Bug 750935 (CVE-2011-4415)
| Summary: | CVE-2011-4415 httpd: SetEnvIf resource exhaustion | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | jkaluza, jlieskov, jorton, mjc, pahan, pcheung, prc, rcvalle, wnefal+redhatbugzilla |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-22 14:44:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 750936 | ||
|
Description
Vincent Danen
2011-11-02 21:14:55 UTC
Created httpd tracking bugs for this issue Affects: fedora-all [bug 750937] MITRE has assigned an additional CVE to this issue (CVE-2011-4415), the description of both CVEs are as follows: Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3607 to the following vulnerability: Name: CVE-2011-3607 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607 Assigned: 20110921 Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-11/0023.html Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html Reference: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422 Reference: https://bugzilla.redhat.com/show_bug.cgi?id=750935 Reference: http://www.securityfocus.com/bid/50494 Reference: http://www.osvdb.org/76744 Reference: http://securitytracker.com/id?1026267 Reference: http://secunia.com/advisories/45793 Reference: http://xforce.iss.net/xforce/xfdb/71093 Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4415 to the following vulnerability: Name: CVE-2011-4415 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415 Assigned: 20111108 Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html Reference: http://www.gossamer-threads.com/lists/apache/dev/403775 The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607. Upstream fix adding check for integer overflow: http://svn.apache.org/viewvc?view=revision&revision=1198940 It does not add any protection against memory consumption / CVE-2011-4415 issue. (In reply to comment #4) > Upstream fix adding check for integer overflow: > http://svn.apache.org/viewvc?view=revision&revision=1198940 This fix is only for trunk and is not applicable to 2.2.x and older httpd versions without further changes. It's currently unclear if the fix is going to be backported to older httpd branches: http://thread.gmane.org/gmane.comp.apache.devel/46260 > It does not add any protection against memory consumption / CVE-2011-4415 > issue. Upstream discussion on whether resource consumption issues triggered by bad .htaccess configuration should (or can) be handled as security or not: http://thread.gmane.org/gmane.comp.apache.devel/46339 (In reply to comment #6) > > It does not add any protection against memory consumption / CVE-2011-4415 > > issue. > > Upstream discussion on whether resource consumption issues triggered by bad > .htaccess configuration should (or can) be handled as security or not: > http://thread.gmane.org/gmane.comp.apache.devel/46339 Upstream consensus is that any resource consumption issues triggered by bad .htaccess configuration are not considered security: http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768 CVE-2011-3607 was split to a separate bug #769844. The upstream security team does not consider this to be a flaw: http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46783 Statement: The ASF Security Team does not consider resource exhaustion caused by .htaccess files to be a security defect. The Red Hat Security Response Team agrees with their assessment and so does not consider this to be a security flaw. |