Bug 177326
| Summary: | CVE-2005-3656 mod_auth_pgsql format string issue | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | David Eisenstein <deisenst> | ||||
| Component: | mod_auth_pgsql | Assignee: | Fedora Legacy Bugs <bugs> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | pekkas | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | impact=critical, LEGACY, 1, 2 | ||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-02-28 00:53:09 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
David Eisenstein
2006-01-09 17:25:54 UTC
This *may* not affect RHL 7.3 and RHL 9, as both of those use mod_auth_pgsql-0.9.12-x versions. RHEL 2.1 uses version 0.9.9 of mod_auth_pgsql, which RedHat says (above) is not vulnerable to this issue. We will need to look into this. From RHSA-2006-0164: "Several format string flaws were found in the way mod_auth_pgsql logs information. It may be possible for a remote attacker to execute arbitrary code as the 'apache' user if mod_auth_pgsql is used for user authentication. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3656 to this issue. "Please note that this issue only affects servers which have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database. "All users of mod_auth_pgsql should upgrade to these updated packages, which contain a backported patch to resolve this issue. "This issue does not affect the mod_auth_pgsql package supplied with Red Hat Enterprise Linux 2.1." I checked 0.9.9 and a diff against 0.9.12. 0.9.* use ap_log_reason function for logging these messages (http://httpd.apache.org/dev/apidoc/apidoc_ap_log_reason.html), instead of ap_log_rerror. The latter expects a format string argument, the former doesn't. I saw no significant changes between 0.9.9 and 0.9.12 in this respect. Therefore I'm fairly confident that if 0.9.9 is unaffected, 0.9.12 also is. FC1 and FC2 work is needed, though, but the patch should be trivial. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are some packages for source-level QA for FC1 & FC2: SHA1SUM Package FC1: 165db24eb898c00fae9e2e4a449d3b1589bac185__mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm b613699394847af0c754e50a19b25ce9c71eb5cf__mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm FC2: e7c4aa02fd9594b7e62fce0d828b39485e0b5a25__mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm Available at: FC1: http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm FC2: http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm Changelogs: - ----------- FC1: * Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-3.1.legacy - - The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug #177326). Changes by Joe Orton of RedHat: * add security fix for CVE-2005-3656 * don't strip .so file so debuginfo works * fix r->user handling (Mirko Streckenbach, #150087) * merge from Taroon (RHEL 3): - don't re-use database connections (#115496) - make functions static - downgrade "not configured" log message from warning to debug FC2: * Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-4.2.legacy - - Rebuilt for FC2 (rest the same as FC1 changelog) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFDys8Xxou1V/j9XZwRAsMoAJsH1bJ1GfdHZaZksKTN5LQ8xUHMFACg4QAj P7C8M6J5kGDh9xEdT3CJDQQ= =Goo0 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes rather small, changes identical to RHEL - patches verified to come from RHEL3 +PUBLISH FC1, FC2 165db24eb898c00fae9e2e4a449d3b1589bac185 mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm e7c4aa02fd9594b7e62fce0d828b39485e0b5a25 mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDy0xGGHbTkzxSL7QRAvNVAKDJDJK/BVB+FSkauDe/o05+oA5a5wCgomJn Z+D6auX6AkNJVU3fa47ctfI= =f1si -----END PGP SIGNATURE----- Created attachment 123415 [details]
Proposed Test Update Notification
I have built on jane:
* mod_auth_pgsql-2.0.1-3.1.legacy for FC1
(/var/tmp/mach/fedora-1-i386-updates/mod_auth_pgsql-2.0.1-3.1.legacy)
* mod_auth_pgsql-2.0.1-4.2.legacy for FC2
(/var/tmp/mach/fedora-2-i386-updates/mod_auth_pgsql-2.0.1-4.2.legacy)
Enclosed is a proposed Test Update Notification text. Please let me know if
there is anything wrong with it. Thanks.
Packages were pushed to updates-testing New policy: automatic accept after two weeks if no negative feedback. Timeout over. Packages were released. |