Security Incidents mailing list archives

Re: New worm segfaults apache


From: Marc Slemko <marcs () znep com>
Date: Thu, 20 Sep 2001 21:12:05 -0700 (PDT)

One possible reason for Apache segfaulting when hit by this worm in some
configurations is addressed in the below patch that has been committed to
the 1.3 tree.

This does not represent a security problem, just a good old normal bug.  
A very mild DoS potential, but that is Very with a capital V.



dgaudet     01/09/20 20:51:54

  Modified:    src      CHANGES
               src/include httpd.h
               src/modules/standard mod_include.c
  Log:
  ErrorDocument 404 pointing to a parsed html file with a
  <!--#include virtual="file" --> with a request URI containing
  %2f would result in a segfault (NULL pointer deref, not a
  security problem).
  
  PR:           8362
  
  Revision  Changes    Path
  1.1708    +5 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1707
  retrieving revision 1.1708
  diff -u -r1.1707 -r1.1708
  --- CHANGES   2001/09/12 15:16:41     1.1707
  +++ CHANGES   2001/09/21 03:51:53     1.1708
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3.21
   
  +  *) ErrorDocument 404 pointing to a parsed html file with a
  +     <!--#include virtual="file" --> with a request URI containing
  +     %2f would result in a segfault (NULL pointer deref, not a
  +     security problem).  [Jeff Moe <tux () themoes org>, Dean Gaudet] PR#8362
  +
     *) UnsetEnv from main body of httpd.conf file didn't work; backport
        of bugfix from 2.0 codebase. [Gary Benson <gbenson () redhat com>] PR#8254
   
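Review bot: the CHANGES entry records the trigger (ErrorDocument 404, a parsed HTML file, an include virtual directive, a %2f in the request URI) but not what actually broke, so a reader of CHANGES cannot connect it to the code that changed. Suggest adding a clause naming the cause as the other two hunks show it, e.g. "mod_include compared a NULL request_rec->filename with strcmp() while checking the request chain for duplicate includes", so that anyone auditing other callers of r->filename knows what to look for.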
  
  
  
  1.345     +1 -1      apache-1.3/src/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
  retrieving revision 1.344
  retrieving revision 1.345
  diff -u -r1.344 -r1.345
  --- httpd.h   2001/08/13 17:09:42     1.344
  +++ httpd.h   2001/09/21 03:51:54     1.345
  @@ -806,7 +806,7 @@
   
       char *unparsed_uri;              /* the uri without any parsing performed */
       char *uri;                       /* the path portion of the URI */
  -    char *filename;
  +    char *filename;          /* filename if found, otherwise NULL */
       char *path_info;
       char *args;                      /* QUERY_ARGS, if any */
       struct stat finfo;               /* ST_MODE set to zero if no such file */
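Review bot: the new comment "filename if found, otherwise NULL" documents a contract that the rest of the code base was written without, and this patch only fixes one reader of it (mod_include.c). Before relying on the comment, every unguarded strcmp()/strlen()-style use of ->filename on request_rec structures reachable from sub-requests should be audited, since any of them will fail the same way on a NULL. It would also help to state in the comment when the field is NULL (for example, that the URI-to-filename translation did not produce a path), rather than just that it can be.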
  
  
  
  1.130     +1 -1      apache-1.3/src/modules/standard/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
  retrieving revision 1.129
  retrieving revision 1.130
  diff -u -r1.129 -r1.130
  --- mod_include.c     2001/07/13 19:45:52     1.129
  +++ mod_include.c     2001/09/21 03:51:54     1.130
  @@ -718,7 +718,7 @@
                   for (p = r; p != NULL && !founddupe; p = p->main) {
                    request_rec *q;
                    for (q = p; q != NULL; q = q->prev) {
  -                     if ( (strcmp(q->filename, rr->filename) == 0) ||
  +                     if ( (q->filename && strcmp(q->filename, rr->filename) == 0) ||
                             (strcmp(q->uri, rr->uri) == 0) ){
                            founddupe = 1;
                            break;
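Review bot: the guard only covers q->filename; rr->filename is still passed to strcmp() unchecked on the same line, and q->uri / rr->uri on the next line are unchecked as well. If the sub-request rr is itself for a URI that leaves filename NULL (the same %2f case, reached through the include), the crash moves rather than disappears. Suggest guarding both operands so the check degrades to the uri comparison whenever either side has no filename: `if ( (q->filename && rr->filename && strcmp(q->filename, rr->filename) == 0) ||`. Behaviour is otherwise unchanged: when a filename is missing the duplicate-include test falls through to the uri comparison, which is the intended fallback.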
  
  
  

