From: Mark J. Cox Date: Thu, 27 Jul 2006 17:05:41 +0000 (+0000) Subject: SECURITY: CVE-2006-3747 (cve.mitre.org) X-Git-Tag: 2.2.3~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d0be9d9520437aa516090d625713319a533a30b;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2006-3747 (cve.mitre.org) mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being written out of bounds. Reported by Mark Dowd of McAfee. Ack: trawick, lars, jorton, wrowe, benl git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@426141 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 1e13aaecf72..9ea66a88dfd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.3 + *) SECURITY: CVE-2006-3747 (cve.mitre.org) + mod_rewrite: Fix an off-by-one security problem in the ldap scheme + handling. For some RewriteRules this could lead to a pointer being + written out of bounds. Reported by Mark Dowd of McAfee. + [Mark Cox] + *) mod_authn_alias: Add a check to make sure that the base provider and the alias names are different and also that the alias has not been registered before. PR 40051. [Brad Nicholes] diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index aa54ffba9ab..58f348a6223 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -667,7 +667,7 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme) int c = 0; token[0] = cp = apr_pstrdup(p, cp); - while (*cp && c < 5) { + while (*cp && c < 4) { if (*cp == '?') { token[++c] = cp + 1; *cp = '\0';
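Review bot: In the mod_rewrite.c hunk, the new limit in `while (*cp && c < 4)` is a bare literal, and nothing next to the loop records why it has to be one lower than before. Because `token[++c] = cp + 1;` increments before it stores, the highest index written equals the limit in the loop condition, not the limit minus one: with `c < 5` the store could reach `token[5]`, with `c < 4` it stops at `token[4]`. The declaration of `token` is outside the hunk context, so the literal cannot be checked against the array size from this diff alone. If `token` is a local array, suggest tying the bound to it, for example `c < (int)(sizeof(token) / sizeof(token[0])) - 1`, or at minimum adding a comment at the loop noting that the pre-increment makes the condition's limit the last index used. That keeps a later change to the array size or to the loop from reintroducing the out-of-bounds pointer write described in the commit message.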