Bug 10333

Summary: apache-mod_security new security issue CVE-2013-2765
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: guillomovitch, oe, sysadmin-bugs
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/553177/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: apache-mod_security-2.7.3-1.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-05-28 19:41:59 CEST
Upstream has released 2.7.4 to fix a DoS issue:
http://openwall.com/lists/oss-security/2013/05/28/4

Link to the upstream commit is in that post.

Oden has already updated it in Cauldron, so it needs updates for Mageia 2 and 3.

David Walser 2013-05-28 19:42:29 CEST

CC: (none) => guillomovitch, oe
Whiteboard: (none) => MGA2TOO

Comment 1 Oden Eriksson 2013-05-31 08:59:23 CEST
From: yjaaidi@shookalabs.com
To: bugtraq@securityfocus.com
Subject: [SECURITY][CVE-2013-2765][ModSecurity] Remote Null Pointer Dereference

CVE Number: CVE-2013-2765 / ModSecurity Remote Null Pointer Dereference


When ModSecurity receives a request body with a size bigger than the
value set by the "SecRequestBodyInMemoryLimit" and with a
"Content-Type" that has no request body processor mapped to it,
ModSecurity will systematically crash on every call to
"forceRequestBodyVariable" (in phase 1).

In addition to the segfault that occurs here, ModSecurity will not
remove the temporary request body file and the temporary directory
(set by the "SecTmpDir" directive) will keep growing until saturation.

Details : http://www.shookalabs.com/#advisory-cve-2013-2765

Exploit : https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py

Solution : Upgrade to 2.7.4 https://www.modsecurity.org
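
A defender-side check for the condition the advisory above describes, as an added example that is not part of the original bug report or of ModSecurity: it scans ModSecurity configuration text for rules that enable ctl:forceRequestBodyVariable, records their phase, and reports the SecRequestBodyInMemoryLimit and SecTmpDir values. The sample configuration, rule IDs and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (not from the page or any real deployment).
SAMPLE_CONF = r'''
SecRequestBodyAccess On
SecRequestBodyInMemoryLimit 131072
SecTmpDir /var/lib/mod_security/tmp
# SecRule ARGS "x" "id:9,phase:1,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@beginsWith /upload" \
    "id:1001,phase:1,pass,nolog,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@beginsWith /api" \
    "id:1002,phase:2,pass,nolog,ctl:forceRequestBodyVariable=On"
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:1003,phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
'''

def logical_lines(text):
    """Join backslash-continued lines and drop blanks and # comments."""
    joined = re.sub(r'\\\r?\n', ' ', text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line

def audit(text):
    """Collect the directives and rules named in the advisory."""
    report = {'in_memory_limit': None, 'tmp_dir': None, 'force_rules': []}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        name = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ''
        if name == 'secrequestbodyinmemorylimit':
            report['in_memory_limit'] = int(rest)
        elif name == 'sectmpdir':
            report['tmp_dir'] = rest.strip('"')
        elif name in ('secrule', 'secaction') and re.search(
                r'ctl:forcerequestbodyvariable=on', rest, re.I):
            rule_id = re.search(r'\bid:\'?(\d+)', rest)
            phase = re.search(r'\bphase:\'?(\d)', rest)
            report['force_rules'].append({
                'id': rule_id.group(1) if rule_id else None,
                'phase': int(phase.group(1)) if phase else None,  # None: inherited
            })
    return report

def phase1_force_rules(text):
    """IDs of rules that enable forceRequestBodyVariable in phase 1."""
    return [r['id'] for r in audit(text)['force_rules'] if r['phase'] == 1]
```

On a host still running a package older than the fixed ones listed in this report, a non-empty result from phase1_force_rules() marks the rules that reach the code path named in the advisory.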

Comment 2 David Walser 2013-06-06 19:22:27 CEST
Fedora has issued an advisory for this on May 29:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107848.html

URL: (none) => http://lwn.net/Vulnerabilities/553177/

Comment 3 Oden Eriksson 2013-06-19 13:51:28 CEST
Fixed packages have been submitted.

apache-mod_security-2.6.3-3.5.mga2
apache-mod_security-2.7.4-1.mga3

Comment 4 David Walser 2013-06-19 20:18:44 CEST
Thanks Oden!

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

When ModSecurity receives a request body with a size bigger than the
value set by the "SecRequestBodyInMemoryLimit" and with a
"Content-Type" that has no request body processor mapped to it,
ModSecurity will systematically crash on every call to
"forceRequestBodyVariable" (in phase 1) (CVE-2013-2765).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765
http://www.shookalabs.com/#advisory-cve-2013-2765
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107848.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.5.mga2
mlogc-2.6.3-3.5.mga2
apache-mod_security-2.7.4-1.mga3
mlogc-2.7.4-1.mga3

from SRPMS:
apache-mod_security-2.6.3-3.5.mga2.src.rpm
apache-mod_security-2.7.4-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 5 claire robinson 2013-06-20 08:48:18 CEST
Testing complete mga2 32 & 64

As previous updates for this, just checking it loads ok.

# httpd -M 2>/dev/null |grep security

security_module (shared)

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-32-ok mga2-64-ok

Comment 6 claire robinson 2013-06-20 09:05:31 CEST
Testing complete mga3 64

# httpd -M 2>/dev/null |grep security
 security2_module (shared)

Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok

Comment 7 claire robinson 2013-06-20 09:41:02 CEST
Testing complete mga3 32

Validating

Advisory uploaded.

SRPMS:
apache-mod_security-2.6.3-3.5.mga2.src.rpm
apache-mod_security-2.7.4-1.mga3.src.rpm

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Nicolas Vigier 2013-06-26 20:22:34 CEST
http://advisories.mageia.org/MGASA-2013-0179.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Comment 9 Oden Eriksson 2013-07-15 17:13:41 CEST
======================================================
Name: CVE-2013-2765
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130407
Category: 
Reference: MISC:http://www.shookalabs.com/
Reference: MISC:https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py
Reference: CONFIRM:http://www.modsecurity.org/
Reference: CONFIRM:https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows
remote attackers to cause a denial of service (NULL pointer
dereference, process crash, and disk consumption) via a POST request
with a large body and a crafted Content-Type header.

Nicolas Vigier 2014-05-08 18:04:37 CEST

CC: boklm => (none)