SECURITY: CVE-2017-7679 (cve.mitre.org)

mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.

Merge 1797550 from trunk:
mod_mime: fix quoted pair scanning

Submitted By: ylavic
Reviewed By: covener, ylavic, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1797653 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 301cb7061c95ae3fbfd11a0b1697336052b8a5eb..9583c92d07603721716501a919b66d591061f02e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
 
 Changes with Apache 2.4.26
 
+  *) mod_mime: Fix error checking for quoted pairs.  [Yann Ylavic]
+
   *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
      protocols.  [Jean-Frederic Clere]
 

diff --git a/STATUS b/STATUS
index 191de520104ad48f4494d392408e3b1198768ae9..f38da4ca99b07e7b0245bccb75d0d5f951decbb9 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -120,11 +120,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   *) mod_mime: Fix scanning of quoted-pairs.
-      trunk patch: http://svn.apache.org/r1797550
-      2.4.x patch: svn merge -c 1797550 ^/httpd/httpd/trunk .
-      +1: covener, ylavic, jim
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c
index f92119b633e474632efb6b48df1f99158d1b316b..28c53be132b455a5a31572d4a934705c68fbf7b9 100644 (file)
--- a/modules/http/mod_mime.c
+++ b/modules/http/mod_mime.c
@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s)
     int res = -1;
     int c;
 
-    if (((s + 1) != NULL) && (*s == '\\')) {
+    if (*s == '\\') {
         c = (int) *(s + 1);
-        if (apr_isascii(c)) {
+        if (c && apr_isascii(c)) {
             res = 1;
         }
     }