Bug 1463205 – CVE-2017-7668 httpd: ap_find_token() buffer overread

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1463205 - (CVE-2017-7668) CVE-2017-7668 httpd: ap_find_token() buffer overread

Summary:	CVE-2017-7668 httpd: ap_find_token() buffer overread

Status:	NEW

Aliases:	CVE-2017-7668

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170620,repor...
Keywords:	Security

Depends On:	1463208 1464876 1464877 1465916 1466263 1466264 1473691 1473692 1473693 1510060 1510061
Blocks:	1463212 1464082
	Show dependency tree / graph

Reported:	2017-06-20 07:29 EDT by Andrej Nemec
Modified:	2018-10-19 17:41 EDT (History)
CC List:	45 users (show)

See Also:
Fixed In Version:	httpd 2.2.34, httpd 2.4.26
Doc Type:	If docs needed, set a value
Doc Text:	A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:2479	normal	SHIPPED_LIVE	Important: httpd security update	2017-08-15 18:23:44 EDT
Red Hat Product Errata	RHSA-2017:2483	normal	SHIPPED_LIVE	Important: httpd24-httpd security update	2017-08-16 23:04:17 EDT
Red Hat Product Errata	RHSA-2017:3193	normal	SHIPPED_LIVE	Important: httpd security update	2017-11-13 17:35:40 EST
Red Hat Product Errata	RHSA-2017:3194	normal	SHIPPED_LIVE	Important: httpd security update	2017-11-13 17:36:28 EST

Groups: None (edit)

Description Andrej Nemec 2017-06-20 07:29:23 EDT

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

External References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_22.html

Comment 1 Andrej Nemec 2017-06-20 07:38:04 EDT

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1463208]

Comment 2 Tomas Hoger 2017-06-22 07:56:36 EDT

Upstream commit:

2.4: https://github.com/apache/httpd/commit/a585e36e06a53170be6d2d462ceb5b30b8382988
2.2: https://github.com/apache/httpd/commit/ad581ced12363ce82ffcb16133f236b2e31563e1

Comment 6 Tomas Hoger 2017-06-26 16:45:00 EDT

(In reply to Andrej Nemec from comment #0)
> The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug
> in token list parsing, which allows ap_find_token() to search past the end
> of its input string.

The strict HTTP parsing was a fix for flaw with CVE id CVE-2016-8743 and is tracked via bug 1406822.  The change was already backported to multiple Red Hat products, even if they contain older httpd version.

Comment 15 errata-xmlrpc 2017-08-15 14:26:21 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479

Comment 16 errata-xmlrpc 2017-08-16 19:07:09 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483

Comment 18 errata-xmlrpc 2017-11-13 12:37:11 EST

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193

Comment 19 errata-xmlrpc 2017-11-13 12:41:06 EST

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194

Note You need to log in before you can comment on or make changes to this bug.

aogburn
apintea
apmukher
bmaxwell
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
fgavrilo
fnasser
gzaronik
hhorak
jason.greene
jawilson
jboss-set
jclere
jdoyle
jkaluza
jondruse
jorton
jshepherd
kbost
lgao
luhliari
mbabacek
mhatanak
mmiura
mturk
myarboro
pahan
pgier
pjurak
ppalaga
psakar
pslavice
rnetuka
rstancel
rsvoboda
sardella
twalsh
vtunka
weli
yozone