Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 506454 (CVE-2013-5705) - <www-apache/mod_security-2.7.7: HTTP Requests Chunked Encoding Security Bypass Vulnerability (CVE-2013-5705)
Summary: <www-apache/mod_security-2.7.7: HTTP Requests Chunked Encoding Security Bypas...
Status: RESOLVED FIXED
Alias: CVE-2013-5705
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57444/
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-01 12:52 UTC by Agostino Sarubbo
Modified: 2016-07-17 22:18 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-01 12:52:12 UTC
From ${URL} :

Description

Martin Holst Swende has reported a vulnerability in ModSecurity, which can be exploited by malicious 
people to bypass certain security restrictions.

The vulnerability is caused due to an error in the "modsecurity_tx_init()" function 
(apache2/modsecurity.c), which can be exploited to bypass the HTTP request body processing via a specially 
crafted request using chunked encoding.

The vulnerability is reported in versions prior to 2.7.6.


Solution:
Update to version 2.7.6 or later.

Provided and/or discovered by:
Martin Holst Swende

Original Advisory:
ModSecurity:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.7.6

Martin Holst Swende:
http://martin.swende.se/blog/HTTPChunked.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Pacho Ramos gentoo-dev 2014-12-17 16:30:42 UTC
2.7.7 in the tree... maybe should be stabilized
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 16:08:30 UTC
CVE-2013-5705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5705):
  apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to
  bypass rules by using chunked transfer coding with a capitalized Chunked
  value in the Transfer-Encoding HTTP header.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 08:38:42 UTC
@arches, please stabilize the following:

=www-apache/mod_security-2.7.7
Comment 4 Agostino Sarubbo gentoo-dev 2016-06-27 08:24:04 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-06-27 08:48:25 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-08 07:54:53 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:05 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 22:18:12 UTC
Cleaned:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9f1f3dc99de237ca4fce5c5ee4a540900ce42ca

GLSA Vote: No.