Posted to users@httpd.apache.org by David Taveras <d3...@gmail.com> on 2009/09/11 03:05:51 UTC

Re: [users@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?

Hello William.


You mentioned as far as APR causing a DoS, how about the execution of
arbitrary code through apache as the CVE says..?

Thank you

Daniel

On Thu, Sep 10, 2009 at 6:54 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:

> David Taveras wrote:
> >
> > I run apache 2.2.9 & apache 2.2.11 both with apr-1.2.11p2 &
> > apr-util-1.2.10p2
> >
> > According to the CVE at
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412 only 0.9.x
> > and 1.3.x are affected. Could anybody confirm that this is so? If
> > not.. how bad is this vulnerability to a user? Would mod_security help
> > for this?
>
> [cc'ing dev@ to point out this error]
>
> The description of the CVE is wildly wrong.
>
> There is no known exploit of these flaws relative to Apache httpd itself.
> The version numbers you reference refer to APR, so this is applicable to
> all distributions of httpd 2.x (2.0 included 0.9, 2.2 included 1.3).
>
> Third party modules might be affected; Other projects or products using APR
> may be affected; one project is known to be affected.
>
> However, any code which is affected remains vulnerable, in that these
> bugs would only be triggered by using untainted/untrusted input as the
> memory allocation size.  Any affected application would be subject to
> memory exhaustion DoS vectors until the code properly detaints the input
> which determines the size of memory allocations.
>
> This was granted a CVE strictly on the basis that the effects of the flaw
> may unexpectedly be worse than expected; the affected code may unexpectedly
> continue, rather than failing or segfaulting as expected, based on design.
>
> Finally, mod_security is very unlikely to have any effect whatsoever on
> this group of issues.  Input into httpd is already constrained in terms
> of size before these calls to APR occur, so this is unlikely to affect
> typical httpd modules.  Non-HTTP protocols, or HTTP implementations other
> than httpd are more likely to be affected, again depending upon the code
> used and caution exercised by the developer.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?

Posted by David Taveras <d3...@gmail.com>.
Greetings William,

On Thu, Sep 10, 2009 at 8:18 PM, William A. Rowe, Jr.
<wr...@rowe-clan.net> wrote:

>
>
> No, you misinterpreted; the application developer must expose a DoS/memory
> exhaustion vector; where that exists, and the affected version of APR
> is used, and the information written to the never-allocated buffer just
> happens to overlap some predictable, current allocations, then the external
> user may trigger a segfault but possibly worse, depending ENTIRELY on
> the code in the application.
>
>
It is to my understanding this is all based on the amount of input and how
it is sanitized. We would appreciate it if, for the sake of the users that
cannot upgrade at this moment, you could kindly provide a source or example
of what would constitute an open "DoS/memory exhaustion vector", so that we
may evaluate our code at the instances it receives user input. Thank you

David

Re: [users@httpd] About apache2 vulnerability with apr and apr-utils. How bad is it?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
David Taveras wrote:
> 
> You mentioned as far as APR causing a DoS, how about the execution of
> arbitrary code through apache as the CVE says..?

No, you misinterpreted; the application developer must expose a DoS/memory
exhaustion vector; where that exists, and the affected version of APR
is used, and the information written to the never-allocated buffer just
happens to overlap some predictable, current allocations, then the external
user may trigger a segfault but possibly worse, depending ENTIRELY on
the code in the application.

An example is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2411
svn's libsvn_delta library, but there may be other applications in the
wild which suffer similar, lesser or worse side effects from trusting
untainted user input.


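The check William describes, detainting an attacker-controlled length before it becomes an allocation size, shown as an added example that is not code from the thread or from APR. It is a simplified model of the pattern, not APR's own allocator: the 8-byte alignment round-up, the 64 KiB policy ceiling and the length-prefixed message format are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Policy ceiling for one length-prefixed field (assumption, not an APR value). */
#define MAX_FIELD_LEN ((size_t)64 * 1024)

/* Round a size up to 8-byte alignment the way pool allocators commonly do.
 * Without a guard, a size near SIZE_MAX wraps to a tiny value and the caller
 * ends up writing into a buffer that was effectively never allocated. */
size_t align8_unchecked(size_t sz) { return (sz + 7) & ~(size_t)7; }

/* Same rounding, but refuses sizes whose arithmetic would wrap. */
size_t align8_checked(size_t sz, int *ok) {
    if (sz > SIZE_MAX - 7) { *ok = 0; return 0; }
    *ok = 1;
    return (sz + 7) & ~(size_t)7;
}

/* Detaint a length taken from the wire: it must be within policy, must not
 * exceed the bytes actually present, and must survive alignment unwrapped. */
int detaint_len(size_t claimed, size_t available, size_t *safe) {
    int ok;
    if (claimed > MAX_FIELD_LEN || claimed > available) return 0;
    size_t aligned = align8_checked(claimed, &ok);
    if (!ok) return 0;
    *safe = aligned;
    return 1;
}

/* Parse a constructed "4-byte big-endian length + payload" message into a
 * freshly allocated, NUL-terminated copy. Returns NULL when the claimed
 * length fails detainting, so the allocation never happens at all. */
char *parse_field(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return NULL;
    size_t claimed = ((size_t)msg[0] << 24) | ((size_t)msg[1] << 16) |
                     ((size_t)msg[2] << 8) | (size_t)msg[3];
    size_t n;
    if (!detaint_len(claimed, msg_len - 4, &n)) return NULL;
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memcpy(buf, msg + 4, claimed);
    buf[claimed] = '\0';
    return buf;
}
```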