Commit 5b03afca authored Sep 30, 2012 by Jim Jagielski

Merge r1198940 from trunk:

Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Submitted by: sf
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1392042 13f79535-47bb-0310-9956-ffa450edef68

parent f0e08528

CHANGES

+4 −0

Original line number	Diff line number	Diff line
		-- coding: utf-8 --
		Changes with Apache 2.0.65

		*) SECURITY: CVE-2011-3607 (cve.mitre.org)
		core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
		with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

		*) SECURITY: CVE-2011-3368 (cve.mitre.org)
		Reject requests where the request-URI does not match the HTTP
		specification, preventing unexpected expansion of target URLs in

STATUS

+0 −7

Original line number	Diff line number	Diff line
		@@ -128,13 +128,6 @@ RELEASE SHOWSTOPPERS:
		I checked proxy_http and could not find a code path to fix.
		More eyes welcome.

		*) SECURITY: CVE-2011-3607 (cve.mitre.org)
		Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
		is enabled, could allow local users to gain privileges via a .htaccess
		file. [Stefan Fritsch, Greg Ames]
		From 2.2.x; http://svn.apache.org/viewvc?view=revision&revision=1227280
		+1: gregames, wrowe, trawick

		*) SECURITY: CVE-2011-4317 (cve.mitre.org)
		Resolve additional cases of URL rewriting with ProxyPassMatch or
		RewriteRule, where particular request-URIs could result in undesired

server/util.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -410,6 +410,8 @@ AP_DECLARE(char ) ap_pregsub(apr_pool_t p, const char *input,
		len++;
		}
		else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
		if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
		return APR_ENOMEM;
		len += pmatch[no].rm_eo - pmatch[no].rm_so;
		}