libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Debian Bug report logs - #644169
libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Date: Mon, 03 Oct 2011 17:08:52 +0200

Package: libapache2-mod-perl2
Version: 2.0.4-7
Severity: important


I'm unable to disable <Perl> sections, as described here:

http://perl.apache.org/docs/2.0/user/config/config.html#C_Perl_Handler_

Note: all configuration options below and screen output is indented by
two spaces intentionally.  Comments are not indented.

So, according to the documentation, I should be able to simply place
the following in the server configuration.

  PerlOption -Sections

When the option is placed in the server configuration, the following error message is printed to screen when using apache2ctl configtest:

  Syntax error on line 10 of /etc/apache2/conf.d/all_vhosts:
  Invalid per-server PerlOption: Sections
  Action 'configtest' failed.
  The Apache error log may have more information.

The apache error log does not have any information.

This option is not allowed in per-directory configurations, and if I
try to do so, Apache provides the following error message (IP address
and path mangled):

  [Mon Oct 03 16:11:28 2011] [alert] [client aaa.bbb.ccc.ddd] /home/dir/.htaccess: Invalid per-directory PerlOption: Sections (only allowed per-server)

As far as I can tell from the changelog, nothing has changed regarding
this part of mod_perl 2 that would affect this feature between 2.0.4
(the version in Debian squeeze) and 2.0.5 (the current best version).
Updating to 2.0.5 from testing is not an option, because of eager
dependencies to newer versions of other packages.

For my use, this bug is a security problem, as it makes it impossible
to include mod_perl code to manage the Apache API in server
configurations without permitting users to run Perl code in the same
server, unless you also disable per-user configuration in .htaccess,
which breaks other useful functionality.

-- Package-specific info:
-------------8<---------- Start Bug Report ------------8<----------
1. Problem Description:

  [DESCRIBE THE PROBLEM HERE]

2. Used Components and their Configuration:

*** mod_perl version 2.000004

*** using /usr/lib/perl5/Apache2/BuildConfig.pm

*** Makefile.PL options:
  MP_APR_LIB     => aprext
  MP_APXS        => /usr/bin/apxs2
  MP_CCOPTS      => -g -Wall
  MP_COMPAT_1X   => 1
  MP_GENERATE_XS => 1
  MP_INCLUDE_DIR => /usr/include/apache2 /usr/include/apr-1.0
  MP_LIBNAME     => mod_perl
  MP_TRACE       => 0
  MP_USE_DSO     => 1
  MP_USE_GTOP    => 1
  MP_USE_STATIC  => 0


*** The httpd binary was not found


*** (apr|apu)-config linking info

 -L/usr/lib -laprutil-1  -ldb     
 -L/usr/lib -lapr-1  



*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
   
  Platform:
    osname=linux, osvers=2.6.32-5-amd64, archname=x86_64-linux-gnu-thread-multi
    uname='linux brahms 2.6.32-5-amd64 #1 smp tue jun 14 09:42:28 utc 2011 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.1 -Dsitearch=/usr/local/lib/perl/5.10.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.1 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.5', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.11.2.so, so=so, useshrplib=true, libperl=libperl.so.5.10.1
    gnulibc_version='2.11.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector'


Characteristics of this binary (from libperl): 
  Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP USE_64_BIT_ALL
                        USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
                        USE_PERLIO USE_REENTRANT_API
  Locally applied patches:
	DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts
	DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable.
	DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
	DEBPKG:debian/db_file_ver - http://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
	DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
	DEBPKG:debian/enc2xs_inc - http://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
	DEBPKG:debian/errno_ver - http://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
	DEBPKG:debian/extutils_hacks - Various debian-specific ExtUtils changes
	DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
	DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
	DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
	DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
	DEBPKG:debian/m68k_thread_stress - http://bugs.debian.org/495826 Disable some threads tests on m68k for now due to missing TLS.
	DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
	DEBPKG:debian/module_build_man_extensions - http://bugs.debian.org/479460 Adjust Module::Build manual page extensions for the Debian Perl policy
	DEBPKG:debian/perl_synopsis - http://bugs.debian.org/278323 Rearrange perl.pod
	DEBPKG:debian/prune_libs - http://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
	DEBPKG:debian/use_gdbm - Explicitly link against -lgdbm_compat in ODBM_File/NDBM_File. 
	DEBPKG:fixes/assorted_docs - http://bugs.debian.org/443733 [384f06a] Math::BigInt::CalcEmu documentation grammar fix
	DEBPKG:fixes/net_smtp_docs - http://bugs.debian.org/100195 [rt.cpan.org #36038] Document the Net::SMTP 'Port' option
	DEBPKG:fixes/processPL - http://bugs.debian.org/357264 [rt.cpan.org #17224] Always use PERLRUNINST when building perl modules.
	DEBPKG:debian/perlivp - http://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
	DEBPKG:fixes/pod2man-index-backslash - http://bugs.debian.org/521256 Escape backslashes in .IX entries
	DEBPKG:debian/disable-zlib-bundling - Disable zlib bundling in Compress::Raw::Zlib
	DEBPKG:fixes/kfreebsd_cppsymbols - http://bugs.debian.org/533098 [3b910a0] Add gcc predefined macros to $Config{cppsymbols} on GNU/kFreeBSD.
	DEBPKG:debian/cpanplus_definstalldirs - http://bugs.debian.org/533707 Configure CPANPLUS to use the site directories by default.
	DEBPKG:debian/cpanplus_config_path - Save local versions of CPANPLUS::Config::System into /etc/perl.
	DEBPKG:fixes/kfreebsd-filecopy-pipes - http://bugs.debian.org/537555 [16f708c] Fix File::Copy::copy with pipes on GNU/kFreeBSD
	DEBPKG:fixes/anon-tmpfile-dir - http://bugs.debian.org/528544 [perl #66452] Honor TMPDIR when open()ing an anonymous temporary file
	DEBPKG:fixes/abstract-sockets - http://bugs.debian.org/329291 [89904c0] Add support for Abstract namespace sockets.
	DEBPKG:fixes/hurd_cppsymbols - http://bugs.debian.org/544307 [eeb92b7] Add gcc predefined macros to $Config{cppsymbols} on GNU/Hurd.
	DEBPKG:fixes/autodie-flock - http://bugs.debian.org/543731 Allow for flock returning EAGAIN instead of EWOULDBLOCK on linux/parisc
	DEBPKG:fixes/archive-tar-instance-error - http://bugs.debian.org/539355 [rt.cpan.org #48879] Separate Archive::Tar instance error strings from each other
	DEBPKG:fixes/positive-gpos - http://bugs.debian.org/545234 [perl #69056] [c584a96] Fix \G crash on first match
	DEBPKG:debian/devel-ppport-ia64-optim - http://bugs.debian.org/548943 Work around an ICE on ia64
	DEBPKG:fixes/trie-logic-match - http://bugs.debian.org/552291 [perl #69973] [0abd0d7] Fix a DoS in Unicode processing [CVE-2009-3626]
	DEBPKG:fixes/hppa-thread-eagain - http://bugs.debian.org/554218 make the threads-shared test suite more robust, fixing failures on hppa
	DEBPKG:fixes/crash-on-undefined-destroy - http://bugs.debian.org/564074 [perl #71952] [1f15e67] Fix a NULL pointer dereference when looking for a DESTROY method
	DEBPKG:fixes/tainted-errno - http://bugs.debian.org/574129 [perl #61976] [be1cf43] fix an errno stringification bug in taint mode
	DEBPKG:fixes/safe-upgrade - http://bugs.debian.org/582978 Upgrade Safe.pm to 2.25, fixing CVE-2010-1974
	DEBPKG:fixes/tell-crash - http://bugs.debian.org/578577 [f4817f3] Fix a tell() crash on bad arguments.
	DEBPKG:fixes/format-write-crash - http://bugs.debian.org/579537 [perl #22977] [421f30e] Fix a crash in format/write
	DEBPKG:fixes/arm-alignment - http://bugs.debian.org/289884 [f1c7503] Prevent gcc from optimizing the alignment test away on armel
	DEBPKG:fixes/fcgi-test - Fix a failure in CGI/t/fast.t when FCGI is installed
	DEBPKG:fixes/hurd-ccflags - http://bugs.debian.org/587901 Make hints/gnu.sh append to $ccflags rather than overriding them
	DEBPKG:debian/squelch-locale-warnings - http://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
	DEBPKG:fixes/lc-numeric-docs - http://bugs.debian.org/379329 [perl #78452] [903eb63] LC_NUMERIC documentation fixes
	DEBPKG:fixes/lc-numeric-sprintf - http://bugs.debian.org/601549 [perl #78632] [b3fd614] Fix sprintf not to ignore LC_NUMERIC with constants
	DEBPKG:fixes/concat-stack-corruption - http://bugs.debian.org/596105 [perl #78674] [e3393f5] Fix stack pointer corruption in pp_concat() with 'use encoding'
	DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities
	DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 [perl #87336] fix unwanted taint laundering in lc(), uc() et al.
	DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default coderefs returned by rdo and reval
	DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze2 in patchlevel.h
  Built under linux
  Compiled at Jun 30 2011 22:28:00
  %ENV:
    PERL_LWP_USE_HTTP_10="1"
  @INC:
    /etc/perl
    /usr/local/lib/perl/5.10.1
    /usr/local/share/perl/5.10.1
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.10
    /usr/share/perl/5.10
    /usr/local/lib/site_perl
    .

*** Packages of interest status:

Apache2            : -
Apache2::Request   : -
CGI                : 3.43, 3.49
ExtUtils::MakeMaker: 6.55_02
LWP                : 5.836
mod_perl           : -
mod_perl2          : 2.000004


3. This is the core dump trace: (if you get a core dump):

  [CORE TRACE COMES HERE]

This report was generated by /usr/share/libapache2-mod-perl2/mp2bug on Mon Oct  3 14:55:40 2011 GMT.

-------------8<---------- End Bug Report --------------8<----------




-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-perl2 depends on:
ii  apache2                2.2.16-6+squeeze3 Apache HTTP Server metapackage
ii  apache2-mpm-worker [ap 2.2.16-6+squeeze3 Apache HTTP Server - high speed th
ii  apache2.2-common       2.2.16-6+squeeze3 Apache HTTP Server common files
ii  libapr1                1.4.2-6+squeeze3  The Apache Portable Runtime Librar
ii  libaprutil1            1.3.9+dfsg-5      The Apache Portable Runtime Utilit
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libdevel-symdump-perl  2.08-3            Perl module for inspecting perl's 
ii  libperl5.10            5.10.1-17squeeze2 shared Perl library
ii  liburi-perl            1.54-2            module to manipulate and access UR
ii  libwww-perl            5.836-1           Perl HTTP/WWW client/server librar
ii  netbase                4.45              Basic TCP/IP networking system
ii  perl [libmime-base64-p 5.10.1-17squeeze2 Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.1 5.10.1-17squeeze2 minimal Perl system

Versions of packages libapache2-mod-perl2 recommends:
ii  libapache2-reload-perl        0.10-2     Reload Perl modules when changed o
ii  libbsd-resource-perl          1.2904-1   BSD process resource limit and pri

libapache2-mod-perl2 suggests no packages.

-- no debconf information

Message #8 received at 644169@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>

To: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>, 644169@bugs.debian.org

Subject: Re: Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Date: Tue, 4 Oct 2011 10:36:01 +0300

[Message part 1 (text/plain, inline)]

tags 644169 confirmed
found 644169 2.0.5-2
thanks

-=| Jan Ingvoldstad, 03.10.2011 17:08:52 +0200 |=-
> I'm unable to disable <Perl> sections, as described here:
> 
> http://perl.apache.org/docs/2.0/user/config/config.html#C_Perl_Handler_
> 
> So, according to the documentation, I should be able to simply place
> the following in the server configuration.
> 
>   PerlOption -Sections
> 
> When the option is placed in the server configuration, the following error message is printed to screen when using apache2ctl configtest:
> 
>   Syntax error on line 10 of /etc/apache2/conf.d/all_vhosts:
>   Invalid per-server PerlOption: Sections

Same here.

I tried a patch that seems to accept 'PerlOptions -Sections' (tested 
within <VirtualHost>), but the <Perl> sections are still run :(

[signature.asc (application/pgp-signature, inline)]

Message #19 received at 644169@bugs.debian.org (full text, mbox, reply):

From: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>

To: 644169@bugs.debian.org

Subject: Re: Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Date: Wed, 05 Oct 2011 11:38:37 +0200

Here is a patch that ensures that <Perl> (and Pod) sections are only
allowed in the server configuration and not per directory, which
incidentally matches the specification table here:

http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location

The patch has been tested on the same system where I identified the
problem.

The patch solves the issue for me, and leaves only the following
issues, as far as I can tell:

 - Should there be fine-grained control as "PerlOptions -Sections"
   implies or not?

 - The mod_perl documentation (online and in the module) probably
   needs to be changed to reflect that PerlOptions -Sections does not
   work.

Description: allow Perl and Pod sections only in server config
Author: Jan Ingvoldstad <jani+debian-mod-perl-2011+@ifi.uio.no>
Last-Update: 2011-10-05
--- a/src/modules/perl/mod_perl.c	2011-02-02 21:23:45.000000000 +0100
+++ b/src/modules/perl/mod_perl.c	2011-10-05 11:05:52.977576861 +0200
@@ -913,18 +913,18 @@
     MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"),
     MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"),
     MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"),
-    MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
-    MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
+    MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
+    MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"),
 
     MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter,
                      "filter[;filter]"),
     MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter,
                      "filter[;filter]"),
 
-    MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
-    MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
-    MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
-    MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
+    MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
+    MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
+    MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
+    MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
 
     MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"),
 #ifdef MP_TRACE

Message #24 received at 644169@bugs.debian.org (full text, mbox, reply):

From: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>

To: 644169@bugs.debian.org

Subject: Re: Bug#644169: Info received (Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be)

Date: Wed, 05 Oct 2011 12:04:18 +0200

One more thing:

Disallowing POD sections per-directory breaks some of the tests, that
is, those tests that use <Location.

The security risk in allowing POD sections is perhaps low enough that
this part of the patch can be skipped, but I didn't see any sense in
permitting POD sections when other parts of mod_perl are invisible to
the users.

Message #33 received at 644169@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>, 644169@bugs.debian.org

Cc: team@security.debian.org, ntyni@debian.org

Subject: Re: Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Date: Sun, 26 Aug 2018 16:26:09 +0200

Hi

Back in 2011 after this bug was reported, for the security implication
mentioned, CVE-2011-2767 was assigned. mod_perl checks .htaccess files
for <Perl> sections, and users allowed to write to .htaccess files can
run code as the user running the web server, leading to privilege
escalation.

This can be demonstrated in situations were both mod_perl and userdir
support would be enabled, or other setups potentially leading to full
root privilege escalation.

Jan, want to outline your finding in more detail? I just have
submitted the CVE itself to MITRE, as it was back then assigned from
the Debian pool.

Regards,
Salvatore

Message #38 received at 644169@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 644169@bugs.debian.org

Cc: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>, team@security.debian.org, ntyni@debian.org

Subject: Re: Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Date: Sun, 26 Aug 2018 21:43:02 +0200

Hi

The MITRE CVE entry for CVE-2011-2767 is now populated:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2767

Regards,
Salvatore

Message #45 received at 644169@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: Salvatore Bonaccorso <carnil@debian.org>, 644169@bugs.debian.org

Cc: Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>, team@security.debian.org, ntyni@debian.org

Subject: Re: Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

Date: Wed, 14 Nov 2018 09:25:58 +0000

On Sun, Aug 26, 2018 at 04:26:09PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> Back in 2011 after this bug was reported, for the security implication
> mentioned, CVE-2011-2767 was assigned. mod_perl checks .htaccess files
> for <Perl> sections, and users allowed to write to .htaccess files can
> run code as the user running the web server, leading to privilege
> escalation.
> 
> This can be demonstrated in situations were both mod_perl and userdir
> support would be enabled, or other setups potentially leading to full
> root privilege escalation.
> 
> Jan, want to outline your finding in more detail? I just have
> submitted the CVE itself to MITRE, as it was back then assigned from
> the Debian pool.

This was apparently already fixed in jessie (LTS) - I've now updated the
bug metadata and I'll look at applying the fix in unstable and stable.

Dominic.

Message #50 received at 644169-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 644169-close@bugs.debian.org

Subject: Bug#644169: fixed in libapache2-mod-perl2 2.0.10-3

Date: Thu, 15 Nov 2018 20:40:57 +0000

Source: libapache2-mod-perl2
Source-Version: 2.0.10-3

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 644169@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 Nov 2018 19:25:41 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source
Version: 2.0.10-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 644169
Changes:
 libapache2-mod-perl2 (2.0.10-3) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ Xavier Guimard ]
   * Patches:
     - update format of 0001-Skip-* and 370_http_syntax.patch
     - use short link for bugs.d.o in honour-env-LDFLAGS.patch
     - update offset in avoid-db-linkage.patch
     - add new spelling errors in 200_fix-pod-spelling-errors.patch
   * Apache2 license:
     - update Apache2 license link
     - add required NOTICE file in docs
   * dependencies:
     - remove useless dependency version to apache2-dev
     - remove dh-apache2 from dependencies (alias to apache2-dev)
   * Add myself to uploaders
   * Declare compliance with policy 4.1.5
   * Bump debhelper compatibility to 10
   * Add debian/upstream/metadata
   * Remove useless --parallel option in debian/rules
   * Remove useless Testsuite entry
   * Email change: Xavier Guimard -> yadd@debian.org
 .
   [ Dominic Hargreaves ]
   * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
     user controlled configuration (Closes: #644169)
Checksums-Sha1:
 8dc4708fa441700689e26ef4bbb0ae0ca129e3ee 2694 libapache2-mod-perl2_2.0.10-3.dsc
 55d0e88a6a62b455d5615f1e78f1dce2a20b43cc 28576 libapache2-mod-perl2_2.0.10-3.debian.tar.xz
 aa270701ac8565657f1d510eb500ed7272cef14e 7589 libapache2-mod-perl2_2.0.10-3_source.buildinfo
Checksums-Sha256:
 c99e9aa6c45953e97909f05e12c0c23c15eb154d2bef17a103b06fde0077549b 2694 libapache2-mod-perl2_2.0.10-3.dsc
 8c4058d2028ecbf9e675a9df856a251055da83ffeb9a0742d7452810db7bc254 28576 libapache2-mod-perl2_2.0.10-3.debian.tar.xz
 dab6c0c1a0c938ad0b11cd7ffc90f2e23dad1dfd34dafdb3a56923de90723631 7589 libapache2-mod-perl2_2.0.10-3_source.buildinfo
Files:
 dea913c8f362b7dc8667f5988af1c7e5 2694 httpd optional libapache2-mod-perl2_2.0.10-3.dsc
 072290aebb624474e18e41a440c73268 28576 httpd optional libapache2-mod-perl2_2.0.10-3.debian.tar.xz
 528c65bac897affc10d6cd6e7647cd1e 7589 httpd optional libapache2-mod-perl2_2.0.10-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlvtzxcNHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPsr7hEAC94d46HQxjzEyBi8TsAZwGAGtxKeBT7a+uMCK2
FQpeNxf8KRUPLmJ0WB5ixnPqfnD4+9SnEp5TX89il8Rfvvd2EfG5mMOhBCVA4z2A
C2loMyFRaKCj3wK76z73Kl3MjGsLFdX/qTUSoUzh8JBSLO7nKdNFC7yfiITgwtRo
SBD8HDoxPJZ4cChTjQhT+rGokJ/jrAqsvP9Q+bAkNcYBkCEnD1nqFipABbLHumPF
wEatrq1WrFan38dR4KC3qT9D6YONF05XqFO/bgdpXGjHevVrIgBamOTFjBMMFl2B
XmpdGj3G12JLMXCPqBEXgdxOGH6nYteCTswBJz4pAh7mu4StxBG41C34rOWIuyMJ
WVz03v7wXqEZeNMatUSuZ5YFspKYL2vkI1I8j/9s5IedbAqnjfWoZ7aMEhc4YSrw
hhQsa4R6DiEHFhUEzIEjlGChi3m0DoVh4dfH096K9EakvKqcBFTL+HbwsgXt2Pd5
B8nQ4DHqXtYNLPcgFY15uqODdnvLRJMoP1n6f+3VaGV2Hir7A5tK5YJ1r+PiVbcM
rI9pWEv9NDwjRfumlvVTKfLmv9ZuP1e4QlksDHN/zaVxDKi1B5U2BQQiUs9A6Rnw
ZwX/9gVBY+8NQnai85dtaMfcq9TYhp4Iaoq7gSJfx8yIcciUM43NbsCDsQ7h4e5u
RBAqrA==
=bUys
-----END PGP SIGNATURE-----

Message #55 received at 644169-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 644169-close@bugs.debian.org

Subject: Bug#644169: fixed in libapache2-mod-perl2 2.0.10-2+deb9u1

Date: Thu, 03 Jan 2019 21:47:10 +0000

Source: libapache2-mod-perl2
Source-Version: 2.0.10-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 644169@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libapache2-mod-perl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Jan 2019 14:04:06 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: all amd64 source
Version: 2.0.10-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 644169
Description: 
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
Changes:
 libapache2-mod-perl2 (2.0.10-2+deb9u1) stretch; urgency=medium
 .
   * [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
     user controlled configuration (Closes: #644169)
Checksums-Sha1: 
 00ee0f20cb54a5f7e5a472937af4be65eb56c49e 2717 libapache2-mod-perl2_2.0.10-2+deb9u1.dsc
 61b5b0fe4449440258ad45dee6efa0e2264a9701 3846211 libapache2-mod-perl2_2.0.10.orig.tar.gz
 80de12bb4fc36551aae9d44ff679bc5dabe8c93e 27516 libapache2-mod-perl2_2.0.10-2+deb9u1.debian.tar.xz
 fa383a06e1698eb635f563d00b14bd4cb5b8d78f 8059 libapache2-mod-perl2_2.0.10-2+deb9u1_source.buildinfo
 84faae68dd154b0736901b931bc509817789eb4c 3119632 libapache2-mod-perl2-dbgsym_2.0.10-2+deb9u1_amd64.deb
 fe5a00d03942fabc8db59df07723f005fde747c1 86374 libapache2-mod-perl2-dev_2.0.10-2+deb9u1_all.deb
 326324061ee395911951b28b9ade6b9871bb004e 1304296 libapache2-mod-perl2-doc_2.0.10-2+deb9u1_all.deb
 860c8cb24c62366631a2fb761411ba71ee40563b 7921 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.buildinfo
 54f9a9734dffa01ab35bae7b96d6d7511acf6de4 885802 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.deb
Checksums-Sha256: 
 78440c051fad9a998d789d2a2644d320b5873ff4875ea550edff50634d33a0d1 2717 libapache2-mod-perl2_2.0.10-2+deb9u1.dsc
 d1cf83ed4ea3a9dfceaa6d9662ff645177090749881093051020bf42f9872b64 3846211 libapache2-mod-perl2_2.0.10.orig.tar.gz
 e7f2d51d90cbd4ff6de1c5d9331723da2147e19a1e56f8e4b9325b80664e5986 27516 libapache2-mod-perl2_2.0.10-2+deb9u1.debian.tar.xz
 80466d60fe58466d96af266448224401646dc36911e1a4831a6ffccf85c285d8 8059 libapache2-mod-perl2_2.0.10-2+deb9u1_source.buildinfo
 0e100ab9df2da4bd8da6bf9b00a4f7c5f5a9eb1c6cfc4a3675900309457ace2a 3119632 libapache2-mod-perl2-dbgsym_2.0.10-2+deb9u1_amd64.deb
 9c3689064b7b1fe85110431e03c1375f055a295ccd46aac1a55e20168306f3ee 86374 libapache2-mod-perl2-dev_2.0.10-2+deb9u1_all.deb
 28797267616b9e4c41bef0828b9c7165544d00d014ed50b6aeef4ddb40d18446 1304296 libapache2-mod-perl2-doc_2.0.10-2+deb9u1_all.deb
 9dec16ef00f606026edf818b960faaeaf460d80ce3cd1b96c3c1e72a26bcd436 7921 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.buildinfo
 d8ddc25ce48cc96b29527b062a5a7fc0ff151830ad0252dacda61d75add9544c 885802 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.deb
Files: 
 b22774142e3ddbe063f022d951ba11fa 2717 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1.dsc
 cef55e715b5770a63b3becbe9d271121 3846211 httpd optional libapache2-mod-perl2_2.0.10.orig.tar.gz
 5c52b9b5924933b711cbe5dcde310a2c 27516 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1.debian.tar.xz
 cdeb2c2f135104758b0042aa55a81fd2 8059 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1_source.buildinfo
 7de6029f67208a0bd14aed97b5bf6b7b 3119632 debug extra libapache2-mod-perl2-dbgsym_2.0.10-2+deb9u1_amd64.deb
 ddeca5e0b0de2f56838a30ee4de557bf 86374 libdevel optional libapache2-mod-perl2-dev_2.0.10-2+deb9u1_all.deb
 20a85255335183ae80d685002969fca3 1304296 doc optional libapache2-mod-perl2-doc_2.0.10-2+deb9u1_all.deb
 20122c3aaa6fdb51360b25640da37dce 7921 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.buildinfo
 3bf34aa871a33e28254b31bd92c4c8d1 885802 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlwrdkUNHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPsuvFD/oCux2Da06IHfq1sSygUYQeU0mYIN7oD1dg5uEc
ZZ6KCjGkfpjDE9S4rQyAMeyo+GABBWO9T+qo/39qNlG3UAfJf3RNdpF0N5doTUV1
kcAdCAm85HvKCd08NqCb+icRqaNZQCV72fBlgOUua0fu/vWzG20IZTqm016Eio5/
wOvCfNXj8hZmusz4RmSZHW1/dZ4eyatCv8bpBnM7m31VRkPegL5ZMFE/MFx1dKgz
LPLyQi/s3R4ajj50vHNk1nQiZSgBynDu4bNW6fJR8S3cWX8IHaBCpFkIVU6DUAb+
DQ8az5N2YhRMeq8FayO00Wa7J40fn9Norn4yyMPNl6+uhK9mPNkktho8uL/b6wS4
MhOanLNVC8VEqHXbl7uxAvHHGVHJHCTmuLtcFPNJvuwLxQXeN6Dq2vz9kFFkyyWZ
yd8NiTqsKF6ClDRSRmUBQnr6gUmzqesMlxd4iSiYXIuDQ+eORRW3LXJQVs3PHZwB
g8UBVL5AxMrDhJVD4TCpPOk8vl3NUPuDM5Hj7TPh0FZDCtzlZ/ozky9pjLIM+iN9
rK90WyuuHIFLimq7RTDFb8hgZ8vchCnR8tz7aE9G8zQ4SN3hdfgpaFeJnST81Akv
iJuwSgu0tbUdfdQgar671pS3EFb35+fyDL4SHprJAKgUBrsP4SAnLyCFM4tSFXkE
KsQCHA==
=n/f5
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.