Bug 706203 (CVE-2011-1928) - CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419
Summary: CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1928
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110519,reported=20110519,sou...
Depends On: 703519 703521 706350 706351 706352 795917
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-19 18:24 UTC by Vincent Danen
Modified: 2019-06-08 18:49 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-10 09:45:26 UTC


Attachments (Terms of Use)
upstream patch (968 bytes, patch)
2011-05-19 18:25 UTC, Vincent Danen
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0844 normal SHIPPED_LIVE Low: apr security update 2011-05-31 15:45:39 UTC

Description Vincent Danen 2011-05-19 18:24:16 UTC
A flaw was discovered in the apr_fnmatch() function in the Apache Portable Runtime (APR) library 1.4.4 (or any backported versions that contained the upstream fix for CVE-2011-0419).  This could cause httpd workers to enter a hung state (100% CPU utilization).

Comment 1 Vincent Danen 2011-05-19 18:25:42 UTC
Created attachment 499921 [details]
upstream patch

Patch provided by upstream to correct this issue.

Comment 2 Vincent Danen 2011-05-19 18:33:47 UTC
This is actually public already:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201105.mbox/%3C4DD55092.3030403@apache.org%3E

Comment 4 Vincent Danen 2011-05-19 19:24:11 UTC
This is CVE-2011-1928.

Comment 9 Tomas Hoger 2011-05-20 12:28:27 UTC
This problem is triggered when using APR_FNM_PATHNAME flag.  This is not used by mod_autoindex, so this problem is not triggered in the same way as the original problem CVE-2011-0419 (bug #703390).

In certain configurations, this can be triggered by an HTTP request that does not need to be purposefully malicious.  Upstream bug mentions following example:

  <Location "/*/WEB-INF/">

This problem can be mitigated by wildcards ('*' or '(dir1|dir2|dir3)' alternatives specifications) in the <Location> URL specifications, or using regular expression specifications instead (using <Location ~ > or <LocationMatch>).

If you're temporarily downgrading to older apr version, consider applying CVE-2011-0419 mitigation as mentioned in bug #703390, comment #7.

Comment 10 errata-xmlrpc 2011-05-31 15:45:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 6

Via RHSA-2011:0844 https://rhn.redhat.com/errata/RHSA-2011-0844.html

Comment 11 Tom 2011-07-19 13:40:43 UTC
I added some details at the related Fedora page at https://bugzilla.redhat.com/show_bug.cgi?id=714182 But the general idea is that nist.gov says that version 2.2.17 and 2.2.18 is affected by combining these CVE:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1928
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0419

So even if the exploit doesn't exist in a patched 2.2.17 or 2.2.18 at least one vulnerably scanner company is being a pain about it.

Sorry, I don't know if it is possible for you to get NIST to change the text.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0419
https://bugzilla.redhat.com/show_bug.cgi?id=714182
https://bugzilla.redhat.com/show_bug.cgi?id=703390

It seems to me the only resolution is to move to 2.2.19


Note You need to log in before you can comment on or make changes to this bug.