From: Eric Covener Date: Mon, 5 Jun 2017 12:12:31 +0000 (+0000) Subject: SECURITY: CVE-2017-7679 (cve.mitre.org) X-Git-Tag: 2.4.26~25 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d98d3a43c65477216db43998082608c6935ab08b;p=apache SECURITY: CVE-2017-7679 (cve.mitre.org) mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Merge 1797550 from trunk: mod_mime: fix quoted pair scanning Submitted By: ylavic Reviewed By: covener, ylavic, jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1797653 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 301cb7061c..9583c92d07 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,8 @@ Changes with Apache 2.4.26 + *) mod_mime: Fix error checking for quoted pairs. [Yann Ylavic] + *) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other protocols. [Jean-Frederic Clere] diff --git a/STATUS b/STATUS index 191de52010..f38da4ca99 100644 --- a/STATUS +++ b/STATUS @@ -120,11 +120,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_mime: Fix scanning of quoted-pairs. - trunk patch: http://svn.apache.org/r1797550 - 2.4.x patch: svn merge -c 1797550 ^/httpd/httpd/trunk . - +1: covener, ylavic, jim - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c index f92119b633..28c53be132 100644 --- a/modules/http/mod_mime.c +++ b/modules/http/mod_mime.c @@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s) int res = -1; int c; - if (((s + 1) != NULL) && (*s == '\\')) { + if (*s == '\\') { c = (int) *(s + 1); - if (apr_isascii(c)) { + if (c && apr_isascii(c)) { res = 1; } }