Upstream has released 2.7.4 to fix a DoS issue:
http://openwall.com/lists/oss-security/2013/05/28/4

Link to the upstream commit is in that post.

Oden has already updated it in Cauldron, so it needs updates for Mageia 2 and 3.

CC: (none) => guillomovitch, oe
Whiteboard: (none) => MGA2TOO
From: yjaaidi@shookalabs.com
To: bugtraq@securityfocus.com
Subject: [SECURITY][CVE-2013-2765][ModSecurity] Remote Null Pointer Dereference

CVE Number: CVE-2013-2765 / ModSecurity Remote Null Pointer Dereference

When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable" (in phase 1).

In addition to the segfault that occurs here, ModSecurity will not remove the temporary request body file and the temporary directory (set by the "SecTmpDir" directive) will keep growing until saturation.

Details : http://www.shookalabs.com/#advisory-cve-2013-2765
Exploit : https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py
Solution : Upgrade to 2.7.4 https://www.modsecurity.org
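Added example (not part of the advisory, the bug thread, or ModSecurity itself): a Python audit of a ModSecurity configuration for the conditions the advisory above names, reporting the SecRequestBodyInMemoryLimit value, the SecTmpDir directory where leftover request body files would accumulate, and any rule that sets ctl:forceRequestBodyVariable=On in phase 1. The sample configuration, its path and its rule ids are constructed for illustration.

```python
import re

# Constructed sample configuration; paths and rule ids are illustrative.
SAMPLE_CONF = '''\
SecRequestBodyAccess On
SecRequestBodyInMemoryLimit 131072
SecTmpDir /var/lib/mod_security/tmp
# Constructed rule: populate REQUEST_BODY for every request, from phase 1
SecAction "id:900001,phase:1,nolog,pass,\\
    ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@beginsWith /api" \\
    "id:900002,phase:2,pass,ctl:forceRequestBodyVariable=On"
'''

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Collect the directives and rules the CVE-2013-2765 advisory names."""
    report = {"in_memory_limit": None, "tmp_dir": None, "phase1_force_rules": []}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if directive == "secrequestbodyinmemorylimit":
            report["in_memory_limit"] = int(arg)
        elif directive == "sectmpdir":
            report["tmp_dir"] = arg.strip('"')
        elif directive in ("secrule", "secaction"):
            # Only an explicit phase:1 is matched; a rule that inherits its
            # phase from SecDefaultAction is not resolved here.
            if (re.search(r"ctl:forceRequestBodyVariable=on", line, re.I)
                    and re.search(r"phase:\s*1\b", line, re.I)):
                rule_id = re.search(r"id:'?(\d+)", line)
                report["phase1_force_rules"].append(
                    rule_id.group(1) if rule_id else "<no id>")
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    print("SecRequestBodyInMemoryLimit:", result["in_memory_limit"])
    print("SecTmpDir to watch for leftover files:", result["tmp_dir"])
    print("phase-1 rules forcing REQUEST_BODY:", result["phase1_force_rules"])
```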
Fedora has issued an advisory for this on May 29: https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107848.html
URL: (none) => http://lwn.net/Vulnerabilities/553177/
Fixed packages have been submitted.

apache-mod_security-2.6.3-3.5.mga2
apache-mod_security-2.7.4-1.mga3
Thanks Oden!

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable" (in phase 1) (CVE-2013-2765).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765
http://www.shookalabs.com/#advisory-cve-2013-2765
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107848.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.5.mga2
mlogc-2.6.3-3.5.mga2
apache-mod_security-2.7.4-1.mga3
mlogc-2.7.4-1.mga3

from SRPMS:
apache-mod_security-2.6.3-3.5.mga2.src.rpm
apache-mod_security-2.7.4-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete mga2 32 & 64

As previous updates for this, just checking it loads ok.

# httpd -M 2>/dev/null | grep security
security_module (shared)
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-32-ok mga2-64-ok
Testing complete mga3 64

# httpd -M 2>/dev/null | grep security
security2_module (shared)
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok
Testing complete mga3 32

Validating

Advisory uploaded.

SRPMS:
apache-mod_security-2.6.3-3.5.mga2.src.rpm
apache-mod_security-2.7.4-1.mga3.src.rpm

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0179.html
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
======================================================
Name: CVE-2013-2765
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2765
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130407
Category:
Reference: MISC:http://www.shookalabs.com/
Reference: MISC:https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py
Reference: CONFIRM:http://www.modsecurity.org/
Reference: CONFIRM:https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header.
CC: boklm => (none)