Bug 13831

Summary: apache-mod_wsgi new security issue fixed upstream in 4.2.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: oe, rverschelde, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/607286/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok advisory
Source RPM: apache-mod_wsgi-3.5-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2014-07-31 20:11:25 CEST 
OpenSuSE has issued an advisory on July 30:
http://lists.opensuse.org/opensuse-updates/2014-07/msg00033.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-31 20:11:31 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-08-01 09:44:15 CEST 
http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.2.6.html

1. Apache 2.2.3 and older doesnât provide the ap_get_server_description() function. Using mod_wsgi with such older versions would therefore cause processes to crash when Apache was being started up. For older versions of Apache now fallback to using ap_get_server_version() instead.

Seems like a non issue to me.

CC: (none) => oe

Comment 2 Oden Eriksson 2014-08-01 09:44:48 CEST 
Oops! Need more coffey.
Comment 3 Oden Eriksson 2014-08-01 10:07:26 CEST 
Fixed with apache-mod_wsgi-3.5-1.mga3, apache-mod_wsgi-3.5-1.1.mga4 and apache-mod_wsgi-4.2.6-1.mga5.
Comment 4 David Walser 2014-08-01 16:05:43 CEST 
Thanks Oden!

Advisory:
========================

Updated apache-mod_wsgi package fixes security vulnerability:

apache-mod_wsgi before 4.2.4 contained an off-by-one error in applying a
limit to the number of supplementary groups allowed for a daemon process
group. The result could be that if more groups than the operating system
allowed were specified to the option supplementary-groups, then memory
corruption or a process crash could occur.

References:
http://lists.opensuse.org/opensuse-updates/2014-07/msg00033.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_wsgi-3.5-1.mga3
apache-mod_wsgi-3.5-1.1.mga4

from SRPMS:
apache-mod_wsgi-3.5-1.mga3.src.rpm
apache-mod_wsgi-3.5-1.1.mga4.src.rpm

CC: (none) => shlomif
Version: Cauldron => 4
Assignee: shlomif => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 5 claire robinson 2014-08-06 18:18:26 CEST 
Some info about this here: 
http://code.google.com/p/modwsgi/wiki/QuickConfigurationGuide
Comment 6 claire robinson 2014-08-06 18:30:49 CEST 
Testing complete mga4 64

Using the example code from the link in comment 5 saved as 
/var/www/wsgi-scripts/helloworld.wsgi

def application(environ, start_response):
    status = '200 OK'
    output = 'Hello World!'

    response_headers = [('Content-type', 'text/plain'),
                        ('Content-Length', str(len(output)))]
    start_response(status, response_headers)

    return [output]


Edited /etc/httpd/conf/conf.d/wsgi.conf and added the WSGIScriptAlias line below the IfModule, as below..

<IfModule mod_wsgi.c>
    WSGIScriptAlias /wsgi /var/www/wsgi-scripts/helloworld.wsgi


Browsed to http://localhost/wsgi to see the "Hello World!" text displayed
claire robinson 2014-08-06 18:31:06 CEST

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 7 claire robinson 2014-08-06 18:35:51 CEST 
Another working example..

import cgi

def application(environ, start_response):
    form = cgi.FieldStorage(fp=environ['wsgi.input'],
                            environ=environ,
                            keep_blank_values=1)
    write = start_response('200 OK', [('Content-type', 'text/html')])
    if form.getvalue('name'):
        write('<html><head><title>Hello!</title></head>\n')
        write('<body>\n')
        write('<h1>Hello %s!</h1>\n' % form['name'].value)
    else:
        write('<html><head><title>Who is there?</title></head>\n')
        write('<body>\n')
        write('<h1>Who is there?</h1>\n')
    write('<form action="%s" method="POST">\n' % environ['SCRIPT_NAME'])
    write('What is your name?<br>\n')
    write('<input type="text" name="name" value="%s"><br>\n'
          % cgi.escape(form.getvalue('name', ''), 1))
    write('<input type="submit" value="That is my name"></form>\n')
    write('</body></html>\n')
    return None
Comment 8 Rémi Verschelde 2014-08-07 22:50:06 CEST 
Testing complete on Mageia 3 32bit, using the procedure in comment 6 and 7.

Small addendum to the procedure, one has to restart Apache (systemctl restart httpd) after having edited /etc/httpd/conf/conf.d/wsgi.conf.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 9 Rémi Verschelde 2014-08-07 22:52:49 CEST 
As discussed during today's QA meeting [1], most updates can now be validated once they have been tested on each release and at least one arch (preferably different arches on each release).

Validating the update, advisory uploaded.

[1] http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-08-07-19.06.html

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-08-08 13:24:30 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0323.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED