Bug 63948 - net-www/apache-2, mod_dav: remotely triggerable NULL pointer dereference
Summary: net-www/apache-2, mod_dav: remotely triggerable NULL pointer dereference
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://nagoya.apache.org/bugzilla/sho...
Whiteboard: A3 [glsa] vorlon
Depends on: 62626
Reported: 2004-09-13 16:29 UTC by Kurt Lieber (RETIRED)
Modified: 2011-10-30 22:39 UTC
Description Kurt Lieber (RETIRED) gentoo-dev 2004-09-13 16:29:33 UTC
posted to vendor-sec.  (it's a public bug -- we're cleared to discuss it openly)
------------------------------------------------------------------
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183 describes a
remotely triggerable NULL pointer dereference in mod_dav.  It affects
the mod_dav shipped in Apache httpd 2.0 and mod_dav 1.0.x also.

Simple segfaults like this are "interesting" if you ship 2.0 with a
threaded MPM since in a threaded model a segfault takes out a whole
process, and can possibly deny service to the whole server if you use
(e.g.) pthread mutexes for accept() serialisation, and kill the process
while a thread has the mutex locked.

This is assigned CVE CAN-2004-0809.  The fix is here:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/fs/lock.c?r1=1.32&r2=1.33
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-09-13 20:34:40 UTC
apache guys,

please apply patch.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 01:05:27 UTC
This is related to bug 62626. We should probably only issue one GLSA for both, titled "Apache2, mod_dav: Multiple Denial of Service vulnerabilities".
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2004-09-14 01:34:20 UTC
Okay, apache-2.0.50-r3 is now in the tree to address this vulnerability.  Ready for marking stable on arches.

Best regards,
Stu
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 01:45:25 UTC
Arches called for stable on bug 62626.

Stuart: We also need a new net-www/mod_dav version for Apache 1 users... :)
Comment 5 rob holland (RETIRED) gentoo-dev 2004-09-14 02:07:21 UTC
net-www/mod_dav-1.0.3-r1 already has the dp_scan code in place and isn't susceptible to this problem.
Comment 6 rob holland (RETIRED) gentoo-dev 2004-09-14 03:01:37 UTC
My bad, the code was there. Fixed and committed -r2 for mod_dav.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 03:03:24 UTC
Arches, please test and mark mod_dav-1.0.3-r2 stable.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-14 07:31:44 UTC
Sparc stable.
Comment 9 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-14 17:23:31 UTC
ppc stable
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2004-09-16 09:33:08 UTC
now stable on x86..
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 11:18:52 UTC
waiting for testing and stable marking of apache-2.0.51 on bug #62626 (amd64)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 13:58:58 UTC
GLSA 200409-21