672086 – (CVE-2011-2767) <www-apache/mod_perl-2.0.11: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767)

Bug 672086 (CVE-2011-2767) - <www-apache/mod_perl-2.0.11: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767)

Summary: <www-apache/mod_perl-2.0.11: arbitrary Perl code execution in the context of ...

Status:	RESOLVED FIXED

Alias:	CVE-2011-2767

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://bugs.debian.org/cgi-bin/bugre...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-11-27 19:56 UTC by Petr Pisar
Modified:	2020-05-12 18:07 UTC (History)
CC List:	2 users (show)

See Also:	655740
Package list:	=www-apache/mod_perl-2.0.11 amd64 ppc ppc64 x86 =dev-perl/Apache-Test-1.420.0
Runtime testing required:	No

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Petr Pisar 2018-11-27 19:56:12 UTC

www-apache/mod_perl-2.0.10 suffers from a vulnerability that allows a user to execute a Perl code in the context of the httpd process. The issue is that a user can place a <Perl> section into his .htaccess file and a Perl code in the section will be executed by the httpd process before changing UID to the user.

This is known as CVE-2011-2767.
Upstream bug report: https://rt.cpan.org/Public/Bug/Display.html?id=126984
First disclosure and a patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
More details: https://bugzilla.redhat.com/show_bug.cgi?id=1623265

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2018-12-04 21:23:36 UTC

tree is clean.

Comment 2 Petr Pisar 2018-12-05 19:07:50 UTC

I cannot comprehend your answer. All upstream mod-perl releases since 2.0 version are vulnerable. And the only www-apache/mod_perl ebuild in portage tree still contains the faulty code in mod_perl-2.0.10/src/modules/perl/mod_perl.c:

    MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
    MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-12-05 22:00:18 UTC

(In reply to Petr Pisar from comment #2)
> I cannot comprehend your answer. All upstream mod-perl releases since 2.0
> version are vulnerable. And the only www-apache/mod_perl ebuild in portage
> tree still contains the faulty code in
> mod_perl-2.0.10/src/modules/perl/mod_perl.c:
> 
>     MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
>     MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),

Thank you for catching this.  Re-opened until a proper fix is applied.

Comment 4 Larry the Git Cow gentoo-dev

2020-03-17 09:44:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d1a1f3274d4a7a95a7beb5d4c8ef9ba72e168d4

commit 9d1a1f3274d4a7a95a7beb5d4c8ef9ba72e168d4
Author:     Andreas K. Huettel <dilfridge@gentoo.org>
AuthorDate: 2020-03-17 09:43:16 +0000
Commit:     Andreas K. Huettel <dilfridge@gentoo.org>
CommitDate: 2020-03-17 09:43:57 +0000

    www-apache/mod_perl: Version bump
    
    Bug: https://bugs.gentoo.org/672086
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Andreas K. Huettel <dilfridge@gentoo.org>

 www-apache/mod_perl/Manifest               |   1 +
 www-apache/mod_perl/mod_perl-2.0.11.ebuild | 138 +++++++++++++++++++++++++++++
 2 files changed, 139 insertions(+)

Comment 5 Sam James archtester

2020-03-21 23:31:24 UTC

@maintainer(s), please advise if ready for stabilisation, or call yourself

Comment 6 Yury German Gentoo Infrastructure

2020-03-22 06:36:55 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 7 Sam James archtester

2020-04-21 16:47:00 UTC

stabilisation acked by dilfridge

Comment 8 NATTkA bot gentoo-dev

2020-04-21 16:49:12 UTC

Sanity check failed:

> www-apache/mod_perl-2.0.11
>   depend amd64 stable profile default/linux/amd64/17.0 (58 total)
>     >=dev-perl/Apache-Test-1.420.0
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     >=dev-perl/Apache-Test-1.420.0
>   rdepend amd64 stable profile default/linux/amd64/17.0 (58 total)
>     >=dev-perl/Apache-Test-1.420.0
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     >=dev-perl/Apache-Test-1.420.0

Comment 9 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2020-05-04 11:30:49 UTC

Bug #655740 not a blocker because we cant repro.

Comment 10 Agostino Sarubbo gentoo-dev

2020-05-04 15:30:56 UTC

sparc stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-05-04 16:56:55 UTC

amd64 stable

Comment 12 Agostino Sarubbo gentoo-dev

2020-05-05 06:46:27 UTC

ppc stable

Comment 13 Agostino Sarubbo gentoo-dev

2020-05-06 06:28:46 UTC

ppc64 stable

Comment 14 Agostino Sarubbo gentoo-dev

2020-05-11 16:49:25 UTC

x86 stable.

Maintainer(s), please cleanup.

Comment 15 Larry the Git Cow gentoo-dev

2020-05-12 18:02:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=562e0ddc683696a4d4e423ed6b2b3a4f9d5d4eab

commit 562e0ddc683696a4d4e423ed6b2b3a4f9d5d4eab
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-05-12 18:01:03 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-05-12 18:02:42 +0000

    www-apache/mod_perl: Sec cleanup 2.0.11 re bug #672086
    
    Removing versions affected by CVE-2011-2767
    
    Bug: https://bugs.gentoo.org/672086
    Bug: https://rt.cpan.org/Public/Bug/Display.html?id=126984
    Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1623265
    Bug: https://nvd.nist.gov/vuln/detail/CVE-2011-2767
    Bug: https://www.cvedetails.com/cve/CVE-2011-2767/
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 www-apache/mod_perl/Manifest                       |   1 -
 .../files/mod_perl-2.0.10-apache24-tests-1.patch   |  33 -----
 .../files/mod_perl-2.0.10-apache24-tests-2.patch   |  23 ----
 www-apache/mod_perl/mod_perl-2.0.10.ebuild         | 140 ---------------------
 4 files changed, 197 deletions(-)

Comment 16 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2020-05-12 18:04:27 UTC

Over to sec team to finalize now.

Comment 17 Sam James archtester

2020-05-12 18:06:56 UTC

(In reply to Kent Fredric (IRC: kent\n) from comment #16)
> Over to sec team to finalize now.

Thanks!

Will close because vote was no glsa previously.