Bug 559371 - (CVE-2010-0010) CVE-2010-0010 rhn-apache: buffer overflow via integer overflow vulnerability on 64bit platforms
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low Severity: low
Assigned To: Red Hat Product Security
public=20100127,reported=20100127,sou...
Keywords: Security
Duplicates: 561358
Depends On: 561512 561513 561514 561515 561516 561517 561518 561519 561520 561521 561522 561523
Reported: 2010-01-27 16:53 EST by Vincent Danen
Modified: 2018-01-29 20:00 EST
Fixed In Version: httpd 1.3.42
Doc Type: Bug Fix
Description Vincent Danen 2010-01-27 16:53:20 EST
It was reported [1] that mod_proxy in Apache 1.3.x is vulnerable to a buffer overflow on the heap via an integer overflow vulnerability. In the ap_proxy_send_fb() function (in src/modules/proxy/proxy_util.c), the server will convert received data to a long type, and if there is a positive chunk size, will convert the long to an int type, resulting in an integer overflow on 64-bit platforms.

[1] http://marc.info/?l=full-disclosure&m=126461496425954&w=2
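
The narrowing flaw described in this report, as an added C example that is not Apache's code and not part of the original bug: the function names and the 8192-byte buffer are hypothetical, and `int64_t` stands in for a 64-bit `long`. It parses a hex chunk size, then contrasts narrowing to `int` before the bounds comparison with clamping in the wide type first.

```c
#include <stdint.h>
#include <stdio.h>

#define IOBUF_SIZE 8192 /* assumed size of the heap I/O buffer */

/* Parse a hex chunk-size field into a 64-bit value (models a 64-bit long).
 * Returns 0 on success, -1 on empty input, a non-hex digit or overflow. */
static int parse_chunk_size(const char *s, int64_t *out)
{
    int64_t v = 0;
    if (*s == '\0') return -1;
    for (; *s != '\0'; s++) {
        int d;
        if (*s >= '0' && *s <= '9') d = *s - '0';
        else if (*s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else if (*s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else return -1;
        if (v > (INT64_MAX - d) / 16)
            return -1; /* the next digit would overflow */
        v = v * 16 + d;
    }
    *out = v;
    return 0;
}

/* Flawed pattern: narrow to int first, then compare. Out-of-range narrowing
 * is implementation-defined; common compilers keep the low 32 bits. */
static int read_len_narrow_first(int64_t remaining)
{
    int want = (int)remaining;
    return want < IOBUF_SIZE ? want : IOBUF_SIZE;
}

/* Hardened pattern: clamp in the wide type, narrow only a value that fits.
 * Returns the byte count to read, or -1 when the size is not positive. */
static long read_len_clamp_first(int64_t remaining)
{
    if (remaining <= 0)
        return -1;
    return remaining < IOBUF_SIZE ? (long)remaining : (long)IOBUF_SIZE;
}

int main(void)
{
    int64_t n = 0; /* "80000000" is a constructed chunk-size field */
    if (parse_chunk_size("80000000", &n) == 0)
        printf("%d vs %ld\n", read_len_narrow_first(n), read_len_clamp_first(n));
    return 0;
}
```

A negative `int` length handed to a routine that takes `size_t` is converted to a very large unsigned value, which is why the comparison has to happen before the narrowing.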
Comment 2 Josh Bressers 2010-01-27 21:29:25 EST
This shouldn't affect Apache 2. The code in question isn't there, and the reproducer does nothing; Apache 2 appears to gracefully handle the large body.
Comment 3 Josh Bressers 2010-01-28 11:31:31 EST
I'm marking the severity of this flaw to low. It only affects rhn satellite and proxy. The mod_proxy bits are not used, so a user would have to enable them, which is unsupported and very unwise.

We can disable building that module next time we release an update.
Comment 4 Jan Lieskovsky 2010-02-03 09:56:33 EST
MITRE's CVE-2010-0010 entry:

Integer overflow in the ap_proxy_send_fb function in
proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
1.3.42 on 64-bit platforms allows remote origin servers to cause a
denial of service (daemon crash) or possibly execute arbitrary code
via a large chunk size that triggers a heap-based buffer overflow.

--

Upstream patch:
  http://svn.apache.org/viewvc?view=revision&revision=896842
Comment 5 Jan Lieskovsky 2010-02-03 09:57:07 EST
This issue did not affect the versions of the httpd package
as shipped with Red Hat Enterprise Linux 3, 4, and 5.

For the complete list of vulnerable Apache httpd server versions,
proceed to the upstream dedicated security page:

  http://httpd.apache.org/security/vulnerabilities_13.html
Comment 6 Jan Lieskovsky 2010-02-03 09:58:50 EST
*** Bug 561358 has been marked as a duplicate of this bug. ***
