
Bug 271470 (CVE-2009-1195)

Summary: <www-servers/apache-2.2.11-r1 AllowOverride/Options Security Bypass (CVE-2009-1195)
Product: Gentoo Security
Reporter: cilly <cilly>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: apache-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/35261/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 276589
Bug Blocks:
Attachments (Description, Flags):
Patch against 2.2.11 from RedHat's bugzilla, none
CVE-2009-1195.patch (without CHANGES), none

Description cilly 2009-05-27 21:22:19 UTC
Description:
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to an error when processing "AllowOverride" directives and certain "Options" arguments in ".htaccess" files, which can be exploited to e.g. execute commands via Server Side Includes.
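
An added audit sketch, not code from this bug report or from Apache: it lists every option a .htaccess file turns on that the nearest enclosing "AllowOverride Options=" list does not name, so an administrator can see where a site depends on the restriction that the bug summary says could be bypassed. It assumes plain <Directory> paths with no wildcards, regexes or included config files; the function names, paths and sample files are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
ALLOW = re.compile(r'^\s*AllowOverride\s+(.+)$', re.I)
OPTIONS = re.compile(r'^\s*Options\s+(.+)$', re.I)

def override_limits(httpd_conf):
    """Map <Directory> path -> set from 'AllowOverride Options=...', else None."""
    limits, current = {}, None
    for line in httpd_conf.splitlines():
        if m := DIR_OPEN.match(line):
            current = m.group(1).rstrip("/") or "/"
        elif DIR_CLOSE.match(line):
            current = None
        elif current and (m := ALLOW.match(line)):
            lists = [a[8:] for a in m.group(1).split()
                     if a.lower().startswith("options=")]
            limits[current] = set(lists[0].lower().split(",")) if lists else None
    return limits

def unpermitted_requests(httpd_conf, htaccess_files):
    """Return (path, token) for options switched on outside the Options= list."""
    limits = override_limits(httpd_conf)
    findings = []
    for path, text in sorted(htaccess_files.items()):
        parents = (str(p) for p in PurePosixPath(path).parents)
        scope = next((p for p in parents if p in limits), None)
        if scope is None or limits[scope] is None:
            continue  # no Options= restriction applies to this file
        for m in filter(None, map(OPTIONS.match, text.splitlines())):
            for tok in m.group(1).split():
                name = tok.lstrip("+").lower()
                # "-Option" removals cannot enable anything, so skip them
                if not tok.startswith("-") and name not in limits[scope] | {"none"}:
                    findings.append((path, tok))
    return findings

# Constructed sample input (not taken from the bug report)
SAMPLE_CONF = ('<Directory "/var/www/users">\n'
               '    AllowOverride Options=Indexes,FollowSymLinks\n'
               '</Directory>\n')
SAMPLE_HTACCESS = {
    "/var/www/users/alice/.htaccess": "Options +Indexes\n",
    "/var/www/users/bob/.htaccess": "Options +Includes -Indexes\n",
}
if __name__ == "__main__":
    for path, tok in unpermitted_requests(SAMPLE_CONF, SAMPLE_HTACCESS):
        print(f"{path}: turns on {tok}, not in the AllowOverride Options= list")
```
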
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-28 09:34:18 UTC
This has limited impact, as there is no remote command execution. I'd go for B3, other opinions?
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-28 09:35:43 UTC
Created attachment 192689
Patch against 2.2.11 from RedHat's bugzilla
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-28 09:50:34 UTC
This allows for local privilege escalation. Users can run shell commands as the apache user in environments that are configured not to allow script execution.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-23 15:22:52 UTC
GLSA request filed.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-06-24 00:33:05 UTC
Shall we fix this first?
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 05:28:21 UTC
Created attachment 195624
CVE-2009-1195.patch (without CHANGES)

Argh. Well, we don't need to patch the CHANGES file (which fails):

patch -p0 < CVE-2009-1195.patch
patching file server/config.c
patching file server/core.c
patching file CHANGES
Hunk #1 FAILED at 5.
1 out of 1 hunk FAILED -- saving rejects to file CHANGES.rej
patching file modules/filters/mod_include.c
Hunk #1 succeeded at 3573 (offset -1 lines).
patching file include/http_core.h

It looks better this way:
patching file server/config.c
patching file server/core.c
patching file modules/filters/mod_include.c
Hunk #1 succeeded at 3573 (offset -1 lines).
patching file include/http_core.h
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-27 12:21:34 UTC
Can someone from the apache team have a look and commit this, or do you wait for 2.2.12?!
Comment 8 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 16:13:15 UTC
Patch added to 2.2.11-r1, stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-05 16:34:24 UTC
Thanks, stabilization handled in 276589.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-12 15:23:40 UTC
GLSA 200907-04, thanks everyone.