[ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 16.07.2004 22:42:07 by rse
We've today found an ssl_log() related format string vulnerability in
the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for
Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was
created which fixes this potential security hole.
Get mod_ssl-2.8.19-1.3.31.tar.gz from:
o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/
Yours,
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
Official Announcement Mailing List modssl-announce@modssl.org
Automated List Manager majordomo@modssl.org
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 16.07.2004 23:11:03 by Joe Orton
I'm checking an older version of mod_ssl but there are a couple of other
uninteresting format string warnings from gcc. I think it's portable to
assume time_t is a long...
--- ./ssl_engine_io.c.warnings 2002-02-23 18:45:45.000000000 +0000
+++ ./ssl_engine_io.c 2004-07-16 22:02:32.000000000 +0100
@@ -680,7 +680,7 @@
}
if (trunc > 0)
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
- "| %04x - ", len + trunc);
+ "| %04lx - ", len + trunc);
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
"+---------------------------------------------------------- ---------------+");
return;
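Review bot: the new `%04lx` conversion expects an `unsigned long`, but the argument `len + trunc` is passed unchanged and its type is not visible in this hunk. If both operands are `int`, the patch trades one mismatch for another; either confirm the declarations or make the call self-evidently correct with `(unsigned long)(len + trunc)`.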
--- ./mod_ssl.h.warnings 2004-07-16 21:52:26.000000000 +0100
+++ ./mod_ssl.h 2004-07-16 21:58:19.000000000 +0100
@@ -806,7 +806,9 @@
/* Logfile Support */
void ssl_log_open(server_rec *, server_rec *, pool *);
BOOL ssl_log_applies(server_rec *, int);
-void ssl_log(server_rec *, int, const char *, ...);
+void ssl_log(server_rec *, int, const char *, ...)
+ __attribute__((format(printf,3,4)));
+
void ssl_die(void);
/* Variables */
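Review bot: `__attribute__((format(printf,3,4)))` on the `ssl_log` prototype is GCC syntax and appears here without a guard. Confirm that every file including mod_ssl.h first pulls in a header that defines `__attribute__` away for other compilers, or wrap it in a macro conditional on `__GNUC__`. The argument indices 3 and 4 do match the prototype (format string third, variable arguments from the fourth).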
--- ./ssl_engine_kernel.c.warnings 2004-07-16 21:52:26.000000000 +0100
+++ ./ssl_engine_kernel.c 2004-07-16 22:00:41.000000000 +0100
@@ -1807,7 +1807,7 @@
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
- "request=SET status=%s id=%s timeout=%ds (session caching)",
+ "request=SET status=%s id=%s timeout=%lds (session caching)",
rc == TRUE ? "OK" : "BAD",
SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
t-time(NULL));
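Review bot: `%ld` is now paired with `t-time(NULL)`, which is still passed uncast in the last argument line, so the call is only correct where `time_t` happens to be `long`. Casting at the call site, `(long)(t-time(NULL))`, removes the assumption instead of relying on it.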
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 17.07.2004 08:57:09 by rse
On Fri, Jul 16, 2004, Joe Orton wrote:
> I'm checking an older version of mod_ssl but there are a couple of other
> uninteresting format string warnings from gcc. I think it's portable to
> assume time_t is a long...
> [...]
Yes, although they are not security related, they could crash the
server, too. So we should fix those formatting bugs, too. A little bit
of extra casting might be required, I think. I've now committed to my
CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
Please commit a similar patch to mod_ssl for Apache 2.x, please.
Index: ssl_engine_io.c
============================================================ =======
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_ io.c,v
retrieving revision 1.36
diff -u -d -r1.36 ssl_engine_io.c
--- ssl_engine_io.c 11 May 2004 18:44:15 -0000 1.36
+++ ssl_engine_io.c 17 Jul 2004 06:52:22 -0000
@@ -682,7 +682,7 @@
}
if (trunc > 0)
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
- "| %04x - ", len + trunc);
+ "| %04lx - ", len + trunc);
ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
"+---------------------------------------------------------- ---------------+");
return;
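Review bot: `len + trunc` is the one argument in this patch whose conversion gains an `l` length modifier without a matching cast; the other hunks cast explicitly. Since `%lx` takes an `unsigned long`, `(unsigned long)(len + trunc)` would make this line consistent with the rest.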
@@ -704,21 +704,21 @@
|| cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
if (rc >= 0) {
ssl_log(s, SSL_LOG_DEBUG,
- "%s: %s %ld/%d bytes %s BIO#%08X [mem: %08lX] %s",
+ "%s: %s %ld/%d bytes %s BIO#%08lX [mem: %08lX] %s",
SSL_LIBRARY_NAME,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
- bio, argp,
+ (long)bio, (long)argp,
(argp != NULL ? "(BIO dump follows)" : "(Ops, no memory buffer?)"));
if (argp != NULL)
ssl_io_data_dump(s, argp, rc);
}
else {
ssl_log(s, SSL_LOG_DEBUG,
- "%s: I/O error, %d bytes expected to %s on BIO#%08X [mem: %08lX]",
+ "%s: I/O error, %d bytes expected to %s on BIO#%08lX [mem: %08lX]",
SSL_LIBRARY_NAME, argi,
(cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
- bio, argp);
+ (long)bio, (long)argp);
}
}
return rc;
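Review bot: `(long)bio` and `(long)argp` convert what look like pointers (`argp` is compared with NULL in the same call) to a signed `long` for `%08lX`, which takes an `unsigned long` and loses bits wherever a pointer is wider than `long`. Printing both values with a pointer conversion and a `(void *)` cast avoids the width assumption; `(unsigned long)` is the minimum if the hex layout has to stay as it is.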
Index: ssl_engine_kernel.c
============================================================ =======
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_ kernel.c,v
retrieving revision 1.146
diff -u -d -r1.146 ssl_engine_kernel.c
--- ssl_engine_kernel.c 27 May 2004 13:13:32 -0000 1.146
+++ ssl_engine_kernel.c 17 Jul 2004 06:50:10 -0000
@@ -1793,10 +1793,10 @@
* Log this cache operation
*/
ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
- "request=SET status=%s id=%s timeout=%ds (session caching)",
+ "request=SET status=%s id=%s timeout=%lds (session caching)",
rc == TRUE ? "OK" : "BAD",
SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
- t-time(NULL));
+ (long)(t-time(NULL)));
/*
* return 0 which means to OpenSSL that the pNew is still
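Review bot: the `(long)` cast on `t-time(NULL)` in the last argument deserves a one-line comment saying it exists to match `%ld` regardless of how `time_t` is defined. On platforms where `time_t` is already `long` the cast looks redundant and could be dropped in a later cleanup.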
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 17.07.2004 10:43:30 by Joe Orton
On Sat, Jul 17, 2004 at 08:57:09AM +0200, Ralf S. Engelschall wrote:
> Yes, although they are not security related, they could crash the
> server, too. So we should fix those formatting bugs, too. A little bit
> of extra casting might be required, I think. I've now committed to my
> CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
> Please commit a similar patch to mod_ssl for Apache 2.x, please.
Actually it should just use %pp for printing addresses since the 1.3
ap_snprintf does support that (the 2.0 code does this already).
joe
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 20.07.2004 18:19:13 by Juergen Weigert
On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> On Fri, Jul 16, 2004, Joe Orton wrote:
> > [...] I think it's portable to assume time_t is a long...
> > [...]
I'd appreciate
assert(sizeof(time_t) == sizeof(long));
near that.
I could not find any glibc supported architecture, where
that would not hold.
cheers,
Jw.
--
o \ Juergen Weigert paint it green!__/ _=======.=======_
| jw@suse.de linux software/ _---|____________\/
\ | 0911 74053-508 creator __/ (____/ /\
(/) | _________________________/ _/ \_ vim:set sw=2 wm=8
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 21.07.2004 00:51:56 by a k
I would prefer either:
#if ...
#error ...
#endif
or
if( ... ) {
log some easy to understand error
exit(1)
}
--- Juergen Weigert wrote:
> On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> > On Fri, Jul 16, 2004, Joe Orton wrote:
> > > [...] I think it's portable to assume time_t is a long...
> > > [...]
>
> I'd appreciate
> assert(sizeof(time_t) == sizeof(long));
> near that.
> I could not find any glibc supported architecture, where
> that would not hold.
>
> cheers,
> Jw.
>
> --
> o \ Juergen Weigert paint it green!__/
> _=======.=======_
> | jw@suse.de linux software/
> _---|____________\/
> \ | 0911 74053-508 creator __/ (____/
> /\
> (/) | _________________________/ _/ \_
> vim:set sw=2 wm=8
>
Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31
on 21.07.2004 14:42:47 by Joe Orton
On Tue, Jul 20, 2004 at 06:19:13PM +0200, Juergen Weigert wrote:
> On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
> > On Fri, Jul 16, 2004, Joe Orton wrote:
> > > [...] I think it's portable to assume time_t is a long...
> > > [...]
>
> I'd appreciate
> assert(sizeof(time_t) == sizeof(long));
> near that.
Casting the value to a long would be better than a runtime assertion if
you're worried about it; there's only one place it happens.
joe
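
The pattern this thread converges on, as an added example that is not code from mod_ssl or from any poster: a printf-style logger declared with a guarded GCC format attribute, untrusted text passed only as a `%s` argument, and a `time_t` difference cast to `long` for `%ld`. The names `demo_log`, `log_untrusted`, `log_timeout` and `LOG_PRINTF_LIKE` are hypothetical, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Guarded so compilers without GCC attribute syntax still build. */
#if defined(__GNUC__)
#define LOG_PRINTF_LIKE(fmt, args) __attribute__((format(printf, fmt, args)))
#else
#define LOG_PRINTF_LIKE(fmt, args)
#endif

/* Hypothetical stand-in for ssl_log(): formats into a caller buffer. */
static int demo_log(char *out, size_t outlen, const char *fmt, ...)
    LOG_PRINTF_LIKE(3, 4);

static int demo_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Untrusted text is an argument to "%s", never the format itself. With the
 * attribute, gcc -Wformat-security flags demo_log(out, outlen, text). */
static int log_untrusted(char *out, size_t outlen, const char *text)
{
    return demo_log(out, outlen, "%s", text);
}

/* The cast makes %ld correct however the platform defines time_t. */
static int log_timeout(char *out, size_t outlen, time_t expiry, time_t now)
{
    return demo_log(out, outlen, "timeout=%lds", (long)(expiry - now));
}

int main(void)
{
    char buf[128];
    log_untrusted(buf, sizeof buf, "host%x%n.example"); /* constructed input */
    puts(buf);
    log_timeout(buf, sizeof buf, (time_t)1300, (time_t)1000);
    puts(buf);
    return 0;
}
```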