Re: CSSA-2003-007.0 Advisory withdrawn.

[Mark J Cox <mjc () apache org>]

-----BEGIN PGP SIGNED MESSAGE-----

Just to clarify this a bit further, the mod_dav module for Apache is not
vulnerable to the format string vulnerability (as outlined in the original
advisory from SCO, CAN-2002-0842)

mod_dav contains code that logs various errors and uses ap_log_rerror() to
do so.  In mod_dav for Apache, ap_log_rerror is never called with strings
that can be influenced by a remote user.

Now Oracle added code to their version of mod_dav to log gateway errors,
but gateway errors contain strings that can be controlled by a remote
user.  Therefore Oracle was vulnerable to a format string issue, but no
base release of Apache with mod_dav was vulnerable.

We did some research this morning after SCO released their advisory.  
According to their ftp site SCO shipped OpenLinux with a standard copy of
mod_dav which was not vulnerable to this format string issue.  Their
advisory, CSSA-2003-007.0 referenced new packages where they added a patch
which, unfortunately, added in code to log of gateway errors and contained
a format string vulnerability.

Thanks, Mark 






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQCVAwUBPlKFj+6tTP1JpWPZAQE6awQA43RYlKHCZME4KszH/zDOMbuTeTUybvaW
GWP88jowg0+JtVDl+D7JFGFxdgrrxBD/sWTPRV361l3TKUYXnXcuDIW2OnWdWRtq
4zulMANv1kFs/mqRPz1naJ+hZPaVrYKVxSv2mhDz4fjohsBjUVlNOuaoosONl0se
lWS9MFQTRaI=
=mhD7
-----END PGP SIGNATURE-----