Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 271470 (CVE-2009-1195) - <www-servers/apache-2.2.11-r1 AllowOverride/Options Security Bypass (CVE-2009-1195)
Summary: <www-servers/apache-2.2.11-r1 AllowOverride/Options Security Bypass (CVE-2009...
Status: RESOLVED FIXED
Alias: CVE-2009-1195
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/35261/
Whiteboard: B1 [glsa]
Keywords:
Depends on: 276589
Blocks:
  Show dependency tree
 
Reported: 2009-05-27 21:22 UTC by cilly
Modified: 2009-07-12 15:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch against 2.2.11 from RedHat's bugzilla (apache-CVE-2009-1195.patch,6.14 KB, patch)
2009-05-28 09:35 UTC, Alex Legler (RETIRED)
no flags Details | Diff
CVE-2009-1195.patch (without CHANGES) (CVE-2009-1195.patch,5.23 KB, text/plain)
2009-06-24 05:28 UTC, Stefan Behte (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description cilly 2009-05-27 21:22:19 UTC
Description:
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to bypass certain security restrictions.

The security issue is caused due to an error when processing "AllowOverride" directives and certain "Options" arguments in ".htaccess" files, which can be exploited to e.g. execute commands via Server Side Includes.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-28 09:34:18 UTC
This has limited impact, as there is no remote command execution.. I'd go for B3, other opinions?
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-28 09:35:43 UTC
Created attachment 192689 [details, diff]
Patch against 2.2.11 from RedHat's bugzilla
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-28 09:50:34 UTC
This allows for local privilege escalation. Users can run shell commands as the apache user in environments that are configured not to allow script execution.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-23 15:22:52 UTC
GLSA request filed.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-06-24 00:33:05 UTC
shall we fix this first?
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 05:28:21 UTC
Created attachment 195624 [details]
CVE-2009-1195.patch (without CHANGES)

Argh. Well, we don't need to patch the CHANGES file (which fails):

patch -p0 < CVE-2009-1195.patch
patching file server/config.c
patching file server/core.c
patching file CHANGES
Hunk #1 FAILED at 5.
1 out of 1 hunk FAILED -- saving rejects to file CHANGES.rej
patching file modules/filters/mod_include.c
Hunk #1 succeeded at 3573 (offset -1 lines).
patching file include/http_core.h

It looks better this way:
patching file server/config.c
patching file server/core.c
patching file modules/filters/mod_include.c
Hunk #1 succeeded at 3573 (offset -1 lines).
patching file include/http_core.h
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-27 12:21:34 UTC
Can someone from the apache team have a look and commit this, or do you wait for 2.2.12?!
Comment 8 Benedikt Böhm (RETIRED) gentoo-dev 2009-07-05 16:13:15 UTC
patch added to 2.2.11-r1, stabilization should probably be done in a new bug, since multiple issues have been fixed with 2.2.11-r1
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-05 16:34:24 UTC
Thanks, stabilization handled in 276589.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-12 15:23:40 UTC
GLSA 200907-04, thanks everyone.