Bug 152728 - CAN-2004-0488 - remote attack in mod_ssl
Summary: CAN-2004-0488 - remote attack in mod_ssl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: LEGACY, rh90
Depends On:
Blocks:
 
Reported: 2004-06-02 14:59 UTC by Michal Jaegermann
Modified: 2014-01-21 22:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description David Lawrence 2005-03-30 23:25:25 UTC
This is a quote from Mandrake advisory MDKSA-2004:054 dated June 1st, 2004:

 A stack-based buffer overflow exists in the ssl_util_uuencode_binary
 function in ssl_engine_kernel.c in mod_ssl for Apache 1.3.x.  When
 mod_ssl is configured to trust the issuing CA, a remote attacker may be
 able to execute arbitrary code via a client certificate with a long
 subject DN.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488

I am attaching a patch rediffed from a fix provided by Mandrake.
SSL on a patched server which I happen to use works just fine.

RH7.2 note: 7.3 binaries are no good for 7.2 due to differences in shared
libraries (libcrypt) but the same source rpm can be used to rebuild working
mod_ssl without any changes or problems.

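The advisory quoted above describes the shape of the bug rather than showing it, so here is an added illustration (example code written for this page, not mod_ssl's source and not the attached patch). It models the pattern in C: a base64 ("uuencode") routine that takes no output size, fed from a stack buffer into a second stack buffer of the same size. Base64 expands 3 bytes to 4, so a subject DN that nearly fills the first buffer is enough to run past the second. The vulnerable path below only reports whether that second write would overrun instead of performing it; the hardened path gives the encoder the output size and rejects a DN that does not fit. BUF_LEN of 64 (standing in for mod_ssl's MAX_STRING_LEN), the ":password" suffix and the "CN=AAA..." DNs are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for mod_ssl's MAX_STRING_LEN; kept small (an assumption of this
 * example) so the overflow threshold is easy to see. */
#define BUF_LEN 64

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Output bytes base64 needs for n input bytes, NUL included: 4*ceil(n/3)+1. */
size_t b64_len(size_t n)
{
    return 4 * ((n + 2) / 3) + 1;
}

/* Unbounded encoder in the style of ssl_util_uuencode_binary: it does not
 * know how large 'to' is and writes b64_len(n) bytes unconditionally. */
size_t uuencode_unbounded(char *to, const unsigned char *from, size_t n)
{
    size_t i, o = 0;
    for (i = 0; i + 2 < n; i += 3) {
        to[o++] = B64[from[i] >> 2];
        to[o++] = B64[((from[i] & 0x03) << 4) | (from[i + 1] >> 4)];
        to[o++] = B64[((from[i + 1] & 0x0f) << 2) | (from[i + 2] >> 6)];
        to[o++] = B64[from[i + 2] & 0x3f];
    }
    if (i < n) {                          /* one or two trailing bytes */
        to[o++] = B64[from[i] >> 2];
        if (i + 1 < n) {
            to[o++] = B64[((from[i] & 0x03) << 4) | (from[i + 1] >> 4)];
            to[o++] = B64[(from[i + 1] & 0x0f) << 2];
        } else {
            to[o++] = B64[(from[i] & 0x03) << 4];
            to[o++] = '=';
        }
        to[o++] = '=';
    }
    to[o] = '\0';
    return o;
}

/* Bounded variant: refuses (returns 0) instead of writing past to_len. */
size_t uuencode_bounded(char *to, size_t to_len, const unsigned char *from, size_t n)
{
    if (to_len == 0 || b64_len(n) > to_len)
        return 0;
    return uuencode_unbounded(to, from, n);
}

/* Vulnerable layout: "<DN>:password" is snprintf'd into b1[BUF_LEN] (safely
 * truncated), then base64 of b1 would go into b2[BUF_LEN], a buffer of the
 * SAME size. Instead of doing that second write, report whether it would
 * have run past b2: 1 = overflow, 0 = fits. */
int vulnerable_would_overflow(const char *dn)
{
    char b1[BUF_LEN];
    int n = snprintf(b1, sizeof b1, "%s:password", dn);
    size_t len;
    if (n < 0)
        return -1;
    len = (size_t)n < sizeof b1 ? (size_t)n : sizeof b1 - 1;
    return b64_len(len) > BUF_LEN ? 1 : 0;
}

/* Hardened path: reject an over-long DN outright and encode only into a
 * buffer whose size the encoder knows. Returns 0 on success, -1 on refusal. */
int hardened_encode(const char *dn, char *out, size_t out_len)
{
    char b1[BUF_LEN];
    int n = snprintf(b1, sizeof b1, "%s:password", dn);
    if (n < 0 || (size_t)n >= sizeof b1)
        return -1;
    if (uuencode_bounded(out, out_len, (const unsigned char *)b1, (size_t)n) == 0)
        return -1;
    return 0;
}

/* Constructed DN "CN=" followed by k 'A's. */
static int make_dn(char *dn, size_t dn_size, size_t k)
{
    if (k + 4 > dn_size)
        return -1;
    memcpy(dn, "CN=", 3);
    memset(dn + 3, 'A', k);
    dn[3 + k] = '\0';
    return 0;
}

int vulnerable_overflows_for(size_t k)
{
    char dn[BUF_LEN];
    if (make_dn(dn, sizeof dn, k) != 0)
        return -1;
    return vulnerable_would_overflow(dn);
}

int hardened_accepts_for(size_t k, size_t out_len)
{
    char dn[BUF_LEN], out[256];
    if (out_len > sizeof out || make_dn(dn, sizeof dn, k) != 0)
        return -1;
    return hardened_encode(dn, out, out_len) == 0 ? 1 : 0;
}

/* Does 'in' encode to 'expect'? Used to check the encoder itself. */
int encodes_to(const char *in, const char *expect)
{
    char out[128];
    if (uuencode_bounded(out, sizeof out, (const unsigned char *)in, strlen(in)) == 0)
        return 0;
    return strcmp(out, expect) == 0;
}

int main(void)
{
    size_t k;
    for (k = 30; k <= 36; k++)
        printf("CN of %zu chars: vulnerable layout %s, hardened %s\n", k,
               vulnerable_overflows_for(k) ? "OVERFLOWS b2" : "fits",
               hardened_accepts_for(k, BUF_LEN) ? "accepts" : "rejects");
    return 0;
}
```

With BUF_LEN = 64 the threshold is a 46-byte "<DN>:password" string (base64 of 46 bytes needs 65 bytes with the NUL), i.e. a CN of 34 characters; the hardened path rejects at exactly the point where the same-size stack buffer would have been overrun. The practical check this suggests for the attached patch is the same one: whichever buffer receives the encoded DN must be sized from the encoded length, not from the length of the input.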


------- Additional Comments From michal 2004-06-02 11:00:06 ----

Created an attachment (id=705)
patch for CAN-2004-0488




------- Additional Comments From michal 2004-06-02 11:00:49 ----

Created an attachment (id=706)
proposed patch for mod_ssl spec file




------- Additional Comments From jkeating 2004-06-02 11:03:47 ----

*** Bug 1702 has been marked as a duplicate of this bug. ***



------- Additional Comments From jkeating 2004-06-02 11:04:43 ----

Please see comments in 1702, they seem to think that this cannot make code
execute on x86 hardware platforms.  I'm assuming this is the same vuln?



------- Additional Comments From michal 2004-06-02 11:15:22 ----

Hm, why does bug #1702 not show up on "Bug List"?

It sounds like possibly the same issue but in 1702 there are no references
so it is hard to tell for sure.  OTOH Mandrake did issue fixes and that patch
seems to be not really intrusive and working.  How a stack overflow "cannot be
exploited" is not that clear to me.



------- Additional Comments From jkeating 2004-06-02 11:20:51 ----

1702 did not have the LEGACY keyword set in it.  http://www.fedora.us/LEGACY
will only find tickets that have the LEGACY keyword set.  Sometimes there is a
lag if the bug filer doesn't set the keyword to the time I realize this and add
the correct keyword.

Perhaps the filer of 1702 can offer up some reference information about that
mod_ssl bug so that we can make sure we're talking about the same issue.



------- Additional Comments From jkeating 2004-06-02 11:22:07 ----

Also to note, the 1702 information states that apache 2.x is vuln as well....



------- Additional Comments From marcdeslauriers 2004-06-02 15:36:42 ----

Patch looks good...the same one is in Apache CVS:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106

I'll build rh9 packages tonight.



------- Additional Comments From marcdeslauriers 2004-06-02 18:27:16 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Wed Jun 02 2004 Marc Deslauriers <marcdeslauriers>
2.0.40-21.12.legacy
 
- - add security fix for CVE CAN-2004-0488

06fb7e4587f8a9bb3de4614d31020bdb230f427e  httpd-2.0.40-21.12.legacy.i386.rpm
ecb6e3593dd252c8eb088c0d023fd7ff137d2875  httpd-2.0.40-21.12.legacy.src.rpm
b90e44c758c07da6a64e57d43af24c545ce55da8  httpd-devel-2.0.40-21.12.legacy.i386.rpm
da3375f1f3dbc00c760467580a3f86c737cdf575  httpd-manual-2.0.40-21.12.legacy.i386.rpm
22a0e9fe68cbb7a595e0fbf660a962fe6415b8a9  mod_ssl-2.0.40-21.12.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.12.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-devel-2.0.40-21.12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-manual-2.0.40-21.12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mod_ssl-2.0.40-21.12.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvqiCLMAs/0C4zNoRAqvEAJsH7FTi4HNyBX/R1JImZ5x3j8jm+wCgmkYf
bQBq8TKJ01Tn6R2JMAdSEk8=
=GHz/
-----END PGP SIGNATURE-----



------- Additional Comments From lihai 2004-06-03 02:13:28 ----

Marc Deslauriers, your 9's package works on my system.
No problems yet, I'll make a feedback if anything breaks.



------- Additional Comments From jpdalbec 2004-06-03 02:35:10 ----

Reference information...did anyone look at the URL I supplied?  I think it is
the same issue.



------- Additional Comments From marcdeslauriers 2004-06-04 13:58:27 ----

The same issue as what?



------- Additional Comments From jonny.strom 2004-06-05 02:21:20 ----

I did a QA on the rh9 packages.

Installs ok.
http and https work ok.

I don't see any functionality problems with them.

I vote for publish.



------- Additional Comments From jpdalbec 2004-06-07 02:10:17 ----

Re: comment 12
The same issue as bug 1702.  Comment 11 was in reply to comment 6.



------- Additional Comments From marcdeslauriers 2004-06-08 12:41:43 ----

I just double-checked, this _is_ the same issue as bug 1702.



------- Additional Comments From marcdeslauriers 2004-06-10 12:47:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages to QA for 7.3 built using Michal's proposed patches:

Changelog:
* Wed Jun 02 2004 Michal Jaegermann <michal> 2.8.12-4.legacy
- - security fix for CAN-2004-0488; rediffed from a patch for
  2.8.12-8.1.91mdk by Vincent Danen <vdanen>

5cb53f8cc4de406a02b1ce48d79c0173d00ff809  mod_ssl-2.8.12-4.legacy.i386.rpm
439175a7f423a1173472fb877412a97b5da894f4  mod_ssl-2.8.12-4.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mod_ssl-2.8.12-4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mod_ssl-2.8.12-4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAyOTlLMAs/0C4zNoRAmRyAJ48WygZ/UkSTHr47050LzXgAEWgCwCgrR+V
4km8y/2sCyJq2ngrz91lpaU=
=lNHh
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2004-06-29 06:35:39 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Build from the following srpm:

 sha1sum -b mod_ssl-2.8.12-4.legacy.src.rpm 
 439175a7f423a1173472fb877412a97b5da894f4 *mod_ssl-2.8.12-4.legacy.src.rpm


 Looks like patch applied.

 mod_ssl seems to function properly for doing normal ssl/tls web pages.

 Vote: PUBLISH

 -DWB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFA4ZpJSY7s7uPf/IURArc1AKDcIwkG6Dof/+aGZVL8Uq7gbsW//QCg4cFb
051Pk4OMCO1wMxdA+7QqUOk=
=PEpu
-----END PGP SIGNATURE-----




------- Additional Comments From cra 2004-07-01 10:58:24 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Second review Marc Deslauriers' package for 7.3:

439175a7f423a1173472fb877412a97b5da894f4  mod_ssl-2.8.12-4.legacy.src.rpm

* Only difference from previous release is the patch for CAN-2004-0488
* Builds OK
* Installs OK
* Works OK (basic testing with self-signed testcert)

+ PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFA5Hqxw2eg+Um7WIYRAvQiAJ9BfhfPDVSAH/ggvb+7cKjzXXPhowCggCYr
YUMfshhhUEn5cfB5K8s9pzg=
=H90a
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-07-02 12:30:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are newer packages for RH9 that include a fix for CAN-2004-0493
(See FL bug #1805)

Please QA so this can go out.

0866b2d2e94de2841e582bb8549ee2bb3a8a507b  httpd-2.0.40-21.13.legacy.i386.rpm
b1f3e105614e174e47a027b68722ea85c15921f6  httpd-2.0.40-21.13.legacy.src.rpm
30760d42ce1a84bf69ca8f7285ed61b5322540f0  httpd-devel-2.0.40-21.13.legacy.i386.rpm
d74c9e4b29148e438058899e395215a7b1c6cf53  httpd-manual-2.0.40-21.13.legacy.i386.rpm
2ab326dca298f29062ffa36e62d4f2b5865a8c0b  mod_ssl-2.0.40-21.13.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.13.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-devel-2.0.40-21.13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-manual-2.0.40-21.13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mod_ssl-2.0.40-21.13.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA5eIELMAs/0C4zNoRAnIzAKCnhna7B8rsqVEMWxJNoHBxgtO3EACgof+P
22hZZMsip9WcBbIpgzokR2k=
=pj6R
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom 2004-07-04 02:33:29 ----

I did a QA on the rh9 packages in comment #19.

SHA1 is ok.
Installs ok.
spec file and the patch look ok.
http and https work ok.


I vote for publish.



------- Additional Comments From michal 2004-07-11 17:13:25 ----

Sources listed in RHSA-2004:245-14 (RH errata to AS 2.1), apart from a patch
for CAN-2004-0488 which is really identical to the one attached to this report,
include also the following fix:

Fix shmcb corruption for small cache sizes (Geoff Thorpe).

--- mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_scache_shmcb.c.shmcb
+++ mod_ssl-2.8.12-1.3.27/pkg.sslmod/ssl_scache_shmcb.c
@@ -897,6 +897,10 @@
     unsigned int dest_offset,
     unsigned char *src, unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (dest_offset + src_len < buf_size)
         /* yes */
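Review bot: the clamp added at the top of this hunk silently truncates the copy when src_len > buf_size, and the caller gets no return value or log line telling it that only buf_size bytes were stored; since the changelog describes this as a corruption fix for small cache sizes, an entry larger than the whole cache should probably be refused (or at least logged) rather than partially written. Note also that nothing in the hunk bounds dest_offset itself, so `dest_offset + src_len < buf_size` can still be false after the clamp; that is handled by the wrap-around branch that follows only if dest_offset < buf_size holds, which is worth stating in the comment or asserting.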
@@ -920,6 +924,10 @@
     unsigned int src_offset,
     unsigned int src_len)
 {
+    /* Cover the case that src_len > buf_size */
+    if (src_len > buf_size)
+        src_len = buf_size;
+
     /* Can it be copied all in one go? */
     if (src_offset + src_len < buf_size)
         /* yes */
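Review bot: this four-line clamp is a verbatim copy of the one in the previous hunk, and the comment `Cover the case that src_len > buf_size` says what is done but not why it can happen (a session entry larger than the shared cache, per the changelog). Suggest a one-line note on the cause and factoring the clamp plus the `src_offset + src_len < buf_size` wrap test into a small static helper, so the two copy directions cannot drift apart on the next fix.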

This clearly recompiles and works without any additional problems.



------- Additional Comments From dom 2004-07-23 03:44:58 ----

For redhat 7.3 the packages above have been superseded by those in bug 1888.



------- Additional Comments From mule 2004-09-15 08:34:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
0866b2d2e94de2841e582bb8549ee2bb3a8a507b  httpd-2.0.40-21.13.legacy.i386.rpm
b1f3e105614e174e47a027b68722ea85c15921f6  httpd-2.0.40-21.13.legacy.src.rpm
30760d42ce1a84bf69ca8f7285ed61b5322540f0  httpd-devel-2.0.40-21.13.legacy.i386.rpm
d74c9e4b29148e438058899e395215a7b1c6cf53  httpd-manual-2.0.40-21.13.legacy.i386.rpm
2ab326dca298f29062ffa36e62d4f2b5865a8c0b  mod_ssl-2.0.40-21.13.legacy.i386.rpm
 
For Red Hat 9:
* Checked spec file - OK
* Checked patches for CAN-2004-0488, CAN-2004-0493 - OK
* Build from source - OK
* Install - OK
* Runs - OK
 
PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBSIsRTsaUa9pp4VIRAk9LAJ4rkk7J3iYaQ6FblXumWmUGh3B2mQCfXzCY
2LNFOHk42wlCJ6fUHDA97nM=
=D/7j
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-09-15 15:20:09 ----

This bug has been superseded by bug 2068



------- Additional Comments From marcdeslauriers 2004-10-02 14:50:45 ----

Bug 2068 pushed to updates-testing



------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1708 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1708
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for CAN-2004-0488
https://bugzilla.fedora.us/attachment.cgi?action=view&id=705
proposed patch for mod_ssl spec file
https://bugzilla.fedora.us/attachment.cgi?action=view&id=706

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



