Package: apache2
Version: 2.0.54-4
Severity: grave
Tags: security, patch
Justification: possible DoS
There is a buffer overflow (off-by-one in buffer size checks) in
ssl_engine_kernel.c which could be exploited to DoS the server.
Upstream bug report at
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081
Upstream patch at
http://svn.apache.org/viewcvs.cgi/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=179781&view=diff&r1=179781&r2=179780&p1=httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c&p2=/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
(SVN revision 179781)
patch which can be dropped into the Debian package as
043_fix_buffer_overflow_in_ssl_engine_kernel is attached
-- System Information:
Debian Release: 3.1
APT prefers stable
Architecture: i386 (i686)
Kernel: Linux 2.6.11.12-incase
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.0.54-4 traditional model for Apache2
-- no debconf information
diff -ruN -x Makefile.in -x configure -x '*~' -x build-tree.orig -x '*.rej'
build-tree.orig/apache2/config.layout build-tree/apache2/config.layout
--- build-tree.orig/apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03
12:43:35 179780
+++ build-tree/apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:54:53
179781
@@ -1408,7 +1408,7 @@
BIO_printf(bio, ", nextUpdate: ");
ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
- n = BIO_read(bio, buff, sizeof(buff));
+ n = BIO_read(bio, buff, sizeof(buff) - 1);
buff[n] = '\0';
BIO_free(bio);
