Bug 504390 - (CVE-2009-1956) CVE-2009-1956 apr-util single NULL byte buffer overflow
CVE-2009-1956 apr-util single NULL byte buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=internet,publi...
: Security
Depends On: 595829 504558 504559 504560 504561 504562 591930
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-05 20:12 EDT by Josh Bressers
Modified: 2012-06-20 13:10 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 13:10:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2009-06-05 20:12:12 EDT
A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function.

First let's assume the worst case and an attacker can control exactly what
is being sent to apr_brigade_vprintf and can trigger this issue by filling
the buckets just right so you end up with one that is perfectly full as
per the explanation at
http://www.mail-archive.com/dev@apr.apache.org/msg21592.html

     632 APU_DECLARE(apr_status_t) apr_brigade_vprintf(apr_bucket_brigade *b,
...
     638     struct brigade_vprintf_data_t vd;
     639     char buf[APR_BUCKET_BUFF_SIZE];
     640     apr_size_t written;
...
     656     *(vd.vbuff.curpos) = '\0';
...
     659     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos -
buf);

If we get to line 656 with vd.vbuff.curpos pointing to one past the end of
buf we write a single NULL to the next thing on the stack after buf.  And
on the Linux x86 and x86_64 builds we looked at this is actually the first
byte of the vd structure, which is in fact the LSB of vd.vbuff.curpos
itself.

So the only use of this after the overwrite is on line 659 where
vd.vbuff.curpos gets used to calculate how much to write.  Before the
overwrite vd.vbuff.curpos was buf+APR_BUCKET_BUFF_SIZE (8000), but now it
could be between 0 and 255 bytes less.  So apr_brigade_write will end up
writing out between 0 and 255 bytes less than it ought to, causing the
truncation seen in the original bug report.

So for little endian systems it doesn't seem to have any security
consequence.  Of course for a big endian system apr_brigade_write could
end up dumping large amounts of memory (so an info disclosure leak or
crash).
Comment 1 Josh Bressers 2009-06-05 20:20:29 EDT
The upstream patch can be found here:
http://svn.apache.org/viewvc?view=rev&revision=768417
Comment 2 Mark J. Cox (Product Security) 2009-06-08 04:09:00 EDT
For s390 and ppc, big-endian systems for Red Hat Enterprise Linux, this could be a information disclosure leak:
          cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N

For all other architectures of Red Hat Enterprise Linux this has no security impact:
          cvss2=0
Comment 5 errata-xmlrpc 2009-06-16 18:05:06 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1108 https://rhn.redhat.com/errata/RHSA-2009-1108.html
Comment 6 errata-xmlrpc 2009-06-16 18:05:55 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4

Via RHSA-2009:1107 https://rhn.redhat.com/errata/RHSA-2009-1107.html
Comment 7 Fedora Update System 2009-06-24 15:32:40 EDT
apr-util-1.2.12-7.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2009-06-24 15:36:31 EDT
apr-util-1.3.7-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-06-24 15:40:16 EDT
apr-util-1.3.7-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Bojan Smojver 2009-11-13 15:51:44 EST
Can this be closed?
Comment 11 Tomas Hoger 2009-11-18 04:30:46 EST
We don't want to close it yet, feel free to un-CC yourself now that all current Fedora versions are fixed.  Thank you!
Comment 12 Bojan Smojver 2009-11-18 04:37:33 EST
I just saw RHEL and Fedora having fixes, so I thought it was not needed any more. I don't mind the e-mails.
Comment 14 errata-xmlrpc 2010-08-04 17:31:00 EDT
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Note You need to log in before you can comment on or make changes to this bug.