httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [PATCH] ap_pregsub_ex and somewhat-limited ap_pregsub() to 2.2.x branch
Date Mon, 24 Jun 2013 15:47:17 GMT
On Sat, 22 Jun 2013 10:09:35 -0400
Jeff Trawick <trawick@gmail.com> wrote:

> On Fri, Jun 21, 2013 at 2:43 PM, William A. Rowe Jr.
> <wrowe@rowe-clan.net> wrote:
> 
> > On Fri, 21 Jun 2013 13:19:36 -0400
> > Jeff Trawick <trawick@gmail.com> wrote:
> >
> > > Even with the CVE-2011-3607 it is still possible to DoS the
> > > server by consuming huge amounts of memory with mod_setenvif
> > > using a specially crafted configuration.
> > >
> > > Here's a backport of an existing fix in 2.4.x which resolves the
> > > issue I reproduced.  Note that unlike in 2.4.x we need ap_pregsub
> > > to handle somewhat arbitrary string lengths.  I picked 64MB,
> > > which can be overridden at compile time.
> > >
> > > http://people.apache.org/~trawick/ap_pregsub_ex_22x.txt
> > >
> > > This is essentially a grab of ap_pregsub/ap_pregsub_ex from 2.4.x
> > > HEAD with the minimal required changes plus
> > > http://svn.apache.org/viewvc?view=revision&revision=1198966
> > >
> > > See the XXX notes in the patch for apparent semantic changes
> > > which I probably need to back out.  (I haven't researched that
> > > yet.)
> > >
> > > Normally we use STATUS to track this but I don't think it is as
> > > polished as we normally expect.  Still to do (tomorrow?):
> > > Investigate the XXX's, run the regression suite.
> > >
> > > Concerns with the patch?
> > >
> > > Interested in any of this in the final 2.0.x release?
> >
> > I am happy to hold up a short while to adopt this patch.  I'm
> > neutral on adding it to 2.0.x but will certainly pause for it to be
> > committed if others agree and will review the 2.0.x backport.
> >
> >
> I'm not motivated to put it in 2.0.x either, but if anyone has time
> to play I will assist if I can.

Then is it still appropriate to claim this in 2.0.65 CHANGES without 
the pcre change?

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
     is enabled, could allow local users to gain privileges via a .htaccess
     file. [Stefan Fritsch, Greg Ames]

or have we implied this same fix under that same CVE number?  Granted we
don't overflow, we simply run OOM now.
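
Added illustration, not part of the message above and not httpd's ap_pregsub() or the patch under discussion: a toy C model of the two length-accounting shapes the thread weighs. The first routine sums backreference lengths in a 32-bit counter that can wrap, the integer-overflow shape the CHANGES entry names, so four references to a 1 GiB match wrap to zero and the later copy would overrun the allocation; the second checks every addition against a cap before it happens, the approach the 2.2.x backport takes with its 64MB default, and rejects the template instead of sizing a buffer it cannot fill. The ex_/EX_ names, the status values and the sample match offsets are assumptions; the $0-$9, & and backslash-escape syntax follows the general shape of the API, not its exact code.

```c
/* Added example, not httpd's ap_pregsub() and not the patch under discussion.
 * It models a pregsub-style backreference expander's length accounting: the
 * wrap-prone accumulator CVE-2011-3607 describes, then checked accounting with
 * a hard cap on the expanded length (64MB in the 2.2.x backport). The ex_/EX_
 * names and status values are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_PREGSUB_MAXLEN ((size_t)64 * 1024 * 1024)  /* hypothetical 64MB cap */
typedef struct { long rm_so, rm_eo; } ex_regmatch_t;  /* byte offsets, rm_so < 0 if unset */
enum { EX_OK = 0, EX_ENOMEM = 1 };                     /* hypothetical status codes */

/* Consume one template element: returns the group number of a backreference
 * ($0-$9, or & for the whole match) or -1 for a literal; "\$" and "\&" are literals. */
static int ex_next_ref(const char **src)
{
    const char *s = *src;
    if (s[0] == '&') { *src = s + 1; return 0; }
    if (s[0] == '$' && isdigit((unsigned char)s[1])) { *src = s + 2; return s[1] - '0'; }
    if (s[0] == '\\' && (s[1] == '$' || s[1] == '&'))
        s++;                                           /* skip the escape */
    *src = s + 1;
    return -1;
}

/* Length of group `no`, or 0 when it does not exist or did not participate. */
static size_t ex_group_len(int no, size_t nmatch, const ex_regmatch_t pvec[])
{
    if (no < 0 || (size_t)no >= nmatch || pvec[no].rm_so < 0 || pvec[no].rm_eo < pvec[no].rm_so)
        return 0;
    return (size_t)(pvec[no].rm_eo - pvec[no].rm_so);
}

/* Weak form: a 32-bit accumulator (unsigned so the wrap is defined behaviour,
 * standing in for a pre-fix `int len`) wraps silently, so the caller would
 * allocate far less than the expansion later copies. */
unsigned int ex_pregsub_len_weak(const char *input, size_t nmatch, const ex_regmatch_t pvec[])
{
    unsigned int len = 0;
    while (*input) {
        int no = ex_next_ref(&input);
        len += (no < 0) ? 1u : (unsigned int)ex_group_len(no, nmatch, pvec);
    }
    return len;
}

/* Fixed form: every addition is checked against `maxlen` first, which rules out
 * wrap-around and bounds what a crafted template can demand. */
int ex_pregsub_len(const char *input, size_t nmatch, const ex_regmatch_t pvec[],
                   size_t maxlen, size_t *len)
{
    size_t total = 0;
    while (*input) {
        int no = ex_next_ref(&input);
        size_t piece = (no < 0) ? 1 : ex_group_len(no, nmatch, pvec);
        if (piece > maxlen - total)                    /* total <= maxlen, no underflow */
            return EX_ENOMEM;
        total += piece;
    }
    *len = total;
    return EX_OK;
}

/* Expansion sized by the checked length; returns a malloc'd string (caller frees)
 * or NULL when the template is rejected or memory is unavailable. */
char *ex_pregsub(const char *input, const char *source, size_t nmatch,
                 const ex_regmatch_t pvec[], size_t maxlen)
{
    size_t len, n;
    char *out, *dst;
    if (ex_pregsub_len(input, nmatch, pvec, maxlen, &len) != EX_OK || !(out = dst = malloc(len + 1)))
        return NULL;
    while (*input) {
        int no = ex_next_ref(&input);
        if (no < 0) {
            *dst++ = input[-1];                        /* the literal just consumed */
        } else if ((n = ex_group_len(no, nmatch, pvec)) > 0) {
            memcpy(dst, source + pvec[no].rm_so, n);
            dst += n;
        }
    }
    *dst = '\0';
    return out;
}

int main(void)
{
    ex_regmatch_t big[1] = { { 0, 0x40000000L } };     /* constructed: one 1 GiB match */
    ex_regmatch_t m[2] = { { 0, 11 }, { 6, 11 } };     /* constructed: "hello world", $1 = "world" */
    size_t n;
    char *r = ex_pregsub("<$1>\\$&", "hello world", 2, m, EX_PREGSUB_MAXLEN);
    printf("weak length of $0$0$0$0: %u\n", ex_pregsub_len_weak("$0$0$0$0", 1, big));
    printf("checked length: %s\n",
           ex_pregsub_len("$0$0$0$0", 1, big, EX_PREGSUB_MAXLEN, &n) == EX_ENOMEM ? "rejected" : "ok");
    printf("expansion: %s\n", r ? r : "(rejected)");
    free(r);
    return 0;
}
```

The cap does double duty: because `total` never exceeds `maxlen`, the subtraction `maxlen - total` cannot underflow and the comparison catches both a genuine wrap and an honest-but-huge expansion, so there is no separate overflow test to get wrong. What the cap does not do is make a 64MB expansion per request cheap, which is the memory-consumption point still open in the thread.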
