CVE-2008-3746: NULL pointer dereference in Digest domain support
Joe Orton
joe at manyfish.co.uk
Wed Aug 20 16:06:55 EDT 2008
Hi, I've just released neon 0.28.3 which fixes a security issue in the
Digest domain parameter support.

This issue affects releases 0.28.0, 0.28.1 and 0.28.2 only, and allows a
malicious server to crash a client application, resulting in possible
denial of service. The CVE name CVE-2008-3746 has been assigned.

The bug was originally reported to the Debian BTS here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476571

The fix is in r1532 of the Subversion repository, patch included below
for reference.

--- neon/trunk/src/ne_auth.c (original)
+++ neon/trunk/src/ne_auth.c Wed Aug 20 11:45:19 2008
@@ -645,11 +645,13 @@
if (ne_uri_parse(token, &rel) == 0) {
/* Resolve relative to the Request-URI. */
+ base.path = "/";
ne_uri_resolve(&base, &rel, &absolute);
+ /* Compare against the resolved path to check this URI has
+ * the same (scheme, host, port) components; ignore it
+ * otherwise: */
base.path = absolute.path;
-
- /* Ignore URIs not on this server. */
if (absolute.path && ne_uri_cmp(&absolute, &base) == 0) {
sess->domains = ne_realloc(sess->domains,
++sess->ndomains *
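
Review bot: the added `base.path = "/";` stores a string literal in base.path, and the following `base.path = absolute.path;` then makes base share absolute's path pointer, so base must not be passed to ne_uri_free() (or anything else that frees or writes through base.path) in either state. The hunk does not show how base is initialised or released, so a one-line comment saying that base.path is only borrowed here would keep that invariant visible to later maintainers. The retained comment "Resolve relative to the Request-URI" also no longer matches the code, since the relative URI is now resolved against the root path "/"; it should be reworded to say so.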