author | 2004-09-08 16:12:30 +0000 | |
---|---|---|
committer | 2004-09-08 16:12:30 +0000 | |
commit | 83284c088ef02f083ebb204459ee46a6a11de0ae (patch) | |
tree | ba0eb869922015070c180fd4c6d434b87f4cad12 /sys/lib/libkern/arch | |
parent | after openpty() do not close() slave and reopen it. that is just crazy | |

security fix:

Apache's mod_rewrite module can be made to write one zero byte in an
arbitrary memory position outside of a char array, causing DoS or
possibly buffer overflows.

The function lookup_map_dbmfile() in modules/mappers/mod_rewrite.c
copies data from a DBM file to the char array buf in a _secure_ manner,
but it zero-terminates the array afterwards in an _insecure_ manner. If
the key that is looked up has an n bytes long value, a zero byte will be
written in the memory position n bytes from the start of the char array
buf.

exploiting would require enabling dbm for mod_rewrite and getting it to use
a malicious dbm file.

reported by Ulf.Harnhammar.9485@student.uu.se
fix by me
ok otto, deraadt

Diffstat (limited to 'sys/lib/libkern/arch')
0 files changed, 0 insertions, 0 deletions
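
The pattern the commit message describes (a bounded copy followed by a terminator written at the value length), shown next to a form that terminates at the copied length. This is an added illustration, not the mod_rewrite source or the committed fix. `BUF_SIZE`, the guard arena, the sample value and all function names are assumptions made so the stray write lands in memory the example owns and can be observed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16   /* stand-in for the size of buf (assumed value) */
#define ARENA_SIZE 64   /* buf plus guard bytes we own, so the stray write is observable */
#define GUARD      0xAA

/* Pattern from the commit message: bounded copy, unbounded terminator. */
static void store_flawed(unsigned char *buf, const unsigned char *val, size_t n)
{
    size_t copy = n < BUF_SIZE - 1 ? n : BUF_SIZE - 1;
    memcpy(buf, val, copy);  /* the "secure" part: never copies past buf */
    buf[n] = '\0';           /* the "insecure" part: index is the value length */
}

/* Hardened form: terminate at the number of bytes actually copied. */
static void store_fixed(unsigned char *buf, const unsigned char *val, size_t n)
{
    size_t copy = n < BUF_SIZE - 1 ? n : BUF_SIZE - 1;
    memcpy(buf, val, copy);
    buf[copy] = '\0';
}

/* Returns the offset of the first guard byte changed past buf, -1 if none,
 * -2 if n would take the demonstration itself out of the arena. */
static long stray_write_offset(int use_fixed, size_t n)
{
    unsigned char arena[ARENA_SIZE], val[ARENA_SIZE];
    size_t i;
    if (n >= ARENA_SIZE)
        return -2;
    memset(arena, GUARD, sizeof arena);  /* first BUF_SIZE bytes play the role of buf */
    memset(val, 'A', sizeof val);        /* constructed value, as if read from a DBM file */
    if (use_fixed) store_fixed(arena, val, n); else store_flawed(arena, val, n);
    for (i = BUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != GUARD)
            return (long)i;
    return -1;
}

int main(void)
{
    printf("flawed, n=40: %ld\n", stray_write_offset(0, 40));
    printf("fixed,  n=40: %ld\n", stray_write_offset(1, 40));
    return 0;
}
```
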