Bug 412481 (CVE-2012-0883)

Summary: <www-servers/apache-2.2.22-r1 : LD_LIBRARY_PATH Security Issue (CVE-2012-0883)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: apache-bugs, hanno, mail, patrick, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/48849/
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-04-18 07:59:34 UTC
From the Secunia security advisory at $URL:

Description
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the application incorrectly setting the environment variable LD_LIBRARY_PATH. This can be exploited to gain escalated privileges by e.g. tricking a user into running certain scripts in a directory containing a malicious library.

The security issue is reported in versions prior to 2.4.2.


Solution
Update to version 2.4.2.
Comment 1 Agostino Sarubbo gentoo-dev 2012-04-18 08:01:21 UTC
@maintainers:

Since there is no fix in 2.2 version, I'd say that vulnerability was introduced in 2.4.x branch, can you check please?
Comment 2 Tomas Hoger 2012-04-18 08:33:25 UTC
(In reply to comment #1)
> Since there is no fix in 2.2 version, I'd say that vulnerability was
> introduced in 2.4.x branch, can you check please?

The fix is proposed for inclusion in 2.2:
http://svn.apache.org/viewvc?view=revision&revision=1296431
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-04-18 16:22:08 UTC
(In reply to comment #2)
> 
> The fix is proposed for inclusion in 2.2:
> http://svn.apache.org/viewvc?view=revision&revision=1296431

Thanks, Tomas.

@apache, from that URL:

+    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1296428
+    2.2.x patch: Trunk patch works
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-04-19 14:11:45 UTC
*** Bug 412641 has been marked as a duplicate of this bug. ***
Comment 5 Patrick Lauer gentoo-dev 2012-04-20 04:24:11 UTC
+  20 Apr 2012; Patrick Lauer <patrick@gentoo.org> +apache-2.2.22-r1.ebuild,
+  +files/2.2.22-envvars-std.in:
+  Fix for #412481

Since the patch is very simple I committed it with stable keywords. Hope that makes everyone happy :)
Comment 6 Patrick Lauer gentoo-dev 2012-04-20 04:35:23 UTC
2.4.2 is in tree (but masked as 2.4 needs some more massaging to be nice)
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-04-20 06:13:49 UTC
Thanks muchly. Added to existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:41:07 UTC
CVE-2012-0883 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883):
  envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a
  zero-length directory name in the LD_LIBRARY_PATH, which allows local users
  to gain privileges via a Trojan horse DSO in the current working directory
  during execution of apachectl.
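
The zero-length LD_LIBRARY_PATH entry described in the CVE text above, as an added example that is not part of this bug thread or of the Apache or Gentoo fix: a POSIX shell check for empty entries, shown next to an unconditional append (one way such an entry arises) and a guarded form. The library directory and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): find and avoid zero-length entries
# in a colon-separated library search path. The loader reads such an entry as
# the current working directory.

# Exit 0 if $1 has a leading colon, a trailing colon or "::".
has_empty_entry() {
    case "$1" in
        "")         return 1 ;;  # unset or empty: no search path at all
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Drop every zero-length entry from $1. The body is a subshell, so the IFS
# and globbing changes do not leak into the caller.
strip_empty() (
    IFS=:
    set -f
    out=
    for entry in $1; do
        if [ -n "$entry" ]; then out="${out:+$out:}$entry"; fi
    done
    printf '%s' "$out"
)

# Weak form (assumed for illustration): unconditional append. $1 = library
# directory, $2 = inherited value. An empty $2 leaves a trailing colon.
build_weak() { printf '%s' "$1:$2"; }

# Guarded form: clean the inherited value, add ":" only if something is left.
build_safe() {
    inherited=$(strip_empty "$2")
    printf '%s' "$1${inherited:+:$inherited}"
}

# Constructed inputs; LIBDIR is a placeholder, not a path from the bug.
LIBDIR=/usr/lib/example-httpd
for value in "" "/opt/lib" "/opt/lib::/srv/lib"; do
    for form in weak safe; do
        result=$("build_$form" "$LIBDIR" "$value")
        if has_empty_entry "$result"; then verdict=EMPTY-ENTRY; else verdict=ok; fi
        printf '%-5s inherited=[%s] -> %s (%s)\n' "$form" "$value" "$result" "$verdict"
    done
done
```

The same `has_empty_entry` check can be pointed at the value a service wrapper actually exports to confirm that a packaged fix took effect.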
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:35 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).