Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 63948 - net-www/apache-2, mod_dav: remotely triggerable NULL pointer dereference
Summary: net-www/apache-2, mod_dav: remotely triggerable NULL pointer dereference
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa] vorlon
Depends on: 62626
  Show dependency tree
Reported: 2004-09-13 16:29 UTC by Kurt Lieber (RETIRED)
Modified: 2011-10-30 22:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kurt Lieber (RETIRED) gentoo-dev 2004-09-13 16:29:33 UTC
posted to vendor-sec.  (it's a public bug -- we're cleared to discuss it openly)
------------------------------------------------------------------ describes a
remotely triggerable NULL pointer dereference in mod_dav.  It affects
the mod_dav shipped in Apache httpd 2.0 and mod_dav 1.0.x also.

Simple segfaults like this are "interesting" if you ship 2.0 with a
threaded MPM since in a threaded model a segfault takes out a whole
process, and can possibly deny service to the whole server if you use
(e.g.) pthread mutexes for accept() serialisation, and kill the process
while a thread has the mutex locked.

This is assigned CVE CAN-2004-0809.  The fix is here:
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-09-13 20:34:40 UTC
apache guys,

please apply patch.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 01:05:27 UTC
This is related to bug 62626. We should probably only issue one GLSA for both, titled "Apache2, mod_dav: Multiple Denial of Service vulnerabilities".
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2004-09-14 01:34:20 UTC
Okay, apache-2.0.50-r3 is now in the tree to address this vulnerability.  Ready for marking stable on arches.

Best regards,
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 01:45:25 UTC
Arches called for stable on bug 62626.

Stuart : We also need a new net-www/mod_dav version for Apache 1 users... :)
Comment 5 rob holland (RETIRED) gentoo-dev 2004-09-14 02:07:21 UTC
net-www/mod_dav-1.0.3-r1 already has the dp_scan code in place and isn't susceptible to this problem.
Comment 6 rob holland (RETIRED) gentoo-dev 2004-09-14 03:01:37 UTC
My bad, the code was there. Fixed and commited -r2 for mod_dav.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 03:03:24 UTC
Arches, please test and mark mod_dav-1.0.3-r2 stable.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-14 07:31:44 UTC
Sparc stable.
Comment 9 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-14 17:23:31 UTC
 ppc stable
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2004-09-16 09:33:08 UTC
now stable on x86..
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 11:18:52 UTC
waiting for testing and stable marking of apache-2.0.51 on bug #62626 (amd64)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 13:58:58 UTC
GLSA 200409-21