http://issues.apache.org/bugzilla/show_bug.cgi?id=30585

Apache mod_ssl CRL format string bug

           Summary: Apache mod_ssl CRL format string bug
           Product: Apache httpd-2.0
           Version: 2.0.50
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

(Initially reported as SITIC Vulnerability Advisory SA04-001, redefined as a bug after discussion with the ASF httpd security team.)

Apache's mod_ssl module suffers from a format string bug when logging information about CRLs. If an administrator installs a malicious CRL file, this bug can lead to the execution of arbitrary code.

The function ssl_callback_SSLVerify_CRL() in modules/ssl/ssl_engine_kernel.c calls ap_log_error() with data from the CRL as the format string instead of using the data as parameters, leading to a security breach.

This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT Incident Centre.

The included patch "issue1.patch" is our attempt at correcting this issue:

--- modules/ssl/ssl_engine_kernel.c	2004-06-07 12:18:37.000000000 +0200
+++ modules/ssl/ssl_engine_kernel.c.ulf	2004-08-02 12:49:18.000000000 +0200
@@ -1372,7 +1372,7 @@
 BIO_free(bio);
-ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, buff);
+ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff);
 }
 /*
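Review bot: the one-line change is the correct fix for the hunk shown: `buff` is filled from the CRL (the `BIO_free(bio)` context line shows it was read out of a BIO) and with `"%s"` it now travels as an argument to a constant format instead of being interpreted as the format itself, so `%` sequences in the CRL contents can no longer drive `ap_log_error()`'s argument parsing. Two follow-ups belong with this patch: audit the remaining `ap_log_error()`/`ap_log_rerror()` calls in `ssl_engine_kernel.c` for the same non-literal-format pattern, since a single patched call site says nothing about its siblings, and build the module with `-Wformat-security` (or a printf-style format attribute on the logging declaration) so that a format that is neither a string literal nor followed by arguments is flagged at compile time rather than found by hand.

The pre- and post-patch call shapes side by side, as an added C example that is not part of the bug report or of httpd. `fake_log()` is a constructed stand-in for `ap_log_error()` that writes to a buffer instead of the error log; `SAMPLE_CRL_TEXT` is a constructed issuer string, and the `PRINTF_LIKE` macro and `count_format_directives()` helper are additions for illustration. The sample deliberately contains only `%%`, the one directive that is well defined with no arguments, so the "unsafe" path can be run and observed without undefined behaviour; the point is that the two paths produce different output, which proves the string was interpreted as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of text that, in mod_ssl, would come out of the CRL
 * (issuer name, serial, dates). Real CRL contents are attacker-supplied
 * if an administrator can be induced to install a crafted CRL file. */
static const char SAMPLE_CRL_TEXT[] = "CN=Example CA, O=100%% Trusted";

#define LOG_SIZE 256
static char g_log_line[LOG_SIZE];

/* Assumption: gcc/clang style format attribute. With it, -Wformat-security
 * warns on a call whose format is not a string literal and has no arguments,
 * which is exactly the pre-patch call shape. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Stand-in for ap_log_error(): formats into g_log_line instead of the log. */
static void PRINTF_LIKE(1, 2) fake_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_log_line, LOG_SIZE, fmt, ap);
    va_end(ap);
}

/* Pre-patch shape: CRL-derived text is the format string. Every '%' in it
 * is parsed as a directive; "%%" collapses to "%" and anything that expects
 * an argument would read (or, for %n, write) through missing arguments. */
static const char *log_crl_unsafe(const char *crl_text)
{
    fake_log(crl_text);
    return g_log_line;
}

/* Patched shape: constant format, CRL text passed as data. Output is the
 * input verbatim, whatever characters it contains. */
static const char *log_crl_safe(const char *crl_text)
{
    fake_log("%s", crl_text);
    return g_log_line;
}

/* Defender-side check: number of '%' characters in text about to be logged.
 * A non-zero count reaching a call that uses the text as its format is the
 * bug class this patch fixes. */
static int count_format_directives(const char *text)
{
    int n = 0;
    for (; *text; text++)
        if (*text == '%')
            n++;
    return n;
}

int main(void)
{
    printf("directives in sample: %d\n", count_format_directives(SAMPLE_CRL_TEXT));
    printf("unsafe (as format):   %s\n", log_crl_unsafe(SAMPLE_CRL_TEXT));
    printf("safe   (as argument): %s\n", log_crl_safe(SAMPLE_CRL_TEXT));
    return 0;
}
```

Compiled with `-Wformat-security`, the `fake_log(crl_text)` line inside `log_crl_unsafe()` is reported as a non-literal format with no arguments, the same signal that would have caught the original `ap_log_error(..., buff)` call had the logging function carried the attribute.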
