Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Tue, Jul 20, 2004 at 06:19:13PM +0200, Juergen Weigert wrote:
> On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> > On Fri, Jul 16, 2004, Joe Orton wrote:
> > > [...]
> > > I think it's portable to assume time_t is a long...
> > > [...]
>
> I'd appreciate assert(sizeof(time_t) == sizeof(long)); near that.

Casting the value to a long would be better than a runtime assertion if you're worried about it, there's only one place it happens.

joe
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
I would prefer either:

    #if ...
    #error ...
    #endif

or

    if( ... ) {
        log some easy to understand error
        exit(1)
    }

--- Juergen Weigert [EMAIL PROTECTED] wrote:
> On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> > On Fri, Jul 16, 2004, Joe Orton wrote:
> > > [...]
> > > I think it's portable to assume time_t is a long...
> > > [...]
>
> I'd appreciate assert(sizeof(time_t) == sizeof(long)); near that.
> I could not find any glibc supported architecture, where that would not hold.
>
> cheers, Jw.
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Fri, Jul 16, 2004, Joe Orton wrote:
> I'm checking an older version of mod_ssl but there are a couple of other uninteresting format string warnings from gcc. I think it's portable to assume time_t is a long...
> [...]

Yes, although they are not security related, they could crash the server, too. So we should fix those formatting bugs, too. A little bit of extra casting might be required, I think. I've now committed to my CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback. Please commit a similar patch to mod_ssl for Apache 2.x, please.

Index: ssl_engine_io.c === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v retrieving revision 1.36 diff -u -d -r1.36 ssl_engine_io.c --- ssl_engine_io.c 11 May 2004 18:44:15 - 1.36 +++ ssl_engine_io.c 17 Jul 2004 06:52:22 - @@ -682,7 +682,7 @@ } if (trunc 0) ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, -| %04x - SPACES/NULS, len + trunc); +| %04lx - SPACES/NULS, len + trunc); ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, +-+); return; 
@@ -704,21 +704,21 @@ || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) { if (rc = 0) { ssl_log(s, SSL_LOG_DEBUG, -%s: %s %ld/%d bytes %s BIO#%08X [mem: %08lX] %s, +%s: %s %ld/%d bytes %s BIO#%08lX [mem: %08lX] %s, SSL_LIBRARY_NAME, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? write : read), rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? to : from), -bio, argp, +(long)bio, (long)argp, (argp != NULL ? (BIO dump follows) : (Ops, no memory buffer?))); if (argp != NULL) ssl_io_data_dump(s, argp, rc); } else { ssl_log(s, SSL_LOG_DEBUG, -%s: I/O error, %d bytes expected to %s on BIO#%08X [mem: %08lX], +%s: I/O error, %d bytes expected to %s on BIO#%08lX [mem: %08lX], SSL_LIBRARY_NAME, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? write : read), -bio, argp); +(long)bio, (long)argp); } } return rc; Index: ssl_engine_kernel.c === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v retrieving revision 1.146 diff -u -d -r1.146 ssl_engine_kernel.c --- ssl_engine_kernel.c 27 May 2004 13:13:32 - 1.146 +++ ssl_engine_kernel.c 17 Jul 2004 06:50:10 - @@ -1793,10 +1793,10 @@ * Log this cache operation */ ssl_log(s, SSL_LOG_TRACE, Inter-Process Session Cache: -request=SET status=%s id=%s timeout=%ds (session caching), +request=SET status=%s id=%s timeout=%lds (session caching), rc == TRUE ? OK : BAD, SSL_SESSION_id2sz(pNew-session_id, pNew-session_id_length), -t-time(NULL)); +(long)(t-time(NULL))); /* * return 0 which means to OpenSSL that the pNew is still

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
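Review bot: In the first ssl_engine_io.c hunk (@@ -682,7) the conversion becomes %04lx, but len + trunc is still passed without a cast, unlike the other two hunks, where each added l modifier comes with a (long) cast. The declarations of len and trunc are not in the hunk, so the width cannot be confirmed from here; passing (unsigned long)(len + trunc) would make the call correct regardless of how they are declared.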
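Review bot: In the second ssl_engine_io.c hunk (@@ -704,21), (long)bio and (long)argp convert pointers to a signed integer type to satisfy %08lX, which silently truncates the address on any platform where long is narrower than a pointer, and %lX formally expects unsigned long. A pointer conversion avoids both problems; the follow-up in this thread notes that the 1.3 ap_snprintf already supports one for addresses. The same applies to both ssl_log calls in the hunk.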
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Sat, Jul 17, 2004 at 08:57:09AM +0200, Ralf S. Engelschall wrote:
> Yes, although they are not security related, they could crash the server, too. So we should fix those formatting bugs, too. A little bit of extra casting might be required, I think. I've now committed to my CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback. Please commit a similar patch to mod_ssl for Apache 2.x, please.

Actually it should just use %pp for printing addresses since the 1.3 ap_snprintf does support that (the 2.0 code does this already).

joe
[ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
We've today found an ssl_log() related format string vulnerability in the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was created which fixes this potential security hole.

Get mod_ssl-2.8.19-1.3.31.tar.gz from:
 o http://www.modssl.org/source/
 o ftp://ftp.modssl.org/source/

Yours,
Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
Official Announcement Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
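Added example, not part of the announcement and not mod_ssl code: a small variadic logger in the style of ssl_log() showing the three points this thread turns on, namely untrusted text passed as data rather than as the format, a time_t difference cast to match %ld, and a compiler format check guarded for non-GCC builds. The names demo_log, log_peer_text, log_timeout and log_addr are hypothetical, and the hostile string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Only GCC-compatible compilers understand the format attribute. */
#if defined(__GNUC__)
#define DEMO_PRINTF(f, a) __attribute__((format(printf, f, a)))
#else
#define DEMO_PRINTF(f, a)
#endif

/* demo_log: hypothetical stand-in for a variadic logger like ssl_log(). */
static int demo_log(char *out, size_t n, const char *fmt, ...) DEMO_PRINTF(3, 4);

static int demo_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable shape (deliberately not compiled): demo_log(out, n, peer_text);
 * peer_text would be parsed as the format, so a "%s" or "%n" inside it
 * reads or writes through arguments that were never passed. */
static int log_peer_text(char *out, size_t n, const char *peer_text)
{
    return demo_log(out, n, "proxy: %s", peer_text); /* data, never format */
}

/* time_t has no printf conversion of its own: cast to match %ld. */
static int log_timeout(char *out, size_t n, time_t expiry, time_t now)
{
    return demo_log(out, n, "timeout=%lds", (long)(expiry - now));
}

/* Addresses go through %p with a void * argument, not an integer cast. */
static int log_addr(char *out, size_t n, void *p)
{
    return demo_log(out, n, "mem: %p", p);
}

int main(void)
{
    char buf[64];
    log_peer_text(buf, sizeof buf, "%s%n%x"); /* constructed hostile input */
    puts(buf);
    log_timeout(buf, sizeof buf, (time_t)1300, (time_t)1000);
    puts(buf);
    log_addr(buf, sizeof buf, buf);
    puts(buf);
    return 0;
}
```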
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
I'm checking an older version of mod_ssl but there are a couple of other uninteresting format string warnings from gcc. I think it's portable to assume time_t is a long...

--- ./ssl_engine_io.c.warnings 2002-02-23 18:45:45.0 + +++ ./ssl_engine_io.c 2004-07-16 22:02:32.0 +0100 @@ -680,7 +680,7 @@ } if (trunc 0) ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, -| %04x - SPACES/NULS, len + trunc); +| %04lx - SPACES/NULS, len + trunc); ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, +-+); return; --- ./mod_ssl.h.warnings2004-07-16 21:52:26.0 +0100 +++ ./mod_ssl.h 2004-07-16 21:58:19.0 +0100 @@ -806,7 +806,9 @@ /* Logfile Support */ void ssl_log_open(server_rec *, server_rec *, pool *); BOOL ssl_log_applies(server_rec *, int); -void ssl_log(server_rec *, int, const char *, ...); +void ssl_log(server_rec *, int, const char *, ...) + __attribute__((format(printf,3,4))); + void ssl_die(void); /* Variables */ --- ./ssl_engine_kernel.c.warnings 2004-07-16 21:52:26.0 +0100 +++ ./ssl_engine_kernel.c 2004-07-16 22:00:41.0 +0100 @@ -1807,7 +1807,7 @@ * Log this cache operation */ ssl_log(s, SSL_LOG_TRACE, Inter-Process Session Cache: -request=SET status=%s id=%s timeout=%ds (session caching), +request=SET status=%s id=%s timeout=%lds (session caching), rc == TRUE ? OK : BAD, SSL_SESSION_id2sz(pNew-session_id, pNew-session_id_length), t-time(NULL));
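Review bot: The __attribute__((format(printf,3,4))) added to the ssl_log prototype in the mod_ssl.h hunk (@@ -806,7) is unconditional, so a compiler that does not implement GCC attributes will fail on this header. Hide it behind a macro that expands to nothing unless __GNUC__ is defined; the argument indices 3 and 4 match the prototype shown (format string third, variadic arguments after it).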
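Review bot: In the ssl_engine_kernel.c hunk (@@ -1807,7) the conversion changes to %lds while the argument stays t-time(NULL), so the call is only correct where time_t happens to be a long, which is the assumption stated in the message. Casting the argument, (long)(t-time(NULL)), removes that dependency at the single call site and needs no assertion elsewhere.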