Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 487314 (CVE-2013-4365) - <www-apache/mod_fcgid-2.3.9: heap overflow (CVE-2013-4365)
Summary: <www-apache/mod_fcgid-2.3.9: heap overflow (CVE-2013-4365)
Status: RESOLVED FIXED
Alias: CVE-2013-4365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.mail-archive.com/dev@httpd...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-08 12:25 UTC by Hanno Boeck
Modified: 2014-02-07 20:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Boeck gentoo-dev 2013-10-08 12:25:57 UTC
mod_fcgid 2.3.9 fixes a heap overflow:
http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html

From upstream release notes:
  *) SECURITY: CVE-2013-4365 (cve.mitre.org)
     Fix possible heap buffer overwrite.  Reported and solved by:
     [Robert Matthews <rob tigertech.com>]
Comment 1 Agostino Sarubbo gentoo-dev 2013-10-08 19:29:29 UTC
(In reply to Hanno Boeck from comment #0)
> mod_fcgid 2.3.9 fixes a heap overflow:
> http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html
> 
> From upstream release notes:
>   *) SECURITY: CVE-2013-4365 (cve.mitre.org)
>      Fix possible heap buffer overwrite.  Reported and solved by:
>      [Robert Matthews <rob tigertech.com>]

Please cc the maintainer.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:20:15 UTC
CVE-2013-4365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4365):
  Heap-based buffer overflow in the fcgid_header_bucket_read function in
  fcgid_bucket.c in the mod_fcgid module before 2.3.9 for the Apache HTTP
  Server allows remote attackers to have an unspecified impact via unknown
  vectors.
Comment 3 Hanno Boeck gentoo-dev 2014-01-14 08:57:51 UTC
As this package is maintainer-needed, I've bumped it (and before you ask: I don't intend to become the maintainer).
Comment 4 Chris Reffett gentoo-dev Security 2014-01-14 14:20:56 UTC
Much appreciated. Arches, please test and mark stable:
=www-apache/mod_fcgid-2.3.9
Target arches: amd64 ppc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:02 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-16 20:17:48 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-17 20:47:12 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2014-01-22 21:10:49 UTC
GLSA Request Filed
Maintainer(s), please drop the vulnerable version(s).
Comment 9 Chris Reffett gentoo-dev Security 2014-02-07 20:02:32 UTC
Dropped old.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-02-07 20:47:33 UTC
This issue was resolved and addressed in
 GLSA 201402-09 at http://security.gentoo.org/glsa/glsa-201402-09.xml
by GLSA coordinator Chris Reffett (creffett).