libapache2-mod-fcgid: stack overwrite vulnerability

Related Vulnerabilities: CVE-2010-3872  

Debian Bug report logs - #605484
libapache2-mod-fcgid: stack overwrite vulnerability


Reported by: John Goerzen <jgoerzen@complete.org>

Date: Tue, 30 Nov 2010 14:42:02 UTC

Severity: grave

Tags: lenny, security

Found in version libapache2-mod-fcgid/1:2.2-1

Fixed in versions 1:2.3.6-1, libapache2-mod-fcgid/1:2.2-1+lenny1

Done: Tatsuki Sugiura <sugi@nemui.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#605484; Package libapache2-mod-fcgid. (Tue, 30 Nov 2010 14:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tatsuki Sugiura <sugi@nemui.org>. (Tue, 30 Nov 2010 14:42:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-fcgid: stack overwrite vulnerability
Date: Tue, 30 Nov 2010 08:40:44 -0600
Package: libapache2-mod-fcgid
Version: 1:2.2-1
Severity: grave
Tags: security
Justification: user security hole

This was reported in CVE-2010-3872.  Information at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3872

https://issues.apache.org/bugzilla/show_bug.cgi?id=49406

Of particular note, the code in question appears at line 86 in the
lenny version, and is:

                memcpy(&header + hasread, buffer, putsize);


Our versions in lenny and lenny-backports are both vulnerable.
squeeze and sid are running new enough versions that they aren't.

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (500, 'stable'), (99, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-fcgid depends on:
ii  apache2.2-common         2.2.9-10+lenny8 Apache HTTP Server common files
ii  libc6                    2.7-18lenny6    GNU C Library: Shared libraries

libapache2-mod-fcgid recommends no packages.

libapache2-mod-fcgid suggests no packages.

-- no debconf information
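Why the quoted line is dangerous, as an added C illustration that is not code from the bug report, from the Debian package or from mod_fcgid itself: `&header` has type `FCGI_Header *`, so `&header + hasread` advances by `hasread * sizeof(header)` bytes rather than `hasread` bytes, and any call made after a partial read lands well outside the header object. The names `hasread`, `buffer` and `putsize` follow the report; the struct follows the 8-byte record header in the FastCGI specification; the split-read scenario and guard bytes are constructed for the demonstration and the bounds-checked `header_append` is an illustrative corrected form, not the upstream patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 8-byte record header from the FastCGI specification (FCGI_Header). */
typedef struct {
    unsigned char version;
    unsigned char type;
    unsigned char requestIdB1;
    unsigned char requestIdB0;
    unsigned char contentLengthB1;
    unsigned char contentLengthB0;
    unsigned char paddingLength;
    unsigned char reserved;
} FCGI_Header;

/* Byte offset that the report's `&header + hasread` really addresses:
 * pointer arithmetic on FCGI_Header * scales by sizeof(FCGI_Header),
 * so the destination moves 8 bytes per unit instead of 1. Computed
 * arithmetically so no out-of-bounds pointer is ever formed here. */
size_t buggy_dst_offset(size_t hasread)
{
    return hasread * sizeof(FCGI_Header);
}

/* Illustrative corrected form: accumulate a header that may arrive in
 * several fragments, addressing the destination as bytes and never
 * copying more than the space still free in the header.
 * Returns the number of bytes consumed from `buffer`. */
size_t header_append(FCGI_Header *header, size_t *hasread,
                     const unsigned char *buffer, size_t avail)
{
    if (*hasread >= sizeof *header)
        return 0;                                 /* header already complete */
    size_t putsize = sizeof *header - *hasread;   /* room left in header */
    if (putsize > avail)
        putsize = avail;
    memcpy((unsigned char *)header + *hasread, buffer, putsize);
    *hasread += putsize;
    return putsize;
}

int header_complete(size_t hasread)
{
    return hasread == sizeof(FCGI_Header);
}

unsigned fcgi_content_length(const FCGI_Header *h)
{
    return ((unsigned)h->contentLengthB1 << 8) | h->contentLengthB0;
}

/* Constructed scenario: an FCGI_STDOUT header (type 6, request id 1,
 * content length 256) arrives split across reads of 3 and 5 bytes, so the
 * second call runs with hasread == 3, the case where the struct-pointer
 * arithmetic in the report would land 24 bytes past the header start.
 * Guard bytes on both sides prove the copy stayed inside the header.
 * Returns the parsed content length, or -1 if a guard byte was disturbed. */
int demo_split_header(void)
{
    static const unsigned char chunk1[] = {1, 6, 0};
    static const unsigned char chunk2[] = {1, 1, 0, 0, 0};
    struct {
        unsigned char before[8];
        FCGI_Header header;
        unsigned char after[8];
    } frame;
    memset(&frame, 0xAA, sizeof frame);           /* guard pattern */
    size_t hasread = 0;

    header_append(&frame.header, &hasread, chunk1, sizeof chunk1);
    header_append(&frame.header, &hasread, chunk2, sizeof chunk2);
    if (!header_complete(hasread))
        return -1;
    for (size_t i = 0; i < 8; i++)
        if (frame.before[i] != 0xAA || frame.after[i] != 0xAA)
            return -1;
    return (int)fcgi_content_length(&frame.header);
}

int main(void)
{
    printf("`&header + 3` addresses byte %zu of header, not byte 3\n",
           buggy_dst_offset(3));
    printf("content length from split header: %d\n", demo_split_header());
    return 0;
}
```

The cast to `unsigned char *` is the whole fix for the offset; the `putsize` clamp is the separate check a reader of the original loop should confirm is present, since a FastCGI application on the same host controls how the header bytes are fragmented.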




Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#605484; Package libapache2-mod-fcgid. (Tue, 30 Nov 2010 14:48:06 GMT) (full text, mbox, link).


Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Tue, 30 Nov 2010 14:48:06 GMT) (full text, mbox, link).


Message #10 received at 605484@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>
To: debian-security-tracker@lists.debian.org
Cc: 605484@bugs.debian.org
Subject: CVE-2010-3872
Date: Tue, 30 Nov 2010 08:44:37 -0600
Please note:

stable and lenny-backports both appear to be vulnerable to this -- they 
contain the offending code.

I have filed bug #605484 on this.

- John




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#605484; Package libapache2-mod-fcgid. (Wed, 01 Dec 2010 09:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Tatsuki Sugiura <sugi@nemui.org>:
Extra info received and forwarded to list. (Wed, 01 Dec 2010 09:57:05 GMT) (full text, mbox, link).


Message #15 received at 605484@bugs.debian.org (full text, mbox, reply):

From: Tatsuki Sugiura <sugi@nemui.org>
To: John Goerzen <jgoerzen@complete.org>, 605484@bugs.debian.org
Subject: Re: Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability
Date: Wed, 01 Dec 2010 18:09:38 +0900
Hello,

Thank you for noticing me.
I'll check tomorrow.

BTW, do you know about how to update backports archive?
Is it OK to request on debian-backports ML?

>>> In Message "Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability"
>>>            <20101130144044.13636.41836.reportbug@glockenspiel.complete.org>,
>>> John Goerzen <jgoerzen@complete.org>  said;
> Package: libapache2-mod-fcgid
> Version: 1:2.2-1
> Severity: grave
> Tags: security
> Justification: user security hole

> This was reported in CVE-2010-3872.  Information at:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3872

> https://issues.apache.org/bugzilla/show_bug.cgi?id=49406

> Of particular note, the code in question appears at line 86 in the
> lenny version, and is:

>                 memcpy(&header + hasread, buffer, putsize);


> Our versions in lenny and lenny-backports are both vulnerable.
> squeeze and sid are running new enough versions that they aren't.

> -- System Information:
> Debian Release: 5.0.7
>   APT prefers stable
>   APT policy: (500, 'stable'), (99, 'experimental')
> Architecture: i386 (i686)

> Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash

> Versions of packages libapache2-mod-fcgid depends on:
> ii  apache2.2-common         2.2.9-10+lenny8 Apache HTTP Server common files
> ii  libc6                    2.7-18lenny6    GNU C Library: Shared libraries

> libapache2-mod-fcgid recommends no packages.

> libapache2-mod-fcgid suggests no packages.

> -- no debconf information



-- 
Tatsuki Sugiura   mailto:sugi@nemui.org




Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#605484; Package libapache2-mod-fcgid. (Wed, 01 Dec 2010 14:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Wed, 01 Dec 2010 14:09:03 GMT) (full text, mbox, link).


Message #20 received at 605484@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>
To: Tatsuki Sugiura <sugi@nemui.org>
Cc: 605484@bugs.debian.org
Subject: Re: Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability
Date: Wed, 01 Dec 2010 08:06:43 -0600
On 12/01/2010 03:09 AM, Tatsuki Sugiura wrote:
> Hello,
>
> Thank you for noticing me.
> I'll check tomorrow.
>
> BTW, do you know about how to update backports archive?
> Is it OK to request on debian-backports ML?

I sadly know almost nothing about that, but I'm sure it wouldn't hurt to 
ask on the list.

-- John




Added tag(s) lenny. Request was from Tatsuki Sugiura <sugi@nemui.org> to control@bugs.debian.org. (Thu, 02 Dec 2010 17:57:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#605484; Package libapache2-mod-fcgid. (Mon, 06 Dec 2010 03:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Tatsuki Sugiura <sugi@nemui.org>:
Extra info received and forwarded to list. (Mon, 06 Dec 2010 03:03:03 GMT) (full text, mbox, link).


Message #27 received at 605484@bugs.debian.org (full text, mbox, reply):

From: Tatsuki Sugiura <sugi@nemui.org>
To: John Goerzen <jgoerzen@complete.org>
Cc: 605484@bugs.debian.org
Subject: Re: Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability
Date: Mon, 06 Dec 2010 11:59:57 +0900
Hello,

>>> In Message "Re: Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability"
>>>            <4CF65673.5050308@complete.org>,
>>> John Goerzen <jgoerzen@complete.org>  said;
> > Thank you for noticing me.
> > I'll check tomorrow.
> >
> > BTW, do you know about how to update backports archive?
> > Is it OK to request on debian-backports ML?

> I sadly know almost nothing about that, but I'm sure it wouldn't hurt to 
> ask on the list.

I prepared a patched package and sent mail to the security team,
and am waiting for a response now.
# Actually I some days because I missed that my first mail had
# failed...

And I'm sorry about forgetting to send to the backports ML.
I'll send now.

-- 
Tatsuki Sugiura   mailto:sugi@nemui.org




Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Wed, 08 Dec 2010 21:03:12 GMT) (full text, mbox, link).


Notification sent to John Goerzen <jgoerzen@complete.org>:
Bug acknowledged by developer. (Wed, 08 Dec 2010 21:03:12 GMT) (full text, mbox, link).


Message #32 received at 605484-done@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: John Goerzen <jgoerzen@complete.org>
Cc: 605484-done@bugs.debian.org
Subject: Re: libapache2-mod-fcgid: stack overwrite vulnerability
Date: Wed, 8 Dec 2010 22:00:26 +0100
Version: 1:2.3.6-1

On Tue, Nov 30, 2010 at 08:40:44AM -0600, John Goerzen wrote:
> Package: libapache2-mod-fcgid
> Version: 1:2.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> This was reported in CVE-2010-3872.  Information at:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3872
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49406
> 
> Of particular note, the code in question appears at line 86 in the
> lenny version, and is:
> 
>                 memcpy(&header + hasread, buffer, putsize);
> 
> 
> Our versions in lenny and lenny-backports are both vulnerable.
> squeeze and sid are running new enough versions that they aren't.

Marking unstable as fixed.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#605484; Package libapache2-mod-fcgid. (Tue, 21 Dec 2010 16:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to John Goerzen <jgoerzen@complete.org>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Tue, 21 Dec 2010 16:12:03 GMT) (full text, mbox, link).


Message #37 received at 605484@bugs.debian.org (full text, mbox, reply):

From: John Goerzen <jgoerzen@complete.org>
To: 605484@bugs.debian.org, debian-security@lists.debian.org
Subject: libapache2-mod-fcgid in lenny vulnerable to hole for weeks
Date: Tue, 21 Dec 2010 10:09:45 -0600
Hi folks,

I reported bug #605484 regarding a security hole in lenny.  I believe 
the security team was CC'd.

Prior to my report, 
http://security-tracker.debian.org/tracker/CVE-2010-3872 said that 
Debian/stable was not vulnerable.  I also notified them to correct this 
issue.

My question here is: who's got the ball on security issues?  It seems 
that this issue didn't trigger any bugs being created or any bugs being 
filed in Debian when it came out.  When I did what I thought was 
appropriate, it also didn't trigger much.  The maintainer was interested 
in it, but AFAICT there are, as yet, no new packages.

This is not an attack on any person/team, just a question about whether 
we have an organizational problem we need to correct.

Thanks,

-- John Goerzen




Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>:
Bug#605484; Package libapache2-mod-fcgid. (Tue, 21 Dec 2010 21:24:06 GMT) (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Tue, 21 Dec 2010 21:24:06 GMT) (full text, mbox, link).


Message #42 received at 605484@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: John Goerzen <jgoerzen@complete.org>
Cc: debian-security@lists.debian.org, 605484@bugs.debian.org
Subject: Re: libapache2-mod-fcgid in lenny vulnerable to hole for weeks
Date: Tue, 21 Dec 2010 22:21:35 +0100
On Tuesday 21 December 2010, John Goerzen wrote:
> I reported bug #605484 regarding a security hole in lenny.  I
> believe the security team was CC'd.
> 
> Prior to my report,
> http://security-tracker.debian.org/tracker/CVE-2010-3872 said that
> Debian/stable was not vulnerable.  I also notified them to correct
> this issue.
> 
> My question here is: who's got the ball on security issues?  It
> seems that this issue didn't trigger any bugs being created or any
> bugs being filed in Debian when it came out.  When I did what I
> thought was appropriate, it also didn't trigger much.  The
> maintainer was interested in it, but AFAICT there are, as yet, no
> new packages.
> 
> This is not an attack on any person/team, just a question about
> whether we have an organizational problem we need to correct.

The problem is a combination of several security team members being 
inactive because of work/thesis/... and the other members being kept 
busy by things which had higher priority. For example fixing the 
recent exim remote root vulnerability and sorting out infrastructure 
breakage due to the dak upgrade on security-master. The upgrade was 
necessary to support squeeze.

My understanding is that the mod_fcgid issue cannot be triggered by 
browsers but only if there is a malicious fcgi app on the server, 
which is not a very common setup. Therefore this seemed like a not-so-
high priority issue. I am sorry that nobody found the time to mail 
this to you.

FWIW, it seems the infrastructure has been finally fixed today, so I 
hope things will improve now. But I do think that there are currently 
too few active members in the security team. I am pretty sure we will 
send out a request for new volunteers soon.

Cheers,
Stefan




Reply sent to Tatsuki Sugiura <sugi@nemui.org>:
You have taken responsibility. (Thu, 06 Jan 2011 07:57:06 GMT) (full text, mbox, link).


Notification sent to John Goerzen <jgoerzen@complete.org>:
Bug acknowledged by developer. (Thu, 06 Jan 2011 07:57:06 GMT) (full text, mbox, link).


Message #47 received at 605484-close@bugs.debian.org (full text, mbox, reply):

From: Tatsuki Sugiura <sugi@nemui.org>
To: 605484-close@bugs.debian.org
Subject: Bug#605484: fixed in libapache2-mod-fcgid 1:2.2-1+lenny1
Date: Thu, 06 Jan 2011 07:56:20 +0000
Source: libapache2-mod-fcgid
Source-Version: 1:2.2-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-fcgid, which is due to be installed in the Debian FTP archive:

libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
libapache2-mod-fcgid_2.2-1+lenny1.dsc
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1.dsc
libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
  to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tatsuki Sugiura <sugi@nemui.org> (supplier of updated libapache2-mod-fcgid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 03 Dec 2010 19:34:59 +0000
Source: libapache2-mod-fcgid
Binary: libapache2-mod-fcgid
Architecture: source i386
Version: 1:2.2-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Changed-By: Tatsuki Sugiura <sugi@nemui.org>
Description: 
 libapache2-mod-fcgid - an alternative module compat with mod_fastcgi
Closes: 605484
Changes: 
 libapache2-mod-fcgid (1:2.2-1+lenny1) stable-security; urgency=high
 .
   * Backport fix for CVE-2010-3872 (Closes: #605484);
     FastCGI application can cause heap corruption by long FCGI header.
Checksums-Sha1: 
 fcccb4a52f5ad9069aeca7a7f933357e6e776fa0 1179 libapache2-mod-fcgid_2.2-1+lenny1.dsc
 c5a3c3eeaac394305472251fe5b310bdf9918088 6960 libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
 dc817a20ad6528480a441e4b7ad6920ec11c55e0 56954 libapache2-mod-fcgid_2.2.orig.tar.gz
 ddf279312b84d9d447a6d8b1bbdb9ded0a737655 42624 libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
Checksums-Sha256: 
 0036df69fb419303cacdbcd6b269a5dbdb5369572e548260bf4408d9bb64f873 1179 libapache2-mod-fcgid_2.2-1+lenny1.dsc
 a8288fa153a91aa3b84c66e88fdebdc8cfaad269480d828aed7fa0550a6ea300 6960 libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
 7a0985a120dceb4c6974e8bf216752b0b763ae949f5dfbbf93cc350510e4c80e 56954 libapache2-mod-fcgid_2.2.orig.tar.gz
 4d2c432b04e4568c7309a561cbd2a10554c000bf633e6da13847351b5c09478e 42624 libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
Files: 
 c4a3c2bd93b99ec085abe53d3e88042b 1179 net optional libapache2-mod-fcgid_2.2-1+lenny1.dsc
 bb791249528687a45ea0b9ef220e284b 6960 net optional libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
 ce7d7b16e69643dbd549d43d85025983 56954 net optional libapache2-mod-fcgid_2.2.orig.tar.gz
 0c795cf33563e6a7a3bfdfceb4848074 42624 net optional libapache2-mod-fcgid_2.2-1+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk0H4OwACgkQYy49rUbZzlrxGwCfVO+5n3OzdY6ZNNFmWHe71sVk
KcEAn2fkgBr8Kv72cDACHXnpje7/RSp2
=PyZQ
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 04 Feb 2011 07:34:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:08:47 2019; Machine Name: buxtehude
