
Mailing List Archive: Apache: Dev

Re: svn commit: r826506 - /httpd/httpd/trunk/support/htdigest.c

 

 



rpluem at apache

Oct 18, 2009, 1:13 PM

Re: svn commit: r826506 - /httpd/httpd/trunk/support/htdigest.c

On 10/18/2009 09:35 PM, sf[at]apache.org wrote:
> Author: sf
> Date: Sun Oct 18 19:35:42 2009
> New Revision: 826506
>
> URL: http://svn.apache.org/viewvc?rev=826506&view=rev
> Log:
> htdigest: Fix possible overflow in command line processing. htdigest is not
> supposed to be suid safe, therefore not treated as a security issue.
>
> CVE-2005-1344
> Submitted by: Adam Conrad
> Reviewed by: Stefan Fritsch
>
> Modified:
> httpd/httpd/trunk/support/htdigest.c
>
> Modified: httpd/httpd/trunk/support/htdigest.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htdigest.c?rev=826506&r1=826505&r2=826506&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/support/htdigest.c (original)
> +++ httpd/httpd/trunk/support/htdigest.c Sun Oct 18 19:35:42 2009
> @@ -222,9 +222,11 @@
> apr_strerror(rv, errmsg, sizeof errmsg));
> exit(1);
> }
> + apr_cpystrn(user, argv[4], sizeof(user));
> + apr_cpystrn(realm, argv[3], sizeof(realm));
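Review bot: apr_cpystrn() truncates silently, so in the two added lines an argv[4] longer than sizeof(user) - 1 bytes, or an argv[3] longer than sizeof(realm) - 1 bytes, is cut short and processing continues with a user or realm other than the one given on the command line. Compare strlen(argv[4]) and strlen(argv[3]) against the buffer sizes before copying and exit with an error on over-long input, instead of accepting the truncated value.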

Don't we still have an overflow? If argv[3] and argv[4] are of size MAX_STRING_LEN (which
is sizeof(user) and sizeof(realm)) we still have a

sprintf(string, "%s:%s:%s", user, realm, pw);

in line 147 with string, user, realm and pw all of size MAX_STRING_LEN.
I guess string should be char[3 * MAX_STRING_LEN] instead of char[MAX_STRING_LEN].

Regards

Rüdiger


sf at sfritsch

Oct 18, 2009, 1:40 PM

Re: svn commit: r826506 - /httpd/httpd/trunk/support/htdigest.c [In reply to]

On Sunday 18 October 2009, Ruediger Pluem wrote:
> Don't we still have an overflow? If argv[3] and argv[4] are of size
> MAX_STRING_LEN (which is sizeof(user) and sizeof(realm)) we still
> have a
>
> sprintf(string, "%s:%s:%s", user, realm, pw);
>
> in line 147 with string, user, realm and pw all of size
> MAX_STRING_LEN. I guess string should be char[3 * MAX_STRING_LEN]
> instead of char[MAX_STRING_LEN].
>
Good catch. Fixed in r826520.
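The buffer arithmetic discussed in this thread, as an added example that is not part of the thread or of htdigest.c: it fills three MAX_STRING_LEN fields to capacity and joins them with a bounded snprintf, showing that char[MAX_STRING_LEN] is too small and char[3 * MAX_STRING_LEN] fits exactly. The value 256 for MAX_STRING_LEN and the helper names copy_arg, join_fields and demo are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256  /* assumed value for this example */

/* Worst case for "user:realm:pw" with each field in a char[MAX_STRING_LEN]:
 * three payloads of MAX_STRING_LEN - 1 bytes, two colons, one NUL. */
static size_t worst_case_len(void) { return 3 * (MAX_STRING_LEN - 1) + 2 + 1; }

/* Hypothetical helper: copy an argument into a fixed buffer and report
 * failure when it does not fit, rather than truncating silently. */
static int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded form of sprintf(string, "%s:%s:%s", user, realm, pw).
 * Returns 0 on success, -1 if the result would not fit in out. */
static int join_fields(char *out, size_t outsz,
                       const char *user, const char *realm, const char *pw)
{
    int n = snprintf(out, outsz, "%s:%s:%s", user, realm, pw);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Constructed input: all three fields filled to capacity (outsz <= sizeof out). */
static int demo(size_t outsz)
{
    char user[MAX_STRING_LEN], realm[MAX_STRING_LEN], pw[MAX_STRING_LEN];
    char out[3 * MAX_STRING_LEN];
    memset(user, 'u', sizeof user - 1);   user[sizeof user - 1] = '\0';
    memset(realm, 'r', sizeof realm - 1); realm[sizeof realm - 1] = '\0';
    memset(pw, 'p', sizeof pw - 1);       pw[sizeof pw - 1] = '\0';
    return join_fields(out, outsz, user, realm, pw);
}

int main(void)
{
    char b[4];
    printf("worst case: %zu bytes\n", worst_case_len());
    printf("char[MAX_STRING_LEN]: %d\n", demo(MAX_STRING_LEN));
    printf("char[3 * MAX_STRING_LEN]: %d\n", demo(3 * MAX_STRING_LEN));
    printf("over-long argument: %d\n", copy_arg(b, sizeof b, "abcd"));
    return 0;
}
```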
