Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Tue, Jul 20, 2004 at 06:19:13PM +0200, Juergen Weigert wrote: On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote: On Fri, Jul 16, 2004, Joe Orton wrote: [...] I think it's portable to assume time_t is a long... [...] I'd appreciate assert(sizof(time_t) == sizeof(long)); near that. Casting the value to a long would be better than a runtime assertion if you're worried about it, there's only one place it happens. joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
I would prefer either:
#if ...
#error ...
#endif
or
if( ... ) {
log some easy to understand error
exit(1)
}
--- Juergen Weigert [EMAIL PROTECTED] wrote:
On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall
wrote:
On Fri, Jul 16, 2004, Joe Orton wrote:
[...] I think it's portable to assume time_t is
a long...
[...]
I'd appreciate
assert(sizof(time_t) == sizeof(long));
near that.
I could not find any glibc supported architecture,
where
that would not hould.
cheers,
Jw.
--
o \ Juergen Weigert paint it green!__/
_===.===_
V | [EMAIL PROTECTED] linux software/
_---|\/
\ | 0911 74053-508 creator __/ (/
/\
(/) | _/ _/ \_
vim:set sw=2 wm=8
__
Apache Interface to OpenSSL (mod_ssl)
www.modssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Fri, Jul 16, 2004, Joe Orton wrote:
I'm checking an older version of mod_ssl but there are a couple of other
uninteresting format string warnings from gcc. I think it's portable to
assume time_t is a long...
[...]
Yes, although they are not security related, they could crash the
server, too. So we should fix those formatting bugs, too. A little bit
of extra casting might be required, I think. I've now committed to my
CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
Please commit a similar patch to mod_ssl for Apache 2.x, please.
Index: ssl_engine_io.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.36
diff -u -d -r1.36 ssl_engine_io.c
--- ssl_engine_io.c 11 May 2004 18:44:15 - 1.36
+++ ssl_engine_io.c 17 Jul 2004 06:52:22 -
@@ -682,7 +682,7 @@
}
if (trunc 0)
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
-| %04x - SPACES/NULS, len + trunc);
+| %04lx - SPACES/NULS, len + trunc);
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
+-+);
return;
@@ -704,21 +704,21 @@
|| cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
if (rc = 0) {
ssl_log(s, SSL_LOG_DEBUG,
-%s: %s %ld/%d bytes %s BIO#%08X [mem: %08lX] %s,
+%s: %s %ld/%d bytes %s BIO#%08lX [mem: %08lX] %s,
SSL_LIBRARY_NAME,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? write : read),
rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? to : from),
-bio, argp,
+(long)bio, (long)argp,
(argp != NULL ? (BIO dump follows) : (Ops, no memory
buffer?)));
if (argp != NULL)
ssl_io_data_dump(s, argp, rc);
}
else {
ssl_log(s, SSL_LOG_DEBUG,
-%s: I/O error, %d bytes expected to %s on BIO#%08X [mem: %08lX],
+%s: I/O error, %d bytes expected to %s on BIO#%08lX [mem:
%08lX],
SSL_LIBRARY_NAME, argi,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? write : read),
-bio, argp);
+(long)bio, (long)argp);
}
}
return rc;
Index: ssl_engine_kernel.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.146
diff -u -d -r1.146 ssl_engine_kernel.c
--- ssl_engine_kernel.c 27 May 2004 13:13:32 - 1.146
+++ ssl_engine_kernel.c 17 Jul 2004 06:50:10 -
@@ -1793,10 +1793,10 @@
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, Inter-Process Session Cache:
-request=SET status=%s id=%s timeout=%ds (session caching),
+request=SET status=%s id=%s timeout=%lds (session caching),
rc == TRUE ? OK : BAD,
SSL_SESSION_id2sz(pNew-session_id, pNew-session_id_length),
-t-time(NULL));
+(long)(t-time(NULL)));
/*
* return 0 which means to OpenSSL that the pNew is still
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
On Sat, Jul 17, 2004 at 08:57:09AM +0200, Ralf S. Engelschall wrote: Yes, although they are not security related, they could crash the server, too. So we should fix those formatting bugs, too. A little bit of extra casting might be required, I think. I've now committed to my CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback. Please commit a similar patch to mod_ssl for Apache 2.x, please. Actually it should just use %pp for printing addresses since the 1.3 ap_snprintf does support that (the 2.0 code does this already). joe __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
We've today found an ssl_log() related format string vulnerability in the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was created which fixes this potential security hole. Get mod_ssl-2.8.19-1.3.31.tar.gz from: o http://www.modssl.org/source/ o ftp://ftp.modssl.org/source/ Yours, Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org Official Announcement Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
I'm checking an older version of mod_ssl but there are a couple of other uninteresting format string warnings from gcc. I think it's portable to assume time_t is a long... --- ./ssl_engine_io.c.warnings 2002-02-23 18:45:45.0 + +++ ./ssl_engine_io.c 2004-07-16 22:02:32.0 +0100 @@ -680,7 +680,7 @@ } if (trunc 0) ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, -| %04x - SPACES/NULS, len + trunc); +| %04lx - SPACES/NULS, len + trunc); ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID, +-+); return; --- ./mod_ssl.h.warnings2004-07-16 21:52:26.0 +0100 +++ ./mod_ssl.h 2004-07-16 21:58:19.0 +0100 @@ -806,7 +806,9 @@ /* Logfile Support */ void ssl_log_open(server_rec *, server_rec *, pool *); BOOL ssl_log_applies(server_rec *, int); -void ssl_log(server_rec *, int, const char *, ...); +void ssl_log(server_rec *, int, const char *, ...) + __attribute__((format(printf,3,4))); + void ssl_die(void); /* Variables */ --- ./ssl_engine_kernel.c.warnings 2004-07-16 21:52:26.0 +0100 +++ ./ssl_engine_kernel.c 2004-07-16 22:00:41.0 +0100 @@ -1807,7 +1807,7 @@ * Log this cache operation */ ssl_log(s, SSL_LOG_TRACE, Inter-Process Session Cache: -request=SET status=%s id=%s timeout=%ds (session caching), +request=SET status=%s id=%s timeout=%lds (session caching), rc == TRUE ? OK : BAD, SSL_SESSION_id2sz(pNew-session_id, pNew-session_id_length), t-time(NULL)); __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
