Bugzilla – Bug 47756
VUL-0: CVE-2003-0789: apache1/2: new releases fix security updates
Last modified: 2021-09-29 14:39:10 UTC
Hi, the following goes through vendor-sec:

Date: Tue, 28 Oct 2003 10:03:09 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Apache security issues headsup

Hi folks; if you take a look at http://httpd.apache.org/dist/ you'll see new Apache 1.3 and 2.0 packages which are due to be public probably today.

Apache 1.3.29 is released to fix:

Local configuration regular expression overflow CAN-2003-0542

By using a regular expression with more than 9 captures a buffer overflow can occur in mod_alias or mod_rewrite. To exploit this an attacker would need to be able to create a carefully crafted configuration file (.htaccess or httpd.conf)

Affects: 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

Patch: http://marc.theaimsgroup.com/?l=apache-cvs&m=106701190026083

Apache 2.0.48 is released to fix:

CGI output information leak CAN-2003-0789

A bug in mod_cgid mishandling of CGI redirect paths can result in CGI output going to the wrong client when a threaded MPM is used.

Affects: 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

Patch: http://marc.theaimsgroup.com/?l=apache-cvs&m=106701342628232

Local configuration regular expression overflow CAN-2003-0542

By using a regular expression with more than 9 captures a buffer overflow can occur in mod_alias or mod_rewrite. To exploit this an attacker would need to be able to create a carefully crafted configuration file (.htaccess or httpd.conf)

Affects: 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

Patch: http://marc.theaimsgroup.com/?l=apache-cvs&m=106701237626717
I started working on it.
additional comments:

Date: Wed, 29 Oct 2003 11:51:19 +0100
From: Ralf S. Engelschall <rse+openpkg-security@openpkg.org>
Reply-To: rse@engelschall.com
To: vendor-sec@lst.de
Cc: openpkg-team@openpkg.org
Subject: Re: [vendor-sec] Apache security issues headsup

On Tue, Oct 28, 2003, Mark J Cox wrote:

> Hi folks; if you take a look at http://httpd.apache.org/dist/ you'll see
> new Apache 1.3 and 2.0 packages which are due to be public probably today.
>
> Apache 1.3.29 is released to fix:
>
> Local configuration regular expression overflow CAN-2003-0542
>
> By using a regular expression with more than 9 captures a buffer
> overflow can occur in mod_alias or mod_rewrite. To exploit this an
> attacker would need to be able to create a carefully crafted
> configuration file (.htaccess or httpd.conf)
>
> Affects: 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19,
> 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2,
> 1.3.1, 1.3.0
>
> Patch: http://marc.theaimsgroup.com/?l=apache-cvs&m=106701190026083

Just for additional information before more people investigate and try to understand the patch for Apache 1.3 in more detail: For the OpenPKG security advisory related to this issue we yesterday looked in more detail on this issue, especially, whether the patch is sufficient enough and does not introduce new problems. In advance, yes, we also think it sufficiently fixes the problems. Nevertheless, we think the fixes are not a really clean solution and just work because of lucky (intentional or not intentional) arrangements.

The main point is that previously the actual number of used clustering parenthesis ("re_nsub" field of "regmatch_t") were checked while now the maximum allowed (AP_MAX_REG_MATCH = 10) are checked during substitution iteration over the result array (see mod_rewrite.c:2445 and util.c:314). That's fine if the used number would be larger than the maximum allowed, because then no buffer overflow can happen, etc.

But if the used number is lower (the usual case), the array iteration now still goes for the maximum number of possible results! Luckily, the embedded regex library initializes the unused elements in the result array ("regmatch_t") with "rm_eo" and "rm_so" set to -1 and luckily the two code parts doing the problematic iterations have an extra sanity check for "rm_eo > rm_so" and so no bad side-effects are happening during the iteration over unused "regmatch_t" elements.

So, be not confused if you try to understand why the fixed code still works and does not segfault. It is because of this subtle detail. The correct solution IMHO would be to calculate the minimum between the used (re_nsub) and maximum (AP_MAX_REG_MATCH) number of elements and iterate always over just this calculated number of elements. But ok...

Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com
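The iteration detail Ralf describes, as an added illustration in C that is neither Apache's code nor the patch itself: a capture array sized by AP_MAX_REG_MATCH (10, the value given in the mail), the pre-fix nmatch of re_nsub+1 that overruns that array once a pattern has 10 or more captures, the post-fix shape where regexec() is given the array size and the substitution walks all 10 entries relying only on the rm_so < rm_eo guard (unused entries come back as -1, which POSIX regexec() guarantees, as the embedded library does), and the min(re_nsub+1, AP_MAX_REG_MATCH) bound he suggests instead. The function names, the $N substitution syntax and the patterns and inputs are constructed for this example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Same fixed capture-array size as Apache (value taken from the mail). */
#define AP_MAX_REG_MATCH 10

/* Pre-fix sizing: one entry per capture plus the whole match.  Passed to
   regexec() together with a 10-entry array this writes past the buffer
   as soon as the pattern has 10 or more captures. */
size_t vulnerable_nmatch(size_t re_nsub) { return re_nsub + 1; }

int would_overflow(const regex_t *re)
{
    return vulnerable_nmatch(re->re_nsub) > AP_MAX_REG_MATCH;
}

/* Ralf's suggestion: iterate only over min(used, maximum) entries. */
size_t safe_nmatch(size_t re_nsub)
{
    size_t n = re_nsub + 1;
    return n > AP_MAX_REG_MATCH ? AP_MAX_REG_MATCH : n;
}

/* Post-fix call shape: regexec() is told the array size, never more.
   Entries beyond the pattern's captures come back with rm_so = rm_eo = -1. */
int match_bounded(const regex_t *re, const char *input,
                  regmatch_t pmatch[AP_MAX_REG_MATCH])
{
    return regexec(re, input, AP_MAX_REG_MATCH, pmatch, 0) == 0;
}

/* Expand $0..$9 in 'source' from 'pmatch' into 'out'.  Walking all nmatch
   entries is harmless only because of the rm_so < rm_eo guard: for an
   unused (-1, -1) entry it is false, so nothing is copied.
   Returns the output length, or -1 if 'out' is too small. */
int expand(const char *source, const char *input, const regmatch_t *pmatch,
           size_t nmatch, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *s = source; *s; s++) {
        if (*s == '$' && s[1] >= '0' && s[1] <= '9') {
            size_t no = (size_t)(s[1] - '0');
            s++;                                   /* consume the digit */
            if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
                size_t len = (size_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
                if (o + len >= outlen) return -1;
                memcpy(out + o, input + pmatch[no].rm_so, len);
                o += len;
            }
            continue;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *s;
    }
    out[o] = '\0';
    return (int)o;
}

/* Compile 'pattern', match 'input' with the bounded call and expand
   'source'.  Returns the pattern's capture count (re_nsub) or -1 on
   failure; *overflow reports whether the pre-fix nmatch would have
   exceeded the 10-entry array. */
int run_example(const char *pattern, const char *input, const char *source,
                char *out, size_t outlen, int *overflow)
{
    regex_t re;
    regmatch_t pmatch[AP_MAX_REG_MATCH];
    int rc = -1;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    *overflow = would_overflow(&re);
    if (match_bounded(&re, input, pmatch) &&
        expand(source, input, pmatch, AP_MAX_REG_MATCH, out, outlen) >= 0)
        rc = (int)re.re_nsub;
    regfree(&re);
    return rc;
}

int main(void)
{
    char out[64];
    int ov;
    /* Constructed: 12 captures, more than 9, so the old call would overrun. */
    int n = run_example("^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)(l)$",
                        "/abcdefghijkl", "$1$2$9", out, sizeof out, &ov);
    printf("captures=%d old_nmatch=%zu overflow=%d bounded=%zu out=%s\n",
           n, vulnerable_nmatch((size_t)n), ov, safe_nmatch((size_t)n), out);
    /* Constructed: 3 captures; $4 hits an unused (-1,-1) slot and is skipped. */
    n = run_example("^/(x)(y)(z)$", "/xyz", "[$3$4$0]", out, sizeof out, &ov);
    printf("captures=%d overflow=%d out=%s\n", n, ov, out);
    return 0;
}
```

The second call is the "usual case" from the mail: the walk visits entries 4 to 9 even though the pattern has only three captures, and the guard is the only thing keeping those visits side-effect free.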
Proposed putonftp text:

Security update: This update fixes a vulnerability in the apache package, known as Local configuration regular expression overflow (CAN-2003-0542), which could allow a remote attacker the execution of arbitrary code. When configuring a regular expression with more than 9 captures, buffer overflows in mod_alias and mod_rewrite were possible.
EOT

German text (translated):

Security update for the apache package. This update closes a security hole known as "Local configuration regular expression overflow (CAN-2003-0542)", which potentially allows the execution of arbitrary code over the network. A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 capturing parenthesis pairs was configured.
EOT
> Date: Wed, 29 Oct 2003 17:03:32 +0100
> From: Peter Poeml <poeml@suse.de>
> To: suse-dist@suse.de
> Cc: security-team@suse.de
> Subject: [SUSE-DIST] Apache1 security updates
>
> [-- PGP output follows (current time: Wed 29 Oct 2003 05:13:28 PM CET) --]
> gpg: Signature made Wed 29 Oct 2003 05:03:32 PM CET using DSA key ID EFB694EA
> gpg: Good signature from "Peter Poeml <poeml@suse.de>"
> [-- End of PGP output --]
>
> [-- The following data is signed --]
>
> Hi,
>
> I submitted apache1 packages with a fix for
> http://bugzilla.suse.de/show_bug.cgi?id=32756
> (patch taken from apache-1.3 CVS)
>
> /work/SRC/old-versions/7.2/arch/sles-i386/apache -> /work/src/done/SLES7
> /work/SRC/old-versions/7.2/arch/sles-s390x/apache -> /work/src/done/SLES7-s390x
> /work/SRC/old-versions/7.3/all/apache -> /work/src/done/7.3
> /work/SRC/old-versions/8.0/all/apache -> /work/src/done/8.0
> /work/SRC/old-versions/8.1/UL/all/apache -> /work/src/done/8.1
> /work/SRC/old-versions/8.2/all/apache -> /work/src/done/8.2
> /work/SRC/old-versions/9.0/all/apache -> /work/src/done/9.0
>
> I have fixed /work/SRC/old-versions/7.2/all/apache too because
> sles7-ia64 is based on it and it's listed as maintained; however, there
> is no /work/src/done/7.2 directory any longer, and I would need advice
> on how to proceed.
>
> For 8.0, I additionally removed ghost file entries for log files that
> trip our patchrpm scripts since recently (a change that has already been
> done for 8.1 in the past).

[...]

Addition to comment #4: those putonftps were for apache1.
As the 1.3.29 changelog also states,

* Prevent creation of subprocess Zombies when using CGI wrappers such as suEXEC and cgiwrap. PR 21737.

our announcement should mention that this problem was already fixed in the 1.3.28 packages that shipped with 9.0. (Earlier packages were not affected at all.)
Now to apache2: I think this is a good occasion to address the bugs from Bug 42822. I'm currently checking what's the best course of action.
For apache2, the list of open security issues in our 8.2 and 8.1 packages is now quite long:

Security [CAN-2003-0789]: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script.

Security [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.

Security [CAN-2003-0192]: Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one.

Security [CAN-2003-0253]: Fixed a bug in prefork MPM causing temporary denial of service when accept() on a rarely accessed port returns certain errors.

Security [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial of service when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by the reporter.

Security [VU#379828]: Prevent the server from crashing when entering infinite loops. The new LimitInternalRecursion directive configures limits of subsequent internal redirects and nested subrequests, after which the request will be aborted. PR 19753+

As Chris already gave his okay to update those packages from 2.0.46 to 2.0.47 in Bug 42822, I assume that now an update to 2.0.48 should be okay, too. There are no changes between .47 and .48 that pose a problem here. There is a configuration change regarding the manual that I have to account for in my packages (that change was already in .47). Apart from that, I have the packages ready. Chris, can you give your okay to this?

In 9.0, where we have .47, an update to .48 would be an option as well. Staying at .47 is possible, patches are not published, but can be taken from CVS. Rebuilding the package with .48 is less work and fixes more bugs. Guess what I suggest :)

[reassigning to Chris to help with the decision]
Ok, go ahead. But these version updates should not become a habit with apache!
Of course, such decisions need to be done case by case.

Proposed putonftp for 8.1 and 8.2 (I handled them before 9.0 because their userbase is still much higher):

ALL 8.2-ALL %UPDATE8.2 clsdxp
Security update: These packages update the Apache server to version 2.0.48. In addition to a number of bug fixes, the security problems registered as CAN-2003-0789, CAN-2003-0542, CAN-2003-0192, CAN-2003-0253, CAN-2003-0254, and VU#379828 have been fixed, most of which could in some conditions result in a local Denial of Service attack, or, in one case, in a buffer overflow. You should restart apache2 after applying this update.
EOT

German text (translated):

Security update: This update contains version 2.0.48 of the Apache server. In addition to fixing a number of bugs, the security problems that became known under the IDs CAN-2003-0789, CAN-2003-0542, CAN-2003-0192, CAN-2003-0253, CAN-2003-0254 and VU#379828 have been fixed. With one exception (a possible buffer overflow in some configurations), these were possible DoS attacks in certain constellations. Apache2 should be restarted after installing the package.
EOT
The description of the security issues was not complete. Better:

ALL 8.2-ALL %UPDATE8.2 clsdxp
Security update: These packages update the Apache server to version 2.0.48. In addition to a number of bug fixes, the security problems registered as CAN-2003-0789, CAN-2003-0542, CAN-2003-0192, CAN-2003-0253, CAN-2003-0254, and VU#379828 have been fixed, most of which could in some conditions result in a Denial of Service attack; in one case, a possible buffer overflow was fixed, and a problem with cipher choice in per-directory SSL renegotiation was found. You should restart apache2 after applying this update.
EOT

German text (translated):

Security update: This update contains version 2.0.48 of the Apache server. In addition to fixing a number of bugs, the security problems that became known under the IDs CAN-2003-0789, CAN-2003-0542, CAN-2003-0192, CAN-2003-0253, CAN-2003-0254 and VU#379828 have been fixed. These were, first, a possible buffer overflow in some configurations; second, a problem with selecting the strongest algorithm when it was renegotiated per directory under SSL; and, in the remaining cases, DoS attacks that were possible in some constellations. Apache2 should be restarted after installing the package.
EOT
Proposed putonftp for 9.0:

ALL 9.0-ALL %UPDATE9.0 clsdxp
Security update: These packages update the Apache server to version 2.0.48. In addition to a number of bug fixes, two security problems have been fixed: mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used (CAN-2003-0789); a buffer overflow could occur in mod_alias and mod_rewrite if a regular expression with more than 9 captures was configured (CAN-2003-0542). You should restart apache2 after applying this update.
EOT

German text (translated):

Security update: This update contains version 2.0.48 of the Apache server. In addition to fixing a number of bugs, two security problems have been fixed: when using a thread-capable MPM, incorrect handling of CGI redirects in mod_cgid could cause CGI output to be delivered to the wrong client (CAN-2003-0789); a buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 capturing parenthesis pairs was applied (CAN-2003-0542). Apache2 should be restarted after installing the package.
EOT

Package submitted (with this putonftp).
Thank you!
All packages have been checked in. I'll re-assign to the security-team for closure of the bug.
Packages are approved.
CVE-2003-0789: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)