Patches for CVE-2006-3747

1 files changed, 26 insertions, 0 deletions

diff --git a/2.0/patches/99_all_2.0.58-cve-2006-3747.patch b/2.0/patches/99_all_2.0.58-cve-2006-3747.patch
new file mode 100644
index 0000000..180608f
--- /dev/null
+++ b/2.0/patches/99_all_2.0.58-cve-2006-3747.patch
@@ -0,0 +1,26 @@
+diff -ur httpd-2.0.58.orig/CHANGES httpd-2.0.58/CHANGES
+--- httpd-2.0.58.orig/CHANGES	2006-04-24 10:12:21.000000000 -0700
++++ httpd-2.0.58/CHANGES	2006-07-26 09:24:18.000000000 -0700
+@@ -1,4 +1,10 @@
+                                                          -*- coding: utf-8 -*-
++  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
++     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
++     handling.  For some RewriteRules this could lead to a pointer being
++     written out of bounds.  Reported by Mark Dowd of McAfee Avert Labs.
++     [Mark Cox]
++	 
+ Changes with Apache 2.0.58
+ 
+   *) Legal: Restored original years in copyright notices.
+diff -ur httpd-2.0.58.orig/modules/mappers/mod_rewrite.c httpd-2.0.58/modules/mappers/mod_rewrite.c
+--- httpd-2.0.58.orig/modules/mappers/mod_rewrite.c	2006-04-24 10:12:21.000000000 -0700
++++ httpd-2.0.58/modules/mappers/mod_rewrite.c	2006-07-26 09:21:47.000000000 -0700
+@@ -2906,7 +2906,7 @@
+             int c = 0;
+ 
+             token[0] = cp = apr_pstrdup(p, cp);
+-            while (*cp && c < 5) {
++            while (*cp && c < 4) {
+                 if (*cp == '?') {
+                     token[++c] = cp + 1;
+                     *cp = '\0';