Commit d265c519 authored by Stefan Fritsch

Fix integer overflow in ap_pregsub. This can be triggered e.g.
with mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1198940 13f79535-47bb-0310-9956-ffa450edef68
parent 845d5ca0
+4 −0
@@ -12,6 +12,10 @@ Changes with Apache 2.3.15
     PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
     <lowprio20 gmail.com>]

  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
     core: Fix integer overflow in ap_pregsub. This can be triggered e.g.
     with mod_setenvif via a malicious .htaccess. [Stefan Fritsch]

  *) mod_lua: Prevent early Lua hooks (LuaHookTranslateName and 
     LuaHookQuickHandler) from being configured in <Directory>, <Files>, 
     and htaccess where the configuration would have been ignored.
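Review bot: The `SECURITY: CVE-2011-3607` entry names the trigger (mod_setenvif via .htaccess) but not the behaviour change that comes with the fix: regsub_core now returns APR_ENOMEM when the computed substitution length would overflow. Adding a short clause to that effect would let someone reading CHANGES connect a substitution that newly fails with this change.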
+2 −0
@@ -411,6 +411,8 @@ static apr_status_t regsub_core(apr_pool_t *p, char **result,
            len++;
        }
        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so)
                return APR_ENOMEM;
            len += pmatch[no].rm_eo - pmatch[no].rm_so;
        }
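Review bot: The new guard covers only the back-reference branch; the `len++` branch directly above it still increments `len` unchecked, so once back-references have brought `len` close to APR_SIZE_MAX the total can still wrap there. Either apply the same test before `len++` or validate the final length once after the loop. The check also only rejects totals that would reach APR_SIZE_MAX, so any smaller length passes; an explicit maximum result length would be a tighter bound than the limit of the size type. A one-line comment on why the comparison is `<=` rather than `<` (presumably to leave room for a terminating NUL, which is not visible in this hunk) would help the next reader.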