Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631308 (CVE-2017-9798)

Summary: <www-servers/apache-{2.2.34,2.4.27-r1}: Optionsbleed
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: hanno, polynomial-c
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
Whiteboard: A4 [glsa cve]
Package list:
www-servers/apache-2.2.34 www-servers/apache-2.4.27-r1 app-admin/apache-tools-2.4.27 app-admin/apache-tools-2.2.34
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 622240, 624868    

Description Thomas Deutschmann gentoo-dev Security 2017-09-18 09:00:33 UTC
Incoming Details.
Comment 1 Hanno Böck gentoo-dev 2017-09-18 09:24:01 UTC
Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

The bug appears if a webmaster tries to use the "Limit" directive with an invalid HTTP method.

Example .htaccess:

<Limit abcxyz>
</Limit>

Patch:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

There won't be an apache release, unfortunately the apache team was unable to come up with a coordinated disclosure / release date.

I cannot reproduce it with apache 2.2, but this bug tends to be not reliably reproducible, so this is no assurance that there is no bug.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-09-18 13:06:31 UTC
Arches,

please test and mark stable:

 - =www-servers/apache-2.2.34
 - =www-servers/apache-tools-2.2.34
 - =www-servers/apache-2.4.27-r1
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-09-18 13:07:07 UTC
amd64/x86 stable
Comment 4 Sergei Trofimovich gentoo-dev 2017-09-19 07:38:38 UTC
stable for sparc (thanks to Rolf Eike Beer)
Comment 5 Sergei Trofimovich gentoo-dev 2017-09-19 19:38:22 UTC
ia64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2017-09-20 20:37:37 UTC
hppa stable
Comment 7 Sergei Trofimovich gentoo-dev 2017-09-23 12:36:54 UTC
ppc stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-09-23 12:43:04 UTC
ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-10-16 18:12:37 UTC
arm stable
Comment 10 Tobias Klausmann gentoo-dev 2017-10-22 21:46:37 UTC
Stable on alpha.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-23 00:22:39 UTC
@maintainers, please clean the vulnerable versions.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-25 00:55:07 UTC
GLSA Vote: Yes.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 23:05:26 UTC
This issue was resolved and addressed in
 GLSA 201710-32 at https://security.gentoo.org/glsa/201710-32
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-29 23:06:01 UTC
re-opened for cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2017-10-29 23:16:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=760bcf48e497d770435030c1b82246e56665fcdd

commit 760bcf48e497d770435030c1b82246e56665fcdd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 23:14:37 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 23:16:15 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/631308
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 www-servers/apache/apache-2.4.27.ebuild | 238 --------------------------------
 1 file changed, 238 deletions(-)}
Comment 16 Thomas Deutschmann gentoo-dev Security 2017-10-29 23:17:58 UTC
Repository is clean, all done.