Received: by taz.hyperreal.com (8.8.3/V2.0) id UAA04731; Fri, 10 Jan 1997 20:15:49 -0800 (PST)
Received: from scanner.worldgate.com by taz.hyperreal.com (8.8.3/V2.0) with ESMTP id UAA04720; Fri, 10 Jan 1997 20:15:40 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id VAA03215 for new-httpd@hyperreal.com; Fri, 10 Jan 1997 21:15:54 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id VAA10438 for ; Fri, 10 Jan 1997 21:15:35 -0700 (MST)
Date: Fri, 10 Jan 1997 21:15:35 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: new-httpd@hyperreal.com
Subject: Re: Might as well be a CERT warning.
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Fri, 10 Jan 1997, Brian Behlendorf wrote:

> Wonderful.
>
> The question is, should we release a patch for 1.1.1?  I think so, since
> it looks like it'll be an easy fix.
>
> COMMENTS PLEASE.

Yup, release a patch; in fact, get a patch out now, linked to from the
main web page and ask him to add a pointer to the "official" fix.

Note that:

- I don't think it is the most serious hole in the code
- I am very doubtful about how easy (or possible) this is to exploit
  because of several things, including what he mentions.
- I think there will be more holes found quite soon after the release of
  this advisory, when people think to start looking.  It won't take long
  to find others.

The suggested patch looks fine, and isn't worth arguing about too much
since it will be fixed with snprintf.

> Fix Information
> ~~~~~~~~~~~~~~~
> We suggest increasing the buffer length to handle 255 character hostnames,
> and verifying that hostname length is within acceptable limits.
> Apply the
> following diff, recompile, and then kill and restart your httpd in order
> to fix Apache 1.1.1:
>
> *** mod_cookies.c Tue Jan 7 14:38:15 1997
> --- /usr/tmp/mod_cookies.c Tue Jan 7 14:38:11 1997
> ***************
> *** 119,125 ****
> void make_cookie(request_rec *r)
> {
> struct timeval tv;
> ! char new_cookie[100]; /* blurgh */
> char *dot;
> const char *rname = pstrdup(r->pool,
> get_remote_host(r->connection, r->per_dir_config,
> --- 119,125 ----
> void make_cookie(request_rec *r)
> {
> struct timeval tv;
> ! char new_cookie[1024]; /* blurgh */
> char *dot;
> const char *rname = pstrdup(r->pool,
> get_remote_host(r->connection, r->per_dir_config,
> ***************
> *** 128,133 ****
> --- 128,136 ----
> struct timezone tz = { 0 , 0 };
>
> if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */
> + if (strlen (rname) > 255)
> + rname[256] = 0;
> +
> gettimeofday(&tv, &tz);
> sprintf(new_cookie,"%s%s%d%ld%d; path=/",
> COOKIE_NAME, rname,
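Review bot: growing new_cookie from 100 to 1024 bytes in the 119,125 hunk only moves the limit; the sprintf(new_cookie, "%s%s%d%ld%d; path=/", COOKIE_NAME, rname, ...) at the end of the function still writes with no length check, so the fix depends entirely on the later rname truncation keeping the total under 1024. Using snprintf(new_cookie, sizeof new_cookie, ...) there bounds the write whatever rname holds, which is the follow-up change the reply above anticipates.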
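Review bot: the check added in the 128,136 hunk writes through rname, which the 119,125 hunk declares as const char *, so "rname[256] = 0;" will not compile cleanly as written and needs a non-const pointer to the pstrdup copy. It also cuts the name at 256 characters, one more than the 255 the Fix Information text names; "rname[255] = '\0';" matches the stated limit. Note too that the truncation runs after strchr has already terminated the string at the first '.', so it only ever bounds the first label, which is fine for this buffer but worth stating in a comment.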
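Added example, not code from the advisory, the reply, or mod_cookies.c: a bounded version of the formatting step the patch leaves to sprintf, written the way the snprintf follow-up mentioned in the reply would look. build_cookie, cookie_len and cookie_len_oversized are hypothetical names, the value of COOKIE_NAME and the pid/time values are assumed stand-ins, and the 300-character label is constructed input.

```c
#include <stdio.h>
#include <string.h>
#define COOKIE_NAME "Apache="  /* assumed; stands in for the module's macro */
#define HOST_MAX    255        /* hostname limit the advisory names */
#define COOKIE_BUF  1024       /* buffer size the patch picks */

/* Hypothetical bounded replacement for the formatting step in make_cookie():
 * same "%s%s%d%ld%d; path=/" layout, but the first hostname label is copied
 * into a bounded buffer and the final write uses snprintf, not sprintf.
 * Returns the length written, or -1 if the cookie would not fit in out[]. */
int build_cookie(char *out, size_t outlen, const char *remote_host,
                 int pid, long sec, int usec)
{
    char host[HOST_MAX + 1];
    const char *dot = strchr(remote_host, '.');
    size_t n = dot ? (size_t)(dot - remote_host) : strlen(remote_host);
    if (n > HOST_MAX)
        n = HOST_MAX;                       /* truncate, never overflow */
    memcpy(host, remote_host, n);
    host[n] = '\0';
    int len = snprintf(out, outlen, "%s%s%d%ld%d; path=/",
                       COOKIE_NAME, host, pid, sec, usec);
    return (len < 0 || (size_t)len >= outlen) ? -1 : len;
}

/* Constructed pid/time values stand in for getpid() and gettimeofday();
 * outlen lets the caller compare the old 100-byte buffer with the new one. */
int cookie_len(const char *remote_host, size_t outlen)
{
    char buf[COOKIE_BUF];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return build_cookie(buf, outlen, remote_host, 1234, 853000000L, 42);
}
/* A 300-character label with no dot, longer than any legal hostname. */
int cookie_len_oversized(size_t outlen)
{
    char label[301];
    memset(label, 'a', 300);
    label[300] = '\0';
    return cookie_len(label, outlen);
}

int main(void)
{
    printf("host.example.org -> %d bytes\n", cookie_len("host.example.org", COOKIE_BUF));
    printf("300-char label, 1024-byte buffer -> %d\n", cookie_len_oversized(COOKIE_BUF));
    printf("300-char label, 100-byte buffer -> %d (refused)\n", cookie_len_oversized(100));
    return 0;
}
```

With the original 100-byte buffer the oversized label is refused instead of overrunning the stack; with the patch's 1024-byte buffer it is truncated to 255 characters and fits.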