Bug 517298 (CVE-2014-0226) - <www-servers/apache-2.2.27-r4: httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability (CVE-2014-0226)
Summary: <www-servers/apache-2.2.27-r4: httpd mod_status Heap Buffer Overflow Remote C...
Status: RESOLVED FIXED
Alias: CVE-2014-0226
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.zerodayinitiative.com/advi...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-17 07:29 UTC by Hanno Böck
Modified: 2014-08-31 11:18 UTC
Description Hanno Böck gentoo-dev 2014-07-17 07:29:53 UTC
A race condition in apache's mod_status can lead to a buffer overflow.
Source:
http://www.zerodayinitiative.com/advisories/ZDI-14-236/
Fix is in upstream's apache 2.4.10 which is not yet released but a pre-release package is available and release should be ready within the next days:
https://mail-archives.apache.org/mod_mbox/httpd-dev/201407.mbox/%3C81300987-8AB3-4364-81F5-53F803B39DA4%40jaguNET.com%3E

I don't know about the status in apache 2.2.
Comment 1 Marcel Pennewiß 2014-07-17 20:13:29 UTC
(In reply to Hanno Boeck from comment #0)
> I don't know about the status in apache 2.2.

Seems to be fixed in 2.2.28, but also not released yet:
http://mail-archives.apache.org/mod_mbox/httpd-cvs/201407.mbox/%3C20140714203433.31B4D23889D5@eris.apache.org%3E
Comment 2 Hanno Böck gentoo-dev 2014-07-21 22:56:51 UTC
Finally apache 2.4.10 has been released. 2.2.28 not yet.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-07-22 12:33:12 UTC
CVE-2014-0226 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0226):
  Race condition in the mod_status module in the Apache HTTP Server before
  2.4.10 allows remote attackers to cause a denial of service (heap-based
  buffer overflow), or possibly obtain sensitive credential information or
  execute arbitrary code, via a crafted request that triggers improper
  scoreboard handling within the status_handler function in
  modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in
  modules/lua/lua_request.c.
Comment 4 Patrick Lauer gentoo-dev 2014-07-24 02:30:32 UTC
Ebuilds for 2.4.10 have been committed
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-07-26 04:03:52 UTC
Maintainer(s): please let us know when the ebuild is ready for stabilization.
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2014-07-27 10:16:57 UTC
(In reply to Yury German from comment #5)
> Maintainer(s): please let us know when the ebuild is ready for 
> stabilization.

Unfortunately not yet. Patrick added the ebuilds without my permission omitting all the changes I wanted to incorporate in a new patchset. So please wait for apache-2.4.10-r1.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-07-27 19:16:10 UTC
Please advise or call for stabilization when ready.
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2014-07-31 11:41:24 UTC
+*apache-2.4.10-r1 (31 Jul 2014)
+*apache-2.2.27-r4 (31 Jul 2014)
+
+  31 Jul 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r3.ebuild,
+  +apache-2.2.27-r4.ebuild, -apache-2.4.10.ebuild, +apache-2.4.10-r1.ebuild:
+  Revbumps to fix security bugs (see #517298). Removed old.
+
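Review bot: the message on the `Revbumps to fix security bugs (see #517298)` line identifies the fixes only by bug number, so a reader of the ChangeLog cannot tell which CVEs apache-2.2.27-r4 and apache-2.4.10-r1 address without opening the bug. Naming the CVE identifiers in the entry itself would make it self-contained for anyone auditing the tree later.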

I've added apache-2.2.27-r4 which fixes the following security bugs:
CVE-2014-0118, CVE-2014-0226 and CVE-2014-0231
apache-2.4.x still isn't stable and I prefer to not stabilize it yet.


Arches please test and mark stable =www-server/apache-2.2.27-r4 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 9 Tobias Klausmann gentoo-dev 2014-07-31 15:07:03 UTC
Stabilized www-servers/apache-2.2.27-r4 on alpha.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2014-07-31 17:48:34 UTC
Stabilizing only:
apache-2.2.27-r4

Please do not close bug at the end, we will wait for apache-2.4.x to stabilize.
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-02 13:44:31 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-02 13:48:10 UTC
x86 stable
Comment 13 Markus Meier gentoo-dev 2014-08-03 18:28:54 UTC
arm stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-06 09:20:51 UTC
Stable for HPPA.
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-08 21:42:35 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:36 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-08-10 09:14:27 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-08-10 17:27:22 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 19 Lars Wendler (Polynomial-C) gentoo-dev 2014-08-16 11:53:25 UTC
+  16 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27.ebuild,
+  -apache-2.4.9-r3.ebuild, -files/00_systemd.conf,
+  -files/httpd-2.4.3-mod_systemd.patch, -files/2.2.22-envvars-std.in,
+  -files/apache2.4.service, -files/gentoo-apache-2.2.23-initd_fixups.patch:
+  Removed vulnerable versions.
+
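Review bot: the message `Removed vulnerable versions.` accounts for the two ebuilds (`-apache-2.2.27.ebuild`, `-apache-2.4.9-r3.ebuild`) but not for the five `-files/...` removals listed in the same entry. A short clause saying why those files are dropped in a security cleanup (for example, that no remaining ebuild references them) would document the change fully.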
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2014-08-16 17:54:38 UTC
Arches and Maintainer(s), thank you for your work.

Added to an existing GLSA request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:18:37 UTC
This issue was resolved and addressed in
 GLSA 201408-12 at http://security.gentoo.org/glsa/glsa-201408-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).