Bug 703390 - (CVE-2011-0419) CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Assigned To: Red Hat Product Security
impact=moderate,source=researcher,rep...
Depends On: 703517 703518 703519 703520 703521 703526 795917
Reported: 2011-05-10 04:44 EDT by Tomas Hoger
Modified: 2015-11-24 09:38 EST (History)

Doc Type: Bug Fix
Last Closed: 2014-07-24 11:17:20 EDT
Description Tomas Hoger 2011-05-10 04:44:02 EDT
It was discovered that apr's implementation of the fnmatch function - apr_fnmatch - did not limit the number of recursive calls used when matching an input string against the pattern.  A sufficiently complex pattern and sufficiently long input could cause apr_fnmatch to consume a lot of CPU time while processing such input.

It was reported that httpd exposes this problem via at least the mod_autoindex module, which allows remote users to specify a pattern via the P=pattern request query argument:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query

It seems this issue was already corrected in upstream SVN via a complete fnmatch implementation re-write, including the following commits:

http://svn.apache.org/viewvc?view=revision&revision=1098188
http://svn.apache.org/viewvc?view=revision&revision=1098289
http://svn.apache.org/viewvc?view=revision&revision=1098799
http://svn.apache.org/viewvc?view=revision&revision=1098902

Acknowledgement:

Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue.
Comment 2 Joe Orton 2011-05-10 08:20:27 EDT
The rewrite as a single patch is here:

http://svn.apache.org/viewvc/apr/apr/branches/1.4.x/strings/apr_fnmatch.c?r1=731029&r2=1098902
Comment 7 Tomas Hoger 2011-05-11 03:21:40 EDT
(In reply to comment #0)
> It was reported that httpd exposes this problem via at least the mod_autoindex
> module, which allows remote users to specify a pattern via the P=pattern request
> query argument:
> 
> http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#query

Mitigation:

mod_autoindex can be configured to ignore request query arguments provided by the client by adding the IgnoreClient option to the IndexOptions directive:

http://httpd.apache.org/docs/2.2/mod/mod_autoindex.html#indexoptions.ignoreclient
Comment 8 Tomas Hoger 2011-05-11 03:25:56 EDT
Fixed upstream in APR 1.4.4 and public now via:

  http://www.mail-archive.com/dev@apr.apache.org/msg23961.html
  http://www.apache.org/dist/apr/Announcement1.x.html

  Note especially a security fix to APR 1.4.4, stack overflow was possible
  due to unconstrained, recursive invocation of apr_fnmatch, as apr_fnmatch
  processed '*' wildcards.

    * Security: CVE-2011-0419 (http://cve.mitre.org)
      Reimplement apr_fnmatch() from scratch using a non-recursive algorithm;
      now has improved compliance with the fnmatch() spec. [William Rowe]

  The APR Project thanks Maksymilian Arciemowicz of SecurityReason for his
  research and reporting of this issue.
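The non-recursive strategy the APR 1.4.4 announcement refers to, as an added illustration that is not APR's own code: a minimal iterative matcher for '*' and '?' whose stack usage stays constant, plus a constructed stress case with thousands of wildcards. The names glob_match and stress_many_wildcards are invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Iterative wildcard matcher for '*' and '?' (no bracket classes).
 * Not APR's apr_fnmatch(): it only illustrates the non-recursive idea.
 * Instead of recursing on every '*', remember the most recent '*' and
 * where in the input it began; on a mismatch, backtrack to that point. */
bool glob_match(const char *pattern, const char *str)
{
    const char *p = pattern, *s = str;
    const char *star_p = NULL;  /* pattern position after the last '*' */
    const char *star_s = NULL;  /* input position that '*' started at */
    while (*s != '\0') {
        if (*p == '*') {
            while (*p == '*') p++;   /* collapse runs of '*' */
            star_p = p;
            star_s = s;
        } else if (*p == '?' || *p == *s) {
            p++;
            s++;
        } else if (star_p != NULL) {
            /* Mismatch: let the last '*' absorb one more input char. */
            s = ++star_s;
            p = star_p;
        } else {
            return false;
        }
    }
    while (*p == '*') p++;       /* trailing '*' matches the empty tail */
    return *p == '\0';
}

/* Constructed stress input (not from the report): N '*' wildcards
 * against a long input that cannot match. A matcher that recurses
 * once per '*' would need N nested frames; this one needs none.
 * Returns false: the input ends in 'b' but the pattern ends in 'a'. */
bool stress_many_wildcards(void)
{
    enum { N = 4000 };
    static char pattern[2 * N + 1], input[N + 2];
    for (size_t i = 0; i < N; i++) {
        pattern[2 * i] = '*';
        pattern[2 * i + 1] = 'a';
        input[i] = 'a';
    }
    pattern[2 * N] = '\0';
    input[N] = 'b';
    input[N + 1] = '\0';
    return glob_match(pattern, input);
}
```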
Comment 9 errata-xmlrpc 2011-05-11 18:28:36 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4

Via RHSA-2011:0507 https://rhn.redhat.com/errata/RHSA-2011-0507.html
Comment 10 errata-xmlrpc 2011-06-22 19:17:13 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
Comment 11 errata-xmlrpc 2011-06-22 19:38:49 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4
  JBEWS 1 for RHEL 6

Via RHSA-2011:0897 https://rhn.redhat.com/errata/RHSA-2011-0897.html