
Bug#320048: security: Buffer overflow in ssl_engine_kernel.c



Package: apache2
Version: 2.0.54-4
Severity: grave
Tags: security, patch
Justification: possible DoS


There is a buffer overflow (off-by-one in buffer size checks) in
ssl_engine_kernel.c which could be exploited to DoS the server.

Upstream bug report at
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081

Upstream patch at
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=179781&view=diff&r1=179781&r2=179780&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c&p2=/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

(SVN revision 179781)

A patch which can be dropped into the Debian package as
043_fix_buffer_overflow_in_ssl_engine_kernel is attached.

-- System Information:
Debian Release: 3.1
  APT prefers stable
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork           2.0.54-4   traditional model for Apache2

-- no debconf information
diff -ruN -x Makefile.in -x configure -x '*~' -x build-tree.orig -x '*.rej' build-tree.orig/apache2/config.layout build-tree/apache2/config.layout
--- build-tree.orig/apache2/modules/ssl/ssl_engine_kernel.c	2005/06/03 12:43:35	179780
+++ build-tree/apache2/modules/ssl/ssl_engine_kernel.c	2005/06/03 12:54:53	179781
@@ -1408,7 +1408,7 @@
             BIO_printf(bio, ", nextUpdate: ");
             ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
 
-            n = BIO_read(bio, buff, sizeof(buff));
+            n = BIO_read(bio, buff, sizeof(buff) - 1);
             buff[n] = '\0';
 
             BIO_free(bio);
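
Review bot: The `buff[n] = '\0'` store right after the changed `BIO_read` call still uses `n` with no check on the low side. BIO_read returns 0 or a negative value when nothing was read or the read failed, so a return of -1 would place the terminator one byte before `buff`. The new `sizeof(buff) - 1` limit does close the upper bound (a full read of `sizeof(buff)` bytes previously put the NUL one past the end of the array), but consider also clamping the result before terminating, for example `if (n < 0) n = 0;`, or skipping the log message when the read fails. Separately, the `diff -ruN` command line names config.layout while the `---`/`+++` headers name modules/ssl/ssl_engine_kernel.c; regenerating the patch file so the two agree would avoid confusion when it is dropped into the package.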


