Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Tue, Jul 20, 2004 at 06:19:13PM +0200, Juergen Weigert wrote:
> On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> > On Fri, Jul 16, 2004, Joe Orton wrote:
> > > [...] I think it's portable to assume time_t is a long...
> > > [...]
>
> I'd appreciate
> assert(sizeof(time_t) == sizeof(long));
> near that.

Casting the value to a long would be better than a runtime assertion if
you're worried about it, there's only one place it happens.

joe
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
I would prefer either:
#if ...
#error ...
#endif
or
if( ... ) {
log some easy to understand error
exit(1)
}
--- Juergen Weigert <[EMAIL PROTECTED]> wrote:
> On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> > On Fri, Jul 16, 2004, Joe Orton wrote:
> > > [...] I think it's portable to assume time_t is a long...
> > > [...]
>
> I'd appreciate
> assert(sizeof(time_t) == sizeof(long));
> near that.
> I could not find any glibc supported architecture, where
> that would not hold.
>
> cheers,
> Jw.
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> On Fri, Jul 16, 2004, Joe Orton wrote:
> > [...] I think it's portable to assume time_t is a long...
> > [...]

I'd appreciate
assert(sizeof(time_t) == sizeof(long));
near that.
I could not find any glibc supported architecture, where
that would not hold.

cheers,
Jw.

--
Juergen Weigert   paint it green!
[EMAIL PROTECTED]   linux software creator
0911 74053-508
vim:set sw=2 wm=8
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Sat, Jul 17, 2004 at 08:57:09AM +0200, Ralf S. Engelschall wrote:
> Yes, although they are not security related, they could crash the
> server, too. So we should fix those formatting bugs, too. A little bit
> of extra casting might be required, I think. I've now committed to my
> CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
> Please commit a similar patch to mod_ssl for Apache 2.x, please.

Actually it should just use %pp for printing addresses since the 1.3
ap_snprintf does support that (the 2.0 code does this already).

joe
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Fri, Jul 16, 2004, Joe Orton wrote:
> I'm checking an older version of mod_ssl but there are a couple of other
> uninteresting format string warnings from gcc. I think it's portable to
> assume time_t is a long...
> [...]
Yes, although they are not security related, they could crash the
server, too. So we should fix those formatting bugs, too. A little bit
of extra casting might be required, I think. I've now committed to my
CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
Please commit a similar patch to mod_ssl for Apache 2.x, please.
Index: ssl_engine_io.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.36
diff -u -d -r1.36 ssl_engine_io.c
--- ssl_engine_io.c 11 May 2004 18:44:15 - 1.36
+++ ssl_engine_io.c 17 Jul 2004 06:52:22 -
@@ -682,7 +682,7 @@
}
if (trunc > 0)
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
-"| %04x - ", len + trunc);
+"| %04lx - ", len + trunc);
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
"+-+");
return;
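Review bot: The `%04lx` conversion in the truncation line now expects an unsigned long, but the declarations of `len` and `trunc` are outside this hunk, so the argument `len + trunc` only matches if both are already long-sized. An explicit `(unsigned long)(len + trunc)` at the call would make the match independent of how those variables are declared, in line with the casts used in the other hunks.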
@@ -704,21 +704,21 @@
|| cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
if (rc >= 0) {
ssl_log(s, SSL_LOG_DEBUG,
-"%s: %s %ld/%d bytes %s BIO#%08X [mem: %08lX] %s",
+"%s: %s %ld/%d bytes %s BIO#%08lX [mem: %08lX] %s",
SSL_LIBRARY_NAME,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
-bio, argp,
+(long)bio, (long)argp,
(argp != NULL ? "(BIO dump follows)" : "(Ops, no memory
buffer?)"));
if (argp != NULL)
ssl_io_data_dump(s, argp, rc);
}
else {
ssl_log(s, SSL_LOG_DEBUG,
-"%s: I/O error, %d bytes expected to %s on BIO#%08X [mem: %08lX]",
+"%s: I/O error, %d bytes expected to %s on BIO#%08lX [mem:
%08lX]",
SSL_LIBRARY_NAME, argi,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
-bio, argp);
+(long)bio, (long)argp);
}
}
return rc;
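Review bot: The `(long)bio, (long)argp` casts in both ssl_log calls assume a pointer fits in a long, which does not hold on platforms where long is 32 bits and pointers are 64 bits, and `%08lX` formally takes an unsigned long. Printing these with a pointer conversion, such as the `%pp` Joe Orton mentions for ap_snprintf in his reply, avoids the integer cast entirely. The unchanged `%ld/%d` pair for `rc, argi` in the first call is worth checking against their declarations too, since those are not visible here.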
Index: ssl_engine_kernel.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.146
diff -u -d -r1.146 ssl_engine_kernel.c
--- ssl_engine_kernel.c 27 May 2004 13:13:32 - 1.146
+++ ssl_engine_kernel.c 17 Jul 2004 06:50:10 -
@@ -1793,10 +1793,10 @@
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
-"request=SET status=%s id=%s timeout=%ds (session caching)",
+"request=SET status=%s id=%s timeout=%lds (session caching)",
rc == TRUE ? "OK" : "BAD",
SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
-t-time(NULL));
+(long)(t-time(NULL)));
/*
* return 0 which means to OpenSSL that the pNew is still
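Review bot: At the `ssl_log(s, SSL_LOG_TRACE, ...)` call, the `(long)(t-time(NULL))` cast makes the argument match `%ld` whatever the width of time_t, but the patch still leaves `ssl_log` itself unchecked by the compiler. Joe Orton's version of this change in the thread also declared `ssl_log` with `__attribute__((format(printf,3,4)))` in mod_ssl.h; carrying that declaration, guarded for compilers without the attribute, would let gcc flag any remaining mismatched call sites instead of relying on finding them by hand.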
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
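The two fixes discussed in this thread, the `(long)` cast before `%ld` and a printf format attribute on the logging function, shown together as an added example. This is not mod_ssl code; `demo_log`, `demo_log_timeout`, `demo_log_text` and `DEMO_PRINTF` are hypothetical names, and the sample inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Let GCC/Clang check arguments against the format; no-op elsewhere. */
#if defined(__GNUC__)
#define DEMO_PRINTF(f, a) __attribute__((format(printf, f, a)))
#else
#define DEMO_PRINTF(f, a)
#endif

static char demo_line[256];   /* last formatted line, stands in for the log file */

/* Hypothetical stand-in for a printf-style logger such as ssl_log(). */
static const char *demo_log(int level, const char *fmt, ...) DEMO_PRINTF(2, 3);

static const char *demo_log(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    vsnprintf(demo_line, sizeof(demo_line), fmt, ap);
    va_end(ap);
    return demo_line;
}

/* time_t has no portable conversion specifier: cast the difference to
 * long at the call site so the argument always matches %ld. */
static const char *demo_log_timeout(time_t expiry, time_t now)
{
    return demo_log(0, "request=SET timeout=%lds", (long)(expiry - now));
}

/* Text that did not originate in the program is passed as an argument
 * to "%s", never as the format itself. */
static const char *demo_log_text(const char *text)
{
    return demo_log(0, "%s", text);
}

int main(void)
{
    time_t now = time(NULL);
    puts(demo_log_timeout(now + 300, now));
    puts(demo_log_text("100%s%s done"));   /* constructed sample input */
    return 0;
}
```

With the attribute in place, gcc's `-Wformat` reports a `%d` paired with a long argument at compile time, which is how the mismatches in this thread were found.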
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
I'm checking an older version of mod_ssl but there are a couple of other uninteresting format string warnings from gcc. I think it's portable to assume time_t is a long... --- ./ssl_engine_io.c.warnings 2002-02-23 18:45:45.0 + +++ ./ssl_engine_io.c 2004-07-16 22:02:32.0 +0100 @@ -680,7 +680,7 @@ } if (trunc > 0) ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, -"| %04x - ", len + trunc); +"| %04lx - ", len + trunc); ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, "+-+"); return; --- ./mod_ssl.h.warnings2004-07-16 21:52:26.0 +0100 +++ ./mod_ssl.h 2004-07-16 21:58:19.0 +0100 @@ -806,7 +806,9 @@ /* Logfile Support */ void ssl_log_open(server_rec *, server_rec *, pool *); BOOL ssl_log_applies(server_rec *, int); -void ssl_log(server_rec *, int, const char *, ...); +void ssl_log(server_rec *, int, const char *, ...) + __attribute__((format(printf,3,4))); + void ssl_die(void); /* Variables */ --- ./ssl_engine_kernel.c.warnings 2004-07-16 21:52:26.0 +0100 +++ ./ssl_engine_kernel.c 2004-07-16 22:00:41.0 +0100 @@ -1807,7 +1807,7 @@ * Log this cache operation */ ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: " -"request=SET status=%s id=%s timeout=%ds (session caching)", +"request=SET status=%s id=%s timeout=%lds (session caching)", rc == TRUE ? "OK" : "BAD", SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length), t-time(NULL)); __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
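Review bot: In the ssl_engine_kernel.c hunk the format becomes `timeout=%lds` while the argument stays `t-time(NULL)` with no cast, so the call is only correct where time_t is a long. Passing `(long)(t-time(NULL))` removes that assumption at the one place it matters.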
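Review bot: In the mod_ssl.h hunk, `__attribute__((format(printf,3,4)))` is attached to the `ssl_log` prototype unconditionally, which compilers that do not implement the GNU attribute syntax will reject. Wrapping it in a macro that expands to nothing unless `__GNUC__` is defined keeps the header portable while preserving the format checking.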
[ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
We've today found an ssl_log() related format string vulnerability in
the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for
Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was
created which fixes this potential security hole.

Get mod_ssl-2.8.19-1.3.31.tar.gz from:
  o http://www.modssl.org/source/
  o ftp://ftp.modssl.org/source/

Yours,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
Official Announcement Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
