Bug 22017 - apr new security issue CVE-2017-12613
Summary: apr new security issue CVE-2017-12613
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2017-11-12 20:06 CET by David Walser
Modified: 2017-11-19 11:24 CET

See Also:
Source RPM: apr-1.5.2-2.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-11-12 20:06:31 CET
Fedora has issued an advisory on November 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/

Mageia 5 is also affected.

The issue was fixed upstream in 1.6.3.

The RedHat bug contains a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1506523#c7
David Walser 2017-11-12 20:06:47 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-11-12 22:23:47 CET
Assigning to the registered apr maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Stig-Ørjan Smelror 2017-11-14 10:05:34 CET
Updated RPM pushed to core/updates_testing for MGA5 and MGA6.

apr-1.5.1-3.1.mga5
apr-1.5.2-2.1.mga6

CC: (none) => smelror

Comment 3 David Walser 2017-11-14 15:07:17 CET
Advisory:
========================

Updated apr packages fix security vulnerability:

An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker
could abuse an unvalidated usage of this function to cause a denial of service
or potentially lead to data leak (CVE-2017-12613).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/
========================

Updated packages in core/updates_testing:
========================
libapr1_0-1.5.1-3.1.mga5
libapr-devel-1.5.1-3.1.mga5
libapr1_0-1.5.2-2.1.mga6
libapr-devel-1.5.2-2.1.mga6

from SRPMS:
apr-1.5.1-3.1.mga5.src.rpm
apr-1.5.2-2.1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CC: (none) => shlomif

Comment 4 Len Lawrence 2017-11-15 18:44:11 CET
Mageia 6 on x86_64

apr seems to be used by apache, anjuta and some SVN applications and tools which all have learning curves.  The simplest application to test is hydra.  Installed that and tried it out against a local machine.  Updated the apr libraries and tried it again.

$ strace hydra -l lcl -p Rapunzel ftp://192.168.1.3 2> trace
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-15 17:30:08
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ftp on port 21
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-15 17:30:11
[lcl@belexeuli qa]$ cat trace | grep apr
open("/lib64/libapr-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libaprutil-1.so.0", O_RDONLY|O_CLOEXEC) = 3


Tried this with a valid password and it succeeded.
Also restarted apache to make sure httpd still functions.
This looks OK.  No regressions.

CC: (none) => tarazed25

Len Lawrence 2017-11-15 18:45:08 CET

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 5 Len Lawrence 2017-11-16 11:47:43 CET
Mageia 5 on x86_64

Installed hydra then updated the apr libraries.
Tried accessing another machine on the network with valid user and a mixture of false and one real password.
$ hydra -l lcl -p shibboleth ftp://192.168.1.156
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-16 10:44:21
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service ftp on port 21
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-16 10:44:23

$ hydra -l lcl -P psswdz ftp://192.168.1.156
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-16 10:46:04
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.156   login: lcl   password: <whatever>
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-16 10:46:06

OK for 64 bits.

Comment 6 Len Lawrence 2017-11-16 12:26:47 CET
Mageia 5 on i586 in virtualbox

Ran the password cracking trials using hydra as reported in previous comments.

$ strace hydra -l lcl -p Rapunzel ftp://192.168.1.156 2> trace
$ cat trace | grep apr
open("/lib/libapr-1.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib/libaprutil-1.so.0", O_RDONLY|O_CLOEXEC) = 3

$ hydra -l lcl -P psswdz ftp://192.168.1.156
......
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.156   login: lcl   password: <..........>
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-11-16 11:25:22

OK for 32 bits.

Len Lawrence 2017-11-16 12:27:48 CET

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK

Comment 7 Len Lawrence 2017-11-16 12:42:03 CET
Mageia 6 on i586 in virtualbox

Installed hydra and ran the updates on libapr1_0 and libapr-devel.
Mounted a pseudo ftp attack across the LAN as before.  That worked as expected.

Good for 32 bits.

Len Lawrence 2017-11-16 12:42:22 CET

Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OK MGA6-32-OK

Comment 8 Len Lawrence 2017-11-16 12:43:37 CET
Validating this on the basis of the four OKs.

Len Lawrence 2017-11-16 12:43:48 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 David Walser 2017-11-18 18:00:56 CET
Adding one URL to the references.

Advisory:
========================

Updated apr packages fix security vulnerability:

An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker
could abuse an unvalidated usage of this function to cause a denial of service
or potentially lead to data leak (CVE-2017-12613).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613
http://www.apache.org/dist/apr/Announcement1.x.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/

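
Added example (not from this bug report or from APR's own sources): a stripped-down C model of the month-table lookup in apr_time_exp_get() that the advisory in comments 3 and 9 describes, showing the unchecked index beside a version that rejects out-of-range months, modeled on the upstream fix. The struct and function names are illustrative, not APR identifiers, and the day-offset table is a simplified non-leap-year version.

```c
#include <stdio.h>

#define EBADDATE (-1)   /* stands in for APR_EBADDATE */
#define OK       0

/* Minimal stand-in for the fields of apr_time_exp_t used here. */
struct broken_time {
    int tm_mday;   /* day of month, 1..31 */
    int tm_mon;    /* month, 0..11; often parsed from untrusted input */
};

/* Days before each month (non-leap year). Only indices 0..11 exist. */
static const int dayoffset[12] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};

/* Vulnerable shape: tm_mon indexes the table without any range check,
 * so a month outside 0..11 reads past the array (undefined behaviour). */
int exp_get_unchecked(const struct broken_time *xt, int *yday)
{
    *yday = dayoffset[xt->tm_mon] + xt->tm_mday - 1;
    return OK;
}

/* Fixed shape, modeled on the upstream change: validate the month
 * (and day) before either is used, and report a bad date instead. */
int exp_get_checked(const struct broken_time *xt, int *yday)
{
    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
        return EBADDATE;
    if (xt->tm_mday < 1 || xt->tm_mday > 31)
        return EBADDATE;
    *yday = dayoffset[xt->tm_mon] + xt->tm_mday - 1;
    return OK;
}

/* Convenience wrapper: 0-based day of year, or EBADDATE if rejected. */
int checked_yday(int mday, int mon)
{
    struct broken_time xt = { mday, mon };
    int yday = 0;
    return exp_get_checked(&xt, &yday) == OK ? yday : EBADDATE;
}

int main(void)
{
    /* Constructed inputs: a valid date and an out-of-range month. */
    printf("15 Nov  -> %d\n", checked_yday(15, 10));   /* 318 */
    printf("mon=200 -> %d\n", checked_yday(1, 200));   /* -1 (EBADDATE) */
    return 0;
}
```

With tm_mon == 200 the unchecked variant would read dayoffset[200], which is the kind of out-of-bounds access the advisory refers to; the checked variant returns an error before any indexing happens.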
Lewis Smith 2017-11-19 10:46:20 CET

Keywords: (none) => advisory

Comment 10 Mageia Robot 2017-11-19 11:24:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0417.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

