From: Mark J. Cox Date: Thu, 27 Jul 2006 17:03:34 +0000 (+0000) Subject: SECURITY: CVE-2006-3747 (cve.mitre.org) X-Git-Tag: 2.3.0~2199 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=862dd4e3e7a3391afd6fe392e4ab568d73b9c873;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2006-3747 (cve.mitre.org) mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee. Ack: trawick, lars, jorton, wrowe, benl git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@426138 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f771b806362..5cc374d3a79 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,12 @@ Changes with Apache 2.3.0 [Remove entries to the current 2.0 and 2.2 section below, when backported] + *) SECURITY: CVE-2006-3747 (cve.mitre.org) + mod_rewrite: Fix an off-by-one security problem in the ldap scheme + handling. For some RewriteRules this could lead to a pointer being + written out of bounds. Reported by Mark Dowd of McAfee. + [Mark Cox] + *) mod_cache: While serving a cached entity ensure that filters that have been applied to this cached entity before saving it to the cache are not applied again. PR 40090. [Ruediger Pluem] diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 6c9433b0ab4..ca700cce332 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -670,7 +670,7 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme) int c = 0; token[0] = cp = apr_pstrdup(p, cp); - while (*cp && c < 5) { + while (*cp && c < 4) { if (*cp == '?') { token[++c] = cp + 1; *cp = '\0';
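Review bot: In the escape_absolute_uri hunk of modules/mappers/mod_rewrite.c, the new bound in `while (*cp && c < 4)` is a bare literal whose correctness depends on the size of `token`, which is declared outside the visible lines. The store is `token[++c] = cp + 1`, so the index is incremented before the write: with `c < 4` the highest slot written is token[4], where the old `c < 5` allowed token[5]. That is safe only as long as `token` keeps at least five elements. Suggest deriving the bound from the element count of `token` (count minus one, because of the pre-increment), or at minimum adding a comment beside the loop stating that relationship, so a later change to the array or the loop does not reintroduce the off-by-one. The patch touches only CHANGES and mod_rewrite.c; a regression test that runs an ldap-scheme rewrite target with several '?' separators through this function would help keep the bound from drifting.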