- fix for possible format string problem

  (doesn't affect directly mod_dav, but can lead to security hole in
   connection with some other programs - e.g. Oracle 9i)

Changed files:
    apache-mod_dav-format.patch -> 1.1
    apache1-mod_dav-format.patch -> 1.1

diff --git a/apache-mod_dav-format.patch b/apache-mod_dav-format.patch
new file mode 100644 (file)
index 0000000..890eb8f
--- /dev/null
+++ b/apache-mod_dav-format.patch
@@ -0,0 +1,11 @@
+--- mod_dav-1.0.3-1.3.6/mod_dav.c.orig Sun Sep 23 00:22:39 2001
++++ mod_dav-1.0.3-1.3.6/mod_dav.c      Wed Feb 26 15:07:31 2003
+@@ -2298,7 +2298,7 @@
+       if (lookup.err.status == HTTP_BAD_REQUEST) {
+           /* This supplies additional information for the default message. */
+           ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
+-                        lookup.err.desc);
++                        "%s", lookup.err.desc);
+           return HTTP_BAD_REQUEST;
+       }
+ 

diff --git a/apache1-mod_dav-format.patch b/apache1-mod_dav-format.patch
new file mode 100644 (file)
index 0000000..890eb8f
--- /dev/null
+++ b/apache1-mod_dav-format.patch
@@ -0,0 +1,11 @@
+--- mod_dav-1.0.3-1.3.6/mod_dav.c.orig Sun Sep 23 00:22:39 2001
++++ mod_dav-1.0.3-1.3.6/mod_dav.c      Wed Feb 26 15:07:31 2003
+@@ -2298,7 +2298,7 @@
+       if (lookup.err.status == HTTP_BAD_REQUEST) {
+           /* This supplies additional information for the default message. */
+           ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
+-                        lookup.err.desc);
++                        "%s", lookup.err.desc);
+           return HTTP_BAD_REQUEST;
+       }
+