Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 177326

Summary: CVE-2005-3656 mod_auth_pgsql format string issue
Product: [Retired] Fedora Legacy Reporter: David Eisenstein <deisenst>
Component: mod_auth_pgsqlAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: medium    
Version: unspecifiedCC: pekkas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=critical, LEGACY, 1, 2
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-02-28 00:53:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed Test Update Notification none

Description David Eisenstein 2006-01-09 17:25:54 UTC
Note that the Red Hat Security Response Team has rated this issue as having
critical security impact.

+++ This bug was initially created as a clone of Bug #177042 +++

iDEFENSE has reported a format string flaw in mod_auth_pgsql.  This could allow
a remote unauthenticated attacker to execute arbitrary code as the httpd process.

-- Additional comment from bressers on 2006-01-05 13:12 EST --
This issue should also affect RHEL2.1 and RHEL3

-- Additional comment from mjc on 2006-01-05 13:34 EST --
RHEL2.1 uses version 0.9.9 of mod_auth_pgsql which uses different a different
mechanism for logging of failures and is not affected by this vulnerability.

-- Additional comment from bressers on 2006-01-05 21:38 EST --
This issue is public:
http://www.giuseppetanzilli.it/mod%5Fauth%5Fpgsql2/

-- Additional comment from bugzilla on 2006-01-05 21:46 EST --

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0164.html

Comment 1 David Eisenstein 2006-01-09 17:38:21 UTC
This *may* not affect RHL 7.3 and RHL 9, as both of those use
mod_auth_pgsql-0.9.12-x versions.  RHEL 2.1 uses version 0.9.9 of 
mod_auth_pgsql, which RedHat says (above) is not vulnerable to this issue.  We
will need to look into this.

From RHSA-2006-0164:

"Several format string flaws were found in the way mod_auth_pgsql logs
information.  It may be possible for a remote attacker to execute arbitrary
code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-3656 to this issue.

"Please note that this issue only affects servers which have mod_auth_pgsql
installed and configured to perform user authentication against a
PostgreSQL database.

"All users of mod_auth_pgsql should upgrade to these updated packages, which
contain a backported patch to resolve this issue.

"This issue does not affect the mod_auth_pgsql package supplied with Red Hat
Enterprise Linux 2.1."

Comment 2 Pekka Savola 2006-01-10 06:52:57 UTC
I checked 0.9.9 and a diff against 0.9.12.  0.9.* use ap_log_reason function for
logging these messages
(http://httpd.apache.org/dev/apidoc/apidoc_ap_log_reason.html), instead of
ap_log_rerror.  The latter expects a format string argument, the former doesn't.
I saw no significant changes between 0.9.9 and 0.9.12 in this respect.

Therefore I'm fairly confident that if 0.9.9 is unaffected, 0.9.12 also is.

FC1 and FC2 work is needed, though, but the patch should be trivial.

Comment 3 David Eisenstein 2006-01-15 22:42:16 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Here are some packages for source-level QA for FC1 & FC2:

	      SHA1SUM					  Package
FC1:
165db24eb898c00fae9e2e4a449d3b1589bac185__mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
b613699394847af0c754e50a19b25ce9c71eb5cf__mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

FC2:
e7c4aa02fd9594b7e62fce0d828b39485e0b5a25__mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm

Available at:
FC1:
http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-3.1.legacy.i386.rpm

FC2:
http://fedoralegacy.org/contrib/mod_auth_pgsql/mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm


Changelogs:
- -----------
FC1:
* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-3.1.legacy
- - The following fixes lifted wholesale from FC3's .src.rpm, (Legacy Bug
  #177326).  Changes by Joe Orton of RedHat:
  * add security fix for CVE-2005-3656
  * don't strip .so file so debuginfo works
  * fix r->user handling (Mirko Streckenbach, #150087)
  * merge from Taroon (RHEL 3):
    - don't re-use database connections (#115496)
    - make functions static
    - downgrade "not configured" log message from warning to debug

FC2:
* Sun Jan 15 2006 David Eisenstein <deisenst at gtw.net> 2.0.1-4.2.legacy
- - Rebuilt for FC2
(rest the same as FC1 changelog)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDys8Xxou1V/j9XZwRAsMoAJsH1bJ1GfdHZaZksKTN5LQ8xUHMFACg4QAj
P7C8M6J5kGDh9xEdT3CJDQQ=
=Goo0
-----END PGP SIGNATURE-----


Comment 4 Pekka Savola 2006-01-16 07:29:31 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes rather small, changes identical to RHEL
 - patches verified to come from RHEL3
 
+PUBLISH FC1, FC2
 
165db24eb898c00fae9e2e4a449d3b1589bac185  mod_auth_pgsql-2.0.1-3.1.legacy.src.rpm
e7c4aa02fd9594b7e62fce0d828b39485e0b5a25  mod_auth_pgsql-2.0.1-4.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDy0xGGHbTkzxSL7QRAvNVAKDJDJK/BVB+FSkauDe/o05+oA5a5wCgomJn
Z+D6auX6AkNJVU3fa47ctfI=
=f1si
-----END PGP SIGNATURE-----


Comment 5 David Eisenstein 2006-01-19 08:42:49 UTC
Created attachment 123415 [details]
Proposed Test Update Notification

I have built on jane:
  * mod_auth_pgsql-2.0.1-3.1.legacy for FC1
     (/var/tmp/mach/fedora-1-i386-updates/mod_auth_pgsql-2.0.1-3.1.legacy)
  * mod_auth_pgsql-2.0.1-4.2.legacy for FC2
     (/var/tmp/mach/fedora-2-i386-updates/mod_auth_pgsql-2.0.1-4.2.legacy)

Enclosed is a proposed Test Update Notification text.  Please let me know if
there is anything wrong with it.  Thanks.

Comment 6 Marc Deslauriers 2006-01-19 23:40:47 UTC
Packages were pushed to updates-testing

Comment 7 Pekka Savola 2006-02-14 06:29:48 UTC
New policy: automatic accept after two weeks if no negative feedback.

Comment 8 Pekka Savola 2006-02-27 06:41:22 UTC
Timeout over.

Comment 9 Marc Deslauriers 2006-02-28 00:53:09 UTC
Packages were released.