httpd-cvs mailing list archives

From s.@apache.org
Subject svn commit: r1198940 - in /httpd/httpd/trunk: CHANGES server/util.c
Date Mon, 07 Nov 2011 21:13:40 GMT
Author: sf
Date: Mon Nov  7 21:13:40 2011
New Revision: 1198940

URL: http://svn.apache.org/viewvc?rev=1198940&view=rev
Log:
Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/server/util.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1198940&r1=1198939&r2=1198940&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Nov  7 21:13:40 2011
@@ -12,6 +12,10 @@ Changes with Apache 2.3.15
      PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
      <lowprio20 gmail.com>]
 
+  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
+     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]
+
   *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
      LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
      and htaccess where the configuration would have been ignored.
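Review bot: the new CHANGES entry credits only [Stefan Fritsch], while the log message above also points to the halfdog.net advisory for CVE-2011-3607; consider crediting the reporter in the entry as well so the published changelog records who found the issue. The entry's wording ("Fix integer overflow in ap_pregsub") also does not say what the fixed code does when the overflow condition is hit; a short clause such as "the substitution now fails with an error instead of truncating" would tell administrators what behaviour to expect.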

Modified: httpd/httpd/trunk/server/util.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1198940&r1=1198939&r2=1198940&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util.c (original)
+++ httpd/httpd/trunk/server/util.c Mon Nov  7 21:13:40 2011
@@ -411,6 +411,8 @@ static apr_status_t regsub_core(apr_pool
             len++;
         }
         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
+                return APR_ENOMEM;
             len += pmatch[no].rm_eo - pmatch[no].rm_so;
         }
 
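Review bot: the added guard only covers the back-reference branch; the literal-character branch directly above it (`len++;`) still grows `len` unchecked. Each iteration there adds one byte per input character, so it cannot realistically wrap on its own, but a one-line comment saying so would prevent a later reader from assuming the branch was overlooked. The `<=` (rather than `<`) is presumably chosen so that one byte remains for the terminating NUL after the loop; that deserves a comment too, since the intent is not obvious from the expression alone. Finally, `pmatch[no].rm_eo - pmatch[no].rm_so` is now computed twice; hoisting it into a local (for example `apr_size_t mlen = pmatch[no].rm_eo - pmatch[no].rm_so;`) would make the signed-to-unsigned conversion explicit and keep the check and the increment operating on the same value.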