Bug 10097 - apache new security issue CVE-2013-1862
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/550561/
Whiteboard: has_procedure mga2-32-ok MGA2-64-OK
Keywords: validated_update
Reported: 2013-05-14 19:34 CEST by David Walser
Modified: 2014-05-08 18:06 CEST (History)

Source RPM: apache-2.2.24-1.mga2.src.rpm
Description David Walser 2013-05-14 19:34:57 CEST
RedHat has issued an advisory on May 13:
https://rhn.redhat.com/errata/RHSA-2013-0815.html

The other CVEs were fixed in our previous 2.2.24 update.

For the new issue, they have a link to the upstream commit and patch in their bug:
https://bugzilla.redhat.com/show_bug.cgi?id=953729

This is a low severity issue, so we could wait until 2.2.25 is released.

I don't know if 2.4.x is affected.

Comment 1 Pablo Saratxaga 2013-05-20 15:00:12 CEST
also, fix the %pretransinstall script in the rpm package; currently it is:

if [ ! -d /etc/httpd/conf/sites.d ]; then
    mkdir -p /etc/httpd/conf/sites.d
    if [ -d /etc/httpd/conf/webapps.d ]; then
        mv -f /etc/httpd/conf/webapps.d/* /etc/httpd/conf/sites.d 2>/dev/null
        rmdir /etc/httpd/conf/webapps.d
    fi
    if [ -d /etc/httpd/conf/vhosts.d ]; then
        mv -f /etc/httpd/conf/vhosts.d/* /etc/httpd/conf/sites.d 2>/dev/null
        rmdir /etc/httpd/conf/vhosts.d
    fi
fi

(It isn't run if /etc/httpd/conf/sites.d is present along with the old webapps.d or vhosts.d dirs, so those old dirs are not deleted, and that conflicts with them being symlinks in the new rpm.)


it should be:

if [ -d /etc/httpd/conf/webapps.d ]; then
    if [ ! -d /etc/httpd/conf/sites.d ]; then
        mkdir -p /etc/httpd/conf/sites.d
    fi
    mv -f /etc/httpd/conf/webapps.d/* /etc/httpd/conf/sites.d 2>/dev/null
    rmdir /etc/httpd/conf/webapps.d
fi
if [ -d /etc/httpd/conf/vhosts.d ]; then
    if [ ! -d /etc/httpd/conf/sites.d ]; then
        mkdir -p /etc/httpd/conf/sites.d
    fi
    mv -f /etc/httpd/conf/vhosts.d/* /etc/httpd/conf/sites.d 2>/dev/null
    rmdir /etc/httpd/conf/vhosts.d
fi
Comment 2 Pablo Saratxaga 2013-05-20 15:05:09 CEST
(sorry, disregard my previous comment, it was intended for 2.4.x version of the package)
Comment 3 David Walser 2013-06-11 18:38:03 CEST
Oden has uploaded a patched package for Mageia 2.

It fixes this issue, as well as a buffer overflow in htdigest (PR54893 upstream).

Oden, is this ready for QA, and do you have any notes on the second issue fixed?

I guess 2.4.x isn't affected?

Packages built:
apache-2.2.24-1.1.mga2
apache-mpm-prefork-2.2.24-1.1.mga2
apache-mpm-worker-2.2.24-1.1.mga2
apache-mpm-event-2.2.24-1.1.mga2
apache-mpm-itk-2.2.24-1.1.mga2
apache-mpm-peruser-2.2.24-1.1.mga2
apache-mod_dav-2.2.24-1.1.mga2
apache-mod_ldap-2.2.24-1.1.mga2
apache-mod_cache-2.2.24-1.1.mga2
apache-mod_disk_cache-2.2.24-1.1.mga2
apache-mod_mem_cache-2.2.24-1.1.mga2
apache-mod_file_cache-2.2.24-1.1.mga2
apache-mod_deflate-2.2.24-1.1.mga2
apache-mod_proxy-2.2.24-1.1.mga2
apache-mod_proxy_ajp-2.2.24-1.1.mga2
apache-mod_proxy_scgi-2.2.24-1.1.mga2
apache-mod_suexec-2.2.24-1.1.mga2
apache-mod_userdir-2.2.24-1.1.mga2
apache-mod_ssl-2.2.24-1.1.mga2
apache-mod_dbd-2.2.24-1.1.mga2
apache-mod_authn_dbd-2.2.24-1.1.mga2
apache-mod_reqtimeout-2.2.24-1.1.mga2
apache-htcacheclean-2.2.24-1.1.mga2
apache-devel-2.2.24-1.1.mga2
apache-source-2.2.24-1.1.mga2
apache-doc-2.2.24-1.1.mga2

from apache-2.2.24-1.1.mga2.src.rpm
Comment 4 Oden Eriksson 2013-06-12 14:29:38 CEST
PR 54893 is minor, but why not fix it anyway.

https://issues.apache.org/bugzilla/show_bug.cgi?id=54893
http://svn.apache.org/viewvc?view=revision&revision=1476242
 	
htdigest: Fix buffer overflow when reading digest password file with very long lines.

The CVE-2013-1862 flaw has not been fixed in 2.4.x from what I can see so far, so assuming it doesn't apply.
Comment 5 David Walser 2013-06-12 15:25:06 CEST
Thanks Oden.

Assigning to QA.

Advisory:
========================

Updated apache packages fix security vulnerabilities:

It was found that mod_rewrite did not filter terminal escape sequences from
its log file. If mod_rewrite was configured with the RewriteLog directive,
a remote attacker could use specially-crafted HTTP requests to inject
terminal escape sequences into the mod_rewrite log file. If a victim viewed
the log file with a terminal emulator, it could result in arbitrary command
execution with the privileges of that user (CVE-2013-1862).

A buffer overflow when reading digest password file with very long lines in
htdigest (PR54893).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862
https://issues.apache.org/bugzilla/show_bug.cgi?id=54893
https://rhn.redhat.com/errata/RHSA-2013-0815.html
========================

Updated packages in core/updates_testing:
========================
apache-2.2.24-1.1.mga2
apache-mpm-prefork-2.2.24-1.1.mga2
apache-mpm-worker-2.2.24-1.1.mga2
apache-mpm-event-2.2.24-1.1.mga2
apache-mpm-itk-2.2.24-1.1.mga2
apache-mpm-peruser-2.2.24-1.1.mga2
apache-mod_dav-2.2.24-1.1.mga2
apache-mod_ldap-2.2.24-1.1.mga2
apache-mod_cache-2.2.24-1.1.mga2
apache-mod_disk_cache-2.2.24-1.1.mga2
apache-mod_mem_cache-2.2.24-1.1.mga2
apache-mod_file_cache-2.2.24-1.1.mga2
apache-mod_deflate-2.2.24-1.1.mga2
apache-mod_proxy-2.2.24-1.1.mga2
apache-mod_proxy_ajp-2.2.24-1.1.mga2
apache-mod_proxy_scgi-2.2.24-1.1.mga2
apache-mod_suexec-2.2.24-1.1.mga2
apache-mod_userdir-2.2.24-1.1.mga2
apache-mod_ssl-2.2.24-1.1.mga2
apache-mod_dbd-2.2.24-1.1.mga2
apache-mod_authn_dbd-2.2.24-1.1.mga2
apache-mod_reqtimeout-2.2.24-1.1.mga2
apache-htcacheclean-2.2.24-1.1.mga2
apache-devel-2.2.24-1.1.mga2
apache-source-2.2.24-1.1.mga2
apache-doc-2.2.24-1.1.mga2

from apache-2.2.24-1.1.mga2.src.rpm
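
The advisory above concerns terminal escape sequences written unfiltered to the mod_rewrite log. As an added example (not part of this bug report and not the upstream Apache patch), the following Python sketch flags raw control bytes in a log and renders each affected line with non-printable bytes shown as \xhh, so it can be reviewed without the terminal interpreting it. The sample lines, the simplified log layout and the function names are constructed for illustration.

```python
import re

# C0 control bytes (tab excepted) and DEL. A log written with proper
# escaping should contain none of these inside a line.
CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def escape_log_item(raw: bytes) -> str:
    """Render bytes so that nothing reaches the terminal as a control code.

    Printable ASCII is kept, a backslash is doubled so the output stays
    unambiguous, and every other byte (tab and high bytes included)
    becomes \\xhh.
    """
    out = []
    for b in raw:
        if b == 0x5C:
            out.append("\\\\")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def scan(log: bytes):
    """Return (line_number, byte_offsets, safe_rendering) per flagged line."""
    hits = []
    for n, line in enumerate(log.split(b"\n"), 1):
        offsets = [m.start() for m in CONTROL.finditer(line)]
        if offsets:
            hits.append((n, offsets, escape_log_item(line)))
    return hits


# Constructed sample: two simplified rewrite-log style lines. The second
# carries a harmless colour-change sequence (ESC [ 31 m) in the URI.
SAMPLE = (
    b"192.0.2.10 - - [12/Jun/2013:16:39:16 +0200] (2) rewrite '/check' -> 'index.php'\n"
    b"192.0.2.11 - - [12/Jun/2013:16:40:02 +0200] (2) rewrite '/a\x1b[31mb' -> 'index.php'\n"
)

if __name__ == "__main__":
    for n, offsets, safe in scan(SAMPLE):
        print(f"line {n}: control bytes at {offsets}: {safe}")
```

Read the log file in binary mode and pass its contents to `scan()`; a log produced by a fixed package should yield no hits.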
Comment 6 claire robinson 2013-06-12 16:39:16 CEST
Testing complete mga2 32

No PoC so just testing apache generally and mod_rewrite specifically works as expected.

Tested apache using webapps (eg. phpmyadmin, wordpress, drupal, etc)

Edited /etc/httpd/conf/httpd.conf and changed the section below to AllowOverride All

# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit Indexes

    AllowOverride None

Then restarted httpd
# service httpd restart

and followed this to test mod-rewrite:
http://www.webasyst.net/support/help/general-modrewrite-test.html

# cd /var/www/html
# mkdir mod_rewrite_test
# cd mod_rewrite_test

Create two files there, .htaccess (don't miss the dot) and index.php, with the following content:

.htaccess:

RewriteEngine On
RewriteRule ^.*$ index.php

index.php:

<?php
print 'mod_rewrite works!';
?>


Then browse to http://localhost/mod_rewrite_test/check

It should show 'mod_rewrite works!'
Comment 7 Dave Hodgins 2013-06-13 19:54:52 CEST
Testing Mageia 2 x86_64 shortly.
Comment 8 Dave Hodgins 2013-06-13 20:08:02 CEST
Testing complete on Mageia 2 x86_64.

Could someone from the sysadmin team push the srpm
apache-2.2.24-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated apache packages fix security vulnerabilities:

It was found that mod_rewrite did not filter terminal escape sequences from
its log file. If mod_rewrite was configured with the RewriteLog directive,
a remote attacker could use specially-crafted HTTP requests to inject
terminal escape sequences into the mod_rewrite log file. If a victim viewed
the log file with a terminal emulator, it could result in arbitrary command
execution with the privileges of that user (CVE-2013-1862).

A buffer overflow when reading digest password file with very long lines in
htdigest (PR54893).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862
https://issues.apache.org/bugzilla/show_bug.cgi?id=54893
https://rhn.redhat.com/errata/RHSA-2013-0815.html

https://bugs.mageia.org/show_bug.cgi?id=10097
Comment 9 Dave Hodgins 2013-06-19 02:10:44 CEST
Advisory 10097.adv ready to push
Comment 10 Nicolas Vigier 2013-06-19 02:36:23 CEST
(In reply to Dave Hodgins from comment #9)
> Advisory 10097.adv ready to push

In the CVE list, what is PR54893 ?

It doesn't look like a CVE identifier.
Comment 11 David Walser 2013-06-19 03:36:12 CEST
It's not a CVE, it's a reference to the upstream bug which is in the references:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54893
Comment 12 Nicolas Vigier 2013-06-19 12:01:57 CEST
Ok, so it should not be listed in the CVE. I removed it.
Comment 13 claire robinson 2013-06-19 12:05:55 CEST
It's still a security issue which was fixed though Nicolas, it's normal for us to list these too.
Comment 14 Nicolas Vigier 2013-06-19 12:07:19 CEST
(In reply to claire robinson from comment #13)
> It's still a security issue which was fixed though Nicolas, it's normal for
> us to list these too.

It can be listed in references, but it should not be in the CVE list.
Comment 15 claire robinson 2013-06-19 12:10:07 CEST
You're altering the rules a bit there. It's never been a 'CVE list' as such, it's just an advisory to say what was fixed. In this case it's a security update which fixes multiple security issues, one has a CVE and one doesn't.
Comment 16 Nicolas Vigier 2013-06-19 12:21:45 CEST
So I should remove the CVE list from advisories ?
Comment 17 Nicolas Vigier 2013-06-19 12:26:41 CEST
In case it's not clear, I'm talking about removing it from this CVE list, not from the advisory text :
http://svnweb.mageia.org/advisories/10097.adv?r1=45&r2=51
Comment 18 Nicolas Vigier 2013-06-19 12:37:51 CEST
http://advisories.mageia.org/MGASA-2013-0174.html
Comment 19 claire robinson 2013-06-19 12:41:10 CEST
Ahh I see, thanks for clarifying, that makes perfect sense.

Just starting to look at these now.
