Re: Patch for fixing CAN-2004-0940 in apache 1.3, update
Martin Pitt wrote:
> Martin Pitt [2004-10-29 14:22 +0200]:
> > I prepared a patch for fixing a mod_include buffer overflow in Ubuntu
> > and was asked by Fabio to upload a fixed sid version as well
> > (1.3.31-7).
> >
> > Please find attached the interdiff that was used for 1.3.31-7; you can
> > remove the "Uploaders:" change; the "patch" patch should give no
> > problems, just the changelog patch will probably fail due to a
> > different woody version.
>
> katie rejected my upload because libapache-mod-perl was still the old
> version. One has to manually tweak that in debian/rules. I reuploaded
> using attached (updated) interdiff. The two new hunks will not apply
> to woody, too (since woody has other revision numbers), but at least
> you know where to change what :-)
Thanks a lot. There's another update in the work that fixes problem
with htpasswd. I'm attaching the patch. I haven't received a CVE Id
so will forward it when it is there.
For sid please let me know which version of Apache that will have both
problems fixed.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
diff -ru build-tree.orig/apache_1.3.26/src/support/htpasswd.c build-tree/apache_1.3.26/src/support/htpasswd.c
--- build-tree.orig/apache_1.3.26/src/support/htpasswd.c 2004-10-30 20:08:25.000000000 +0200
+++ build-tree/apache_1.3.26/src/support/htpasswd.c 2004-10-30 19:57:44.000000000 +0200
@@ -455,11 +455,11 @@ int main(int argc, char *argv[])
return ERR_OVERFLOW;
}
strcpy(pwfilename, argv[i]);
- if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
- fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
- (unsigned long)(sizeof(user) - 1));
- return ERR_OVERFLOW;
- }
+ }
+ if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
+ fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
+ (unsigned long)(sizeof(user) - 1));
+ return ERR_OVERFLOW;
}
strcpy(user, argv[i + 1]);
if ((arg = strchr(user, ':')) != NULL) {
@@ -598,7 +598,8 @@ int main(int argc, char *argv[])
putline(ftemp, line);
continue;
}
- strcpy(scratch, line);
+ strncpy(scratch, line,MAX_STRING_LEN -1);
+ scratch[MAX_STRING_LEN -1] = '\0';
/*
* See if this is our user.
*/
Reply to: