Bug 703390 (CVE-2011-0419)

Summary: CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jorton, pcheung, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=moderate,source=researcher,reported=20110510,public=20110510,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-4/apr=affected,rhel-5/apr=affected,rhel-6/apr=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-07-24 15:17:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 703517, 703518, 703519, 703520, 703521, 703526, 795917

Description Tomas Hoger 2011-05-10 08:44:02 UTC
It was discovered that apr's implementation of the fnmatch function - apr_fnmatch - did not limit the number of recursive calls used when matching an input string against the pattern.  A sufficiently complex pattern and sufficiently long input could cause apr_fnmatch to consume a lot of CPU time while processing such input.

It was reported that httpd exposes this problem via at least the mod_autoindex module, which allows remote users to specify a pattern via the P=pattern request query argument:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query

It seems this issue was already corrected in upstream SVN via a complete fnmatch implementation re-write, including the following commits:

http://svn.apache.org/viewvc?view=revision&revision=1098188
http://svn.apache.org/viewvc?view=revision&revision=1098289
http://svn.apache.org/viewvc?view=revision&revision=1098799
http://svn.apache.org/viewvc?view=revision&revision=1098902

Acknowledgement:

Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue.

Comment 2 Joe Orton 2011-05-10 12:20:27 UTC
The rewrite as a single patch is here:

http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902

Comment 7 Tomas Hoger 2011-05-11 07:21:40 UTC
(In reply to comment #0)
> It was reported that httpd exposes this problem via at least mod_autoindex
> module, which allows remote users to specify pattern via P=pattern request
> query argument:
> 
> http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query

Mitigation:

mod_autoindex can be configured to ignore request query arguments provided by the client by adding the IgnoreClient option to the IndexOptions directive:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexoptions.ignoreclient

Comment 8 Tomas Hoger 2011-05-11 07:25:56 UTC
Fixed upstream in APR 1.4.4 and now public via:

  http://www.mail-archive.com/dev@apr.apache.org/msg23961.html
  http://www.apache.org/dist/apr/Announcement1.x.html

  Note especially a security fix to APR 1.4.4, stack overflow was possible
  due to unconstrained, recursive invocation of apr_fnmatch, as apr_fnmatch
  processed '*' wildcards.

    * Security: CVE-2011-0419 (http://cve.mitre.org)
      Reimplement apr_fnmatch() from scratch using a non-recursive algorithm;
      now has improved compliance with the fnmatch() spec. [William Rowe]

  The APR Project thanks Maksymilian Arciemowicz of SecurityReason for his
  research and reporting of this issue.
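
The description (comment #0) says the old apr_fnmatch recursed without bound, and the 1.4.4 announcement above says the fix was a non-recursive reimplementation. The following is an added illustration, not APR's own code before or after the fix: a small recursive glob matcher in the classic BSD style, where each '*' in the pattern is handled by a recursive call, beside an iterative matcher that backtracks with two saved pointers and uses constant stack. The recursive matcher counts its own depth so the difference can be measured; the "*?*?..." pattern and the all-'a' input are constructed here for that measurement. Only '*' and '?' are supported (no bracket expressions, escapes or flags), which is an assumption of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Recursive matcher in the classic BSD fnmatch style: every '*' is handled
 * by recursing on the rest of the pattern at each candidate input position.
 * Stack depth therefore grows with the number of '*' wildcards in the
 * (here caller-supplied) pattern, and the nested retries make the worst-case
 * running time exponential.  depth/max_depth only instrument the recursion. */
static int match_recursive(const char *p, const char *s,
                           size_t depth, size_t *max_depth)
{
    if (depth > *max_depth)
        *max_depth = depth;

    for (;; p++, s++) {
        switch (*p) {
        case '\0':
            return *s == '\0';
        case '?':
            if (*s == '\0')
                return 0;
            break;
        case '*':
            while (*p == '*')           /* collapse runs of stars */
                p++;
            if (*p == '\0')             /* trailing star matches the rest */
                return 1;
            for (; *s != '\0'; s++)     /* general case: one recursion per star */
                if (match_recursive(p, s, depth + 1, max_depth))
                    return 1;
            return 0;
        default:
            if (*p != *s)
                return 0;
            break;
        }
    }
}

/* Non-recursive matcher: remember the position after the most recent '*'
 * and the input position where it was seen; on a mismatch, resume there and
 * let that star absorb one more input character.  Stack use is constant and
 * the running time is bounded by len(pattern) * len(input). */
static int match_iterative(const char *p, const char *s)
{
    const char *star = NULL;   /* pattern position just after the last '*' */
    const char *back = NULL;   /* input position to resume from on mismatch */

    while (*s != '\0') {
        if (*p == '*') {
            star = ++p;
            back = s;
        } else if (*p == '?' || *p == *s) {
            p++;
            s++;
        } else if (star != NULL) {
            p = star;
            s = ++back;
        } else {
            return 0;
        }
    }
    while (*p == '*')              /* trailing stars may match nothing */
        p++;
    return *p == '\0';
}

/* Constructed measurement: pattern "*?*?..." with k stars against k 'a's.
 * Returns the maximum recursion depth the recursive matcher reached
 * (k + 1 for this input), or (size_t)-1 if the two matchers disagree. */
static size_t recursion_depth_for_stars(size_t k)
{
    char *pattern = malloc(2 * k + 1);
    char *input = malloc(k + 1);
    size_t i, max_depth = 0;
    int r1, r2;

    if (pattern == NULL || input == NULL) {
        free(pattern);
        free(input);
        return (size_t)-1;
    }
    for (i = 0; i < k; i++) {
        pattern[2 * i] = '*';
        pattern[2 * i + 1] = '?';
        input[i] = 'a';
    }
    pattern[2 * k] = '\0';
    input[k] = '\0';

    r1 = match_recursive(pattern, input, 1, &max_depth);
    r2 = match_iterative(pattern, input);
    free(pattern);
    free(input);
    return (r1 == r2) ? max_depth : (size_t)-1;
}

int main(void)
{
    size_t k;
    for (k = 1; k <= 1000; k *= 10)
        printf("%4zu stars: recursive depth %zu, iterative depth 1\n",
               k, recursion_depth_for_stars(k));
    return 0;
}
```

The point of the measurement is that the recursive matcher's stack use is a function of the pattern, which in the mod_autoindex case is chosen by the remote client, while the iterative matcher's stack use does not depend on the input at all; that is the property the non-recursive rewrite in APR 1.4.4 restores.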

Comment 9 errata-xmlrpc 2011-05-11 22:28:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4

Via RHSA-2011:0507 https://rhn.redhat.com/errata/RHSA-2011-0507.html

Comment 10 errata-xmlrpc 2011-06-22 23:17:13 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html

Comment 11 errata-xmlrpc 2011-06-22 23:38:49 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html