http://issues.apache.org/bugzilla/show_bug.cgi?id=30586 Apache htdbm utility buffer overflows/format strings Summary: Apache htdbm utility buffer overflows/format strings Product: Apache httpd-2.0 Version: 2.0.50 Platform: All OS/Version: All Status: NEW Severity: Normal Priority: Other Component: support AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] (Initially reported as SITIC Vulnerability Advisory SA04-004, redefined as bug after discussion with ASF httpd security team) Apache's htdbm utility suffers from various buffer overflows and potential format string bugs when listing or verifying database contents. This could be an issue when several system administrators handle the same Apache installation. Administrator A could store malicious data in a database and Administrator B could list or verify that database, causing actions to be carried out in Administrator B's name. This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT Incident Centre. The included patch is our attempt at correcting this issue: --- support/htdbm.c 2004-03-30 01:07:46.000000000 +0200 +++ support/htdbm.c.ulf 2004-08-02 13:14:52.000000000 +0200 @@ -225,6 +225,8 @@ if (apr_dbm_fetch(htdbm->dbm, key, &val) != APR_SUCCESS) return APR_ENOENT; rec = apr_pstrndup(htdbm->pool, val.dptr, val.dsize); + if (strlen(rec) > MAX_STRING_LEN) + return APR_EINVAL; /* buffer overflow */ cmnt = strchr(rec, ';'); if (cmnt) strncpy(pwd, rec, cmnt - rec); @@ -240,6 +242,7 @@ char *rec, *cmnt; char kb[MAX_STRING_LEN]; int i = 0; + unsigned int copylen; rv = apr_dbm_firstkey(htdbm->dbm, &key); if (rv != APR_SUCCESS) { 
@@ -256,14 +259,20 @@ fprintf(stderr, "Failed getting data from %s\n", htdbm->filename); return APR_EGENERAL; } - strncpy(kb, key.dptr, key.dsize); - kb[key.dsize] = '\0'; + copylen = (key.dsize > sizeof(kb)) ? + sizeof(kb) : + key.dsize; + strncpy(kb, key.dptr, copylen); + kb[copylen] = '\0'; fprintf(stderr, " %-32s", kb); - strncpy(rec, val.dptr, val.dsize); - rec[val.dsize] = '\0'; + copylen = (val.dsize > HUGE_STRING_LEN) ? + HUGE_STRING_LEN : + val.dsize; + strncpy(rec, val.dptr, copylen); + rec[copylen] = '\0'; cmnt = strchr(rec, ':'); if (cmnt) - fprintf(stderr, cmnt + 1); + fprintf(stderr, "%s", cmnt + 1); fprintf(stderr, "\n"); rv = apr_dbm_nextkey(htdbm->dbm, &key); if (rv != APR_SUCCESS) --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
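Review bot: in the first hunk (`@@ -225,6 +225,8 @@`) the new length check rejects only records longer than MAX_STRING_LEN, so a record of exactly MAX_STRING_LEN bytes still reaches `strncpy(pwd, rec, cmnt - rec);` and the terminator that follows it; whether that fits depends on the size of `pwd`, which the hunk does not show, so if `pwd` is `char pwd[MAX_STRING_LEN]` the bound should be `>=` (or better, derive the limit from `sizeof(pwd)` so the two cannot drift apart). The rejection is also silent: returning APR_EINVAL with only a `/* buffer overflow */` comment gives the administrator no indication that an over-long record was skipped rather than simply not found, so a diagnostic on stderr, matching the style of the "Failed getting data" message in the third hunk, would help.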
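Review bot: in the second hunk (`@@ -240,6 +242,7 @@`) `copylen` is declared as `unsigned int`, but it is assigned from `key.dsize` and `val.dsize`, which are `apr_size_t`, and compared against `sizeof(kb)`; declaring it as `apr_size_t copylen;` avoids an implicit narrowing conversion on platforms where the two types differ in width.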
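Review bot: the third hunk (`@@ -256,14 +259,20 @@`) still contains an off-by-one write. `kb` is `char kb[MAX_STRING_LEN]`, and when `key.dsize >= sizeof(kb)` the new code sets `copylen = sizeof(kb)` and then executes `kb[copylen] = '\0';`, which stores the terminator one byte past the end of the array; the cap must be `sizeof(kb) - 1`. The same pattern applies to `rec`: it is capped at HUGE_STRING_LEN and then terminated with `rec[copylen] = '\0';`, so unless `rec` is allocated with at least HUGE_STRING_LEN + 1 bytes (its allocation is outside this hunk) the limit should be `HUGE_STRING_LEN - 1`, and ideally expressed in terms of the actual allocation size rather than a separate constant. Both copies also truncate silently, so a warning when `copylen` is less than the original `dsize` would tell the administrator that the listing is incomplete. The change from `fprintf(stderr, cmnt + 1);` to `fprintf(stderr, "%s", cmnt + 1);` is the right fix for the format string issue.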
