SECURITY: CVE-2006-3747 (cve.mitre.org)

author Mark J. Cox <mjc@apache.org>

Thu, 27 Jul 2006 17:03:34 +0000 (17:03 +0000)

committer Mark J. Cox <mjc@apache.org>

Thu, 27 Jul 2006 17:03:34 +0000 (17:03 +0000)
author Mark J. Cox <mjc@apache.org>
Thu, 27 Jul 2006 17:03:34 +0000 (17:03 +0000)
committer Mark J. Cox <mjc@apache.org>
Thu, 27 Jul 2006 17:03:34 +0000 (17:03 +0000)
diff --git a/CHANGES b/CHANGES

index f771b806362b84453a4ea5ec40e508f82c3b10ab..5cc374d3a7937b52f218332ffadd6421dbf6c6e5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,12 @@
  Changes with Apache 2.3.0
    [Remove entries to the current 2.0 and 2.2 section below, when backported]
  
+  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+     handling.  For some RewriteRules this could lead to a pointer being
+     written out of bounds.  Reported by Mark Dowd of McAfee.
+     [Mark Cox]
+
    *) mod_cache: While serving a cached entity ensure that filters that have
       been applied to this cached entity before saving it to the cache are not
       applied again. PR 40090. [Ruediger Pluem]
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c

index 6c9433b0ab4c6be7e969e66d75420e999397f3c0..ca700cce3322d199666d827af756e90308e30b0d 100644 (file)
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -670,7 +670,7 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
              int c = 0;
  
              token[0] = cp = apr_pstrdup(p, cp);
-            while (*cp && c < 5) {
+            while (*cp && c < 4) {
                  if (*cp == '?') {
                      token[++c] = cp + 1;
                      *cp = '\0';
author	Mark J. Cox <mjc@apache.org>
	Thu, 27 Jul 2006 17:03:34 +0000 (17:03 +0000)
committer	Mark J. Cox <mjc@apache.org>
	Thu, 27 Jul 2006 17:03:34 +0000 (17:03 +0000)
CHANGES		patch \| blob \| history
modules/mappers/mod_rewrite.c		patch \| blob \| history