Bug 829057 – VUL-1: CVE-2013-1862: apache2: mod_rewrite: escape logdata to avoid terminal escapes

Bug 829057 - (CVE-2013-1862) VUL-1: CVE-2013-1862: apache2: mod_rewrite: escape logdata to avoid terminal escapes

(CVE-2013-1862)
Summary:	VUL-1: CVE-2013-1862: apache2: mod_rewrite: escape logdata to avoid terminal...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp1:53829 maint:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2013-07-11 13:14 UTC by Marcus Meissner
Modified:	2018-10-19 18:12 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
foo.txt (32 bytes, text/plain) 2013-11-28 09:57 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2013-07-11 13:14:38 UTC

+++ This bug was initially created as a clone of Bug #829056 +++

is public, via apache2

http://www.apache.org/dist/httpd/Announcement2.2.html

 Apache HTTP Server 2.2.25 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.2.25 of the Apache HTTP Server ("Apache"). This version of Apache is principally a security and bug fix legacy release, including the following security fixes:

    SECURITY: CVE-2013-1896 (cve.mitre.org) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.
    SECURITY: CVE-2013-1862 (cve.mitre.org) mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

The Apache HTTP Project thanks Ben Riser and Ramiro Molina for bringing these issues to the attention of the project security team.

Comment 1 Swamp Workflow Management 2013-07-11 22:00:23 UTC

bugbot adjusting priority

Comment 2 Marcus Meissner 2013-07-19 15:11:58 UTC

CONFIRM:http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=r1469311
CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=953729

Comment 3 Marcus Meissner 2013-07-19 15:13:39 UTC

affects SLE10 and SLE11 apaprently.

Comment 5 Bernhard Wiedemann 2013-07-30 12:00:30 UTC

This is an autogenerated message for OBS integration:
This bug (829057) was mentioned in
https://build.opensuse.org/request/show/184942 Evergreen:11.2 / apache2
https://build.opensuse.org/request/show/184943 Maintenance /

Comment 6 Roman Drahtmueller 2013-07-30 12:12:08 UTC

packages submitted to sle11, sle10, openSUSE-12.{2,3} and evergreen 11.{2,4} codebases.
Reassigning to security-team@ for further processing.
Unfortunately, the maintenancerequest for openSUSE went wrong, the packages were solely submitted to their parent project.

Comment 7 Bernhard Wiedemann 2013-07-30 13:00:13 UTC

This is an autogenerated message for OBS integration:
This bug (829057) was mentioned in
https://build.opensuse.org/request/show/184944 Maintenance / 
https://build.opensuse.org/request/show/184945 Maintenance /

Comment 8 Swamp Workflow Management 2013-08-14 01:08:06 UTC

openSUSE-SU-2013:1337-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 829056,829057
CVE References: CVE-2013-1862,CVE-2013-1896
Sources used:
openSUSE 12.2 (src):    apache2-2.2.22-4.18.1

Comment 9 Swamp Workflow Management 2013-08-14 01:10:30 UTC

openSUSE-SU-2013:1340-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 829056,829057
CVE References: CVE-2013-1862,CVE-2013-1896
Sources used:
openSUSE 12.3 (src):    apache2-2.2.22-10.8.1

Comment 10 Swamp Workflow Management 2013-08-14 07:04:41 UTC

openSUSE-SU-2013:1341-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 829056,829057
CVE References: CVE-2013-1862,CVE-2013-1896
Sources used:
openSUSE 11.4 (src):    apache2-2.2.17-4.72.1

Comment 11 Bernhard Wiedemann 2013-08-23 06:00:40 UTC

This is an autogenerated message for OBS integration:
This bug (829057) was mentioned in
https://build.opensuse.org/request/show/196053 Evergreen:11.2 / apache2

Comment 12 Swamp Workflow Management 2013-08-26 09:05:22 UTC

Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 13 Swamp Workflow Management 2013-08-26 11:04:59 UTC

Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 14 Swamp Workflow Management 2013-08-26 11:32:41 UTC

Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 15 Swamp Workflow Management 2013-08-26 12:04:29 UTC

Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 16 Matthias Weckbecker 2013-08-27 10:17:05 UTC

released

Comment 17 Andrej Semen 2013-11-27 14:27:36 UTC

for qa maintenance testing could you be so kind to provide a reproducer?

Comment 18 Marcus Meissner 2013-11-28 09:57:41 UTC

Created attachment 569491 [details]
foo.txt

nc server 80 <foo.txt

then in the logfile it should have: \x1b  and not the escape charactert iself.


GOOD:
42.42.42.42 - - [28/Nov/2013:10:54:22 +0100] "GET /\x1b[43m hallo\x1b[0m HTTP/1.0" 403 986 "-" "-"

Comment 19 Marcus Meissner 2013-11-28 09:57:53 UTC

provided

Comment 20 Andrej Semen 2013-11-28 16:16:14 UTC

I do not see a difference in log file before and after 

before:
10.120.4.103 - - [28/Nov/2013:17:13:39 +0100] "GET /\x1b[43m hallo\x1b[0m HTTP/1.0" 404 1052 "-" "-"

after:
10.120.4.103 - - [28/Nov/2013:17:15:41 +0100] "GET /\x1b[43m hallo\x1b[0m HTTP/1.0" 404 1051 "-" "-"


could you be so kind to help me on this?

Comment 21 Marcus Meissner 2013-11-30 10:07:01 UTC

(its in the rewrite log, not in regular access.log ... told andrej offline)

Comment 22 Swamp Workflow Management 2013-12-04 16:49:23 UTC

Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
SLES4VMWARE 11-SP1-LTSS (i386, x86_64)

Comment 23 Marcus Meissner 2013-12-04 16:55:51 UTC

done