jerenkrantz 2003/05/27 21:39:42
Modified: . CHANGES
test teststr.c
memory/unix apr_pools.c
Log:
Fixed a bug that could be triggered remotely through mod_dav and possibly
other mechanisms, causing an Apache child process to crash. The crash was first
reported by David Endler <[EMAIL PROTECTED]> and was researched and fixed by
Joe Orton <[EMAIL PROTECTED]>. Details will be released on 30 May 2003.
CVE: CAN-2003-0245
Reported by: David Endler <[EMAIL PROTECTED]>
Submitted by: Joe Orton <[EMAIL PROTECTED]>
Reviewed by: Justin, Jim, Jeff
Revision Changes Path
1.409 +6 -2 apr/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apr/CHANGES,v
retrieving revision 1.408
retrieving revision 1.409
diff -u -u -r1.408 -r1.409
--- CHANGES 24 May 2003 10:30:40 -0000 1.408
+++ CHANGES 28 May 2003 04:39:41 -0000 1.409
@@ -1,7 +1,11 @@
Changes with APR 0.9.4
- *) Added flag APR_FILE_ATTR_HIDDEN for manipulating the "hidden"
- file attribute on Windows and OS/2. [Branko Cibej]
+ *) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
+ remotely through mod_dav and possibly other mechanisms, causing
+ an Apache child process to crash. The crash was first reported
+ by David Endler <[EMAIL PROTECTED]> and was researched and
+ fixed by Joe Orton <[EMAIL PROTECTED]>. Details will be released
+ on 30 May 2003.
*) apr_proc_wait(): Handle interrupted waitpid(2) calls by calling
it repeatedly until it succeeds or fails with errno other than
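Review bot: the two `-` lines in this hunk delete the unrelated "Added flag APR_FILE_ATTR_HIDDEN ... [Branko Cibej]" entry rather than just inserting the new SECURITY entry above it; the hunk count (+6 -2) confirms that a feature entry is lost from CHANGES for APR 0.9.4. If that entry was moved or is a duplicate, say so in the log message; otherwise restore it so the security note is a pure addition.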
1.16 +12 -0 apr/test/teststr.c
Index: teststr.c
===================================================================
RCS file: /home/cvs/apr/test/teststr.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -u -r1.15 -r1.16
--- teststr.c 16 Apr 2003 01:26:14 -0000 1.15
+++ teststr.c 28 May 2003 04:39:42 -0000 1.16
@@ -195,6 +195,17 @@
CuAssertStrEquals(tc, "The timeout specified has expired", buf);
}
+#define SIZE 180000
+static void string_long(CuTest *tc)
+{
+ char s[SIZE + 1];
+
+ memset(s, 'A', SIZE);
+ s[SIZE] = '\0';
+
+ apr_psprintf(p, "%s", s);
+}
+
CuSuite *teststr(void)
{
CuSuite *suite = CuSuiteNew("Strings");
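Review bot: `char s[SIZE + 1]` with `SIZE` at 180000 puts roughly 176 KB on the stack inside a test function, which can overflow the stack on platforms or threaded test runners with small default stack sizes and would then mask the very crash this regression test is meant to catch; allocate the buffer from the pool instead (`char *s = apr_palloc(p, SIZE + 1);`) or make it `static`. The test also discards the return value of `apr_psprintf(p, "%s", s);`, so it only checks for the absence of a crash; capturing the result and adding `CuAssertIntEquals(tc, SIZE, strlen(result));` would additionally verify that the long string was formatted intact.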
@@ -205,6 +216,7 @@
SUITE_ADD_TEST(suite, snprintf_int64);
SUITE_ADD_TEST(suite, test_strtok);
SUITE_ADD_TEST(suite, string_error);
+ SUITE_ADD_TEST(suite, string_long);
return suite;
}
1.196 +1 -1 apr/memory/unix/apr_pools.c
Index: apr_pools.c
===================================================================
RCS file: /home/cvs/apr/memory/unix/apr_pools.c,v
retrieving revision 1.195
retrieving revision 1.196
diff -u -u -r1.195 -r1.196
--- apr_pools.c 7 Mar 2003 12:12:43 -0000 1.195
+++ apr_pools.c 28 May 2003 04:39:42 -0000 1.196
@@ -976,7 +976,7 @@
if (ps->got_a_new_node) {
active->next = ps->free;
- ps->free = node;
+ ps->free = active;
}
ps->got_a_new_node = 1;
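Review bot: the one-line change is correct but deserves a comment explaining it, since the surrounding code gives no hint of the original mistake. The line above, `active->next = ps->free;`, links the exhausted `active` node into the free list, so the old `ps->free = node;` made the list head point at a different node (the one just obtained and still in use) while `active` itself was never reachable from `ps->free`; handing an in-use node back to the free list is exactly the kind of memory reuse that produces a remotely triggerable crash. Suggest a comment such as `/* push the exhausted active node, not the new one, onto the free list */` above `ps->free = active;` and a reference in the log to the `string_long` regression test that exercises this path.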