Debian Bug report logs - #605484: libapache2-mod-fcgid: stack overwrite vulnerability
Reported by: John Goerzen <jgoerzen@complete.org>
Date: Tue, 30 Nov 2010 14:42:02 UTC
Severity: grave
Tags: lenny, security
Found in version libapache2-mod-fcgid/1:2.2-1
Fixed in versions 1:2.3.6-1, libapache2-mod-fcgid/1:2.2-1+lenny1
Done: Tatsuki Sugiura <sugi@nemui.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tatsuki Sugiura <sugi@nemui.org>: Bug#605484; Package libapache2-mod-fcgid. (Tue, 30 Nov 2010 14:42:05 GMT)
Acknowledgement sent to John Goerzen <jgoerzen@complete.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tatsuki Sugiura <sugi@nemui.org>. (Tue, 30 Nov 2010 14:42:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libapache2-mod-fcgid
Version: 1:2.2-1
Severity: grave
Tags: security
Justification: user security hole
This was reported in CVE-2010-3872. Information at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3872
https://issues.apache.org/bugzilla/show_bug.cgi?id=49406
Of particular note, the code in question appears at line 86 in the
lenny version, and is:
memcpy(&header + hasread, buffer, putsize);
Our versions in lenny and lenny-backports are both vulnerable.
squeeze and sid are running new enough versions that they aren't.
-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (500, 'stable'), (99, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-fcgid depends on:
ii apache2.2-common 2.2.9-10+lenny8 Apache HTTP Server common files
ii libc6 2.7-18lenny6 GNU C Library: Shared libraries
libapache2-mod-fcgid recommends no packages.
libapache2-mod-fcgid suggests no packages.
-- no debconf information
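The one line John quotes is enough to see the defect, and what follows is an added example (my code, not mod_fcgid's and not from the Debian package) that demonstrates it. Whatever type `header` has, `&header + hasread` is pointer arithmetic in units of sizeof(header), so a partially read 8-byte FastCGI header that is continued at hasread = 3 is written 24 bytes past the start of `header` rather than 3 bytes in; the bytes land in whatever the compiler placed after the local, which is the stack overwrite in the bug title. The `FCGI_Header` layout follows the FastCGI specification; `frame_t`, the function names and the 3 + 5 byte split read are constructed for the demo, and the corrected form shown (a byte pointer plus an explicit bound on the copy) is the obvious repair, not necessarily the exact upstream patch.

```c
/* Added example, not mod_fcgid's code: what `memcpy(&header + hasread, ...)`
 * actually does. `header` is an object, so `&header + hasread` advances by
 * hasread * sizeof(header) bytes, not by hasread bytes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 8-byte FastCGI record header (field layout per the FastCGI spec). */
typedef struct {
    unsigned char version, type;
    unsigned char requestIdB1, requestIdB0;
    unsigned char contentLengthB1, contentLengthB0;
    unsigned char paddingLength, reserved;
} FCGI_Header;

/* Constructed stand-in for the stack frame: the header local followed by
 * 56 bytes representing whatever the compiler put after it. Keeping the
 * misdirected write inside this object lets the demo run without crashing. */
typedef struct {
    FCGI_Header header;
    unsigned char after[56];
} frame_t;

/* Byte offset from the start of the frame that the original expression
 * targets for a given hasread (scaled by sizeof(FCGI_Header)). */
size_t buggy_offset(frame_t *f, size_t hasread) {
    unsigned char *dst = (unsigned char *)(&f->header + hasread);
    return (size_t)(dst - (unsigned char *)f);
}

/* Byte offset a byte-pointer expression targets: hasread itself. */
size_t fixed_offset(frame_t *f, size_t hasread) {
    unsigned char *dst = (unsigned char *)&f->header + hasread;
    return (size_t)(dst - (unsigned char *)f);
}

/* The original arithmetic, reproduced deliberately: append a fragment of a
 * partially read header. Only survives here because frame_t absorbs the miss. */
void buggy_append(frame_t *f, size_t hasread, const unsigned char *buf, size_t putsize) {
    memcpy(&f->header + hasread, buf, putsize);
}

/* Corrected form: byte-wise pointer plus an explicit bound, so that
 * hasread + putsize can never exceed sizeof(header). Returns bytes copied. */
size_t fixed_append(frame_t *f, size_t hasread, const unsigned char *buf, size_t putsize) {
    if (hasread >= sizeof f->header) return 0;
    size_t room = sizeof f->header - hasread;
    if (putsize > room) putsize = room;
    memcpy((unsigned char *)&f->header + hasread, buf, putsize);
    return putsize;
}

/* contentLength field, big-endian as the spec defines it. */
unsigned content_length(const FCGI_Header *h) {
    return ((unsigned)h->contentLengthB1 << 8) | h->contentLengthB0;
}

int main(void) {
    /* Constructed: one FCGI_STDOUT header (type 6, request 1, 300 content
     * bytes, 4 padding bytes) arriving split 3 + 5 bytes across two reads. */
    const unsigned char wire[8] = {1, 6, 0, 1, 0x01, 0x2C, 4, 0};
    frame_t bad = {{0}, {0}}, good = {{0}, {0}};

    buggy_append(&bad, 0, wire, 3);
    buggy_append(&bad, 3, wire + 3, 5);   /* lands at byte 24, not byte 3 */
    fixed_append(&good, 0, wire, 3);
    fixed_append(&good, 3, wire + 3, 5);

    printf("buggy: second fragment written at offset %zu, content_length=%u\n",
           buggy_offset(&bad, 3), content_length(&bad.header));
    printf("fixed: second fragment written at offset %zu, content_length=%u\n",
           fixed_offset(&good, 3), content_length(&good.header));
    return 0;
}
```

Run stand-alone, main() prints the offset each form writes to and the content length each then decodes: the buggy path leaves the header half-filled (content length 0) and scribbles the second fragment 16 bytes into the neighbouring data, while the fixed path decodes 300. The fixed path also refuses any fragment that would carry hasread past sizeof(header), which is the bound a reviewer would want here regardless of the pointer type.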
Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>: Bug#605484; Package libapache2-mod-fcgid. (Tue, 30 Nov 2010 14:48:06 GMT)
Acknowledgement sent to John Goerzen <jgoerzen@complete.org>: Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Tue, 30 Nov 2010 14:48:06 GMT)
Message #10 received at 605484@bugs.debian.org:
Please note:
stable and lenny-backports both appear to be vulnerable to this -- they
contain the offending code.
I have filed bug #605484 on this.
- John
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#605484; Package libapache2-mod-fcgid. (Wed, 01 Dec 2010 09:57:04 GMT)
Acknowledgement sent to Tatsuki Sugiura <sugi@nemui.org>: Extra info received and forwarded to list. (Wed, 01 Dec 2010 09:57:05 GMT)
Message #15 received at 605484@bugs.debian.org:
Hello,
Thank you for notifying me.
I'll check tomorrow.
BTW, do you know how to update the backports archive?
Is it OK to request it on the debian-backports ML?
>>> In Message "Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability"
>>> <20101130144044.13636.41836.reportbug@glockenspiel.complete.org>,
>>> John Goerzen <jgoerzen@complete.org> said;
> [...]
--
Tatsuki Sugiura mailto:sugi@nemui.org
Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>: Bug#605484; Package libapache2-mod-fcgid. (Wed, 01 Dec 2010 14:09:03 GMT)
Acknowledgement sent to John Goerzen <jgoerzen@complete.org>: Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Wed, 01 Dec 2010 14:09:03 GMT)
Message #20 received at 605484@bugs.debian.org:
On 12/01/2010 03:09 AM, Tatsuki Sugiura wrote:
> Hello,
>
> Thank you for notifying me.
> I'll check tomorrow.
>
> BTW, do you know how to update the backports archive?
> Is it OK to request it on the debian-backports ML?
I sadly know almost nothing about that, but I'm sure it wouldn't hurt to
ask on the list.
-- John
Added tag(s) lenny. Request was from Tatsuki Sugiura <sugi@nemui.org> to control@bugs.debian.org. (Thu, 02 Dec 2010 17:57:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#605484; Package libapache2-mod-fcgid. (Mon, 06 Dec 2010 03:03:03 GMT)
Acknowledgement sent to Tatsuki Sugiura <sugi@nemui.org>: Extra info received and forwarded to list. (Mon, 06 Dec 2010 03:03:03 GMT)
Message #27 received at 605484@bugs.debian.org:
Hello,
>>> In Message "Re: Bug#605484: libapache2-mod-fcgid: stack overwrite vulnerability"
>>> <4CF65673.5050308@complete.org>,
>>> John Goerzen <jgoerzen@complete.org> said;
> > Thank you for notifying me.
> > I'll check tomorrow.
> >
> > BTW, do you know how to update the backports archive?
> > Is it OK to request it on the debian-backports ML?
> I sadly know almost nothing about that, but I'm sure it wouldn't hurt to
> ask on the list.
I prepared a patched package and sent mail to the security team,
and am waiting for a response now.
# Actually I lost some days because I missed that my first mail had
# failed...
And I'm sorry I forgot to send to the backports ML.
I'll send now.
--
Tatsuki Sugiura mailto:sugi@nemui.org
Reply sent to Moritz Muehlenhoff <jmm@inutil.org>: You have taken responsibility. (Wed, 08 Dec 2010 21:03:12 GMT)
Notification sent to John Goerzen <jgoerzen@complete.org>: Bug acknowledged by developer. (Wed, 08 Dec 2010 21:03:12 GMT)
Message #32 received at 605484-done@bugs.debian.org:
Version: 1:2.3.6-1
On Tue, Nov 30, 2010 at 08:40:44AM -0600, John Goerzen wrote:
> [...]
> Our versions in lenny and lenny-backports are both vulnerable.
> squeeze and sid are running new enough versions that they aren't.
Marking unstable as fixed.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>: Bug#605484; Package libapache2-mod-fcgid. (Tue, 21 Dec 2010 16:12:03 GMT)
Acknowledgement sent to John Goerzen <jgoerzen@complete.org>: Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Tue, 21 Dec 2010 16:12:03 GMT)
Message #37 received at 605484@bugs.debian.org:
Hi folks,
I reported bug #605484 regarding a security hole in lenny. I believe
the security team was CC'd.
Prior to my report,
http://security-tracker.debian.org/tracker/CVE-2010-3872 said that
Debian/stable was not vulnerable. I also notified them to correct this
issue.
My question here is: who's got the ball on security issues? It seems
that this issue didn't trigger any bugs being created or any bugs being
filed in Debian when it came out. When I did what I thought was
appropriate, it also didn't trigger much. The maintainer was interested
in it, but AFAICT there are, as yet, no new packages.
This is not an attack on any person/team, just a question about whether
we have an organizational problem we need to correct.
Thanks,
-- John Goerzen
Information forwarded to debian-bugs-dist@lists.debian.org, Tatsuki Sugiura <sugi@nemui.org>: Bug#605484; Package libapache2-mod-fcgid. (Tue, 21 Dec 2010 21:24:06 GMT)
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: Extra info received and forwarded to list. Copy sent to Tatsuki Sugiura <sugi@nemui.org>. (Tue, 21 Dec 2010 21:24:06 GMT)
Message #42 received at 605484@bugs.debian.org:
On Tuesday 21 December 2010, John Goerzen wrote:
> [...]
The problem is a combination of several security team members being
inactive because of work/thesis/... and the other members being kept
busy by things which had higher priority. For example fixing the
recent exim remote root vulnerability and sorting out infrastructure
breakage due to the dak upgrade on security-master. The upgrade was
necessary to support squeeze.
My understanding is that the mod_fcgid issue cannot be triggered by
browsers but only if there is a malicious fcgi app on the server,
which is not a very common setup. Therefore this seemed like a
not-so-high priority issue. I am sorry that nobody found the time to
mail this to you.
FWIW, it seems the infrastructure has been finally fixed today, so I
hope things will improve now. But I do think that there are currently
too few active members in the security team. I am pretty sure we will
send out a request for new volunteers soon.
Cheers,
Stefan
Reply sent to Tatsuki Sugiura <sugi@nemui.org>: You have taken responsibility. (Thu, 06 Jan 2011 07:57:06 GMT)
Notification sent to John Goerzen <jgoerzen@complete.org>: Bug acknowledged by developer. (Thu, 06 Jan 2011 07:57:06 GMT)
Message #47 received at 605484-close@bugs.debian.org:
Source: libapache2-mod-fcgid
Source-Version: 1:2.2-1+lenny1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-fcgid, which is due to be installed in the Debian FTP archive:
libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
libapache2-mod-fcgid_2.2-1+lenny1.dsc
to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1.dsc
libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
to main/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 605484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tatsuki Sugiura <sugi@nemui.org> (supplier of updated libapache2-mod-fcgid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 03 Dec 2010 19:34:59 +0000
Source: libapache2-mod-fcgid
Binary: libapache2-mod-fcgid
Architecture: source i386
Version: 1:2.2-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Changed-By: Tatsuki Sugiura <sugi@nemui.org>
Description:
libapache2-mod-fcgid - an alternative module compat with mod_fastcgi
Closes: 605484
Changes:
libapache2-mod-fcgid (1:2.2-1+lenny1) stable-security; urgency=high
.
* Backport fix for CVE-2010-3872 (Closes: #605484);
a FastCGI application can cause heap corruption via a long FCGI header.
Checksums-Sha1:
fcccb4a52f5ad9069aeca7a7f933357e6e776fa0 1179 libapache2-mod-fcgid_2.2-1+lenny1.dsc
c5a3c3eeaac394305472251fe5b310bdf9918088 6960 libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
dc817a20ad6528480a441e4b7ad6920ec11c55e0 56954 libapache2-mod-fcgid_2.2.orig.tar.gz
ddf279312b84d9d447a6d8b1bbdb9ded0a737655 42624 libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
Checksums-Sha256:
0036df69fb419303cacdbcd6b269a5dbdb5369572e548260bf4408d9bb64f873 1179 libapache2-mod-fcgid_2.2-1+lenny1.dsc
a8288fa153a91aa3b84c66e88fdebdc8cfaad269480d828aed7fa0550a6ea300 6960 libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
7a0985a120dceb4c6974e8bf216752b0b763ae949f5dfbbf93cc350510e4c80e 56954 libapache2-mod-fcgid_2.2.orig.tar.gz
4d2c432b04e4568c7309a561cbd2a10554c000bf633e6da13847351b5c09478e 42624 libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
Files:
c4a3c2bd93b99ec085abe53d3e88042b 1179 net optional libapache2-mod-fcgid_2.2-1+lenny1.dsc
bb791249528687a45ea0b9ef220e284b 6960 net optional libapache2-mod-fcgid_2.2-1+lenny1.diff.gz
ce7d7b16e69643dbd549d43d85025983 56954 net optional libapache2-mod-fcgid_2.2.orig.tar.gz
0c795cf33563e6a7a3bfdfceb4848074 42624 net optional libapache2-mod-fcgid_2.2-1+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk0H4OwACgkQYy49rUbZzlrxGwCfVO+5n3OzdY6ZNNFmWHe71sVk
KcEAn2fkgBr8Kv72cDACHXnpje7/RSp2
=PyZQ
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 04 Feb 2011 07:34:44 GMT)
Last modified: Wed Jun 19 14:08:47 2019