Bug 412481 (CVE-2012-0883) - <www-servers/apache-2.2.22-r1 : LD_LIBRARY_PATH Security Issue (CVE-2012-0883)
Summary: <www-servers/apache-2.2.22-r1 : LD_LIBRARY_PATH Security Issue (CVE-2012-0883)
Status: RESOLVED FIXED
Alias: CVE-2012-0883
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://secunia.com/advisories/48849/
Whiteboard: A1 [glsa]
Duplicates: 412641
Reported: 2012-04-18 07:59 UTC by Agostino Sarubbo
Modified: 2012-06-24 14:29 UTC
Description Agostino Sarubbo gentoo-dev 2012-04-18 07:59:34 UTC
From the Secunia security advisory at $URL:

Description
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the application incorrectly setting the environment variable LD_LIBRARY_PATH. This can be exploited to gain escalated privileges by e.g. tricking a user into running certain scripts in a directory containing a malicious library.

The security issue is reported in versions prior to 2.4.2.


Solution
Update to version 2.4.2.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-18 08:01:21 UTC
@maintainers:

Since there is no fix in 2.2 version, I'd say that vulnerability was introduced in 2.4.x branch, can you check please?
Comment 2 Tomas Hoger 2012-04-18 08:33:25 UTC
(In reply to comment #1)
> Since there is no fix in 2.2 version, I'd say that vulnerability was
> introduced in 2.4.x branch, can you check please?

The fix is proposed for inclusion in 2.2:
http://svn.apache.org/viewvc?view=revision&revision=1296431
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-04-18 16:22:08 UTC
(In reply to comment #2)
> 
> The fix is proposed for inclusion in 2.2:
> http://svn.apache.org/viewvc?view=revision&revision=1296431

Thanks, Tomas.

@apache, from that URL:

+    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1296428
+    2.2.x patch: Trunk patch works
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-04-19 14:11:45 UTC
*** Bug 412641 has been marked as a duplicate of this bug. ***
Comment 5 Patrick Lauer gentoo-dev 2012-04-20 04:24:11 UTC
+  20 Apr 2012; Patrick Lauer <patrick@gentoo.org> +apache-2.2.22-r1.ebuild,
+  +files/2.2.22-envvars-std.in:
+  Fix for #412481
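Review bot: the description line "Fix for #412481" gives only the bug number, although this entry adds a new revision (apache-2.2.22-r1.ebuild) and a new file (files/2.2.22-envvars-std.in) for a security issue. Name the CVE (CVE-2012-0883) and say in a few words what the added envvars-std.in file changes, so the ChangeLog can be read without opening the bug.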

Since the patch is very simple I committed it with stable keywords. Hope that makes everyone happy :)
Comment 6 Patrick Lauer gentoo-dev 2012-04-20 04:35:23 UTC
2.4.2 is in tree (but masked as 2.4 needs some more massaging to be nice)
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-04-20 06:13:49 UTC
Thanks muchly. Added to existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:41:07 UTC
CVE-2012-0883 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883):
  envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a
  zero-length directory name in the LD_LIBRARY_PATH, which allows local users
  to gain privileges via a Trojan horse DSO in the current working directory
  during execution of apachectl.
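
The zero-length LD_LIBRARY_PATH entry described in the CVE text above, as an added shell example that is not part of this bug report and is not Apache's or Gentoo's envvars file: it contrasts an unconditional append with a guarded one and audits an envvars-style file. The path /usr/lib/apache2 and all function names are assumptions.

```shell
#!/bin/sh
# Added illustration. /usr/lib/apache2 and all function names are assumptions.

# Return 0 if the colon-separated list $1 has a zero-length entry (leading
# colon, trailing colon or "::"). ld.so reads such an entry as the current
# working directory. A completely empty value is ignored by glibc's ld.so.
has_empty_component() {
    case "$1" in
        "")         return 1 ;;
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Weak form: unconditional append; an unset variable leaves a trailing colon.
build_weak() {   # $1 = library dir, $2 = inherited LD_LIBRARY_PATH
    printf '%s\n' "$1:$2"
}

# Corrected form: emit the separator only when there is a value to append.
build_fixed() {
    printf '%s\n' "$1${2:+:$2}"
}

# Source an envvars-style file in a subshell with LD_LIBRARY_PATH unset and
# report whether the value it sets contains a zero-length entry.
# Exit status: 0 clean, 1 empty entry found, non-zero if sourcing fails.
audit_envvars() {
    (
        unset LD_LIBRARY_PATH
        . "$1" || exit 2
        if has_empty_component "${LD_LIBRARY_PATH-}"; then
            echo "empty entry: LD_LIBRARY_PATH='$LD_LIBRARY_PATH'"
            exit 1
        fi
        echo "clean: LD_LIBRARY_PATH='${LD_LIBRARY_PATH-}'"
    )
}

# Demo on constructed input: both builders with nothing inherited.
for builder in build_weak build_fixed; do
    value=$("$builder" /usr/lib/apache2 "")
    if has_empty_component "$value"; then verdict="zero-length entry"; else verdict="clean"; fi
    printf '%-12s %-20s %s\n' "$builder" "$value" "$verdict"
done
```

Pass audit_envvars an absolute path, since the file is sourced and a bare name would be looked up in PATH.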
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:35 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).