Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 466502 (CVE-2013-1862) - <www-servers/apache-2.2.25: mod_rewrite allows terminal escape sequences to be written to the log file (CVE-2013-1862)
Summary: <www-servers/apache-2.2.25: mod_rewrite allows terminal escape sequences to b...
Status: RESOLVED FIXED
Alias: CVE-2013-1862
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on: CVE-2013-1896
Blocks:
  Show dependency tree
 
Reported: 2013-04-19 19:37 UTC by Agostino Sarubbo
Modified: 2013-09-23 23:43 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
A modified ebuild of version 2.2.24 which applies files/mod_rewrite-CVE-2013-1862.patch (apache-2.2.24.ebuild,3.13 KB, patch)
2013-07-05 05:42 UTC, J.O. Aho
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-04-19 19:37:00 UTC
From ${URL} :

It was found that mod_rewrite writes data to a log file without sanitizing non-printable 
characters. A remote attacker could use this flaw to write terminal escape sequences to log files 
(if the RewriteLog directive was used by mod_rewrite). This could possibly cause arbitrary command 
execution, via HTTP requests containing an escape sequence for a terminal emulator. (if for example 
the log files were viewed in a terminal emulator)

Reference:
http://svn.apache.org/viewvc?view=revision&revision=r1469311

Proposed patch:
http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
Comment 1 Andreis Vinogradovs ( slepnoga ) 2013-05-14 15:16:13 UTC
patch avaible:
http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
Comment 2 J.O. Aho 2013-07-05 05:38:32 UTC
Vulnerability Summary for CVE-2013-1862:

Exploitability Subscore: 4.9
Authentication: Not required to exploit
Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service 

Vulnerable software and versions (version from portage listed)
cpe:/a:apache:http_server:2.2.4
cpe:/a:apache:http_server:2.2.24
Comment 3 J.O. Aho 2013-07-05 05:42:01 UTC
Created attachment 352658 [details, diff]
A modified ebuild of version 2.2.24 which applies files/mod_rewrite-CVE-2013-1862.patch
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-11 22:01:30 UTC
@maintainers: This is fixed in 2.2.25, just released.
Comment 5 Sergey Popov (RETIRED) gentoo-dev 2013-08-24 05:16:30 UTC
Added to existing GLSA draft
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-08-30 00:55:42 UTC
CVE-2013-1862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1862):
  mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x
  before 2.2.25 writes data to a log file without sanitizing non-printable
  characters, which might allow remote attackers to execute arbitrary commands
  via an HTTP request containing an escape sequence for a terminal emulator.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-09-23 23:43:55 UTC
This issue was resolved and addressed in
 GLSA 201309-12 at http://security.gentoo.org/glsa/glsa-201309-12.xml
by GLSA coordinator Sean Amoss (ackle).