Bug 703390 (CVE-2011-0419) - CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch
Summary: CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0419
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Importance: medium / medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,source=researcher,rep...
Depends On: 703517 703518 703519 703520 703521 703526 795917
Blocks:
Reported: 2011-05-10 08:44 UTC by Tomas Hoger
Modified: 2019-06-08 18:49 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-24 15:17:20 UTC
Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0507 normal SHIPPED_LIVE Moderate: apr security update 2011-05-11 22:28:26 UTC
Red Hat Product Errata RHSA-2011:0896 normal SHIPPED_LIVE Moderate: JBoss Enterprise Web Server 1.0.2 update 2011-06-22 23:16:28 UTC
Red Hat Product Errata RHSA-2011:0897 normal SHIPPED_LIVE Moderate: JBoss Enterprise Web Server 1.0.2 update 2011-06-22 23:38:13 UTC

Description Tomas Hoger 2011-05-10 08:44:02 UTC
It was discovered that apr's implementation of the fnmatch function - apr_fnmatch - did not limit the number of recursive calls used when matching an input string against the pattern.  A sufficiently complex pattern and a sufficiently long input could cause apr_fnmatch to consume a lot of CPU time while processing such input.

It was reported that httpd exposes this problem via at least the mod_autoindex module, which allows remote users to specify a pattern via the P=pattern request query argument:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query

It seems this issue was already corrected in upstream SVN via a complete fnmatch implementation re-write, including the following commits:

http://svn.apache.org/viewvc?view=revision&revision=1098188
http://svn.apache.org/viewvc?view=revision&revision=1098289
http://svn.apache.org/viewvc?view=revision&revision=1098799
http://svn.apache.org/viewvc?view=revision&revision=1098902

Acknowledgement:

Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue.

Comment 2 Joe Orton 2011-05-10 12:20:27 UTC
The rewrite as a single patch is here:

http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902

Comment 7 Tomas Hoger 2011-05-11 07:21:40 UTC
(In reply to comment #0)
> It was reported that httpd exposes this problem via at least mod_autoindex
> module, which allows remote users to specify pattern via P=pattern request
> query argument:
> 
> http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query

Mitigation:

mod_autoindex can be configured to ignore request query arguments provided by the client by adding IgnoreClient option to the IndexOptions directive:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexoptions.ignoreclient
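The mitigation above, written out as a configuration fragment. This is an added illustration, not text from the comment or from the httpd documentation; the directory path and the FancyIndexing option are assumptions chosen for the example. The first block shows a listing-enabled directory that still honours client query arguments such as P=pattern; the second adds IgnoreClient so mod_autoindex ignores them entirely:

```apache
# Before: directory listings are enabled and mod_autoindex honours
# client-supplied query arguments (C=, O=, F=, V=, P=pattern).
<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

# After: IgnoreClient makes mod_autoindex ignore all query arguments
# sent by the client, so a remote user can no longer supply the
# pattern that apr_fnmatch is asked to match.
<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreClient
</Directory>
```

IgnoreClient applies per directory context, so every location that has Indexes enabled needs it; after reloading httpd, a request carrying a P= argument should return the same listing as one without it.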

Comment 8 Tomas Hoger 2011-05-11 07:25:56 UTC
Fixed upstream in APR 1.4.4 and public now via:

  http://www.mail-archive.com/dev@apr.apache.org/msg23961.html
  http://www.apache.org/dist/apr/Announcement1.x.html

  Note especially a security fix to APR 1.4.4, stack overflow was possible
  due to unconstrained, recursive invocation of apr_fnmatch, as apr_fnmatch
  processed '*' wildcards.

    * Security: CVE-2011-0419 (http://cve.mitre.org)
      Reimplement apr_fnmatch() from scratch using a non-recursive algorithm;
      now has improved compliance with the fnmatch() spec. [William Rowe]

  The APR Project thanks Maksymilian Arciemowicz of SecurityReason for his
  research and reporting of this issue.
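Comment 0 describes the unconstrained recursion and the announcement quoted in this comment names the fix: reimplementing the matcher with a non-recursive algorithm. The following constructed C program, added here and not taken from APR or httpd, puts the two shapes side by side: a textbook recursive glob matcher whose call depth is driven by the pattern, and the classic single-backtrack-point matcher that uses constant stack. Both support only '*' and '?'; bracket expressions, escapes and the apr_fnmatch flags are left out so the comparison stays small. Function names, the test cases and the hypothetical path are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Recursive form (constructed illustration, not APR's code). Each '*'
 * re-enters the function once per split point it tries, so call depth
 * grows with the number of '*' wildcards in a caller-chosen pattern and
 * the total work grows combinatorially with the input length. */
bool glob_match_recursive(const char *pat, const char *str)
{
    for (;; pat++, str++) {
        switch (*pat) {
        case '\0':
            return *str == '\0';
        case '?':
            if (*str == '\0')
                return false;
            break;
        case '*':
            while (*pat == '*')          /* a run of stars acts as one */
                pat++;
            if (*pat == '\0')            /* trailing star matches the rest */
                return true;
            for (; *str != '\0'; str++)  /* try every split point */
                if (glob_match_recursive(pat, str))
                    return true;
            return false;
        default:
            if (*pat != *str)
                return false;
        }
    }
}

/* Iterative form: on a mismatch, return to the most recent '*' and let
 * it absorb one more byte. Earlier stars never need revisiting because
 * the later star can absorb anything they could, so two local pointers
 * are the only state. Stack use is constant and work is bounded by
 * pattern length times string length. */
bool glob_match_iterative(const char *pat, const char *str)
{
    const char *star_pat = NULL;   /* pattern position just after the last '*' */
    const char *star_str = NULL;   /* string position that star currently covers */

    while (*str != '\0') {
        if (*pat == '*') {
            star_pat = ++pat;      /* note the star, let it match empty for now */
            star_str = str;
        } else if (*pat == '?' || *pat == *str) {
            pat++;
            str++;
        } else if (star_pat != NULL) {
            pat = star_pat;        /* backtrack: the star swallows one more byte */
            str = ++star_str;
        } else {
            return false;
        }
    }
    while (*pat == '*')            /* trailing stars may match the empty tail */
        pat++;
    return *pat == '\0';
}

/* Cross-check both matchers on constructed cases, including star-heavy
 * patterns; returns true when they agree on every case. */
bool matchers_agree(void)
{
    static const struct { const char *pat, *str; } cases[] = {
        { "*.c",          "apr_fnmatch.c" },
        { "a*b*c",        "axxbyyc" },
        { "a*b*c",        "axxbyy" },
        { "ab*d",         "abcde" },
        { "?",            "" },
        { "*",            "" },
        { "*a*a*a*a*a*b", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" },
        { "*a*a*a*a*a*b", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (glob_match_recursive(cases[i].pat, cases[i].str) !=
            glob_match_iterative(cases[i].pat, cases[i].str))
            return false;
    return true;
}

int main(void)
{
    printf("matchers agree on all cases: %s\n", matchers_agree() ? "yes" : "no");
    printf("\"*.c\" matches \"apr_fnmatch.c\": %d\n",
           glob_match_iterative("*.c", "apr_fnmatch.c"));
    return 0;
}
```

The point of the comparison is the bound, not the speed: the iterative matcher's worst case is the product of the two lengths, and its stack footprint does not change no matter how many wildcards a remote client places in the pattern, which is what makes it safe to call on untrusted input such as a query argument.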

Comment 9 errata-xmlrpc 2011-05-11 22:28:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4

Via RHSA-2011:0507 https://rhn.redhat.com/errata/RHSA-2011-0507.html

Comment 10 errata-xmlrpc 2011-06-22 23:17:13 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html

Comment 11 errata-xmlrpc 2011-06-22 23:38:49 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html