Bug 504390 (CVE-2009-1956)

Summary: CVE-2009-1956 apr-util single NULL byte buffer overflow
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bojan, jorton, kreilly, mjc
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 17:10:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 504558, 504559, 504560, 504561, 504562, 591930, 595829    
Bug Blocks:    

Description Josh Bressers 2009-06-06 00:12:12 UTC 
A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function.

First let's assume the worst case and an attacker can control exactly what
is being sent to apr_brigade_vprintf and can trigger this issue by filling
the buckets just right so you end up with one that is perfectly full as
per the explanation at
http://www.mail-archive.com/dev@apr.apache.org/msg21592.html

     632 APU_DECLARE(apr_status_t) apr_brigade_vprintf(apr_bucket_brigade *b,
...
     638     struct brigade_vprintf_data_t vd;
     639     char buf[APR_BUCKET_BUFF_SIZE];
     640     apr_size_t written;
...
     656     *(vd.vbuff.curpos) = '\0';
...
     659     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos -
buf);

If we get to line 656 with vd.vbuff.curpos pointing to one past the end of
buf we write a single NULL to the next thing on the stack after buf.  And
on the Linux x86 and x86_64 builds we looked at this is actually the first
byte of the vd structure, which is in fact the LSB of vd.vbuff.curpos
itself.

So the only use of this after the overwrite is on line 659 where
vd.vbuff.curpos gets used to calculate how much to write.  Before the
overwrite vd.vbuff.curpos was buf+APR_BUCKET_BUFF_SIZE (8000), but now it
could be between 0 and 255 bytes less.  So apr_brigade_write will end up
writing out between 0 and 255 bytes less than it ought to, causing the
truncation seen in the original bug report.

So for little endian systems it doesn't seem to have any security
consequence.  Of course for a big endian system apr_brigade_write could
end up dumping large amounts of memory (so an info disclosure leak or
crash).
Comment 1 Josh Bressers 2009-06-06 00:20:29 UTC 
The upstream patch can be found here:
http://svn.apache.org/viewvc?view=rev&revision=768417
Comment 2 Mark J. Cox 2009-06-08 08:09:00 UTC 
For s390 and ppc, big-endian systems for Red Hat Enterprise Linux, this could be a information disclosure leak:
          cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N

For all other architectures of Red Hat Enterprise Linux this has no security impact:
          cvss2=0
Comment 5 errata-xmlrpc 2009-06-16 22:05:06 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1108 https://rhn.redhat.com/errata/RHSA-2009-1108.html
Comment 6 errata-xmlrpc 2009-06-16 22:05:55 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1107 https://rhn.redhat.com/errata/RHSA-2009-1107.html
Comment 7 Fedora Update System 2009-06-24 19:32:40 UTC 
apr-util-1.2.12-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-06-24 19:36:31 UTC 
apr-util-1.3.7-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-06-24 19:40:16 UTC 
apr-util-1.3.7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Bojan Smojver 2009-11-13 20:51:44 UTC 
Can this be closed?
Comment 11 Tomas Hoger 2009-11-18 09:30:46 UTC 
We don't want to close it yet, feel free to un-CC yourself now that all current Fedora versions are fixed.  Thank you!
Comment 12 Bojan Smojver 2009-11-18 09:37:33 UTC 
I just saw RHEL and Fedora having fixes, so I thought it was not needed any more. I don't mind the e-mails.
Comment 14 errata-xmlrpc 2010-08-04 21:31:00 UTC 
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html