http://www.apacheweek.com/features/security-13

Fixed in Apache httpd 1.3.33-dev

moderate: mod_include overflow CAN-2004-0940

A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child.

Affects: 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0

_____

http://secunia.com/advisories/12898/

Secunia Advisory: SA12898
Release Date: 2004-10-22
Critical: Less critical
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
Software: Apache 1.3.x
CVE reference: CAN-2004-0940

Description:
Crazy Einstein has discovered a vulnerability in Apache, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to a boundary error in the "get_tag()" function of the "mod_include" module. This can be exploited to cause a buffer overflow when a specially crafted document with malformed server-side includes is requested through a HTTP session.

Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) is enabled.

The vulnerability has been confirmed on version 1.3.31. Other versions may also be affected.

Solution:
The vulnerability has been fixed in version 1.3.33-dev.
Disable server-side includes (SSI).

Provided and/or discovered by:
Crazy Einstein

_____

http://securitytracker.com/alerts/2004/Oct/1011783.html

SecurityTracker Alert ID: 1011783
SecurityTracker URL: http://securitytracker.com/id?1011783
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 19 2004
Impact: Execution of arbitrary code via local system, User access via local system
Exploit Included: Yes
Version(s): 1.3.x

Description: Crazy Einstein reported a buffer overflow in Apache mod_include. A local user may be able to gain elevated privileges.

It is reported that the get_tag() function contains a buffer overflow that can be triggered, for example, from the handle_echo() function. A local user can create specially crafted HTML that, when processed by Apache, will execute arbitrary code with the privileges of the httpd child process.

Impact: A local user can execute arbitrary code with the privileges of the Apache httpd child process.
Solution: No solution was available at the time of this entry.
Vendor URL: httpd.apache.org/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Crazy Einstein <crazy_einstein@yahoo.com>
apache team, pls review/patch as appropriate
committed as 1.3.32-r1
thx stuart and tigger
arches, pls test apache-1.3.32-r1 and mark stable if possible
current KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips"
target KEYWORDS="x86 ppc sparc alpha hppa amd64 ia64 mips"
Stable on amd64
Stable on sparc
stable on ppc
Stable on alpha.
Could apache maintainers or someone on x86 test and mark x86 stable?
FYI, Apache-1.3.33 is now in the tree. Upstream haven't released a corresponding mod_ssl yet, however, so this ebuild is masked for the moment.
At this rate of Apache releases, we should start thinking about a dedicated apache security & arch test group ;-)
Best regards,
Stu
arches, mod_ssl-2.8.21 is also needed to be marked stable
current KEYWORDS="x86 ~ppc ~sparc ~alpha ~hppa ~mips"
target KEYWORDS="x86 ppc sparc alpha hppa mips"
Stable on sparc.
Stable on ppc.
mod_ssl-2.8.21 still missing amd64 to test and mark stable otherwise ready for GLSA
stable on amd64
GLSA 200411-03
hppa, ia64 and mips, please mark stable to benefit from GLSA
mips stable.