Bug 559371 (CVE-2010-0010)

Summary: CVE-2010-0010 rhn-apache: buffer overflow via integer overflow vulnerability on 64bit platforms
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: jlieskov, jorton
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: httpd 1.3.42
Doc Type: Bug Fix
Last Closed: 2019-06-10 10:56:55 UTC
Bug Depends On: 561512, 561513, 561514, 561515, 561516, 561517, 561518, 561519, 561520, 561521, 561522, 561523

Description Vincent Danen 2010-01-27 21:53:20 UTC
It was reported [1] that mod_proxy in Apache 1.3.x is vulnerable to a buffer overflow on the heap via an integer overflow vulnerability. In the ap_proxy_send_fb() function (in src/modules/proxy/proxy_util.c), the server will convert received data to a long type, and if there is a positive chunk size, will convert the long to an int type, resulting in an integer overflow on 64-bit platforms.

[1] http://marc.info/?l=full-disclosure&m=126461496425954&w=2
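
Added illustration, not part of the original report and not Apache's code or the upstream patch: a simplified model of the long-to-int narrowing described above, next to a checked variant that compares in the wide type first. The function names, BUF_SIZE and the sample chunk sizes are constructed for this example, and int64_t stands in for a 64-bit long.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 8192 /* constructed I/O buffer size for this example */

/* Parse a hex chunk-size line into a 64-bit signed value (int64_t stands in
 * for `long` on a 64-bit platform). Returns -1 on malformed input. */
static int64_t parse_chunk_size(const char *line)
{
    char *end;
    errno = 0;
    long long v = strtoll(line, &end, 16);
    if (errno != 0 || end == line || v < 0)
        return -1;
    return (int64_t)v;
}

/* Unsafe pattern: narrow to a 32-bit int first, then take the minimum.
 * A size with bit 31 set turns negative and is chosen as the read length. */
static int32_t read_len_narrow_first(int64_t remaining)
{
    int32_t r = (int32_t)(uint32_t)remaining; /* models the long -> int cast */
    return r < BUF_SIZE ? r : BUF_SIZE;
}

/* Checked pattern: reject non-positive sizes, clamp in the wide type, and
 * narrow only the already-clamped value. Returns -1 to reject. */
static int32_t read_len_checked(int64_t remaining)
{
    if (remaining <= 0)
        return -1;
    return remaining < BUF_SIZE ? (int32_t)remaining : BUF_SIZE;
}

int main(void)
{
    const char *samples[] = { "1f4", "80000000", "100000010", "ffffffff" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t rem = parse_chunk_size(samples[i]);
        printf("chunk=%-10s narrow-first=%11d checked=%d\n", samples[i],
               (int)read_len_narrow_first(rem), (int)read_len_checked(rem));
    }
    return 0;
}
```

The narrow-first variant returns a negative or silently wrapped length for every sample above 0x7fffffff, while the checked variant never returns more than BUF_SIZE.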

Comment 2 Josh Bressers 2010-01-28 02:29:25 UTC
This shouldn't affect Apache 2. The code in question isn't there, and the reproducer does nothing; Apache 2 appears to gracefully handle the large body.

Comment 3 Josh Bressers 2010-01-28 16:31:31 UTC
I'm marking the severity of this flaw as low. It only affects rhn satellite and proxy. The mod_proxy bits are not used, so a user would have to enable them, which is unsupported and very unwise.

We can disable building that module next time we release an update.

Comment 4 Jan Lieskovsky 2010-02-03 14:56:33 UTC
MITRE's CVE-2010-0010 entry:

Integer overflow in the ap_proxy_send_fb function in
proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
1.3.42 on 64-bit platforms allows remote origin servers to cause a
denial of service (daemon crash) or possibly execute arbitrary code
via a large chunk size that triggers a heap-based buffer overflow.

--

Upstream patch:
  http://svn.apache.org/viewvc?view=revision&revision=896842

Comment 5 Jan Lieskovsky 2010-02-03 14:57:07 UTC
This issue did not affect the versions of the httpd package
as shipped with Red Hat Enterprise Linux 3, 4, and 5.

For the complete list of vulnerable Apache httpd server versions,
proceed to the upstream page dedicated to security:

  http://httpd.apache.org/security/vulnerabilities_13.html

Comment 6 Jan Lieskovsky 2010-02-03 14:58:50 UTC
*** Bug 561358 has been marked as a duplicate of this bug. ***