Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 715204 (CVE-2006-1681, CVE-2019-20798, CVE-2019-20799, CVE-2019-20800, CVE-2020-12845)

Summary: www-servers/cherokee: Multiple vulnerabilities (CVE-2006-1681, CVE-2019-{20798,20799,20800}, CVE-2020-12845)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: blueness, treecleaner
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---
Deadline: 2020-10-09   

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-29 00:22:45 UTC 
1) Heap buffer overflow in CGI handler

Patch: https://github.com/cherokee/webserver/commit/2d4ed5f277ba8d46aa988cdec3935a0650802f0d

Bug: https://github.com/cherokee/webserver/issues/1225

2) XSS vulnerability in handler_error via cherokee_buffer_add_escape_html()

Patch: https://github.com/cherokee/webserver/commit/4f4f85a348caa2c271c43260d20b9aef43701ffc

Bug: https://github.com/cherokee/webserver/issues/1222

3) CVE-2006-1681

Description:
"Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated."

Patch: https://github.com/cherokee/webserver/commit/998c4fe5bd34b41b252a4baf7a899368f2a314ee

Bug: https://github.com/cherokee/webserver/issues/1223
---

At least some of these seem to have been reproduced on the version in tree (last released version, 1.2.104).
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 23:56:48 UTC 
* CVE-2019-20798

Description:
"An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands."

URL: https://github.com/cherokee/webserver/issues/1227

* CVE-2019-20799

Description:
"In Cherokee through 1.2.104, multiple memory corruption errors may be used by a remote attacker to destabilize the work of a server."

URLs:
* https://github.com/cherokee/webserver/issues/1221
* https://github.com/cherokee/webserver/issues/1222
* https://github.com/cherokee/webserver/issues/1225
* https://github.com/cherokee/webserver/issues/1226
* https://logicaltrust.net/blog/2019/11/cherokee.html 

* CVE-2019-20800

Description:
"In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers."
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 23:51:45 UTC 
* CVE-2020-12845

Description:
"Cherokee 0.4.27 to 1.2.104 is affected by a denial of service due to a NULL pointer dereferences. A remote unauthenticated attacker can crash the server by sending an HTTP request to protected resources using a malformed Authorization header that is mishandled during a cherokee_buffer_add call within cherokee_validator_parse_basic or cherokee_validator_parse_digest."

https://github.com/cherokee/webserver/issues/1242
Comment 3 Larry the Git Cow gentoo-dev 2020-09-09 10:18:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d46fe7a85ed834c7605fe7616ab0a2465ed895c6

commit d46fe7a85ed834c7605fe7616ab0a2465ed895c6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-09 10:17:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-09 10:18:08 +0000

    package.mask: Last rite www-servers/cherokee
    
    Bug: https://bugs.gentoo.org/715204
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2020-10-09 07:23:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32b08650cb9978cfac955ab232858feea15e1a6b

commit 32b08650cb9978cfac955ab232858feea15e1a6b
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-09 07:20:53 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-09 07:21:04 +0000

    www-servers/cherokee: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/715204
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask                              |   8 -
 www-servers/cherokee/Manifest                      |   1 -
 www-servers/cherokee/cherokee-1.2.104-r2.ebuild    | 197 ---------------------
 .../cherokee/files/cherokee-1.2.99-gentoo.patch    |  38 ----
 www-servers/cherokee/files/cherokee-confd-1.2.98   |   4 -
 www-servers/cherokee/files/cherokee-initd-1.2.99   |  67 -------
 www-servers/cherokee/files/cherokee.logrotate-r1   |  10 --
 www-servers/cherokee/files/cherokee.service        |  10 --
 www-servers/cherokee/metadata.xml                  |  15 --
 9 files changed, 350 deletions(-)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 16:56:55 UTC 
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:17:59 UTC 
This issue was resolved and addressed in
 GLSA 202012-09 at https://security.gentoo.org/glsa/202012-09
by GLSA coordinator Thomas Deutschmann (whissi).