CVE-2008-3746: NULL pointer dereference in Digest domain support

Joe Orton joe at manyfish.co.uk
Wed Aug 20 16:06:55 EDT 2008


Hi, I've just released neon 0.28.3 which fixes a security issue in the 
Digest domain parameter support.

This issue affects releases 0.28.0, 0.28.1 and 0.28.2 only, and allows a 
malicious server to crash a client application, resulting in possible 
denial of service.  The CVE name CVE-2008-3746 has been assigned.

The bug was originally reported to the Debian BTS here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476571

The fix is in r1532 of the Subversion repository, patch included below 
for reference.  

--- neon/trunk/src/ne_auth.c	(original)
+++ neon/trunk/src/ne_auth.c	Wed Aug 20 11:45:19 2008
@@ -645,11 +645,13 @@
         
         if (ne_uri_parse(token, &rel) == 0) {
             /* Resolve relative to the Request-URI. */
+            base.path = "/";
             ne_uri_resolve(&base, &rel, &absolute);
 
+            /* Compare against the resolved path to check this URI has
+             * the same (scheme, host, port) components; ignore it
+             * otherwise: */
             base.path = absolute.path;
-            
-            /* Ignore URIs not on this server. */
             if (absolute.path && ne_uri_cmp(&absolute, &base) == 0) {
                 sess->domains = ne_realloc(sess->domains, 
                                            ++sess->ndomains *
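
Review bot: the added `base.path = "/";` carries no comment, and the retained comment directly above it ("Resolve relative to the Request-URI") no longer matches the code, since the token is now resolved against a fixed root path. Suggest a short comment saying why the placeholder is set before `ne_uri_resolve(&base, &rel, &absolute)` is called (the advisory describes a NULL pointer dereference), and rewording the older comment to match. In the same lines, `base.path` first points at a string literal and is then made an alias of `absolute.path`, so `base` does not own its path at any point; a note to that effect next to the assignments would keep a later change from freeing it as a whole URI.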




