Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 172676 - www-apache/mod_perl "path_info" Denial of Service Vulnerability (CVE-2007-1349)
Summary: www-apache/mod_perl "path_info" Denial of Service Vulnerability (CVE-2007-1349)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24678/
Whiteboard: B3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-29 14:24 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-03-28 22:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
error_log (error_log,39.73 KB, text/plain)
2007-03-31 10:08 UTC, Christian Faulhammer (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-29 14:24:40 UTC
Description:
A vulnerability has been reported in mod_perl, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
 
 The vulnerability is caused due to a regular expression in "RegistryCooker.pm" (mod_perl 2.x) or "PerlRun.pm" (mod_perl 1.x) that uses the "path_info" variable without properly escaping it. This can be exploited to cause a DoS by sending requests with specially crafted URLs to a vulnerable server.

Solution:
Fixed in the SVN repository.

Provided and/or discovered by:
Alex Solovey
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-30 20:06:19 UTC
perl please advise.
Comment 2 Michael Cummings (RETIRED) gentoo-dev 2007-03-30 22:39:05 UTC
looking into it.
Comment 3 Michael Cummings (RETIRED) gentoo-dev 2007-03-31 00:17:39 UTC
1.30 added, which covers CVE-2007-1349. Also posted a patched (and bumped) 2.0.3.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-31 06:14:51 UTC
Thx Micheal.

Arches please test and mark stable. Target keywords are:

mod_perl-1.30.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"
mod_perl-2.0.3-r1.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86"

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-31 10:08:16 UTC
Created attachment 115011 [details]
error_log

Perl team:

version 1.30:
dodoc: ToDo does not exist
chmod: cannot access `/var/tmp/portage/www-apache/mod_perl-1.30/image//etc/apache/modules.d/75_mod_perl': No such file or directory
x86 stable on this though


test suite version 2.0.3-r1 fails, see attached log
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-04-02 18:08:24 UTC
ppc64 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-02 18:26:34 UTC
ppc stable
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-03 19:16:33 UTC
sparc stable.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-04-04 09:45:29 UTC
ia64 stable
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-04 10:29:45 UTC
alpha stable
Comment 11 Markus Meier gentoo-dev 2007-04-06 10:01:58 UTC
www-apache/mod_perl-2.0.3-r1
1. emerges on x86
2. fails the test suite:
t/directive/perldo......................FAILED tests 18-22
        Failed 5/22 tests, 77.27% okay

t/modules/include.......................# Failed test 1 in t/modules/include.t at line 26
# Failed test 3 in t/modules/include.t at line 33
# Failed test 4 in t/modules/include.t at line 33 fail #2
# Failed test 5 in t/modules/include.t at line 33 fail #3
# Failed test 6 in t/modules/include.t at line 33 fail #4
FAILED tests 1, 3-6
        Failed 5/6 tests, 16.67% okay


Failed 2/236 test scripts. 10/2393 subtests failed.

3. but passes collision test


Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.7 i686)
=================================================================
System uname: 2.6.19.7 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 05 Apr 2007 13:00:08 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-06 10:40:22 UTC
x86 stable as ian told me to ignore failing test suite for now
Comment 13 Christian Hartmann (RETIRED) gentoo-dev 2007-04-06 11:50:22 UTC
MIPS: Can you please keyword 1.30 so that we can remove the vulnerable versions later on?
Comment 14 Michael Cummings (RETIRED) gentoo-dev 2007-04-06 21:50:54 UTC
amd64 all set
Comment 15 Christian Hartmann (RETIRED) gentoo-dev 2007-04-07 20:34:01 UTC
Alpha, amd64: Please don't forget about mod_perl-1.30.
Comment 16 Michael Cummings (RETIRED) gentoo-dev 2007-04-09 16:19:22 UTC
(In reply to comment #5)
> Created an attachment (id=115011) [edit]
> error_log
> 
> Perl team:
> 
> version 1.30:
> dodoc: ToDo does not exist
> chmod: cannot access
> `/var/tmp/portage/www-apache/mod_perl-1.30/image//etc/apache/modules.d/75_mod_perl':
> No such file or directory

fixed :)


(In reply to comment #15)
> Alpha, amd64: Please don't forget about mod_perl-1.30.

all set on amd64 for 1.30 as well now
Comment 17 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-10 11:46:32 UTC
(In reply to comment #15)
> Alpha, amd64: Please don't forget about mod_perl-1.30.

Ouch! now done. Thanks.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:17:11 UTC
This one is ready for GLSA decision. I tend to vote YES.
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-12 15:21:33 UTC
tend to vote yes
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-23 19:53:39 UTC
filing a GLSA request
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:02:38 UTC
GLSA 200705-04