Bug 6678 - apache-mod_security new security issue CVE-2012-2751
Summary: apache-mod_security new security issue CVE-2012-2751
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/504908/
Whiteboard: MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-07-03 22:52 CEST by David Walser
Modified: 2012-07-10 14:25 CEST (History)
7 users (show)

See Also:
Source RPM: apache-mod_security-2.6.3-3.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-07-03 22:52:47 CEST
Debian has issued an advisory on July 2:
http://www.debian.org/security/2012/dsa-2506

I updated the package to 2.6.6 in Cauldron which fixes it, and added the patch in SVN for Mageia 2.  Something is broken in Cauldron and it won't build (builds fine locally).
David Walser 2012-07-03 22:53:02 CEST

CC: (none) => guillomovitch
Whiteboard: (none) => MGA2TOO

David Walser 2012-07-03 22:53:14 CEST

CC: (none) => dlucio

Comment 1 AL13N 2012-07-04 20:04:58 CEST
can you post the build failure link?

CC: (none) => alien

Comment 2 David Walser 2012-07-04 20:39:47 CEST
Fails early in the process during autotools.

Trying to build patched version:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20120703204008.luigiwalser.valstar.32609/log/apache-mod_security-2.6.3-4.mga3/build.0.20120703204020.log

Trying to build updated version:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20120703204820.luigiwalser.valstar.723/log/apache-mod_security-2.6.6-1.mga3/build.0.20120703204834.log

Same error both times.

The last time this package was built wasn't too awful long before mga2 came out, so I suspect it still builds there.  I didn't actually try it on mga2 when I was working on it yesterday, but it does build fine on mga1.
Comment 3 AL13N 2012-07-04 20:56:46 CEST
i suspect this is some kind of updated autotools for what is building this. since guillomovitch didn't have any issue and this autotools thing is definately something unrelated.

perhaps ask sysadmin team to look into this... either that, or autotools was updated and had new features...
Comment 4 AL13N 2012-07-04 21:03:21 CEST
this is probably due to newer autotools which requires that missing section.

in any case, you should try to build the patch for mga2 and submit this to updates_testing, that's the more important fix.

then just add that missing macro it's complaining about.
Comment 5 AL13N 2012-07-04 21:49:41 CEST
i think submitting to update testing on mga2 takes priority,

but cauldron is unstable, therefor it's normal for it to take time to fix.

in any case, i think just adding the AC_LANG_SOURCE and possible AM_PROG_AR macro in configure.ac or configure.in will do wonders for this...

see also http://www.flameeyes.eu/autotools-mythbuster/forwardporting/autoconf.html
Comment 6 Guillaume Rousse 2012-07-05 12:15:31 CEST
regenerating the build system without explicit reason seems overkill here, I just fixed the cauldron package.
Comment 7 David Walser 2012-07-05 16:28:02 CEST
Thanks Guillaume.  Pushed to the build system in Cauldron and Mageia 2.

Advisory:
========================

Updated apache-mod_security package fixes security vulnerability:

Qualys Vulnerability & Malware Research Labs discovered a
vulnerability in ModSecurity, a security module for the Apache webserver.
In situations where both "Content:Disposition: attachment" and
"Content-Type: multipart" were present in HTTP headers, the vulnerability
could allow an attacker to bypass policy and execute cross-site script
(XSS) attacks through properly crafted HTML documents (CVE-2012-2751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2751
http://www.debian.org/security/2012/dsa-2506
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.1.mga2
mlogc-2.6.3-3.1.mga2

from apache-mod_security-2.6.3-3.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)

Comment 8 Dave Hodgins 2012-07-07 04:38:53 CEST
apache-mod_security should have a requires on perl-GnuPG as
/usr/sbin/rules-updater.pl will not run without it.

I'm looking through http://www.modsecurity.org/documentation/
to try and figure out how to test this one properly.

Does this apply to Mageia 1 as well?

CC: (none) => davidwhodgins

Comment 9 David Walser 2012-07-07 05:31:37 CEST
It's not packaged for Mageia 1 :o)
Comment 10 AL13N 2012-07-07 08:46:17 CEST
(In reply to comment #8)
> apache-mod_security should have a requires on perl-GnuPG as
> /usr/sbin/rules-updater.pl will not run without it.

well, i see no problem with someone adding this requires (it looks required to my untrained eye). but if no packager does the work, let's not wait too long without validating it, for that reason.

can i ask what will be tested for validation? is there a reproducer method for the vulnerability itself? or are you just trying to run it and looking for regressions? (or both).
Comment 11 claire robinson 2012-07-07 12:09:16 CEST
As we always have done AL13N:

https://wiki.mageia.org/en/QA_process_for_validating_updates
Comment 12 David Walser 2012-07-07 18:11:16 CEST
Requires added.  It was missed by the autoreq script because it was pulled in inside of an eval statement.  I guess perl-GnuPG will require linking.

Advisory:
========================

Updated apache-mod_security package fixes security vulnerability:

Qualys Vulnerability & Malware Research Labs discovered a
vulnerability in ModSecurity, a security module for the Apache webserver.
In situations where both "Content:Disposition: attachment" and
"Content-Type: multipart" were present in HTTP headers, the vulnerability
could allow an attacker to bypass policy and execute cross-site script
(XSS) attacks through properly crafted HTML documents (CVE-2012-2751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2751
http://www.debian.org/security/2012/dsa-2506
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.2.mga2
mlogc-2.6.3-3.2.mga2

from apache-mod_security-2.6.3-3.2.mga2.src.rpm
Comment 13 Dave Hodgins 2012-07-08 01:54:43 CEST
The missing requires wouldn't have blocked the update, as it's not
a regression, the program will generate a message if it isn't installed, and the program that uses it requires configuration
before it can be run anyway, and appears to be optional to use.

I would have opened a new bug report for the requires, if it wasn't
added.

There is no POC for the bug, so I'm just trying to figure out how to
test it to confirm it's actually working.
Comment 14 AL13N 2012-07-08 08:54:54 CEST
ok, awesome. Sorry to be checking this. I just wanted to make sure that it didn't became like those 2 BR's.
Comment 15 claire robinson 2012-07-08 10:31:50 CEST
Those two were exactly the same AL13N as has been said time and time again. At no point since Mageia 1 was release have we changed anything in the way we work. Some respond better to it than others.
Comment 16 Dave Hodgins 2012-07-10 01:49:07 CEST
Unless someone has a better idea how to test this, I'm willing to go with
just having ...
# httpd -M|grep security
 security_module (shared)
be considered adequate, as it shows that the module is loading ok.

Testing complete on Mageia 2 i586.

Whiteboard: (none) => MGA2-32-OK

Comment 17 Derek Jennings 2012-07-10 09:58:23 CEST
Testing complete x86_64
I went  a little further in testing. The default configuration does not enable any rule sets so mod_security will not be doing much. So I uncommented the lines
    Include conf/modsecurity/*.conf
    Include conf/modsecurity/base_rules/*.conf

in /etc/httpd/modules.d/82_mod_security.conf

mod_security then fails to load with a syntax error in one of the base rules


Syntax error on line 47 of /etc/httpd/conf/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf

This may simply be because it is a long time since I have used mod_security and have done something wrong, or else there is an issue with the rule set.

This should be the subject of another bug report and not a reason to delay this update.

Update Validated
Could sysadmin please push apache-mod_security-2.6.3-3.2.mga2.src.rpm  from core/updares/testing to core/updates

depcheck tells me that perl-GnuPG-0.180.0-1.mga2 will require linking

Advisory:
========================

Updated apache-mod_security package fixes security vulnerability:

Qualys Vulnerability & Malware Research Labs discovered a
vulnerability in ModSecurity, a security module for the Apache webserver.
In situations where both "Content:Disposition: attachment" and
"Content-Type: multipart" were present in HTTP headers, the vulnerability
could allow an attacker to bypass policy and execute cross-site script
(XSS) attacks through properly crafted HTML documents (CVE-2012-2751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2751
http://www.debian.org/security/2012/dsa-2506

Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs

Comment 18 Derek Jennings 2012-07-10 10:04:11 CEST
I should add that I checked that the previous version of mod_security gave the same syntax error with that rule set, so it is not a regression.
Comment 19 Derek Jennings 2012-07-10 13:36:48 CEST
Bug 6736 has been opened regarding the syntax errors in mod_secure rule sets
Comment 20 Thomas Backlund 2012-07-10 14:25:18 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0158

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.