Bug 49115 (CVE-2004-0096)

Summary: VUL-0: CVE-2004-0096: mod_python: query string can crash apache
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0096: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patchinfo-box.modpython
patchinfo.modpython
Proposed patch (diff between mod_python-2.7 patchlevel 8 and 10)

Description Thomas Biege 2004-01-23 20:09:16 UTC
Date: Fri, 23 Jan 2004 12:46:55 +0100 
From: Peter Poeml <poeml@suse.de> 
Reply-To: security-team@suse.de 
To: security-team@suse.de 
Subject: [security-team] (forw) [ANNOUNCE] Mod_python 2.7.10 
Parts/Attachments: 
   1.1   Shown    ~11 lines  Text 
   1.2   Shown    2.9 KB     Message, "[ANNOUNCE] Mod_python 2.7.10" 
   1.2.1 Shown     34 lines  Text 
   2              205 bytes  Application 
---------------------------------------- 
 
Hi, 
 
This should affect us. We have version 2.7.8 everywhere. 
(sles8 and box) 
 
We can do a version update to 2.7.10. 
 
Peter 
 
-- 
Thought is limitation. Free your mind. 
 
    [ Part 1.2: "Included Message" ] 
 
Date: Thu, 22 Jan 2004 19:14:15 -0500 (EST) 
From: "Gregory (Grisha) Trubetskoy" <grisha@apache.org> 
To: announce@httpd.apache.org, mod_python@modpython.org 
Cc: python-dev@httpd.apache.org 
Newsgroups: comp.lang.python 
Subject: [ANNOUNCE] Mod_python 2.7.10 
 
 
The Apache Software Foundation and The Apache HTTP Server Project are 
pleased to announce the release of version 2.7.10 of mod_python. 
 
This release addresses a vulnerability in mod_python 2.7.9 whereby a 
specific query string processed by mod_python would cause the httpd 
process to crash. 
 
The previously released version 2.7.9 was supposed to correct this issue, 
but is still vulnerable. 
 
There are no other changes or improvements from the previous version in 
this release. 
 
If you are currently using mod_python 2.7.9 or earlier, it is highly 
recommended that you upgrade to 2.7.10 as soon as possible. 
 
If you are using mod_python 3.0.4, no action is necessary. 
 
Mod_python is available for download from: 
 
http://httpd.apache.org/modules/python-download.cgi 
 
For more information about mod_python visit 
http://www.modpython.org/ 
 
Regards, 
 
Grisha Trubetskoy
Comment 1 Thomas Biege 2004-01-23 20:09:16 UTC
Comment 2 Thomas Biege 2004-01-23 20:21:35 UTC
Created attachment 15735
patchinfo-box.modpython
Comment 3 Thomas Biege 2004-01-23 20:22:17 UTC
Created attachment 15736
patchinfo.modpython
Comment 4 Peter Poeml 2004-02-10 20:29:45 UTC
Created attachment 15929
Proposed patch (diff between mod_python-2.7 patchlevel 8 and 10)
Comment 5 Peter Poeml 2004-02-10 20:40:57 UTC
I recommend updating all mod_python packages to 2.7.10. We have 2.7.8
in all packages, because we previously updated all packages to that
version/patchlevel. As compared to 2.7.8, 2.7.10 contains only the fix,
updated HTML documentation, and one hunk defining the LONG_LONG which
disappeared in Python 2.3. The latter hunk is not needed in our packages
and we could drop it, but it shouldn't harm.

I need the okay from SLES and SUSE Linux project managers.

Ralf, please comment; and could you please re-assign to <aj> thereafter?
Comment 6 Peter Poeml 2004-02-10 20:58:56 UTC
I forgot to mention, for apache2-mod_python (3.0.3) there is an
equivalent patch to 3.0.4. Same situation here.
apache2-mod_python is shipped only with SUSE LINUX 9.0.
Comment 7 Peter Poeml 2004-02-16 21:58:45 UTC
I have just submitted the patchinfo files.
Comment 8 Peter Poeml 2004-02-16 22:05:19 UTC
Comment #7: Stupid mistake -- patchinfo files deleted, since the
packages are not even submitted. 

Status: still waiting for approval on fixing the packages. (work is
already done)

Let's try Andreas...
Comment 9 Andreas Jaeger 2004-02-16 22:27:50 UTC
The patch looks ok but Ralf has to approve this.  Next time please ask
first before doing any work on released products!
Comment 10 Ralf Flaxa 2004-02-16 22:33:10 UTC
The patch looks ok. It is a version update, but if you look at the patch 
it really only fixes the security issue. 
 
Thorsten, could the version update break any dependencies? 
If so, then we should apply the patch but stay with the version we have. 
 
Approval from my side to release this patch. 
 
Comment 11 Peter Poeml 2004-02-16 22:57:39 UTC
Thanks.

Clarification: I did _not_ work on the released product. No packages are
checked in, yet. 

I only looked at the feasibility of fixing mod_python and built a test
package for myself. The rest of the work (fixing the actual packages) is
a finger exercise and will take only a few minutes.
Comment 12 Thorsten Kukuk 2004-02-17 00:16:54 UTC
Since only apache loads this module and no autobuild package 
depends on it, we can make whatever we wish, as long as the python 
interpreter is compatible and apache can load it. 
Comment 13 Peter Poeml 2004-02-17 01:17:12 UTC
Packages and patchinfo files have been submitted for autobuild.

Thomas, I assign to you for further processing.
Comment 14 Thomas Biege 2004-03-15 18:54:12 UTC
packages approved (YOU only test). 
Comment 15 Marcus Meissner 2007-12-04 07:37:29 UTC
CVE-2004-0096
Comment 16 Thomas Biege 2009-10-13 19:59:34 UTC
CVE-2004-0096: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)