From 9a9867a40aacf54474786f7f4d6a0b2ba64cfec3 Mon Sep 17 00:00:00 2001 From: "William A. Rowe Jr" Date: Thu, 6 Jul 2017 00:02:54 +0000 Subject: [PATCH] SECURITY: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest. The value placeholder in [Proxy-]Authorization headers type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault. Submitted by: wrowe Backports: r1800919 Reviewed by: wrowe, jim, jchampion git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1800955 13f79535-47bb-0310-9956-ffa450edef68 --- STATUS | 5 ----- modules/aaa/mod_auth_digest.c | 4 ++-- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/STATUS b/STATUS index cc2f9e5592..6f4ef92edc 100644 --- a/STATUS +++ b/STATUS @@ -115,11 +115,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) Correct string scope to prevent duplicated values for subsequent tokens. - Submitted by: wrowe - trunk patch: http://svn.apache.org/r1800919 - +1: wrowe, jim, jchampion - *) Fix negotiation type parsing to be strict about "*", "*/*" and "type/*" comparisons. Submitted by: wrowe, Robert Święcki diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c index d0c77dc569..e99cb3b3f1 100644 --- a/modules/aaa/mod_auth_digest.c +++ b/modules/aaa/mod_auth_digest.c @@ -965,13 +965,13 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp) /* find value */ + vv = 0; if (auth_line[0] == '=') { auth_line++; while (apr_isspace(auth_line[0])) { auth_line++; } - vv = 0; if (auth_line[0] == '\"') { /* quoted string */ auth_line++; while (auth_line[0] != '\"' && auth_line[0] != '\0') { 
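Review bot: The relocated `vv = 0;` above `if (auth_line[0] == '=')` has no comment recording why it must run for every key, so a later tidy-up could move it back inside the block and reopen the stale-value reflection described in the commit message. I would add `/* reset for every key: a key with no '=' must yield an empty value, never the previous contents of value */` directly above it. The allocation of `value` is outside this hunk; if it comes from a non-zeroing pool call, using `apr_pcalloc` there would be a cheap second layer of defence. get_digest_rec starts before and continues past the hunk.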
@@ -990,8 +990,8 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp) value[vv++] = *auth_line++; } } - value[vv] = '\0'; } + value[vv] = '\0'; while (auth_line[0] != ',' && auth_line[0] != '\0') { auth_line++; -- 2.49.0
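Review bot: With `value[vv] = '\0';` now outside the `if`, a key that has no `=` continues through the parser as an empty string and cannot be told apart from `key=""`. The code that matches `key` and stores `value` lies outside this hunk, so I cannot confirm that an empty `nonce`, `response` or similar field is rejected later. If it is not, treating a missing `=` as a malformed header and failing the parse would be stricter than accepting it. A regression test that parses a Digest header whose first key has no `=` and asserts an empty value would keep the termination from drifting back inside the block.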