Subject: svn commit: r1393580 - in /httpd/httpd/branches/2.0.x: ./ CHANGES STATUS server/util.c
Date: Wed, 03 Oct 2012 16:18:10 -0000
To: cvs@httpd.apache.org
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
From: rjung@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121003161811.2F22C23888CD@eris.apache.org> Author: rjung Date: Wed Oct 3 16:18:10 2012 New Revision: 1393580 URL: http://svn.apache.org/viewvc?rev=1393580&view=rev Log: Merge r1198940 from trunk resp. r1227280 from 2.2.x: Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess CVE-2011-3607 http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ Submitted by: sf Reviewed/backported by: rjung Modified: httpd/httpd/branches/2.0.x/ (props changed) httpd/httpd/branches/2.0.x/CHANGES httpd/httpd/branches/2.0.x/STATUS httpd/httpd/branches/2.0.x/server/util.c Propchange: httpd/httpd/branches/2.0.x/ ------------------------------------------------------------------------------ Merged /httpd/httpd/branches/2.2.x:r1227280 Merged /httpd/httpd/trunk:r1198940 Modified: httpd/httpd/branches/2.0.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1393580&r1=1393579&r2=1393580&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Oct 3 16:18:10 2012 
@@ -23,6 +23,11 @@ Changes with Apache 2.0.65 PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, ] + *) SECURITY: CVE-2011-3607 (cve.mitre.org) + Fix integer overflow in ap_pregsub() which, when the mod_setenvif module + is enabled, could allow local users to gain privileges via a .htaccess + file. [Stefan Fritsch, Greg Ames] + Changes with Apache 2.0.64 *) SECURITY: CVE-2010-1452 (cve.mitre.org) Modified: httpd/httpd/branches/2.0.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1393580&r1=1393579&r2=1393580&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/STATUS (original) +++ httpd/httpd/branches/2.0.x/STATUS Wed Oct 3 16:18:10 2012 @@ -129,13 +129,6 @@ RELEASE SHOWSTOPPERS: More eyes welcome. jim: not a showstopper, imo - *) SECURITY: CVE-2011-3607 (cve.mitre.org) - Fix integer overflow in ap_pregsub() which, when the mod_setenvif module - is enabled, could allow local users to gain privileges via a .htaccess - file. [Stefan Fritsch, Greg Ames] - From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280 - +1: gregames, wrowe, trawick - *) SECURITY: CVE-2011-4317 (cve.mitre.org) Resolve additional cases of URL rewriting with ProxyPassMatch or RewriteRule, where particular request-URIs could result in undesired Modified: httpd/httpd/branches/2.0.x/server/util.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/server/util.c?rev=1393580&r1=1393579&r2=1393580&view=diff ============================================================================== --- httpd/httpd/branches/2.0.x/server/util.c (original) +++ httpd/httpd/branches/2.0.x/server/util.c Wed Oct 3 16:18:10 2012 @@ -82,6 +82,8 @@ #define IS_SLASH(s) (s == '/') #endif +/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */ +#define UTIL_SIZE_MAX (~((apr_size_t)0)) /* * Examine a field value (such as a media-/content-type) string and return 
@@ -385,7 +387,7 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t char *dest, *dst; char c; size_t no; - int len; + apr_size_t len; if (!source) return NULL; @@ -410,6 +412,11 @@ AP_DECLARE(char *) ap_pregsub(apr_pool_t len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, + "integer overflow or out of memory condition." ); + return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; }
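Review bot: the CHANGES entry says only that a local user could gain privileges via .htaccess; the log message carries the actual trigger (mod_setenvif, integer overflow in ap_pregsub) and the advisory URL http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/, and the STATUS block being removed carries the backport reference r1227280. One of those belongs in the CHANGES entry so a reader of the release notes can find the details without the svn log.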
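Review bot: the fallback `#define UTIL_SIZE_MAX (~((apr_size_t)0))` is correct (all bits set is the largest apr_size_t), but since the comment itself says APR_SIZE_MAX exists from APR 1.3 on, wrap it so newer APRs use the library's constant: `#ifdef APR_SIZE_MAX` / `#define UTIL_SIZE_MAX APR_SIZE_MAX` / `#else` the current definition `#endif`. That way the local macro cannot drift from APR's own definition.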
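Review bot: the `int len` to `apr_size_t len` change is what gives the new guard its meaning, not a cosmetic edit: with a signed int, `len += pmatch[no].rm_eo - pmatch[no].rm_so` can wrap to a small or negative value (signed overflow is undefined behaviour in C), and `UTIL_SIZE_MAX - len` only does what is intended when `len` is unsigned. Please confirm that every later use of `len` in ap_pregsub (the allocation and the copy pass, which this hunk does not show) is also correct with an unsigned operand, in particular any comparison that previously relied on `len` being signed.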
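Review bot: the `<=` is the right comparison in `if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)`: rejecting the equal case guarantees `len + (rm_eo - rm_so) < UTIL_SIZE_MAX`, so one more byte (a terminating NUL) can still be added without wrapping. Two smaller points. The right-hand side is a signed difference compared against an apr_size_t; the enclosing `pmatch[no].rm_so < pmatch[no].rm_eo` test makes it strictly positive, so the implicit conversion is safe, but an explicit `(apr_size_t)` cast would document that and silence sign-compare warnings. And the unguarded `len++` branch is fine as is: it advances one byte per byte of `source`, which cannot be anywhere near UTIL_SIZE_MAX bytes long. The new `return NULL` does not add a failure mode callers have not already had to handle, since `if (!source) return NULL;` is visible just above; `ap_log_error(..., NULL, ...)` with no server_rec is acceptable here because ap_pregsub has no request or server handle to pass.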
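The bug the log message describes (the length pass of ap_pregsub() summing capture-group lengths into an `int`) and the shape of the fix are easier to see in isolation. The block below is an added example written for this page, not httpd's code: it is a simplified re-implementation of that first pass, with the pre-fix accumulator beside the patched one. The names `match_t`, `next_ref`, `pregsub_len_unchecked32` and `pregsub_len_checked` are invented here, `match_t` stands in for ap_regmatch_t, the `limit` parameter stands in for UTIL_SIZE_MAX so the boundary can be hit without a multi-gigabyte match, and the template and match offsets in `main` are constructed inputs (no memory of that size is allocated).

```c
/* Added example: simplified re-implementation of ap_pregsub()'s length pass.
 * Not httpd's code; names and inputs are invented for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for ap_regmatch_t: start/end offsets of one capture group. */
typedef struct { long rm_so, rm_eo; } match_t;

/* Decode one template token the way ap_pregsub does: '&' refers to group 0,
 * "$d" to group d, anything else is an ordinary character.  For the escapes
 * "\$" and "\&" the escaped character is consumed here and the token counts
 * as one ordinary character.  Returns the group number, or 10 for an
 * ordinary character, and advances *pp past the token. */
static size_t next_ref(const char **pp)
{
    char c = *(*pp)++;
    size_t no;

    if (c == '&')
        no = 0;
    else if (c == '$' && **pp >= '0' && **pp <= '9')
        no = (size_t)(*(*pp)++ - '0');
    else
        no = 10;

    if (no > 9 && c == '\\' && (**pp == '$' || **pp == '&'))
        (*pp)++;
    return no;
}

/* Pre-fix shape: a fixed-width accumulator and no overflow check.  The real
 * code used a signed int, where overflow is undefined behaviour; uint32_t is
 * used here so the wraparound is deterministic and can be asserted on. */
uint32_t pregsub_len_unchecked32(const char *src, const match_t *pmatch, size_t nmatch)
{
    uint32_t len = 0;

    while (*src) {
        size_t no = next_ref(&src);
        if (no > 9)
            len++;
        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo)
            len += (uint32_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
    }
    return len;   /* may have wrapped: a tiny buffer for a huge copy */
}

/* Post-fix shape: same loop with the patch's guard.  'limit' plays the role
 * of UTIL_SIZE_MAX (~(size_t)0).  Returns 0 and stores the length (without
 * the NUL) in *out, or -1 if len + match length would reach limit.  As in
 * the patch, the len++ path is unguarded: it grows one byte per source byte. */
int pregsub_len_checked(const char *src, const match_t *pmatch, size_t nmatch,
                        size_t limit, size_t *out)
{
    size_t len = 0;

    while (*src) {
        size_t no = next_ref(&src);
        if (no > 9) {
            len++;
        } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            /* positive because rm_so < rm_eo, so the cast is safe */
            size_t mlen = (size_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
            /* '<=' keeps len + mlen strictly below limit: room for a NUL */
            if (limit - len <= mlen)
                return -1;
            len += mlen;
        }
    }
    *out = len;
    return 0;
}

int main(void)
{
    /* Constructed: four references to group 1 and a fictitious 1 GiB match. */
    const char *tmpl = "$1$1$1$1";
    match_t m[2] = { {0, 0}, {0, 0x40000000L} };
    size_t need = 0;

    printf("unchecked 32-bit length: %u\n",
           (unsigned)pregsub_len_unchecked32(tmpl, m, 2));
    printf("checked with 32-bit limit: %d\n",
           pregsub_len_checked(tmpl, m, 2, (size_t)0xFFFFFFFFu, &need));
    return 0;
}
```

With the constructed inputs the unchecked accumulator sums 4 × 2^30 and wraps to 0, the value a caller would then pass to the allocator before copying 4 GiB into it; the checked version refuses the fourth reference because `limit - len` (0x3FFFFFFF) is not greater than the match length, which is exactly the case the patch's `UTIL_SIZE_MAX - len <= ...` test catches.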