
Bug 672086 (CVE-2011-2767)

Summary: <www-apache/mod_perl-2.0.11: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess (CVE-2011-2767)
Product: Gentoo Security
Reporter: Petr Pisar <petr.pisar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: kentnl, perl
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
See Also: https://bugs.gentoo.org/show_bug.cgi?id=655740
Whiteboard: B3 [noglsa cve]
Package list:
=www-apache/mod_perl-2.0.11 amd64 ppc ppc64 x86 =dev-perl/Apache-Test-1.420.0
Runtime testing required: No

Description Petr Pisar 2018-11-27 19:56:12 UTC
www-apache/mod_perl-2.0.10 suffers from a vulnerability that allows a user to execute Perl code in the context of the httpd process. The issue is that a user can place a <Perl> section into his .htaccess file and the Perl code in the section will be executed by the httpd process before changing UID to the user.

This is known as CVE-2011-2767.
Upstream bug report: https://rt.cpan.org/Public/Bug/Display.html?id=126984
First disclosure and a patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
More details: https://bugzilla.redhat.com/show_bug.cgi?id=1623265
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-04 21:23:36 UTC
tree is clean.
Comment 2 Petr Pisar 2018-12-05 19:07:50 UTC
I cannot comprehend your answer. All upstream mod_perl releases since version 2.0 are vulnerable. And the only www-apache/mod_perl ebuild in portage tree still contains the faulty code in mod_perl-2.0.10/src/modules/perl/mod_perl.c:

    MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
    MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
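
An audit check for the condition described in this report, as an added example that is not part of the bug thread or of mod_perl: it scans per-directory config files for `<Perl>` sections and single-line `Perl` directives, the two commands registered by the mod_perl.c lines quoted above. The function names, the constructed sample input and the assumption that the files are named `.htaccess` are illustrative.

```python
import os
import re

# Directive names come from the mod_perl.c lines quoted in comment 2:
# "<Perl" opens a code section, "Perl" is the single-line form. Apache
# directive names are case-insensitive. PerlSetVar, PerlOptions and other
# Perl* directives carry no inline code and must not match.
PERL_SECTION = re.compile(r"^\s*<Perl(?:\s|>)", re.IGNORECASE)
PERL_LINE = re.compile(r"^\s*Perl\s+\S", re.IGNORECASE)


def find_perl_code(text):
    """Return (line_number, kind, line) for each code-carrying directive."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # Apache comment line
            continue
        if PERL_SECTION.match(line):
            hits.append((number, "section", line.strip()))
        elif PERL_LINE.match(line):
            hits.append((number, "directive", line.strip()))
    return hits


def scan_tree(root, name=".htaccess"):
    """Walk root and map each file called `name` to its hits, if any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = find_perl_code(handle.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample input, not taken from the bug report.
SAMPLE = """\
# <Perl> in a comment is ignored
PerlSetVar Debug 1
  <PERL>
    warn "constructed sample body";
  </Perl>
Perl warn "constructed one-liner";
"""

if __name__ == "__main__":
    for hit in find_perl_code(SAMPLE):
        print(hit)
```

Running `scan_tree` over the directories that users can write to lists every file that would need review on a host still running an affected mod_perl version.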
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-05 22:00:18 UTC
(In reply to Petr Pisar from comment #2)
> I cannot comprehend your answer. All upstream mod_perl releases since version
> 2.0 are vulnerable. And the only www-apache/mod_perl ebuild in portage
> tree still contains the faulty code in
> mod_perl-2.0.10/src/modules/perl/mod_perl.c:
> 
>     MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
>     MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),

Thank you for catching this.  Re-opened until a proper fix is applied.
Comment 4 Larry the Git Cow gentoo-dev 2020-03-17 09:44:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d1a1f3274d4a7a95a7beb5d4c8ef9ba72e168d4

commit 9d1a1f3274d4a7a95a7beb5d4c8ef9ba72e168d4
Author:     Andreas K. Huettel <dilfridge@gentoo.org>
AuthorDate: 2020-03-17 09:43:16 +0000
Commit:     Andreas K. Huettel <dilfridge@gentoo.org>
CommitDate: 2020-03-17 09:43:57 +0000

    www-apache/mod_perl: Version bump
    
    Bug: https://bugs.gentoo.org/672086
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Andreas K. Huettel <dilfridge@gentoo.org>

 www-apache/mod_perl/Manifest               |   1 +
 www-apache/mod_perl/mod_perl-2.0.11.ebuild | 138 +++++++++++++++++++++++++++++
 2 files changed, 139 insertions(+)
Comment 5 Sam James archtester gentoo-dev Security 2020-03-21 23:31:24 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2020-03-22 06:36:55 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 7 Sam James archtester gentoo-dev Security 2020-04-21 16:47:00 UTC
stabilisation acked by dilfridge
Comment 8 NATTkA bot gentoo-dev 2020-04-21 16:49:12 UTC
Sanity check failed:

> www-apache/mod_perl-2.0.11
>   depend amd64 stable profile default/linux/amd64/17.0 (58 total)
>     >=dev-perl/Apache-Test-1.420.0
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     >=dev-perl/Apache-Test-1.420.0
>   rdepend amd64 stable profile default/linux/amd64/17.0 (58 total)
>     >=dev-perl/Apache-Test-1.420.0
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total)
>     >=dev-perl/Apache-Test-1.420.0
Comment 9 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2020-05-04 11:30:49 UTC
Bug #655740 not a blocker because we can't repro.
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-04 15:30:56 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-04 16:56:55 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-05-05 06:46:27 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-05-06 06:28:46 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-05-11 16:49:25 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2020-05-12 18:02:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=562e0ddc683696a4d4e423ed6b2b3a4f9d5d4eab

commit 562e0ddc683696a4d4e423ed6b2b3a4f9d5d4eab
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-05-12 18:01:03 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-05-12 18:02:42 +0000

    www-apache/mod_perl: Sec cleanup 2.0.11 re bug #672086
    
    Removing versions affected by CVE-2011-2767
    
    Bug: https://bugs.gentoo.org/672086
    Bug: https://rt.cpan.org/Public/Bug/Display.html?id=126984
    Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169
    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1623265
    Bug: https://nvd.nist.gov/vuln/detail/CVE-2011-2767
    Bug: https://www.cvedetails.com/cve/CVE-2011-2767/
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 www-apache/mod_perl/Manifest                       |   1 -
 .../files/mod_perl-2.0.10-apache24-tests-1.patch   |  33 -----
 .../files/mod_perl-2.0.10-apache24-tests-2.patch   |  23 ----
 www-apache/mod_perl/mod_perl-2.0.10.ebuild         | 140 ---------------------
 4 files changed, 197 deletions(-)
Comment 16 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2020-05-12 18:04:27 UTC
Over to sec team to finalize now.
Comment 17 Sam James archtester gentoo-dev Security 2020-05-12 18:06:56 UTC
(In reply to Kent Fredric (IRC: kent\n) from comment #16)
> Over to sec team to finalize now.

Thanks!

Will close because vote was no glsa previously.