Bug 1163555 (CVE-2014-3583) - CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
Summary: CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3583
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1163556 1167515 1257049
Blocks: 1163562
Reported: 2014-11-13 02:36 UTC by Murray McAllister
Modified: 2021-02-17 06:01 UTC (History)

Fixed In Version: httpd 2.4.11
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in mod_proxy_fcgi's handle_headers() function. A malicious FastCGI server that httpd is configured to connect to could send a carefully crafted response that would cause an httpd child process handling the request to crash.
Clone Of:
Environment:
Last Closed: 2015-10-02 05:46:55 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2015:1855 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Low: mod_proxy_fcgi security update | Last Updated: 2015-10-02 00:25:42 UTC
Red Hat Product Errata RHSA-2015:1858 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Low: mod_proxy_fcgi and ceph security and bug fix update | Last Updated: 2016-02-03 03:02:30 UTC

Description Murray McAllister 2014-11-13 02:36:35 UTC
The following flaw has been fixed in the Apache HTTP Server:

"A buffer overflow was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a heap buffer overflow."

Patch for trunk:

http://svn.apache.org/viewvc?view=revision&revision=1638818

External References:

http://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Murray McAllister 2014-11-13 02:38:47 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1163556]

Comment 2 Arun Babu Neelicattu 2014-11-13 08:52:49 UTC
Statement:

Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6 and 7, Red Hat Software Collections 1, Red Hat JBoss Web Server 1 and 2, and Red Hat JBoss Enterprise Application Platform 6.

Comment 3 Tomas Hoger 2014-11-14 12:35:38 UTC
The affected mod_proxy_fcgi module was first introduced upstream in version 2.4 (or development version 2.3).  The httpd version 2.4 is currently only available in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1.  Other Red Hat products that include httpd use older upstream versions (2.2 or 2.0) that do not include the mod_proxy_fcgi module.

Comment 5 Tomas Hoger 2014-11-24 21:11:57 UTC
This is a buffer over read issue in the handle_headers() function in mod_proxy_fcgi.  The function iterates over the input string buffer until it finds the end of headers (delimited using \n\n or \r\n\r\n, or until a \0 is found to indicate end of string).  Before the fix, the function did not get the length of the buffer, or a pointer to its end, so it could not detect the end of the buffer and prevent reads past the end of the buffer.

In httpd 2.4.10, the buffer passed to handle_headers() can be either stack or heap based.  Only a stack based buffer is used in earlier versions.

This issue can be triggered by a malicious FastCGI server that httpd is configured to connect to.  It may also be triggered if a non-malicious FastCGI server is made to generate a response with unexpectedly large headers.

Considering that the over read stops when the first \0 byte is encountered, this seems unlikely to lead to an easily reproducible crash.  Additionally, a crash would be limited to the specific httpd child process handling the request.
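
An added illustration of the end-of-headers scan described in comment 5, written once in the unbounded pre-fix shape and once with the buffer length carried along. This is example code, not httpd's handle_headers() or the upstream patch; the function names and the sample fragments are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample fragments (not real FastCGI traffic). */
static const char sample_complete[] =
    "Status: 200 OK\r\nContent-Type: text/html\r\n\r\nbody";
/* A header fragment with no blank line and, deliberately, no trailing NUL. */
static const char sample_partial[] =
    { 'X', '-', 'A', ':', ' ', '1', '\r', '\n', 'X', '-', 'B' };

/* Unbounded scan, the pre-fix pattern: it trusts the caller to have
 * NUL-terminated buf.  On a buffer with neither a '\0' nor a blank line it
 * walks past the end (the over read), so it must only ever see
 * NUL-terminated input.  Returns a pointer just past the blank line, or NULL. */
const char *find_end_of_headers_unbounded(const char *buf)
{
    for (const char *p = buf; *p != '\0'; p++) {
        if (p[0] == '\n' && p[1] == '\n')
            return p + 2;
        if (p[0] == '\r' && p[1] == '\n' && p[2] == '\r' && p[3] == '\n')
            return p + 4;
    }
    return NULL;
}

/* Bounded scan, the fixed pattern: the length travels with the buffer and
 * every index is checked against it, so buf[len] is never touched.  Returns
 * the offset just past the blank line, or -1 when the headers do not end (or
 * a '\0' appears) within len bytes; the caller then reads more or rejects. */
long find_end_of_headers_bounded(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\0')
            return -1;
        if (buf[i] == '\n' && i + 1 < len && buf[i + 1] == '\n')
            return (long)(i + 2);
        if (buf[i] == '\r' && i + 3 < len && buf[i + 1] == '\n'
            && buf[i + 2] == '\r' && buf[i + 3] == '\n')
            return (long)(i + 4);
    }
    return -1;
}

int main(void)
{
    printf("complete: %ld, partial (no NUL): %ld\n",
           find_end_of_headers_bounded(sample_complete, strlen(sample_complete)),
           find_end_of_headers_bounded(sample_partial, sizeof sample_partial));
    return 0;
}
```

The partial fragment is the case that matters: the bounded scan reports -1 and stops at byte 11, while the unbounded one has no way to know where the buffer ends.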

Comment 8 Tomas Hoger 2014-11-25 12:25:42 UTC
This flaw was introduced via the following commit:

http://svn.apache.org/viewvc?view=revision&revision=1594537

Prior to the change, the code ensured that the buffer passed to the handle_headers() function was always properly NUL terminated, as was expected by the function.

The change was added in the httpd upstream version 2.4.10, which is the only version affected by this flaw.  The upstream vulnerabilities page is now updated to no longer list 2.4.1 - 2.4.9 as affected by this issue.

The httpd packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream version 2.4.6 and were not affected by this issue.

Comment 9 Tomas Hoger 2014-11-25 12:29:15 UTC
(In reply to Tomas Hoger from comment #5)
> In httpd 2.4.10, the buffer passed to the handle_headers() can either be
> stack or heap based.  Only stack based buffer is used in earlier versions.

Relevant upstream commit is:

http://svn.apache.org/viewvc?view=revision&revision=1601749

Comment 10 Fedora Update System 2015-02-28 10:22:48 UTC
httpd-2.4.10-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-03-16 01:41:37 UTC
httpd-2.4.10-15.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-05-03 23:12:59 UTC
mod_proxy_fcgi-2.4.10-1.20150415gitd45a11f.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2015-10-01 20:26:07 UTC
This issue has been addressed in the following products:

  Red Hat Common for RHEL 6

Via RHSA-2015:1855 https://rhn.redhat.com/errata/RHSA-2015-1855.html

Comment 15 errata-xmlrpc 2015-10-01 21:01:10 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 1.2 for CentOS 6

Via RHSA-2015:1858 https://access.redhat.com/errata/RHSA-2015:1858

