http://issues.apache.org/bugzilla/show_bug.cgi?id=44073

           Summary: SSL client certificate extensions parsing bug
           Product: Apache httpd-2
           Version: 2.0.61
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

The following code in httpd-2.2.6/modules/ssl/ssl_expr_eval.c assumes a
nul-terminated string, which it isn't (always):

    apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr)
    {
    <snip>
            BIO *bio = BIO_new(BIO_s_mem());

            if (X509V3_EXT_print(bio, ext, 0, 0) == 1) {
                BUF_MEM *buf;
                char **new = apr_array_push(val_array);

                BIO_get_mem_ptr(bio, &buf);

                *new = apr_pstrdup(r->pool, buf->data);
            }
    <snip>
        if (val_array->nelts == 0)
            return NULL;
        else
            return val_array;
    }

Neither X509V3_EXT_print() nor BIO_get_mem_ptr() nul-terminates the BIO
buffer, so 'buf->data' should be used within the limit of 'buf->length',
that is:

    *new = apr_pstrndup(r->pool, buf->data, buf->length);

When SSLRequire is used with OIDs, the server can crash (exploitable?), or the
certificate extensions requirements can be bypassed since the value may contain
arbitrary trailing data.
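
The difference between the two copies described in the report, shown as an added example that is not part of the original bug report or of httpd. struct mem_buf is a hypothetical stand-in for OpenSSL's BUF_MEM, the malloc-based helpers stand in for apr_pstrdup()/apr_pstrndup(), and the sample buffer is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for BUF_MEM: 'length' valid bytes in a larger allocation. */
struct mem_buf { size_t length; char *data; size_t max; };

/* Copy that trusts a terminator, like apr_pstrdup(pool, buf->data). */
static char *dup_unbounded(const struct mem_buf *b) {
    size_t n = strlen(b->data);           /* ignores b->length entirely */
    char *s = malloc(n + 1);
    if (s) memcpy(s, b->data, n + 1);
    return s;
}

/* Copy bounded by the recorded length, like apr_pstrndup(pool, data, length). */
static char *dup_bounded(const struct mem_buf *b) {
    char *s = malloc(b->length + 1);
    if (!s) return NULL;
    memcpy(s, b->data, b->length);
    s[b->length] = '\0';                  /* terminator added by the copy */
    return s;
}

/* Constructed sample: 5 valid bytes "admin" written over stale content.
 * The NUL left at storage[12] only keeps the unbounded copy well-defined
 * in this demo; a real memory BIO gives no such guarantee. */
static struct mem_buf make_sample(void) {
    static char storage[16];
    memcpy(storage, "0123456789ab", 13);  /* earlier, longer content */
    memcpy(storage, "admin", 5);          /* new value, no terminator written */
    struct mem_buf b = { 5, storage, sizeof storage };
    return b;
}

/* Exact-match check of an extension value, as a requirement rule would do. */
static int value_matches(const char *value, const char *required) {
    return strcmp(value, required) == 0;
}

int main(void) {
    struct mem_buf b = make_sample();
    char *u = dup_unbounded(&b), *n = dup_bounded(&b);
    if (!u || !n) return 1;
    printf("unbounded: \"%s\" matches=%d\n", u, value_matches(u, "admin"));
    printf("bounded:   \"%s\" matches=%d\n", n, value_matches(n, "admin"));
    free(u); free(n);
    return 0;
}
```
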
