
Bug#165155: Triage



Unfortunately, there are many potential bugs discussed in this single
bug report.  This makes it hard to know what is done and what is not.
Some of the problems are also described quite vaguely, so forgive me
if I have overlooked something.  Here is an attempt at triage.

1. Buffer overrun in support/ab.c:read_connection()
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13

2. Race condition in support/htpasswd.c:main()
Now uses mkstemp instead of tmpnam.

3. Race condition in support/htdigest.c:main()
Now uses mkstemp instead of tmpnam.

4. Also, totally bogus call to system() in support/htdigest.c:main()
Still present.

5. Buffer overruns in support/htdigest.c:main()
strcpy() is now only called on validated input.

6. strncat() used incorrectly in support/ab.c:main()
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13

Unless I am mistaken, only #4 is still present in today's apache package:

#ifndef NETWARE
#if defined(OS2) || defined(WIN32)
    sprintf(command, "copy \"%s\" \"%s\"", tn, argv[1]);
#else
    sprintf(command, "cp %s %s", tn, argv[1]);
#endif
    system(command);
#else
    if (!(tfp = fopen(tn, "r"))) {
        fprintf(stderr, "Could not open temp file.\n");
        exit(1);
    }

    if (!(f = fopen(argv[1], "w"))) {
        fprintf(stderr, "Could not open %s.\n", argv[1]);
        exit(1);
    }

    copy_file(f, tfp);
#endif

Could this problem not be solved by pretending we're all netware and
doing the dumb copy_file() call?  Thom?
-- 
"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk
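Added example, not Apache's or the bug submitter's code: it shows why item 4 is a problem and what the "pretend we're all NetWare" fix amounts to. A target name taken from argv[1] and pasted into a "cp %s %s" string is interpreted by /bin/sh, so has_shell_metachars() flags names that a shell would not treat as a single literal word; copy_file_no_shell() does what the NETWARE branch's copy_file() does, with plain stdio and no shell at all. The demo also creates its temporary files with mkstemp(), the replacement for tmpnam() noted under items 2 and 3. The function names, the /tmp templates and the sample file content are all constructed for this example.

```c
/* Added example (not Apache's own code): the sprintf()+system() pattern from
 * Debian bug #165155 item 4 versus a stdio-only copy like the NETWARE branch. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if s contains a byte that /bin/sh treats specially, else 0.
 * argv[1] in htdigest is user-controlled, so "cp %s %s" handed to system()
 * lets such a name change the command instead of naming a file. */
int has_shell_metachars(const char *s)
{
    static const char meta[] = " \t\n;&|<>$`\\\"'()*?[]#~";
    for (; *s; s++)
        if (strchr(meta, *s) != NULL)
            return 1;
    return 0;
}

/* Copy src to dst through stdio only, as copy_file() in the NETWARE branch
 * does: no shell is involved, so the names are never interpreted.
 * Returns 0 on success, -1 on any I/O error. */
int copy_file_no_shell(const char *src, const char *dst)
{
    FILE *in = fopen(src, "rb");
    if (!in)
        return -1;
    FILE *out = fopen(dst, "wb");
    if (!out) {
        fclose(in);
        return -1;
    }
    char buf[4096];
    size_t n;
    int rc = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) {
            rc = -1;
            break;
        }
    }
    if (ferror(in))
        rc = -1;
    fclose(in);
    if (fclose(out) != 0)
        rc = -1;
    return rc;
}

/* Self-contained demo: create the scratch file with mkstemp() (the tmpnam()
 * replacement from items 2 and 3), write constructed htdigest-style content,
 * copy it to a second mkstemp() file and compare the bytes.
 * Returns 0 when the copy is byte-identical, nonzero otherwise. */
int run_demo(void)
{
    /* constructed sample line; the hash field is a placeholder, not a digest */
    static const char content[] = "alice:example:<md5-placeholder>\n";
    char tmpl_src[] = "/tmp/htdigest-src-XXXXXX";   /* assumed writable */
    char tmpl_dst[] = "/tmp/htdigest-dst-XXXXXX";
    int fd_src = mkstemp(tmpl_src);
    if (fd_src < 0)
        return 1;
    int fd_dst = mkstemp(tmpl_dst);
    if (fd_dst < 0) {
        close(fd_src);
        unlink(tmpl_src);
        return 1;
    }
    close(fd_dst);
    ssize_t w = write(fd_src, content, strlen(content));
    close(fd_src);

    int result = 1;
    if (w == (ssize_t)strlen(content) &&
        copy_file_no_shell(tmpl_src, tmpl_dst) == 0) {
        char back[128] = {0};
        FILE *f = fopen(tmpl_dst, "rb");
        if (f) {
            size_t n = fread(back, 1, sizeof back - 1, f);
            fclose(f);
            if (n == strlen(content) && memcmp(back, content, n) == 0)
                result = 0;
        }
    }
    unlink(tmpl_src);
    unlink(tmpl_dst);
    return result;
}

int main(void)
{
    printf("stdio copy round-trip: %s\n", run_demo() == 0 ? "ok" : "FAILED");
    printf("\"plain.txt\" needs shell quoting: %d\n", has_shell_metachars("plain.txt"));
    printf("\"a;b\" needs shell quoting: %d\n", has_shell_metachars("a;b"));
    return 0;
}
```

The point of copy_file_no_shell() is not that it quotes better than sprintf() would; it is that there is no command string to get wrong, which is exactly why the NETWARE branch does not have the bug.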