Bug 1886967 (CVE-2001-0131)

Summary: CVE-2001-0131 httpd: allows local users to overwrite arbitrary files via a symlink attack
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anon.amish, csutherl, gzaronik, hhorak, jclere, jdoyle, jkaluza, jorton, jwon, krathod, lgao, luhliari, mbabacek, mturk, myarboro, pahan, pjindal, pslavice, rsvoboda, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache httpd. Both htpasswd and htdigest allow local users to overwrite arbitrary files via a symlink attack. The highest threat from this vulnerability is to data integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-14 06:26:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1886968    

Description Guilherme de Almeida Suckevicz 2020-10-09 20:30:25 UTC 
htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.

Reference:
http://www.securityfocus.com/bid/2182
Comment 1 Ted Jongseok Won 2020-10-12 01:09:51 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 2 Joe Orton 2020-10-12 08:35:08 UTC 
It's hard to see from the description, but I'm guessing this is about unsafe temp file creation in e.g.:

https://github.com/apache/httpd/blob/1.3.x/src/support/htpasswd.c#L525

this will not affect any httpd 2.x release, which uses APR's safe temp file creation based off mkstemp().
Comment 3 Joe Orton 2020-10-12 10:54:15 UTC 
Here is the equivalent code in 2.2:

https://github.com/apache/httpd/blob/2.2.x/support/htdigest.c#L239
https://github.com/apache/httpd/blob/2.2.x/support/htpasswd.c#L565
Comment 5 Huzaifa S. Sidhpurwala 2020-10-14 06:25:08 UTC 
Statement:

All versions of httpd package shipped with Red Hat Products, uses APR's safe temp file creation and therefore they are not affected by this flaw