Posted to users@httpd.apache.org by Luke Lozier <lu...@bibliopolis.com> on 2012/05/24 19:05:10 UTC

[users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues described in this CVE:
Changes with Apache 2.2.23

  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
     current working directory to be searched for DSOs. [Stefan Fritsch]
Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2

Apologies if this is the wrong list for this.

Best,

Luke Lozier

---

Bibliopolis, LLC
Berkeley | Pittsburgh

http://www.bibliopolis.com





Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, May 24, 2012 at 3:30 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> On 5/24/2012 12:05 PM, Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues
>> described in this CVE:
>>
>> Changes with Apache 2.2.23
>>
>>   *) SECURITY: CVE-2012-0883 (cve.mitre.org <http://cve.mitre.org>)
>>      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
>>      current working directory to be searched for DSOs. [Stefan Fritsch]
>>
>> Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2
>
> Modify your installed envvars (and envvars-std) script and apachectl (or equivalent
> script provided by your application vendor) to ensure that this code is changed;
>
>
> @@ -18,6 +18,10 @@
>  #
>  # This file is generated from envvars-std.in
>  #
> -LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
> +if test "x$LD_LIBRARY_PATH" != "x" ; then
> +  LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
> +else
> +  LD_LIBRARY_PATH="/path/to/httpd/lib"
> +fi
>  export LD_LIBRARY_PATH
>  #
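Review bot: the two branches repeat the literal /path/to/httpd/lib, so the library directory now has to be kept in sync in two places of a generated file; the same logic fits on one line with a POSIX parameter expansion, `LD_LIBRARY_PATH="/path/to/httpd/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`, which adds the separator only when the inherited value is non-empty. The unchanged context line `# This file is generated from envvars-std.in` also means the edit belongs in the template as well, or the next regeneration of envvars reverts the fix.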
>
> On oddball platforms this may be LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.
> If your platform's apachectl script invokes envvars, you are done.  If it doesn't,
> there may be an insecure LD_LIBRARY_PATH assignment, just use the example above.
>
> Upgrading for this defect is frankly silly, although effective.  There is no planned
> date yet for 2.2.23 although it will come along sometime in the not too distant
> future.

Actually, upgrading for this defect is not effective if the user
simply runs "make install" to update an existing installation.

They must manually edit/recreate envvars if an existing installation
directory is used.  I think that CHANGES entries and security doc
(http://httpd.apache.org/security/vulnerabilities_24.html) need to be
updated to cover this issue.  Alternate thoughts?


>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 5/24/2012 12:05 PM, Luke Lozier wrote:
> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to the issues
> described in this CVE:
> 
> Changes with Apache 2.2.23
> 
>   *) SECURITY: CVE-2012-0883 (cve.mitre.org <http://cve.mitre.org>)
>      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
>      current working directory to be searched for DSOs. [Stefan Fritsch]
> 
> Is there any idea when 2.2.23 will be released? I'd rather not upgrade to 2.4.2

Modify your installed envvars (and envvars-std) script and apachectl (or equivalent
script provided by your application vendor) to ensure that this code is changed;


@@ -18,6 +18,10 @@
 #
 # This file is generated from envvars-std.in
 #
-LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
+if test "x$LD_LIBRARY_PATH" != "x" ; then
+  LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
+else
+  LD_LIBRARY_PATH="/path/to/httpd/lib"
+fi
 export LD_LIBRARY_PATH
 #
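Review bot: the `test "x$LD_LIBRARY_PATH" != "x"` guard only covers a completely empty inherited value; a value that already contains an empty component (a leading or trailing `:`, or `::`) is passed through unchanged as `/path/to/httpd/lib:$LD_LIBRARY_PATH`, so the current directory stays on the search path. If apachectl can be started from an already-polluted environment, strip empty components before prepending, or at least document that the inherited value is trusted as-is.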

On oddball platforms this may be LIBPATH or SHLIB_PATH instead of LD_LIBRARY_PATH.
If your platform's apachectl script invokes envvars, you are done.  If it doesn't,
there may be an insecure LD_LIBRARY_PATH assignment, just use the example above.

Upgrading for this defect is frankly silly, although effective.  There is no planned
date yet for 2.2.23 although it will come along sometime in the not too distant
future.


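The safe prepend idiom from the hunk above, together with a check a practitioner can run against an installed envvars file, as an added example that is not code from the thread or from the httpd project. The sample file contents and the temporary paths are constructed for the demonstration; the helper names (has_empty_component, prepend_lib_dir, envvars_yields_cwd) are this example's own. It generalises the thread's point slightly: it treats any empty component in the search path, not only a trailing one, as the current directory.

```shell
#!/bin/sh
# Added example (not from the thread or the httpd project): audit an installed
# envvars file for the CVE-2012-0883 pattern and show the safe prepend idiom.
# Sample file contents and paths below are constructed for the demonstration.

# True (0) when a colon-separated search path contains an empty component
# ("lib:", ":lib", "a::b"). The dynamic loader resolves an empty component
# to the current working directory. An entirely empty value is not flagged.
has_empty_component() {
  [ -n "$1" ] || return 1
  case ":$1:" in
    *::*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Safe prepend, mirroring the fixed envvars: never emit a trailing ":"
# when the inherited value ($2) is empty.
prepend_lib_dir() {
  if test "x$2" != "x" ; then
    printf '%s\n' "$1:$2"
  else
    printf '%s\n' "$1"
  fi
}

# The pre-fix form, kept for comparison only: with an empty inherited value
# it yields "/path/to/httpd/lib:", whose empty trailing element means cwd.
prepend_lib_dir_unsafe() {
  printf '%s\n' "$1:$2"
}

# Source an envvars file in a child shell with LD_LIBRARY_PATH unset (the
# usual state when apachectl is started) and report whether the resulting
# value would put cwd on the search path. Returns 0 when the file is affected.
envvars_yields_cwd() {
  _val=$(sh -c 'unset LD_LIBRARY_PATH; . "$1" >/dev/null 2>&1
                printf "%s" "$LD_LIBRARY_PATH"' sh "$1")
  has_empty_component "$_val"
}

# Write two constructed sample files into directory $1, modelled on the hunk
# in the thread: one pre-fix, one post-fix.
write_sample_envvars() {
  cat > "$1/envvars-old" <<'EOF'
# constructed sample: pre-fix assignment
LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
export LD_LIBRARY_PATH
EOF
  cat > "$1/envvars-new" <<'EOF'
# constructed sample: post-fix assignment
if test "x$LD_LIBRARY_PATH" != "x" ; then
  LD_LIBRARY_PATH="/path/to/httpd/lib:$LD_LIBRARY_PATH"
else
  LD_LIBRARY_PATH="/path/to/httpd/lib"
fi
export LD_LIBRARY_PATH
EOF
}

# Stand-alone demo: audit the constructed samples, then any envvars files
# named on the command line (an assumed path would be /usr/local/apache2/bin/envvars).
main() {
  _dir=$(mktemp -d)
  write_sample_envvars "$_dir"
  for _f in "$_dir/envvars-old" "$_dir/envvars-new" "$@"; do
    if envvars_yields_cwd "$_f"; then
      echo "AFFECTED: $_f (empty LD_LIBRARY_PATH component => cwd searched)"
    else
      echo "ok:       $_f"
    fi
  done
  rm -rf "$_dir"
}

main "$@"
```

Because the check sources the file rather than pattern-matching it, it also catches the case Jeff raises later in the thread: a "make install" over an existing installation that leaves an old envvars in place.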

Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by Mark Montague <ma...@catseye.org>.
On May 24, 2012 13:05, Luke Lozier <lu...@bibliopolis.com> wrote:
> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due 
> to the issues described in this CVE:
> Changes with Apache 2.2.23
>
>    *) SECURITY: CVE-2012-0883 (cve.mitre.org  <http://cve.mitre.org>)
>       envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
>       current working directory to be searched for DSOs. [Stefan Fritsch]
> Is there any idea when 2.2.23 will be released? I'd rather not upgrade 
> to 2.4.2

The actual text is, "envvars (aka envvars-std) in the Apache HTTP Server 
before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, 
which allows local users to gain privileges via a Trojan horse DSO in 
the current working directory during execution of apachectl."

And envvars-std (envvars) appears to only be used by apachectl.  So, 
instead of upgrading, what about changing the owner of apachectl to root 
and the permissions to 700?  Then tell your auditor that you have 
implemented a compensating control for CVE-2012-0883 such that apachectl 
can only be run by the trusted root user.

Am I misunderstanding the vulnerability?

Or, alternatively, edit /usr/sbin/envvars and/or apachectl to fix 
LD_LIBRARY_PATH, if it is in fact being handled insecurely on your 
system (it appeared to be fine on the two older systems where I checked 
for this vulnerability).


--
   Mark Montague
   mark@catseye.org



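A way to verify the compensating control Mark proposes (apachectl owned by root with mode 700), as an added example that is not part of the thread. The function names, the CONTROL_OWNER variable and the apachectl path in the usage comment are this example's own assumptions; the test file it is run against is constructed.

```shell
#!/bin/sh
# Added example (not part of the thread): verify that apachectl is owned by
# the expected user and carries no group/other permission bits. The
# CONTROL_OWNER variable and the paths mentioned are assumptions of this example.

# Return 0 when FILE ($1) is owned by OWNER ($2) and its mode string from
# `ls -ld` has the form -???------ (nothing for group or others). A trailing
# "." or "@" (security context / extended attributes) is tolerated; a trailing
# "+" is not, because an ACL could grant access the basic bits do not show.
file_is_owner_only() {
  _line=$(ls -ld "$1" 2>/dev/null) || return 1
  _mode=${_line%% *}
  _owner=$(printf '%s\n' "$_line" | awk '{ print $3 }')
  case "$_mode" in
    -???------|-???------.|-???------@) [ "$_owner" = "$2" ] ;;
    *) return 1 ;;
  esac
}

# Report on each path given; the expected owner comes from CONTROL_OWNER
# and defaults to root. Returns non-zero if any file fails the check.
check_control() {
  _want=${CONTROL_OWNER:-root}
  _rc=0
  for _f in "$@"; do
    if file_is_owner_only "$_f" "$_want"; then
      echo "ok:      $_f (owned by $_want, owner-only mode)"
    else
      echo "MISSING: $_f is not $_want-owned with mode 700"
      _rc=1
    fi
  done
  return $_rc
}

# Usage (assumed path): sh check_apachectl.sh /usr/local/apache2/bin/apachectl
if [ $# -gt 0 ]; then
  check_control "$@"
fi
```

The check reads the basic mode bits and owner from `ls -ld`, which is portable across the systems an envvars script runs on; it fails closed on an ACL marker rather than trying to interpret the ACL.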

Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by Luke Lozier <lu...@bibliopolis.com>.
The upgrade to 2.4.2 is non-trivial in my environment (particularly due to the config changes) and if 2.2.23 is going to patch it, I'd just as soon wait. Thus the request for some guess at release date.

But that's likely not forthcoming, so I'll reconsider the upgrade.

---

Bibliopolis, LLC
Berkeley | Pittsburgh

http://www.bibliopolis.com




On May 24, 2012, at 1:17 PM, John Iliffe wrote:

> I got caught the same way in March (re PCI scanning).  Guess my guy is more 
> up to date than yours!
> 
> There should be no reason that I found not to update to 2.4.2 BUT BE 
> CAREFUL OF THE CONFIG FILE CHANGES!  For example the "order deny allow" 
> format directives no longer work in 2.4.*.  There are a few other changes.
> 
> Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults 
> in all the child processes for reasons that escape me completely.  Use a 
> 5.3.x version.  This may be my problem but someone on this list was able to 
> confirm the issue and said that it is a PHP issue.  It may be resolved by 
> now.
> 
> Hope that's useful.
> 
> John
> ======================================
> On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
>> to the issues described in this CVE: Changes with Apache 2.2.23
>> 
>>  *) SECURITY: CVE-2012-0883 (cve.mitre.org)
>>     envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead
>> to the current working directory to be searched for DSOs. [Stefan
>> Fritsch] Is there any idea when 2.2.23 will be released? I'd rather not
>> upgrade to 2.4.2
>> 
>> Apologies if this is the wrong list for this.
>> 
>> Best,
>> 
>> Luke Lozier
>> 
>> ---
>> 
>> Bibliopolis, LLC
>> Berkeley | Pittsburgh
>> 
>> http://www.bibliopolis.com
> 
> 


Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by John Iliffe <jo...@iliffe.ca>.
On Friday 25 May 2012 03:05:20 Hendrik Schmieder wrote:
> John Iliffe schrieb:
> > On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
> >> One of the PCI scanning companies is demanding an upgrade to 2.4.2
> >> due to the issues described in this CVE: Changes with Apache 2.2.23
> >> 
> >>    *) SECURITY: CVE-2012-0883 (cve.mitre.org)
> >>    
> >>       envvars: Fix insecure handling of LD_LIBRARY_PATH that could
> >>       lead
> >> 
> >> to the current working directory to be searched for DSOs. [Stefan
> >> Fritsch] Is there any idea when 2.2.23 will be released? I'd rather
> >> not upgrade to 2.4.2
> > 
> > I got caught the same way in March (re PCI scanning).  Guess my guy is
> > more up to date than yours!
> > 
> > There should be no reason that I found not to update to 2.4.2 BUT BE
> > CAREFUL OF THE CONFIG FILE CHANGES!  For example the "order deny
> > allow" format directives no longer work in 2.4.*.  There are a few
> > other changes.
> > 
> > Also, do not be tempted to update to PHP 5.4.0 as it will cause
> > segfaults in all the child processes for reasons that escape me
> > completely.  Use a 5.3.x version.  This may be my problem but someone
> > on this list was able to confirm the issue and said that it is a PHP
> > issue.  It may be resolved by now.
> 
> That's a little bit unclear.
> In their release announcement they said it is fixed
> "Fixed bug #61172 (Add Apache 2.4 support)."
> <http://www.php.net/archive/2012.php#id2012-04-26-1>
> 
> But in the changelog #61172 is only listed for 5.3.11,
> but not for 5.4.1.
> 
>    Hendrik
> 
I think this memo is really directed to me and the comment about PHP 5.4.0 
not working with Apache 2.4.1 and 2.4.2.  

If so, what happened (documented in a closed request to this list) was that 
I compiled both these Apache versions in late March against PHP 5.4.0 which 
was the latest version at the time.  Haven't looked since.  Apache worked 
fine but the PHP scripts were displayed in raw form on the client instead of 
the expected result.  These are scripts that have been working properly for 
years.  I finally discovered from the Apache error log that whenever a PHP  
script was processed one of the child processes segfaulted.  I wrote up a 
request to this forum and someone was able to confirm it was a PHP problem 
so I reported it to their help but was unable to figure out how to get the 
documentation that was required (traces and so forth) so the report was 
closed.

What happened beyond that I can't say.   Hope that is useful.

Regards,

John




Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by Hendrik Schmieder <he...@jedox.com>.
John Iliffe schrieb:
> On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:

>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
>> to the issues described in this CVE: Changes with Apache 2.2.23
>>
>>    *) SECURITY: CVE-2012-0883 (cve.mitre.org)
>>       envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead
>> to the current working directory to be searched for DSOs. [Stefan
>> Fritsch] Is there any idea when 2.2.23 will be released? I'd rather not
>> upgrade to 2.4.2

> I got caught the same way in March (re PCI scanning).  Guess my guy is more
> up to date than yours!
>
> There should be no reason that I found not to update to 2.4.2 BUT BE
> CAREFUL OF THE CONFIG FILE CHANGES!  For example the "order deny allow"
> format directives no longer work in 2.4.*.  There are a few other changes.
>
> Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults
> in all the child processes for reasons that escape me completely.  Use a
> 5.3.x version.  This may be my problem but someone on this list was able to
> confirm the issue and said that it is a PHP issue.  It may be resolved by
> now.
>


That's a little bit unclear.
In their release announcement they said it is fixed
"Fixed bug #61172 (Add Apache 2.4 support)."
<http://www.php.net/archive/2012.php#id2012-04-26-1>

But in the changelog #61172 is only listed for 5.3.11,
but not for 5.4.1.

   Hendrik



Re: [users@httpd] LD_LIBRARY_PATH issue in 2.2.22 and earlier

Posted by John Iliffe <jo...@iliffe.ca>.
I got caught the same way in March (re PCI scanning).  Guess my guy is more 
up to date than yours!

There should be no reason that I found not to update to 2.4.2 BUT BE 
CAREFUL OF THE CONFIG FILE CHANGES!  For example the "order deny allow" 
format directives no longer work in 2.4.*.  There are a few other changes.

Also, do not be tempted to update to PHP 5.4.0 as it will cause segfaults 
in all the child processes for reasons that escape me completely.  Use a 
5.3.x version.  This may be my problem but someone on this list was able to 
confirm the issue and said that it is a PHP issue.  It may be resolved by 
now.

Hope that's useful.

John
======================================
On Thursday 24 May 2012 13:05:10 Luke Lozier wrote:
> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
> to the issues described in this CVE: Changes with Apache 2.2.23
> 
>   *) SECURITY: CVE-2012-0883 (cve.mitre.org)
>      envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead
> to the current working directory to be searched for DSOs. [Stefan
> Fritsch] Is there any idea when 2.2.23 will be released? I'd rather not
> upgrade to 2.4.2
> 
> Apologies if this is the wrong list for this.
> 
> Best,
> 
> Luke Lozier
> 
> ---
> 
> Bibliopolis, LLC
> Berkeley | Pittsburgh
> 
> http://www.bibliopolis.com
