Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631308 (CVE-2017-9798) - <www-servers/apache-{2.2.34,2.4.27-r1}: Optionsbleed
Summary: <www-servers/apache-{2.2.34,2.4.27-r1}: Optionsbleed
Status: RESOLVED FIXED
Alias: CVE-2017-9798
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://blog.fuzzing-project.org/60-O...
Whiteboard: A4 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679 CVE-2017-9788, CVE-2017-9789
  Show dependency tree
 
Reported: 2017-09-18 09:00 UTC by Thomas Deutschmann
Modified: 2017-10-29 23:17 UTC (History)
2 users (show)

See Also:
Package list:
www-servers/apache-2.2.34 www-servers/apache-2.4.27-r1 app-admin/apache-tools-2.4.27 app-admin/apache-tools-2.2.34
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-09-18 09:00:33 UTC
Incoming Details.
Comment 1 Hanno Böck gentoo-dev 2017-09-18 09:24:01 UTC
Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

The bug appears if a webmaster tries to use the "Limit" directive with an invalid HTTP method.

Example .htaccess:

<Limit abcxyz>
</Limit>

Patch:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

There won't be an apache release, unfortunately the apache team was unable to come up with a coordinated disclosure / release date.

I cannot reproduce it with apache 2.2, but this bug tends to be not reliably reproducible, so this is no assurance that there is no bug.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-09-18 13:06:31 UTC
Arches,

please test and mark stable:

 - =www-servers/apache-2.2.34
 - =www-servers/apache-tools-2.2.34
 - =www-servers/apache-2.4.27-r1
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-09-18 13:07:07 UTC
amd64/x86 stable
Comment 4 Sergei Trofimovich gentoo-dev 2017-09-19 07:38:38 UTC
stable for sparc (thanks to Rolf Eike Beer)
Comment 5 Sergei Trofimovich gentoo-dev 2017-09-19 19:38:22 UTC
ia64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2017-09-20 20:37:37 UTC
hppa stable
Comment 7 Sergei Trofimovich gentoo-dev 2017-09-23 12:36:54 UTC
ppc stable
Comment 8 Sergei Trofimovich gentoo-dev 2017-09-23 12:43:04 UTC
ppc64 stable
Comment 9 Markus Meier gentoo-dev 2017-10-16 18:12:37 UTC
arm stable
Comment 10 Tobias Klausmann gentoo-dev 2017-10-22 21:46:37 UTC
Stable on alpha.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-23 00:22:39 UTC
@maintainers, please clean the vulnerable versions.
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-25 00:55:07 UTC
GLSA Vote: Yes.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-10-29 23:05:26 UTC
This issue was resolved and addressed in
 GLSA 201710-32 at https://security.gentoo.org/glsa/201710-32
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-29 23:06:01 UTC
re-opened for cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2017-10-29 23:16:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=760bcf48e497d770435030c1b82246e56665fcdd

commit 760bcf48e497d770435030c1b82246e56665fcdd
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 23:14:37 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 23:16:15 +0000

    www-servers/apache: Security cleanup
    
    Bug: https://bugs.gentoo.org/631308
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 www-servers/apache/apache-2.4.27.ebuild | 238 --------------------------------
 1 file changed, 238 deletions(-)}
Comment 16 Thomas Deutschmann gentoo-dev Security 2017-10-29 23:17:58 UTC
Repository is clean, all done.