From: Eric Covener Date: Mon, 19 Jun 2017 17:04:13 +0000 (+0000) Subject: SECURITY: CVE-2017-7679 (cve.mitre.org) X-Git-Tag: 2.2.33~4 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=9016722b3e8d6eb0f85270c7f5ed21012cc2c9ea;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2017-7679 (cve.mitre.org) mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Merge r1797550 from trunk: mod_mime: fix quoted pair scanning Submitted By: ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1799235 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index b77503c31cd..43795251174 100644 --- a/CHANGES +++ b/CHANGES @@ -18,6 +18,10 @@ Changes with Apache 2.2.33 authentication phase may lead to authentication requirements being bypassed. [Emmanuel Dreyfus , Jacob Champion, Eric Covener] + + *) SECURITY: CVE-2017-7679 (cve.mitre.org) + mod_mime can read one byte past the end of a buffer when sending a + malicious Content-Type response header. [Yann Ylavic] *) Fix HttpProtocolOptions to inherit from global to VirtualHost scope. [Joe Orton] diff --git a/STATUS b/STATUS index 095be39d233..5e029fec4f2 100644 --- a/STATUS +++ b/STATUS @@ -104,11 +104,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_mime: Fix scanning of quoted-pairs. - trunk patch: http://svn.apache.org/r1797550 - 2.4.x patch: svn merge -c 1797550 ^/httpd/httpd/trunk . - +1: covener, ylavic, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c index eed6ebd9b93..f3c643c0b82 100644 --- a/modules/http/mod_mime.c +++ b/modules/http/mod_mime.c 
@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s) int res = -1; int c; - if (((s + 1) != NULL) && (*s == '\\')) { + if (*s == '\\') { c = (int) *(s + 1); - if (apr_isascii(c)) { + if (c && apr_isascii(c)) { res = 1; } }
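Review bot: The new CHANGES entry names the CVE and the flaw but not the fix, unlike the neighbouring entry ("Fix HttpProtocolOptions to inherit from global to VirtualHost scope"), so a reader of the 2.2.33 changelog cannot tell from it what was changed in mod_mime. Suggest adding the wording the commit message already uses, "mod_mime: fix quoted pair scanning", together with the trunk revision r1797550, so the entry can be matched to the merged change.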
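Review bot: In the modules/http/mod_mime.c hunk, the new `c &&` test in is_quoted_pair() has no comment even though it is the whole fix. Without it, a backslash that is the last character before the terminating NUL is reported as a quoted pair (res = 1), because NUL passes apr_isascii(). Suggest a one-line comment above `if (c && apr_isascii(c)) {` saying that the string terminator must not count as the second character of a pair, plus a regression test for a value that ends in a lone backslash. The removed `(s + 1) != NULL` comparison never tested s itself, so the function still relies on callers passing a non-NULL s; that precondition is worth stating in the function's comment.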