
Bug#247926: marked as done (apache: Apache - htdigest local buffer overflow attack.)



Your message dated Tue, 25 May 2004 14:47:06 -0400
with message-id <E1BSgx8-00051p-00@newraff.debian.org>
and subject line Bug#247926: fixed in apache 1.3.31-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 May 2004 00:25:39 +0000
>From skx@steve.org.uk Fri May 07 17:25:39 2004
Return-path: <skx@steve.org.uk>
Received: from smtp-out3.blueyonder.co.uk [195.188.213.6] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BMFet-00036E-00; Fri, 07 May 2004 17:25:39 -0700
Received: from undecided.my.flat ([82.41.51.227]) by smtp-out3.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600);
	 Sat, 8 May 2004 01:25:36 +0100
Received: from skx by undecided.my.flat with local (Exim 3.36 #1 (Debian))
	id 1BMFi4-0000Eb-00; Sat, 08 May 2004 01:28:56 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Steve Kemp <skx@undecided>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache: Apache - htdigest local buffer overflow attack.
X-Mailer: reportbug 2.58
Date: Sat, 08 May 2004 01:28:55 +0100
Message-Id: <E1BMFi4-0000Eb-00@undecided.my.flat>
Sender: Steve Kemp <skx@steve.org.uk>
X-OriginalArrivalTime: 08 May 2004 00:25:36.0418 (UTC) FILETIME=[FB98C820:01C43492]
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.3 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	NO_DNS_FOR_FROM autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 1

Package: apache
Version: 1.3.29.0.2-7
Severity: normal



   Whilst looking over the source to Apache I noticed that the helper
 program 'htdigest' doesn't sanity test its arguments.

  This allows a local buffer overflow attack.

  In itself this is nothing interesting, as the binary isn't setuid/setgid;
 however, I could imagine it being used this way in a CGI script, allowing
 badness to happen.

  (Yes, this would be a flaw in the CGI script, not Apache, but it is
 a trivially preventable bug regardless.)

  I see this issue was made public in Oct 2002, so I'm going to report it
 here for a possible fix upstream.  The mention I found is on bugtraq
 here:

		http://www.securityfocus.com/bid/5993/info/


  Here's a demo of the flaw:

skx@undecided:~$ htdigest -c s `perl -e 'print "k"x3333'` x
Adding password for x in realm kkkkkkkkkkkkkkkkkkkkkkkkk.. snip
New password: 
Re-type new password: 
Segmentation fault (core dumped)
skx@undecided:~$ 
skx@undecided:~$ gdb htdigest core
(gdb) info registers 
eax            0xa      10
...
eip            0x6b6b6b6b       0x6b6b6b6b
...


  The patch below fixes this issue.


Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/


--- htdigest.c-orig     2004-05-08 01:12:14.000000000 +0100
+++ htdigest.c  2004-05-08 01:14:29.000000000 +0100
@@ -166,7 +166,8 @@
     fprintf(f, "%s:%s:", user, realm);
 
     /* Do MD5 stuff */
-    sprintf(string, "%s:%s:%s", user, realm, pw);
+    memset(string, '\0',sizeof(string));
+    snprintf(string, sizeof(string)-1, "%s:%s:%s", user, realm, pw);
 
     ap_MD5Init(&context);
     ap_MD5Update(&context, (unsigned char *) string, strlen(string));
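Review bot: the snprintf on the `+` line bounds the write but silently truncates, and the `fprintf(f, "%s:%s:", user, realm)` two lines earlier has already written the full user and realm to the file; on an overlong argument the stored hash is then computed over a different "user:realm:pw" than the entry names, so the record is simply wrong rather than rejected. Suggest checking the return value (`if (n < 0 || n >= sizeof(string)) { fprintf(stderr, "argument too long\n"); exit(1); }`) or validating argv lengths before anything is written. The `-1` in `sizeof(string)-1` is also unnecessary: snprintf always NUL-terminates within the size it is given, and the memset above already zeroes the buffer.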
@@ -283,11 +284,13 @@
     }   
     fclose(f);
     fclose(tfp);
+
+    memset(command,'\0', sizeof(command));
 #ifndef NETWARE
 #if defined(OS2) || defined(WIN32)
-    sprintf(command, "copy \"%s\" \"%s\"", tn, argv[1]);
+    snprintf(command, sizeof(command)-1, "copy \"%s\" \"%s\"", tn, argv[1]);
 #else
-    sprintf(command, "cp %s %s", tn, argv[1]);
+    snprintf(command, sizeof(command)-1, "cp %s %s", tn, argv[1]);
 #endif
     system(command);
 #else
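Review bot: same silent-truncation concern for the `command` buffer, and here the consequence is worse because the truncated string is handed straight to `system(command)` on the line below: a cut-off `cp` invocation would copy the temporary file to a mangled path or fail in a way the tool never reports. Check the snprintf return value and abort on truncation. More fundamentally, `tn` and `argv[1]` are interpolated unquoted into a shell command on the non-Windows branch; copying the file with rename(2) or link(2), or spawning `cp` via fork/execvp with an argv array, would remove the shell from the path entirely and make the bounded buffer unnecessary.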

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.21-4-k7
Locale: LANG=C, LC_CTYPE=en_US.UTF-8

Versions of packages apache depends on:
ii  apache-common               1.3.29.0.2-7 Support files for all Apache webse
ii  debconf                     1.4.25       Debian configuration management sy
ii  dpkg                        1.10.21      Package maintenance system for Deb
pi  libc6                       2.3.2.ds1-12 GNU C Library: Shared libraries an
pi  libdb4.2                    4.2.52-16    Berkeley v4.2 Database Libraries [
pi  libexpat1                   1.95.6-8     XML parsing C library - runtime li
ii  libmagic1                   4.07-2ssp    File type determination library us
ii  libpam0g                    0.76-21      Pluggable Authentication Modules l
ii  logrotate                   3.6.5-2      Log rotation utility
ii  mime-support                3.26-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.4-1      Larry Wall's Practical Extraction 

-- debconf information:
  apache/server-name: localhost
  apache/document-root: /var/www
  apache/server-port: 80
* apache/enable-suexec: false
  apache/init: true
  apache/server-admin: you@your.address

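The report above describes a fixed-size buffer being filled with unchecked command-line arguments via sprintf, and the patch replaces sprintf with snprintf. The following is an added example (not Apache's htdigest code) showing the hardened pattern with the step the patch leaves out: treating truncation as an error instead of silently hashing a shortened string. `MAX_STRING_LEN`, `build_digest_input` and `args_fit` are names chosen for this example, and the 3333-byte realm is constructed to mirror the one in the demo.

```c
#include <stdio.h>
#include <string.h>

/* Assumed to mirror the fixed buffer size the tool uses; the value is a
 * constructed one for this demonstration, not taken from htdigest.c. */
#define MAX_STRING_LEN 256

/* Format "user:realm:pw" into a fixed buffer.
 * Returns 0 on success, -1 when the result would not fit.
 * A bare snprintf would truncate silently; a digest computed over a
 * truncated string no longer matches the user and realm written to the
 * password file, so truncation is refused rather than tolerated. */
int build_digest_input(char *out, size_t outlen,
                       const char *user, const char *realm, const char *pw)
{
    int n;
    if (outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s:%s:%s", user, realm, pw);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* do not leave a partial password-bearing string behind */
        return -1;
    }
    return 0;
}

/* Up-front argument check a tool can apply before touching any fixed-size
 * buffer: the three fields must leave room for two ':' separators and the
 * terminating NUL. Returns 1 if they fit, 0 otherwise. */
int args_fit(const char *user, const char *realm, const char *pw, size_t outlen)
{
    size_t need = strlen(user) + 1 + strlen(realm) + 1 + strlen(pw) + 1;
    return need <= outlen;
}

int main(void)
{
    char buf[MAX_STRING_LEN];
    char longrealm[3334];   /* constructed: 3333 'k' bytes, as in the report's demo */

    memset(longrealm, 'k', sizeof(longrealm) - 1);
    longrealm[sizeof(longrealm) - 1] = '\0';

    printf("normal arguments:  %d\n",
           build_digest_input(buf, sizeof buf, "x", "s", "secret"));
    printf("overlong realm:    %d\n",
           build_digest_input(buf, sizeof buf, "x", longrealm, "secret"));
    printf("args_fit (long):   %d\n",
           args_fit("x", longrealm, "secret", sizeof buf));
    return 0;
}
```

The check on snprintf's return value is what turns the patch's silent truncation into a reportable failure; a caller such as a CGI wrapper then sees a non-zero exit rather than a password file whose entries cannot authenticate anyone.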
---------------------------------------
Received: (at 247926-close) by bugs.debian.org; 25 May 2004 18:53:43 +0000
>From katie@ftp-master.debian.org Tue May 25 11:53:43 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BSh3X-0000qy-00; Tue, 25 May 2004 11:53:43 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1BSgx8-00051p-00; Tue, 25 May 2004 14:47:06 -0400
From: fabbione@fabbione.net (Fabio M. Di Nitto)
To: 247926-close@bugs.debian.org
X-Katie: $Revision: 1.49 $
Subject: Bug#247926: fixed in apache 1.3.31-1
Message-Id: <E1BSgx8-00051p-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 25 May 2004 14:47:06 -0400
Delivered-To: 247926-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 4

Source: apache
Source-Version: 1.3.31-1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.31-1_i386.deb
  to pool/main/a/apache/apache-common_1.3.31-1_i386.deb
apache-dbg_1.3.31-1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.31-1_i386.deb
apache-dev_1.3.31-1_all.deb
  to pool/main/a/apache/apache-dev_1.3.31-1_all.deb
apache-doc_1.3.31-1_all.deb
  to pool/main/a/apache/apache-doc_1.3.31-1_all.deb
apache-perl_1.3.31-1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.31-1_i386.deb
apache-ssl_1.3.31-1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.31-1_i386.deb
apache-utils_1.3.31-1_i386.deb
  to pool/main/a/apache/apache-utils_1.3.31-1_i386.deb
apache_1.3.31-1.diff.gz
  to pool/main/a/apache/apache_1.3.31-1.diff.gz
apache_1.3.31-1.dsc
  to pool/main/a/apache/apache_1.3.31-1.dsc
apache_1.3.31-1_i386.deb
  to pool/main/a/apache/apache_1.3.31-1_i386.deb
apache_1.3.31.orig.tar.gz
  to pool/main/a/apache/apache_1.3.31.orig.tar.gz
libapache-mod-perl_1.29.0.2-8_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.2-8_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 247926@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio M. Di Nitto <fabbione@fabbione.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 08 May 2004 06:50:52 +0200
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.31-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Fabio M. Di Nitto <fabbione@fabbione.net>
Description: 
 apache     - Versatile, high-performance HTTP server
 apache-common - Support files for all Apache webservers
 apache-dbg - Apache webservers (debugging versions)
 apache-dev - Apache webserver development kit
 apache-doc - Apache webserver docs
 apache-perl - Versatile, high-performance HTTP server with Perl support
 apache-ssl - Versatile, high-performance HTTP server with SSL support
 apache-utils - Utility programs for webservers
 libapache-mod-perl - Integration of perl with the Apache web server
Closes: 165155 227491 235425 247926 248730 249632
Changes: 
 apache (1.3.31-1) unstable; urgency=low
 .
   * (Fabio M. Di Nitto)
     - New apache upstream release:
       + Removed all patches stolen from CVS HEAD
       + Removed 004_custom_response_segfaults patch (accepted by upstream)
       + Rediffed 500_configure_hashbang, 507_usr_bin_perl_owns_you
       + Updated licence from Apache 1.1 to Apache 2.0
       + Upstream fixes also two bugs tracked in Debian BTS
         (Closes: #235425, #165155)
     - Enabled mod_log_forensic
       + Added check_forensic to apache-utils and manpage written by us
       + Added 035mod_log_firensic.info
       + Modified 511_log_files_permission
       + Added 513_GNU_xargs to fix check_forensic use of xargs
       + Updated default configs to support forensic in new installations
         (Note this might break tools that parse log files blindly)
     - Enabled EXPERIMENTAL modules: mod_backtrace and mod_whatkilledus
       + Updated default configs with proper notes
       + Added extra notes in README.Debian
     - Build against new perl (Closes: #248730, #249632) and possibly for
       the last time.
     - Relaxed dependencies on perl. Everything should be working on perl
       side now.
     - Applied patch to htdigest from Steve Kemp (Closes: #247926)
     - Lintian cleanup:
       + apache-doc now recommends w3m | www-browser
     - Added note in README.Debian for the init.d scripts chicken/egg problem
       that affect restart functionality. (Closes: #227491)
Files: 
 9006711d53a06abce29b2001e5d4d78f 1073 web optional apache_1.3.31-1.dsc
 ca475fbb40087eb157ec51334f260d1b 3104170 web optional apache_1.3.31.orig.tar.gz
 890b44f5622101228f046ca627ee436c 393401 web optional apache_1.3.31-1.diff.gz
 892bae2bfa0bc743ea5a1ed8ce897624 1184860 doc optional apache-doc_1.3.31-1_all.deb
 875683eecfd3473d6ac9d6d129246b67 327984 devel extra apache-dev_1.3.31-1_all.deb
 9321a95534b6217d539d47b80e352b8c 379598 web optional apache_1.3.31-1_i386.deb
 19765b2c2fc0f8cd65efb139a5dc1a94 491364 web optional apache-ssl_1.3.31-1_i386.deb
 0af77fa4815d546f64c05aec7f52ca78 498304 web optional apache-perl_1.3.31-1_i386.deb
 a593af6269712ffbaf3ee2415313c565 9101862 devel extra apache-dbg_1.3.31-1_i386.deb
 2626db97446629213a28e9d4dda141cd 836666 web optional apache-common_1.3.31-1_i386.deb
 33254ffc89afdb21ca90bba7133e0c8d 264178 web optional apache-utils_1.3.31-1_i386.deb
 810846378ada5208adc56eea6091ecbf 483348 web optional libapache-mod-perl_1.29.0.2-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAs40MhCzbekR3nhgRAr/hAJ9h0qz/eXyJ7BYsjUxmFeFRYCnuWwCdGa/l
umn9FEx8mz9Ncm6432XpC68=
=8XAn
-----END PGP SIGNATURE-----