Bug 344685 (CVE-2010-3872) - <www-apache/mod_fcgid-2.3.6: Stack buffer overflow vulnerability (CVE-2010-3872)
Status: RESOLVED FIXED
Alias: CVE-2010-3872
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Lance Albertson (RETIRED)
URL: https://svn.apache.org/repos/asf/http...
Whiteboard: B1? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-08 14:25 UTC by Stefan Behte (RETIRED)
Modified: 2012-07-09 23:36 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-11-08 14:25:23 UTC
*) SECURITY: CVE-2010-3872 (cve.mitre.org)
     Fix possible stack buffer overwrite.  Diagnosed by the reporter.
     PR 49406.  [Edgar Frank <ef-lists email.de>]
Comment 1 Lance Albertson (RETIRED) gentoo-dev 2010-11-09 22:30:34 UTC
Bumped in portage.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:29:10 UTC
Arches, please test and mark stable:
=www-apache/mod_fcgid-2.3.6
Target keywords : "amd64 ppc x86"
Comment 3 Markus Meier gentoo-dev 2010-11-21 17:55:50 UTC
amd64/x86 stable
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-11 17:51:58 UTC
ppc stable, last arch done
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-01-12 05:04:41 UTC
Thanks, folks. GLSA request filed.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-21 11:16:07 UTC
CVE-2010-3872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3872):
  The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c
  in Apache mod_fcgid before 2.3.6 does not use bytewise pointer
  arithmetic in certain circumstances, which has unknown impact and
  attack vectors related to "untrusted FastCGI applications" and a
  "stack buffer overwrite."

Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 23:36:55 UTC
This issue was resolved and addressed in
 GLSA 201207-09 at http://security.gentoo.org/glsa/glsa-201207-09.xml
by GLSA coordinator Sean Amoss (ackle).
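
The CVE text quoted in Comment 6 attributes the overwrite to pointer arithmetic that is not bytewise. The following is an added illustration of that bug class, not mod_fcgid source and not part of the original report: it assumes the 8-byte FastCGI record header from the FastCGI specification, and the function names and chunked-input model are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 8-byte FastCGI record header (layout per the FastCGI specification). */
typedef struct {
    uint8_t version, type, request_id_b1, request_id_b0;
    uint8_t content_length_b1, content_length_b0, padding_length, reserved;
} fcgi_header;

/* Byte offset reached by `&hdr + got`: arithmetic on a struct pointer is
 * scaled by sizeof(struct), so after 3 bytes the next write would land
 * 24 bytes past the start of an 8-byte stack object. */
size_t scaled_offset(size_t got) { return got * sizeof(fcgi_header); }

/* Byte offset reached by `(char *)&hdr + got`: the intended position. */
size_t bytewise_offset(size_t got) { return got; }

/* Assemble a header from input that arrives in short chunks, as a peer
 * application may deliver it. Returns 0 on success, -1 on short input. */
int read_header(const uint8_t *in, size_t in_len, size_t chunk,
                fcgi_header *out)
{
    unsigned char *dst = (unsigned char *)out;  /* bytewise view of *out */
    size_t got = 0;

    if (chunk == 0)
        return -1;
    while (got < sizeof *out) {
        size_t want = sizeof *out - got;        /* never exceed the struct */
        size_t avail = in_len - got;            /* got <= in_len always */
        size_t n = chunk < want ? chunk : want;

        if (avail == 0)
            return -1;                          /* input ended early */
        if (n > avail)
            n = avail;
        memcpy(dst + got, in + got, n);         /* byte offset, not struct */
        got += n;
    }
    return 0;
}
```

The scaled form only misbehaves when a read returns fewer bytes than the full header, which is why a check that feeds the header in a single read does not expose it.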