www-apache/mod_perl-2.0.10 suffers from a vulnerability that allows a user to execute a Perl code in the context of the httpd process. The issue is that a user can place a <Perl> section into his .htaccess file and a Perl code in the section will be executed by the httpd process before changing UID to the user. This is known as CVE-2011-2767. Upstream bug report: https://rt.cpan.org/Public/Bug/Display.html?id=126984 First disclosure and a patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169 More details: https://bugzilla.redhat.com/show_bug.cgi?id=1623265
tree is clean.
I cannot comprehend your answer. All upstream mod-perl releases since 2.0 version are vulnerable. And the only www-apache/mod_perl ebuild in portage tree still contains the faulty code in mod_perl-2.0.10/src/modules/perl/mod_perl.c: MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"), MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
(In reply to Petr Pisar from comment #2) > I cannot comprehend your answer. All upstream mod-perl releases since 2.0 > version are vulnerable. And the only www-apache/mod_perl ebuild in portage > tree still contains the faulty code in > mod_perl-2.0.10/src/modules/perl/mod_perl.c: > > MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"), > MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"), Thank you for catching this. Re-opened until a proper fix is applied.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9d1a1f3274d4a7a95a7beb5d4c8ef9ba72e168d4 commit 9d1a1f3274d4a7a95a7beb5d4c8ef9ba72e168d4 Author: Andreas K. Huettel <dilfridge@gentoo.org> AuthorDate: 2020-03-17 09:43:16 +0000 Commit: Andreas K. Huettel <dilfridge@gentoo.org> CommitDate: 2020-03-17 09:43:57 +0000 www-apache/mod_perl: Version bump Bug: https://bugs.gentoo.org/672086 Package-Manager: Portage-2.3.89, Repoman-2.3.20 Signed-off-by: Andreas K. Huettel <dilfridge@gentoo.org> www-apache/mod_perl/Manifest | 1 + www-apache/mod_perl/mod_perl-2.0.11.ebuild | 138 +++++++++++++++++++++++++++++ 2 files changed, 139 insertions(+)
@maintainer(s), please advise if ready for stabilisation, or call yourself
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
stabilisation acked by dilfridge
Sanity check failed: > www-apache/mod_perl-2.0.11 > depend amd64 stable profile default/linux/amd64/17.0 (58 total) > >=dev-perl/Apache-Test-1.420.0 > depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total) > >=dev-perl/Apache-Test-1.420.0 > rdepend amd64 stable profile default/linux/amd64/17.0 (58 total) > >=dev-perl/Apache-Test-1.420.0 > rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (4 total) > >=dev-perl/Apache-Test-1.420.0
Bug #655740 not a blocker because we cant repro.
sparc stable
amd64 stable
ppc stable
ppc64 stable
x86 stable. Maintainer(s), please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=562e0ddc683696a4d4e423ed6b2b3a4f9d5d4eab commit 562e0ddc683696a4d4e423ed6b2b3a4f9d5d4eab Author: Kent Fredric <kentnl@gentoo.org> AuthorDate: 2020-05-12 18:01:03 +0000 Commit: Kent Fredric <kentnl@gentoo.org> CommitDate: 2020-05-12 18:02:42 +0000 www-apache/mod_perl: Sec cleanup 2.0.11 re bug #672086 Removing versions affected by CVE-2011-2767 Bug: https://bugs.gentoo.org/672086 Bug: https://rt.cpan.org/Public/Bug/Display.html?id=126984 Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1623265 Bug: https://nvd.nist.gov/vuln/detail/CVE-2011-2767 Bug: https://www.cvedetails.com/cve/CVE-2011-2767/ Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Kent Fredric <kentnl@gentoo.org> www-apache/mod_perl/Manifest | 1 - .../files/mod_perl-2.0.10-apache24-tests-1.patch | 33 ----- .../files/mod_perl-2.0.10-apache24-tests-2.patch | 23 ---- www-apache/mod_perl/mod_perl-2.0.10.ebuild | 140 --------------------- 4 files changed, 197 deletions(-)
Over to sec team to finalize now.
(In reply to Kent Fredric (IRC: kent\n) from comment #16) > Over to sec team to finalize now. Thanks! Will close because vote was no glsa previously.
