It was discovered that apr's implementation of the fnmatch function - apr_fnmatch - did not limit number of recursive calls used when matching input string against the pattern. Sufficiently complex pattern and sufficient long input could cause apr_fnmatch to consume a lot of CPU time while processing such input. It was reported that httpd exposes this problem via at least mod_autoindex module, which allows remote users to specify pattern via P=pattern request query argument: http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query It seems this issue was already corrected in upstream SVN via a complete fnmatch implementation re-write including following commits: http://svn.apache.org/viewvc?view=revision&revision=1098188 http://svn.apache.org/viewvc?view=revision&revision=1098289 http://svn.apache.org/viewvc?view=revision&revision=1098799 http://svn.apache.org/viewvc?view=revision&revision=1098902 Acknowledgement: Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue.
The rewrite as a single patch is here: http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902
(In reply to comment #0) > It was reported that httpd exposes this problem via at least mod_autoindex > module, which allows remote users to specify pattern via P=pattern request > query argument: > > http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query Mitigation: mod_autoindex can be configured to ignore request query arguments provided by the client by adding IgnoreClient option to the IndexOptions directive: http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexoptions.ignoreclient
Fixed upstream in APR 1.4.4 and public now via: http://www.mail-archive.com/dev@apr.apache.org/msg23961.html http://www.apache.org/dist/apr/Announcement1.x.html Note especially a security fix to APR 1.4.4, stack overflow was possible due to unconstrained, recursive invocation of apr_fnmatch, as apr_fnmatch processed '*' wildcards. * Security: CVE-2011-0419 (http://cve.mitre.org) Reimplement apr_fnmatch() from scratch using a non-recursive algorithm; now has improved compliance with the fnmatch() spec. [William Rowe] The APR Project thanks Maksymilian Arciemowicz of SecurityReason for his research and reporting of this issue.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 4 Via RHSA-2011:0507 https://rhn.redhat.com/errata/RHSA-2011-0507.html
This issue has been addressed in following products: JBoss Enterprise Web Server 1.0 Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 4 JBEWS 1 for RHEL 6 Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html