httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [PATCH] ap_pregsub_ex and somewhat-limited ap_pregsub() to 2.2.x branch
Date Mon, 24 Jun 2013 17:13:04 GMT
On Mon, 24 Jun 2013 10:47:17 -0500
"William A. Rowe Jr." <wrowe@rowe-clan.net> wrote:

> On Sat, 22 Jun 2013 10:09:35 -0400
> Jeff Trawick <trawick@gmail.com> wrote:
> 
> > On Fri, Jun 21, 2013 at 2:43 PM, William A. Rowe Jr.
> > <wrowe@rowe-clan.net>wrote:
> > 
> > > On Fri, 21 Jun 2013 13:19:36 -0400
> > > Jeff Trawick <trawick@gmail.com> wrote:
> > >
> > > > Even with the CVE-2011-3607 it is still possible to DOS the
> > > > server by consuming huge amounts of memory with mod_setenvif
> > > > using a specially crafted configuration.
> > > >
> > > > Here's a backport of an existing fix in 2.4.x which resolves the
> > > > issue I reproduced.  Note that unlike in 2.4.x we need
> > > > ap_pregsub to handle somewhat arbitrary string lengths.  I
> > > > picked 64MB, which can be overridden at compile time.
> > > >
> > > > http://people.apache.org/~trawick/ap_pregsub_ex_22x.txt
> > > >
> > > > This is essentially a grab of ap_pregsub/ap_pregsub_ex from
> > > > 2.4.x HEAD with the minimal required changes plus
> > > > http://svn.apache.org/viewvc?view=revision&revision=1198966
> > > >
> > > > See the XXX notes in the patch for apparent semantic changes
> > > > which I probably need to back out.  (I haven't researched that
> > > > yet.)
> > > >
> > > > Normally we use STATUS to track this but I don't think it is as
> > > > polished as we normally expect.  Still to do (tomorrow?):
> > > > Investigate the XXX's, run the regression suite.
> > > >
> > > > Concerns with the patch?
> > > >
> > > > Interested in any of this in the final 2.0.x release?
> > >
> > > I am happy to hold up a short while to adopt this patch.  I'm
> > > neutral on adding it to 2.0.x but will certainly pause for it to
> > > be committed if others agree and will review the 2.0.x backport.
> > >
> > >
> > I'm not motivated to put it in 2.0.x either, but if anyone has time
> > to play I will assist if I can.
> 
> Then is it still appropriate to claim this in 2.0.65 CHANGES without 
> the pcre change?

Perhaps we amend the CHANGES entry to indicate:

>   *) SECURITY: CVE-2011-3607 (cve.mitre.org)
>      Fix integer overflow in ap_pregsub() which, when the
>      mod_setenvif module is enabled, could allow local users to gain
>      privileges via a .htaccess file. [Stefan Fritsch, Greg Ames]

       NOTE: it remains possible to exhaust all memory using a carefully
       crafted .htaccess rule, which will not be addressed;  enabling 
       .htaccess processing for untrusted directories is the root of
       such security risks.  Upgrade to httpd 2.2.25 or later to limit
       this specific risk.

Is this clear enough for 2.0.65 CHANGES?
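As an added example (not httpd's code, and not the patch Jeff links above), a simplified bounded expansion of `$0`..`$9` backreferences in the spirit of the ap_pregsub length fix discussed in this thread: the result length is accumulated in size_t and checked against a cap before each addition, so it can neither wrap nor exceed the 64MB limit the 2.2.x backport picked. The PREGSUB_MAXLEN macro, the match_t struct, the function names and the sample match offsets are this example's own constructions.

```c
#include <stdlib.h>
#include <string.h>

/* Cap on an expanded string: 64MB, overridable at compile time, as in the
 * 2.2.x backport discussed above (the macro name is this example's own). */
#ifndef PREGSUB_MAXLEN
#define PREGSUB_MAXLEN (64 * 1024 * 1024)
#endif

typedef struct { long rm_so, rm_eo; } match_t;   /* stand-in for regmatch_t */
#define IS_REF(p) ((p)[0] == '$' && (p)[1] >= '0' && (p)[1] <= '9')

/* Offset and length of the group "$N" names; unset groups expand to "". */
static size_t span(const char *p, const match_t *pm, size_t nmatch, long *so)
{
    size_t no = (size_t)(p[1] - '0');
    if (no >= nmatch || pm[no].rm_so < 0) { *so = 0; return 0; }
    *so = pm[no].rm_so;
    return (size_t)(pm[no].rm_eo - pm[no].rm_so);
}

/* Expand tmpl against src. The length is kept in size_t and checked against
 * maxlen before each addition, so it can neither wrap (the int overflow of
 * CVE-2011-3607) nor exceed the cap. NULL means the expansion was rejected. */
static char *pregsub_bounded(const char *tmpl, const char *src,
                             const match_t *pm, size_t nmatch, size_t maxlen)
{
    size_t len = 0, n;
    long so;
    for (const char *p = tmpl; *p; p++) {          /* pass 1: bounded length */
        n = IS_REF(p) ? span(p++, pm, nmatch, &so) : 1;  /* p++ skips the '$' */
        if (n > maxlen - len) return NULL;         /* len <= maxlen, no wrap */
        len += n;
    }
    char *dst = malloc(len + 1), *d = dst;
    if (!dst) return NULL;
    for (const char *p = tmpl; *p; p++) {          /* pass 2: copy */
        if (IS_REF(p)) { n = span(p++, pm, nmatch, &so); memcpy(d, src + so, n); d += n; }
        else *d++ = *p;
    }
    *d = '\0';
    return dst;
}

/* Constructed sample for the test: as if "user=(\w+)" had matched
 * "X user=alice Y"; offsets are hand-computed, not from a regex call. */
static char *demo_expand(const char *tmpl, size_t maxlen)
{
    static const char src[] = "X user=alice Y";
    static const match_t pm[2] = { { 2, 12 }, { 7, 12 } };
    return pregsub_bounded(tmpl, src, pm, 2, maxlen);
}
```

A template that repeats a long group past the cap is refused before any allocation happens, which is the memory-exhaustion case the thread describes; a request-time error for the rule is the intended outcome.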

