[Mod_gzip] any idea about security bugs reported on oreillynet.com
mod_gzip@lists.over.net
mod_gzip@lists.over.net
Tue, 17 Jun 2003 20:21:13 +0200
Hi Jin,
> Just looked at the source code of mod_gzip -1.3.26.1a. and
> learned that 'debug' is turned off by default.
> Thus the security bug mentioned in my last email should not
> be a problem to most users.
>
> For those who turned debug on, comment the 'MOD_GZIP_DEBUG1'
> declaration line, recompile and it will be fine.
Thanks for posting this (I have just been offline for
holidays recently).
Just to confirm your statement, and make things clear to
all users on the list:
Matthew Murphy contacted me and Christian Kruse via mail,
and we discussed the issue.
Christian stated that all three problems are related to
the debugging code only, which isn't compiled in by
default, and even should not be compiled in for any
productive installation (thus there is not even a "make"
target for doing that, you need to edit either the source
code or the Makefile - Christian has his own Makefile for
sure, different from the one generated by "configure").
Therefore Matthew published these security problems at
bugtraq as he did, noting them to be of "minimal impact".
(http://lists.insecure.org/lists/bugtraq/2003/Jun/0024.html)
Christian then told me he is already working on some new
mod_gzip release and will then care about these security
problems as well - but please don't ask me (or him ...)
about any time schedule.
And when it comes to security issues, I don't actually
dare to implement a fix myself, having not used the C
language for about 5 years now. So I rather tell you
what's the status than improvising any "solution" ...
Regards, Michael
P.S.: As I am just posting here - this isn't quite recent
stuff, but hasn't been posted here on the list yet
AFAIK:
The mod_gzip installation document
http://www.schroepl.net/projekte/mod_gzip/install.htm
has substantially improved during spring of 2003, compared
to the version you may know from getting the mod_gzip
1.3.26.1a download.
It is still far from being perfect, but may be worth a
look if you want to know just how many possibilities
there are to install mod_gzip.
Any suggestions about this one are always welcome ...
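Since the whole issue hinges on whether the MOD_GZIP_DEBUG1 debugging code was compiled in, an administrator may want to audit a mod_gzip source tree or Makefile for it before building. The following shell script is an added example, not code from this mail or from the mod_gzip project; it assumes the declaration is either a C `#define MOD_GZIP_DEBUG1` line in the source or a `-DMOD_GZIP_DEBUG1` compiler flag in a Makefile, and only recognises comments that start and end on the same line.

```shell
#!/bin/sh
# Added example (not part of the original mail or of mod_gzip): audit a
# mod_gzip source tree for an active MOD_GZIP_DEBUG1 declaration, i.e. the
# debugging build that should not be compiled into a production module.
# Assumptions: the declaration is a C "#define MOD_GZIP_DEBUG1" line in the
# source, or a "-DMOD_GZIP_DEBUG1" flag in a Makefile/CFLAGS line.

# Returns 0 (true) if the file enables the debug build, 1 otherwise.
# A #define that sits after "//" or inside a "/* ... */" on the same line
# is treated as commented out (multi-line block comments are not handled).
mod_gzip_debug_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    sed -e 's|//.*$||' -e 's|/\*.*\*/||g' "$file" \
      | grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+MOD_GZIP_DEBUG1([^A-Za-z0-9_]|$)|-DMOD_GZIP_DEBUG1([^A-Za-z0-9_]|$)'
}

# Scan a directory tree (C sources, headers, Makefiles) and print every
# file that turns the debug build on. Returns 0 if any was found, 1 if the
# tree is clean, so it can be used as a pre-build gate.
audit_mod_gzip_tree() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name 'Makefile*' \) -print |
    while IFS= read -r f; do
        mod_gzip_debug_enabled "$f" && echo "debug build enabled in: $f"
    done | grep .
}

# Usage: audit_mod_gzip_tree /path/to/mod_gzip-1.3.26.1a
```

Run it against the unpacked source directory; a non-empty listing means the debug declaration is live and the module should not be built from that tree as-is.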