From 70e8b228dc3f413fb73dafc5438d6dc364b1d9f1 Mon Sep 17 00:00:00 2001
From: tv
Date: Sat, 5 Dec 1998 04:59:35 +0000
Subject: Add two patches released post-Apache-1.3.3 on www.apache.org. THESE FIX POTENTIAL DENIAL OF SERVICE BUGS IN APACHE 1.3.3 (and 1.3.2, in the case of patch-core-404).
---
www/apache/patches/patch-core-404 | 45 +++++++++++++++++++++++++++++++++++++
www/apache/patches/patch-proxy-segv | 19 ++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 www/apache/patches/patch-core-404
create mode 100644 www/apache/patches/patch-proxy-segv
(limited to 'www')
diff --git a/www/apache/patches/patch-core-404 b/www/apache/patches/patch-core-404
new file mode 100644
index 00000000000..6a1e7dcd8b0
--- /dev/null
+++ b/www/apache/patches/patch-core-404
@@ -0,0 +1,45 @@
+This patch fixes a potential denial-of-service vulnerability in
+Apache 1.3.2 and 1.3.3. It is strongly recommended that you apply
+it or upgrade to a more recent version of Apache when it is available.
+
+Thanks to Studenten Net Twente for finding and reporting the problem.
+
+Index: include/http_log.h
+===================================================================
+RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v
+retrieving revision 1.31
+diff -u -r1.31 http_log.h
+--- src/include/http_log.h 1998/08/06 17:30:24 1.31
++++ src/include/http_log.h 1998/10/30 02:23:06
+@@ -105,6 +105,15 @@
+ #define APLOG_MARK __FILE__,__LINE__
+ 
+ void ap_open_logs (server_rec *, pool *p);
++
++/* The two primary logging functions, ap_log_error and ap_log_rerror,
++ * use a printf style format string to build the log message. It is
++ * VERY IMPORTANT that you not include any raw data from the network,
++ * such as the request-URI or request header fields, within the format
++ * string. Doing so makes the server vulnerable to a denial-of-service
++ * attack and other messy behavior. Instead, use a simple format string
++ * like "%s", followed by the string containing the untrusted data.
++ */
+ API_EXPORT(void) ap_log_error(const char *file, int line, int level,
+ const server_rec *s, const char *fmt, ...)
+ __attribute__((format(printf,5,6)));
+Index: main/http_core.c
+===================================================================
+RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
+retrieving revision 1.237
+diff -u -r1.237 http_core.c
+--- src/main/http_core.c 1998/10/23 20:07:39 1.237
++++ src/main/http_core.c 1998/10/30 02:23:07
+@@ -2783,7 +2783,7 @@
+ else {
+ emsg = ap_pstrcat(r->pool, emsg, r->filename, r->path_info, NULL);
+ }
+- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg);
++ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg);
+ return HTTP_NOT_FOUND;
+ }
+ if (r->method_number != M_GET) {
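Review bot: The fix at `ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg);` is right, but the patch header understates the severity: emsg is assembled by `ap_pstrcat` from r->filename and r->path_info, which come from the request URI, so the old call let a client supply printf directives, and a `%n` directive means a memory write rather than only a crash or denial of service. The new comment in http_log.h states the rule, yet the patch repairs a single call site; every other ap_log_error/ap_log_rerror caller that passes a non-literal fmt stays exposed, and since ap_log_error already carries `__attribute__((format(printf,5,6)))` in this hunk, building with the compiler's non-literal-format warning (-Wformat-nonliteral or -Wformat-security, where supported) is the cheap way to enumerate them. The declaration of ap_log_rerror is outside the hunk, so I cannot confirm it carries the same attribute; it should. The enclosing function in http_core.c starts and ends outside the hunk.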
diff --git a/www/apache/patches/patch-proxy-segv b/www/apache/patches/patch-proxy-segv
new file mode 100644
index 00000000000..cd40514f526
--- /dev/null
+++ b/www/apache/patches/patch-proxy-segv
@@ -0,0 +1,19 @@
+This patch fixes a segmentation violation in mod_proxy when a
+response is non-cachable. Problem reported by Doug Bloebaum.
+
+Index: modules/proxy/proxy_util.c
+===================================================================
+RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v
+retrieving revision 1.70
+diff -u -r1.70 proxy_util.c
+--- src/modules/proxy/proxy_util.c 1998/08/31 19:51:59 1.70
++++ src/modules/proxy/proxy_util.c 1998/10/09 16:21:14
+@@ -581,7 +581,7 @@
+ ap_reset_timeout(r);
+ 
+ if (w <= 0) {
+- if (c != NULL) {
++ if (c != NULL && c->fp != NULL) {
+ /* when a send failure occurs, we need to decide
+ * whether to continue loading and caching the
+ * document, or to abort the whole thing
-- cgit v1.2.3
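Review bot: The new condition `if (c != NULL && c->fp != NULL) {` reads as a bare null check with nothing at the site saying why c->fp can be NULL; the patch header attributes it to non-cachable responses, so I would record that next to the test, e.g. `/* c->fp is NULL when the response is not being cached; skip the cache bookkeeping */`. Whether the send-failure path that is now skipped for c->fp == NULL needs any other cleanup (a backend connection, a partial cache entry) cannot be judged from the hunk, since the body of the if and the enclosing function both continue outside it; the rest of that path should be checked for further unconditional uses of c->fp. The guard as written presumably matches the reported crash, but it only prevents this one dereference.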