31485 – apr new security issue CVE-2022-24963

Bug 31485 - apr new security issue CVE-2022-24963

Summary: apr new security issue CVE-2022-24963

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-02-01 16:18 CET by David Walser
Modified:	2023-02-27 21:29 CET (History)
CC List:	7 users (show)

See Also:
Source RPM:	apr-1.7.0-3.2.mga8.src.rpm
CVE:	CVE-2022-24963
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-01 16:18:01 CET

Apache has announced a security issue fixed upstream in APR on January 31:
https://www.openwall.com/lists/oss-security/2023/01/31/3

The issue is fixed upstream in 1.7.1.

Mageia 8 is also affected.

David Walser 2023-02-01 16:18:12 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.7.1

Comment 1 Marja Van Waes 2023-02-04 22:35:52 CET

Assigning to all packagers collectively, because there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2023-02-06 13:41:36 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. (CVE-2022-24963)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24963
https://www.openwall.com/lists/oss-security/2023/01/31/3
========================

Updated packages in core/updates_testing:
========================
lib(64)apr1_0-1.7.2-1.mga8
lib(64)apr-devel-1.7.2-1.mga8

from SRPM:
apr-1.7.2-1.mga8.src.rpm

CVE: (none) => CVE-2022-24963
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Source RPM: apr-1.7.0-7.mga9.src.rpm => apr-1.7.0-3.2.mga8.src.rpm
Status comment: Fixed upstream in 1.7.1 => (none)

Comment 3 Herman Viaene 2023-02-09 17:40:50 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Bug 31485 shows that starting httpd depends on the apr lib.
After installing this update, I get error on httpd.
But looking with ps -aux found different processes httpd, killed those and then
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-02-09 17:30:45 CET; 6s ago
   Main PID: 12958 (httpd)
     Status: "Processing requests..."
      Tasks: 11 (limit: 4364)
     Memory: 36.9M
        CPU: 1.664s
     CGroup: /system.slice/httpd.service
             ├─12958 /usr/sbin/httpd -DFOREGROUND
             ├─12960 /usr/sbin/httpd -DFOREGROUND
             ├─12961 /usr/sbin/httpd -DFOREGROUND
             ├─12963 /usr/sbin/httpd -DFOREGROUND
             ├─12966 /usr/sbin/httpd -DFOREGROUND
             └─12968 /usr/sbin/httpd -DFOREGROUND

Feb 09 17:30:44 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Feb 09 17:30:45 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
# systemctl stop httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

Feb 09 17:27:21 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Feb 09 17:27:21 mach7.hviaene.thuis httpd[12791]: httpd (pid 12010) already running
Feb 09 17:27:21 mach7.hviaene.thuis systemd[1]: httpd.service: Failed with result 'protocol'.
Feb 09 17:27:21 mach7.hviaene.thuis systemd[1]: Failed to start The Apache HTTP Server.
Feb 09 17:30:44 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Feb 09 17:30:45 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
Feb 09 17:32:17 mach7.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server...
Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Succeeded.
Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server.
Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Consumed 2.272s CPU time.
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-02-09 17:33:21 CET; 3s ago
   Main PID: 13081 (httpd)
     Status: "Processing requests..."
      Tasks: 11 (limit: 4364)
     Memory: 36.9M
        CPU: 1.669s
     CGroup: /system.slice/httpd.service
             ├─13081 /usr/sbin/httpd -DFOREGROUND
             ├─13083 /usr/sbin/httpd -DFOREGROUND
             ├─13084 /usr/sbin/httpd -DFOREGROUND
             ├─13086 /usr/sbin/httpd -DFOREGROUND
             ├─13087 /usr/sbin/httpd -DFOREGROUND
             └─13091 /usr/sbin/httpd -DFOREGROUND

Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
A second attempt to stop httpd returns a normal inactive status.
# systemctl stop httpd
[root@mach7 ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

Feb 09 17:32:17 mach7.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server...
Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Succeeded.
Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server.
Feb 09 17:32:18 mach7.hviaene.thuis systemd[1]: httpd.service: Consumed 2.272s CPU time.
Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Feb 09 17:33:21 mach7.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
Feb 09 17:35:43 mach7.hviaene.thuis systemd[1]: Stopping The Apache HTTP Server...
Feb 09 17:35:44 mach7.hviaene.thuis systemd[1]: httpd.service: Succeeded.
Feb 09 17:35:44 mach7.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server.
Feb 09 17:35:44 mach7.hviaene.thuis systemd[1]: httpd.service: Consumed 2.274s CPU time.

I don't know what to make of this failure at the first stop command. Another start/stop sequence remains normal.
I will not object an OK, but I'd rather have someone look into this.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2023-02-21 00:15:47 CET

@Herman with respect to comment 3.
Stopping and starting httpd worked OK.
Updated the libraries for Mageia8 x64.
No trouble with stopping and starting httpd and restarting it.

localhost:631 brings up the CUPS interface and http://localhost says "It Works!".  Other sites work as before.
Reinforcing your OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2023-02-21 16:36:20 CET

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-25 19:58:56 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-02-27 21:29:00 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0063.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.