Security fix for Shibboleth SP and nul character in certs

Russ Allbery rra at debian.org
Fri Sep 18 01:57:55 UTC 2009


Scott, is this the correct hunk of the multiple changes between 2.2 and
2.2.1 to pull out for the security vulnerability?  I'm working on
preparing patches for Debian stable.  We would generally encourage people
to use the backports I'm also working on, since there are a ton of other
bug fixes, but I would feel more comfortable getting the vulnerabilities
patched in the versions shipping with stable.

There were a fair number of other changes, and my C++ was never very good,
so I'm not completely sure I identified the right hunk or got all of it.

diff --git a/apache/mod_apache.cpp b/apache/mod_apache.cpp
index c5106dd..c5fabab 100644
--- a/apache/mod_apache.cpp
+++ b/apache/mod_apache.cpp
@@ -1114,8 +1114,9 @@ AccessControl::aclresult_t htAccessControl::authorized(const SPRequest& request,
                         re=temp;
                     }
                     
-                    for (; !status && attrs.first!=attrs.second; ++attrs.first) {
-                        if (checkAttribute(request, attrs.first->second, w, regexp ? re.get() : NULL)) {
+                    pair<multimap<string,const Attribute*>::const_iterator,multimap<string,const Attribute*>::const_iterator> attrs2(attrs);
+                    for (; !status && attrs2.first!=attrs2.second; ++attrs2.first) {
+                        if (checkAttribute(request, attrs2.first->second, w, regexp ? re.get() : NULL)) {
                             status = true;
                         }
                     }
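Review bot: nothing in this hunk touches certificate or subject-name handling, so on the visible lines it does not look like the fix for the NUL-character-in-certificate issue named in the subject. What the two replaced lines fix is iterator consumption in htAccessControl::authorized: the old loop advanced `attrs.first` in place, so once it had run for one value `w` the range was empty for any further value checked against the same `attrs`, and `status` could only ever become true for the first one (the failure mode is a denial, since `status = true` is the only assignment). Copying the range into `attrs2` before each pass restores matching for every listed value. That is a genuine authorization bug worth carrying into a stable update, but if the stable advisory is specifically about NUL bytes in certificate names, the relevant change should be looked for in the code that compares certificate subject strings, not in this hunk. Minor style point: a typedef for `multimap<string,const Attribute*>::const_iterator` would make the new `pair<...> attrs2(attrs);` line readable without wrapping.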

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


