Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Mon, 17 Jun 2002 20:57:50 +0200

<valcu.gheorghe () caatoosee ro> writes:

The patch that mentioned casting bufsiz from an int to an unsigned int
failed to do a few things:

1) There are 2 instances of the same code in http_protocol.c that need
to be fixed, as both suffer from the same problem
2) The cast to unsigned int was only done in comparison, and was not
done in assignment, which could possibly lead to problems down the road
with the int value?

3) Casting to unsigned int does not help that much if the variable in
question is a long.

The Apache CVS repository now seems contain a correct patch.

Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]