| Summary: | net-www/mod_ssl: Buffer Overflow in Processing CRLs | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jean-François Brunette (RETIRED) <formula7> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | apache-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://securitytracker.com/alerts/2005/Jul/1014575.html | | |
| Whiteboard: | C2 [ebuild?] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
Description
Jean-François Brunette (RETIRED)
2005-07-26 11:54:33 UTC
Apache, please advise. The advisory talks about SVN; it's here: http://svn.apache.org/viewcvs.cgi?rev=179781&view=rev

--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c 2005/04/19 20:02:09 161958 +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:54:53 179781 @@ -1408,7 +1408,7 @@ BIO_printf(bio, ", nextUpdate: "); ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl)); - n = BIO_read(bio, buff, sizeof(buff)); + n = BIO_read(bio, buff, sizeof(buff) - 1); buff[n] = '\0'; BIO_free(bio);

This one is very lame. Not sure we should consider it a vulnerability. Apache, do you agree?

===========================================================
Ubuntu Security Notice USN-160-1
August 04, 2005
apache2 vulnerabilities
[...]
Marc Stern discovered a buffer overflow in the SSL module's certificate revocation list (CRL) handler. If Apache is configured to use a malicious CRL, this could possibly lead to a server crash or arbitrary code execution with the privileges of the Apache web server. (CAN-2005-1268)
===========================================================

I am still to be convinced. Examining the patch provided suggests that, despite the description, this is definitely not exploitable to execute arbitrary code, simply to cause a denial of service. As the server must be in debug mode and configured to accept a malicious CRL, we consider this highly unlikely to ever affect any users. Closing this security bug; the fix will filter down from upstream. If anyone disagrees, please REOPEN.
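Review bot: in the hunk at @@ -1408, `n = BIO_read(bio, buff, sizeof(buff) - 1);` makes room for the terminator, but the following `buff[n] = '\0';` still uses n unchecked; BIO_read() returns -1 on a failed read (and 0 on an empty BIO), so an error path writes buff[-1]. Clamp before terminating, e.g. insert `if (n < 0) n = 0;` between the two lines, or skip the log message entirely when the read fails.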
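As an added C example, not code from this bug, from httpd or from OpenSSL, the pattern in the quoted hunk is modelled below with a stand-in for a memory BIO so it runs without OpenSSL: the pre-fix read of sizeof(buff) bytes followed by buff[n] = '\0', the patched read of sizeof(buff) - 1, and additionally a clamp on a negative BIO_read() return that the quoted hunk does not have. The mem_bio type, the mock_bio_read() function, the 600-byte run of 'A' bytes standing in for CRL date text, and the guard byte placed just past the buffer are all constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for an OpenSSL memory BIO (constructed for this example).
 * mock_bio_read() follows the BIO_read() contract the patched code relies on:
 * it returns the number of bytes copied (at most outlen), 0 once the source is
 * drained, and -1 when the BIO is unusable (modelled here as data == NULL). */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} mem_bio;

static int mock_bio_read(mem_bio *b, char *out, size_t outlen)
{
    if (b->data == NULL)
        return -1;
    size_t avail = b->len - b->pos;
    size_t n = avail < outlen ? avail : outlen;
    memcpy(out, b->data + b->pos, n);
    b->pos += n;
    return (int)n;
}

/* The pre-fix pattern: fill the whole buffer, then NUL-terminate at buff[n].
 * If the BIO holds at least cap bytes, n == cap and the terminator lands one
 * byte past the end of buff.  The caller here supplies a region with one spare
 * byte so the demonstration stays inside allocated memory; the real stack
 * buffer in mod_ssl has no such slack. */
static int crl_summary_unsafe(mem_bio *b, char *buff, size_t cap)
{
    int n = mock_bio_read(b, buff, cap);
    buff[n] = '\0';                 /* off-by-one when n == cap */
    return n;
}

/* Hardened version: reserve a byte for the terminator (the r179781 change)
 * and also clamp a negative BIO_read() result so buff[-1] is never written.
 * The clamp is this example's addition, not part of the quoted hunk. */
static int crl_summary_safe(mem_bio *b, char *buff, size_t cap)
{
    if (cap == 0)
        return -1;
    int n = mock_bio_read(b, buff, cap - 1);
    if (n < 0)
        n = 0;                      /* treat a BIO error as an empty string */
    buff[n] = '\0';
    return n;
}

#define CRL_BUF 512                 /* same size as the httpd buffer */
#define GUARD   'X'                 /* marker placed just past the buffer */

typedef int (*summary_fn)(mem_bio *, char *, size_t);

/* Runs fn over a constructed payload of payload_len 'A' bytes, using a
 * cap-byte logical buffer followed by one guard byte.  Returns 1 if the guard
 * byte was overwritten (the overflow fired), 0 if it survived, -1 on bad args. */
static int overflow_observed(summary_fn fn, size_t payload_len, size_t cap)
{
    static char payload[2048];
    char storage[CRL_BUF + 1];

    if (payload_len > sizeof payload || cap > CRL_BUF)
        return -1;
    memset(payload, 'A', payload_len);
    memset(storage, GUARD, sizeof storage);

    mem_bio b = { payload, payload_len, 0 };
    fn(&b, storage, cap);
    return storage[cap] != GUARD;
}

/* Same setup, but reports the byte count the function returned. */
static int bytes_read(summary_fn fn, size_t payload_len, size_t cap)
{
    static char payload[2048];
    char storage[CRL_BUF + 1];

    if (payload_len > sizeof payload || cap > CRL_BUF)
        return -1;
    memset(payload, 'A', payload_len);
    mem_bio b = { payload, payload_len, 0 };
    return fn(&b, storage, cap);
}

/* Feeds a broken BIO (data == NULL) to the safe version and returns the
 * string length it left in the buffer. */
static size_t safe_on_bio_error(void)
{
    char buff[CRL_BUF];
    mem_bio broken = { NULL, 0, 0 };
    crl_summary_safe(&broken, buff, sizeof buff);
    return strlen(buff);
}

int main(void)
{
    printf("unsafe, 600 bytes into %d: guard clobbered = %d, n = %d\n", CRL_BUF,
           overflow_observed(crl_summary_unsafe, 600, CRL_BUF),
           bytes_read(crl_summary_unsafe, 600, CRL_BUF));
    printf("safe,   600 bytes into %d: guard clobbered = %d, n = %d\n", CRL_BUF,
           overflow_observed(crl_summary_safe, 600, CRL_BUF),
           bytes_read(crl_summary_safe, 600, CRL_BUF));
    printf("safe on BIO error: strlen = %zu\n", safe_on_bio_error());
    return 0;
}
```

The guard byte makes the difference concrete: with 600 bytes of input the pre-fix pattern reads 512 bytes and writes its terminator into the byte after the buffer, while the patched read stops at 511 bytes and leaves the neighbour untouched. Whether that single NUL past a stack buffer is only a crash or something worse depends on what the compiler placed next to buff, which is why the Ubuntu notice and the closing comment above disagree on impact.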