Bug 640281 (CVE-2010-1623)

Summary: CVE-2010-1623 apr-util: high memory consumption in apr_brigade_split_line()
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bojan, jorton, mvadkert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-31 19:13:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 659249, 659250, 659251, 659252, 659253, 659254, 663967, 795923    
Bug Blocks:    

Description Jan Lieskovsky 2010-10-05 13:00:46 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1623 to
the following vulnerability:

The apr_brigade_split_line function in buckets/apr_brigade.c in the
Apache Portable Runtime Utility library (aka APR-util) before 1.3.10,
as used in the mod_reqtimeout module in the Apache HTTP Server and
other software, allows remote attackers to cause a denial of service
(memory consumption) via unspecified vectors.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
[2] http://security-tracker.debian.org/tracker/CVE-2010-1623
[3] http://svn.apache.org/viewvc?view=revision&revision=1003492
[4] http://svn.apache.org/viewvc?view=revision&revision=1003493
[5] http://svn.apache.org/viewvc?view=revision&revision=1003494
[6] http://svn.apache.org/viewvc?view=revision&revision=1003495
[7] http://svn.apache.org/viewvc?view=revision&revision=1003626
[8] http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
[9] http://www.mandriva.com/security/advisories?name=MDVSA-2010:192
[10] http://www.securityfocus.com/bid/43673
[11] http://secunia.com/advisories/41701
[12] http://www.vupen.com/english/advisories/2010/2556
[13] http://www.vupen.com/english/advisories/2010/2557
Comment 1 Jan Lieskovsky 2010-10-05 13:03:59 UTC 
This issue affects the version of the httpd package, as shipped with
Red Hat Enterprise Linux 3.

This issue affects the versions of the apr-util package, as shipped
with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the versions of the apr-util package, as shipped
with Fedora release of 12 and 13.
Comment 9 Tomas Hoger 2010-11-26 17:36:04 UTC 
(In reply to comment #0)
> The apr_brigade_split_line function in buckets/apr_brigade.c in the
> Apache Portable Runtime Utility library (aka APR-util) before 1.3.10,
> as used in the mod_reqtimeout module in the Apache HTTP Server

The "as used in" part of the description is not correct.  The confusion is probably caused by upstream using CVE-2010-1623 CVE id in commits fixing apr_brigade_split_line() issue in apr-util as well as similar flaw in the mod_reqtimeout module.  mod_reqtimeout was not using apr_brigade_split_line().

mod_reqtimeout module was introduced in httpd version 2.2.15:
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?revision=917876&view=markup#l26

Vulnerable code was never part of released 2.2.x version, the issue only affected development versions:
http://svn.apache.org/viewvc?view=revision&revision=1005957

that corrects previous commit:
http://svn.apache.org/viewvc?view=revision&revision=1005669
Comment 12 errata-xmlrpc 2010-12-08 00:25:19 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2010:0950 https://rhn.redhat.com/errata/RHSA-2010-0950.html
Comment 14 errata-xmlrpc 2011-06-22 23:17:32 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
Comment 15 errata-xmlrpc 2011-06-22 23:39:12 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html