.x/src: CHANGES modules/standard/mod_rewrite.c
Date Thu, 27 Jul 2006 17:09:04 GMT
Author: mjc
Date: Thu Jul 27 10:09:03 2006
New Revision: 426146

URL: http://svn.apache.org/viewvc?rev=426146&view=rev
Log:
SECURITY: CVE-2006-3747 (cve.mitre.org)
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling.  For some RewriteRules this could lead to a pointer being
written out of bounds.  Reported by Mark Dowd of McAfee.

Reviewed by: trawick, lars, jorton, wrowe, benl


Modified:
    httpd/httpd/branches/1.3.x/src/CHANGES
    httpd/httpd/branches/1.3.x/src/modules/standard/mod_rewrite.c

Modified: httpd/httpd/branches/1.3.x/src/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/CHANGES?rev=426146&r1=426145&r2=426146&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/CHANGES (original)
+++ httpd/httpd/branches/1.3.x/src/CHANGES Thu Jul 27 10:09:03 2006
@@ -1,5 +1,11 @@
 Changes with Apache 1.3.37
 
+  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+     handling.  For some RewriteRules this could lead to a pointer being
+     written out of bounds.  Reported by Mark Dowd of McAfee.
+     [Mark Cox]
+
 Changes with Apache 1.3.36
 
   *) Reverted SVN rev #396294 due to unwanted regression.

Modified: httpd/httpd/branches/1.3.x/src/modules/standard/mod_rewrite.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/1.3.x/src/modules/standard/mod_rewrite.c?rev=426146&r1=426145&r2=426146&view=diff
==============================================================================
--- httpd/httpd/branches/1.3.x/src/modules/standard/mod_rewrite.c (original)
+++ httpd/httpd/branches/1.3.x/src/modules/standard/mod_rewrite.c Thu Jul 27 10:09:03 2006
@@ -2736,7 +2736,7 @@
             int c = 0;
 
             token[0] = cp = ap_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                 if (*cp == '?') {
                     token[++c] = cp + 1;
                     *cp = '\0';



Mime
View raw message