[28932] in bugtraq
Re: CSSA-2003-007.0 Advisory withdrawn.
daemon@ATHENA.MIT.EDU (Mark J Cox)
Tue Feb 18 17:15:10 2003
Date: Tue, 18 Feb 2003 19:12:12 +0000 (GMT)
From: Mark J Cox <mjc@apache.org>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0302181902040.23163-100000@dell1.moose.awe.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
Just to clarify this a bit further, the mod_dav module for Apache is not
vulnerable to the format string vulnerability (as outlined in the original
advisory from SCO, CAN-2002-0842).
mod_dav contains code that logs various errors and uses ap_log_rerror() to
do so. In mod_dav for Apache, ap_log_rerror is never called with strings
that can be influenced by a remote user.
Now Oracle added code to their version of mod_dav to log gateway errors,
but gateway errors contain strings that can be controlled by a remote
user. Therefore Oracle was vulnerable to a format string issue, but no
base release of Apache with mod_dav was vulnerable.
We did some research this morning after SCO released their advisory.
According to their ftp site SCO shipped OpenLinux with a standard copy of
mod_dav which was not vulnerable to this format string issue. Their
advisory, CSSA-2003-007.0, referenced new packages where they added a patch
which, unfortunately, added in code to log gateway errors and contained
a format string vulnerability.
Thanks, Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iQCVAwUBPlKFj+6tTP1JpWPZAQE6awQA43RYlKHCZME4KszH/zDOMbuTeTUybvaW
GWP88jowg0+JtVDl+D7JFGFxdgrrxBD/sWTPRV361l3TKUYXnXcuDIW2OnWdWRtq
4zulMANv1kFs/mqRPz1naJ+hZPaVrYKVxSv2mhDz4fjohsBjUVlNOuaoosONl0se
lWS9MFQTRaI=
=mhD7
-----END PGP SIGNATURE-----
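The distinction the post draws is that ap_log_rerror() takes a printf-style format argument, so a log call is only safe when the remote-user-controlled text is passed as a %s argument, never as the format itself. The following is an added C example, not part of the original message and not Apache or mod_dav code: log_rerror() is a stand-in for ap_log_rerror() that formats into a caller-supplied buffer, log_gateway_error_unsafe() shows the pattern described as vulnerable beside log_gateway_error_safe(), and has_format_directive() is a hypothetical audit helper for flagging strings that should never reach a format parameter. The gateway-error messages are constructed samples.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Apache's ap_log_rerror(): accepts a printf-style format and
 * writes the rendered message into `out`. (Constructed for this example; the
 * real function writes to the server error log.) */
static void log_rerror(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The pattern the post describes as vulnerable: text that originated with a
 * remote user (a gateway error message) is handed over as the FORMAT argument,
 * so any conversion specification inside it is interpreted by vsnprintf().
 * Shown only for contrast; the example never calls it with untrusted input. */
static void log_gateway_error_unsafe(char *out, size_t outlen, const char *msg)
{
    log_rerror(out, outlen, msg);
}

/* The hardened form: the format is a compile-time literal and the untrusted
 * text is consumed by a %s conversion, so it is copied verbatim. */
static void log_gateway_error_safe(char *out, size_t outlen, const char *msg)
{
    log_rerror(out, outlen, "gateway error: %s", msg);
}

/* Hypothetical audit helper: returns 1 if `s` contains a conversion
 * specification that vsnprintf() would act on were `s` used as a format
 * string. A doubled "%%" is a literal percent sign and does not count. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%', skip both */
            p++;
            continue;
        }
        return 1;               /* '%' followed by a conversion or flag */
    }
    return 0;
}

int main(void)
{
    char buf[128];

    /* Constructed sample of a remote-supplied gateway error message. */
    const char *remote_msg = "upstream said %x%x%n";

    log_gateway_error_safe(buf, sizeof buf, remote_msg);
    printf("safe : %s\n", buf);

    printf("audit: \"%s\" -> %s\n", remote_msg,
           has_format_directive(remote_msg) ? "must not be a format" : "ok");
    printf("audit: \"100%% done\" -> %s\n",
           has_format_directive("100%% done") ? "must not be a format" : "ok");

    /* The unsafe wrapper is only exercised with directive-free text here. */
    log_gateway_error_unsafe(buf, sizeof buf, "plain text");
    printf("unsafe (benign input): %s\n", buf);
    return 0;
}
```

In practice the audit helper is a review-time aid: any call site where a non-literal string reaches the format parameter of ap_log_rerror() (or printf, syslog and similar) is the finding, regardless of whether the string happens to contain a '%' today.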