Bug 177326 - CVE-2005-3656 mod_auth_pgsql format string issue
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mod_auth_pgsql
Reported: 2006-01-09 12:25 EST by David Eisenstein
Modified: 2007-04-18 13:35 EDT (History)
Attachments
Proposed Test Update Notification (3.06 KB, text/plain)
2006-01-19 03:42 EST, David Eisenstein

Description David Eisenstein 2006-01-09 12:25:54 EST
Note that the Red Hat Security Response Team has rated this issue as having
critical security impact.

+++ This bug was initially created as a clone of Bug #177042 +++

iDEFENSE has reported a format string flaw in mod_auth_pgsql.  This could allow
a remote unauthenticated attacker to execute arbitrary code as the httpd process.

-- Additional comment from bressers@redhat.com on 2006-01-05 13:12 EST --
This issue should also affect RHEL2.1 and RHEL3

-- Additional comment from mjc@redhat.com on 2006-01-05 13:34 EST --
RHEL2.1 uses version 0.9.9 of mod_auth_pgsql, which uses a different
mechanism for logging of failures and is not affected by this vulnerability.

-- Additional comment from bressers@redhat.com on 2006-01-05 21:38 EST --
This issue is public:
http://www.giuseppetanzilli.it/mod%5Fauth%5Fpgsql2/

-- Additional comment from bugzilla@redhat.com on 2006-01-05 21:46 EST --

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0164.html
Comment 1 David Eisenstein 2006-01-09 12:38:21 EST
This *may* not affect RHL 7.3 and RHL 9, as both of those use
mod_auth_pgsql-0.9.12-x versions.  RHEL 2.1 uses version 0.9.9 of 
mod_auth_pgsql, which RedHat says (above) is not vulnerable to this issue.  We
will need to look into this.

From RHSA-2006-0164:

"Several format string flaws were found in the way mod_auth_pgsql logs
information.  It may be possible for a remote attacker to execute arbitrary
code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-3656 to this issue.

"Please note that this issue only affects servers which have mod_auth_pgsql
installed and configured to perform user authentication against a
PostgreSQL database.

"All users of mod_auth_pgsql should upgrade to these updated packages, which
contain a backported patch to resolve this issue.

"This issue does not affect the mod_auth_pgsql package supplied with Red Hat
Enterprise Linux 2.1."
Comment 2 Pekka Savola 2006-01-10 01:52:57 EST
I checked 0.9.9 and a diff against 0.9.12.  0.9.* uses the ap_log_reason function for
logging these messages
(http://httpd.apache.org/dev/apidoc/apidoc_ap_log_reason.html), instead of
ap_log_rerror.  The latter expects a format string argument, the former doesn't.
I saw no significant changes between 0.9.9 and 0.9.12 in this respect.

Therefore I'm fairly confident that if 0.9.9 is unaffected, 0.9.12 also is.

FC1 and FC2 work is needed, though, but the patch should be trivial.
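As an added illustration of the mechanism described in the comment above (this is not code from mod_auth_pgsql, the RHEL patch, or this bug): a stand-in for a printf-style logger such as ap_log_rerror, the vulnerable call pattern beside the fixed one, and a small check a reviewer could use to flag a message that would be interpreted as a format. The logger's signature and the constructed usernames are assumptions for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a format-taking logger like Apache's ap_log_rerror(): a
 * printf-style format followed by variadic arguments, rendered into buf.
 * (Assumed signature, for illustration only.) */
static int log_rerror(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* The flaw class behind CVE-2005-3656: a message containing the
 * client-supplied username is assembled first and then handed to the
 * logger AS the format string, so any '%' directive in the username is
 * interpreted by vsnprintf. Kept here only to contrast with the fix;
 * it is called below with a benign constructed username. */
int log_auth_failure_vulnerable(char *buf, size_t buflen, const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "user %s: authentication failure", user);
    return log_rerror(buf, buflen, msg); /* msg becomes the format */
}

/* Fixed form: the format is a constant and the username is an argument,
 * so '%' characters in the username are copied literally. */
int log_auth_failure_fixed(char *buf, size_t buflen, const char *user)
{
    return log_rerror(buf, buflen, "user %s: authentication failure", user);
}

/* Reviewer/detector helper: does this string, if used as a format,
 * contain a directive that would consume arguments? "%%" is a literal
 * percent sign and is ignored; a trailing lone '%' is also ignored. */
int has_conversion_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0') return 1;
    }
    return 0;
}
```

With a benign username both functions log the same line, which is why the vulnerable form goes unnoticed in normal operation; the difference only shows when the username carries a '%' directive.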
Comment 3 David Eisenstein 2006-01-15 17:42:16 EST
Here are some packages for source-level QA for FC1 & FC2:

SHA1SUM                                   Package
FC1:
165db24eb898c00fae9e2e4a449d3b1589bac185  mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
b613699394847af0c754e50a19b25ce9c71eb5cf  mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

FC2:
e7c4aa02fd9594b7e62fce0d828b39485e0b5a25  mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

Available at:
FC1:
http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

FC2:
http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm


Changelogs:
-----------
FC1:
* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-3.1.legacy
- The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug
  #177326).  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r->user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
    - don't re-use database connections (#115496)
    - make functions static
    - downgrade "not configured" log message from warning to debug

FC2:
* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-4.2.legacy
- Rebuilt for FC2
(rest the same as FC1 changelog)

Comment 4 Pekka Savola 2006-01-16 02:29:31 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes rather small, changes identical to RHEL
 - patches verified to come from RHEL3
 
+PUBLISH FC1, FC2
 
165db24eb898c00fae9e2e4a449d3b1589bac185  mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
e7c4aa02fd9594b7e62fce0d828b39485e0b5a25  mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm
Comment 5 David Eisenstein 2006-01-19 03:42:49 EST
Created attachment 123415
Proposed Test Update Notification

I have built on jane:
  * mod_auth_pgsql-2.0.1-3.1.legacy for FC1
     (/var/tmp/mach/fedora-1-i386-updates/mod_auth_pgsql-2.0.1-3.1.legacy)
  * mod_auth_pgsql-2.0.1-4.2.legacy for FC2
     (/var/tmp/mach/fedora-2-i386-updates/mod_auth_pgsql-2.0.1-4.2.legacy)

Enclosed is a proposed Test Update Notification text.  Please let me know if
there is anything wrong with it.  Thanks.
Comment 6 Marc Deslauriers 2006-01-19 18:40:47 EST
Packages were pushed to updates-testing
Comment 7 Pekka Savola 2006-02-14 01:29:48 EST
New policy: automatic accept after two weeks if no negative feedback.
Comment 8 Pekka Savola 2006-02-27 01:41:22 EST
Timeout over.
Comment 9 Marc Deslauriers 2006-02-27 19:53:09 EST
Packages were released.