(Initially reported as SITIC Vulnerability Advisory SA04-001, redefined as bug after discussion with ASF httpd security team) Apache's mod_ssl module suffers from a format string bug when logging information about CRLs. If an administrator installs a malicious CRL file, this bug can lead to the execution of arbitrary code. The function ssl_callback_SSLVerify_CRL() in modules/ssl/ssl_engine_kernel.c calls ap_log_error() with data from the CRL as the format string instead of using the data as parameters, leading to a security breach. This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT Incident Centre. The included patch "issue1.patch" is our attempt at correcting this issue: --- modules/ssl/ssl_engine_kernel.c 2004-06-07 12:18:37.000000000 +0200 +++ modules/ssl/ssl_engine_kernel.c.ulf 2004-08-02 12:49:18.000000000 +0200 @@ -1372,7 +1372,7 @@ BIO_free(bio); - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, buff); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "%s", buff); } /*
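Review bot: The one changed line is the right fix: ap_log_error() is printf-style, so handing it buff as the format lets any '%' sequence in CRL-derived text be interpreted as a conversion directive, while "%s" with buff as the argument logs the text verbatim. Since the patch only touches this call site, it would be worth confirming that no other ap_log_error(..., buff) call in ssl_engine_kernel.c passes certificate- or CRL-derived text the same way, and adding a CHANGES entry alongside the commit.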
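To show why the "%s" change matters, here is an added example (not httpd code) that models ap_log_error() with a small printf-style wrapper named log_error(), and places the pre-fix call beside the fixed one; log_crl_unsafe(), log_crl_safe(), has_format_directive() and the g_log buffer are assumed names for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Scratch buffer standing in for the error log. */
char g_log[256];

/* Stand-in for ap_log_error(): a printf-style function, as in httpd.
 * Returns the number of characters the formatted message would hold. */
static int log_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Before the fix: text taken from the CRL becomes the format string.
 * With '%' directives in crl_text this reads undefined varargs, so it
 * is only ever called here with plain text to show it "works" there. */
int log_crl_unsafe(const char *crl_text, char *out, size_t outlen)
{
    return log_error(out, outlen, crl_text);
}

/* After the fix: "%s" is the only format string; CRL text is data. */
int log_crl_safe(const char *crl_text, char *out, size_t outlen)
{
    return log_error(out, outlen, "%s", crl_text);
}

/* Defender-side check: flag untrusted text that carries a '%' so a
 * review or test can catch it before it ever reaches a format slot. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}
```

With the fixed call, a constructed CRL field such as "%x%x%n" is written to the log as those six literal characters instead of being interpreted.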
Thanks for the report. Should we credit Ulf Harnhammar for the fix in the CHANGES file?
Please credit me/us as "Ulf Harnhammar (SITIC)".
Thanks for the patch; this has been committed to HEAD: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.108&r2=1.109