SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Apache mod_rewrite Vendors:   Apache Software Foundation
(Immunix Issues Fix) Apache mod_rewrite Contains a Buffer Overflow
SecurityTracker Alert ID:  1008043
SecurityTracker URL:  http://securitytracker.com/id/1008043
CVE Reference:   CAN-2003-0542   (Links to External Site)
Date:  Oct 30 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.47 and prior versions
Description:   A vulnerability was reported in the Apache mod_rewrite component. A remote user may be able to trigger a buffer overflow.

It is reported that both mod_alias and mod_rewrite contain a buffer overflow. If the administrator has configured a regular expression with more than 9 captures, the overflow can be triggered.

[Editor's note: The Apache notice did not indicate the impact of the buffer overflow.]
Impact:   [Editor's note: The Apache notice did not indicate the impact of the buffer overflow.]
Solution:   Immunix has released a fix.

Precompiled binary packages for Immunix 7+ are available at:

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/apache-1.3.27-1.7.1_imnx_2.i386.rpm

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/apache-devel-1.3.27-1.7.1_imnx_2.i386.rpm

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/apache-manual-1.3.27-1.7.1_imnx_2.i386.rpm

A source package for Immunix 7+ is available at:

http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/apache-1.3.27-1.7.1_imnx_2.src.rpm

Immunix OS 7+ md5sums:

d0f0fa84c2cb84d23f6110faf86e99c9 RPMS/apache-1.3.27-1.7.1_imnx_2.i386.rpm
52e95aaa3c6acf2f464a0342ba63c360 RPMS/apache-devel-1.3.27-1.7.1_imnx_2.i386.rpm
3d09e9758813e3b96550ffeba8013c47 RPMS/apache-manual-1.3.27-1.7.1_imnx_2.i386.rpm
0cd20af663c6f22ee6127ea241269ef5 SRPMS/apache-1.3.27-1.7.1_imnx_2.src.rpm
Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Immunix)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 29 2003 Apache mod_rewrite Contains a Buffer Overflow


 Source Message Contents
Date:  Wed, 29 Oct 2003 14:14:14 -0800
Subject:  [Immunix-announce] Immunix Secured OS 7+ apache update



--===============79952908544471257==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="jy6Sn24JjFx/iggw"
Content-Disposition: inline


--jy6Sn24JjFx/iggw
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	apache
Affected products:	Immunix OS 7+
Bugs fixed:		CAN-2003-0542
Date:			Tue Oct 28 2003
Advisory ID:		IMNX-2003-7+-025-01
Author:			Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
  Andr=E9 Malo discovered two stack-based overflows in the Apache web
  server; one in mod_alias, the other in mod_rewrite. Quoting from the
  OpenPKG adivsory: "These occurred if a regular expression with more
  than 9 capturing parenthesis was configured. To exploit this, an
  attacker would need to be able to locally create a carefully crafted
  configuration file (.htaccess or httpd.conf)."

  The Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2003-0542 to the problem.

  The vulnerability is in an apache wrapper function around the regex(3)
  interface; the affected uses of ap_regexec() are called with string
  inputs, so it would be difficult to construct the StackGuard canary
  value 0x000aff0d when attempting to overwrite the stack-stored
  regmatch_t structure arrays; thus, we expect StackGuard should prevent
  exploitation of this vulnerability. However, an exhaustive analysis
  has not been performed.

  In the event StackGuard prevents exploitation of this vulnerability,
  the apache process handling the request would still be killed; thus,
  Immunix recommends all users upgrade when convenient.

  References: http://www.securityfocus.com/archive/1/342674
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2003-0542
  http://marc.theaimsgroup.com/?l=3Dapache-cvs&m=3D106701190026083

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/apache-1.3.27-1.7.1=
_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/apache-devel-1.3.27=
-1.7.1_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/apache-manual-1.3.2=
7-1.7.1_imnx_2.i386.rpm

  A source package for Immunix 7+ is available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/apache-1.3.27-1.7.=
1_imnx_2.src.rpm

Immunix OS 7+ md5sums:
  d0f0fa84c2cb84d23f6110faf86e99c9  RPMS/apache-1.3.27-1.7.1_imnx_2.i386.rpm
  52e95aaa3c6acf2f464a0342ba63c360  RPMS/apache-devel-1.3.27-1.7.1_imnx_2.i=
386.rpm
  3d09e9758813e3b96550ffeba8013c47  RPMS/apache-manual-1.3.27-1.7.1_imnx_2.=
i386.rpm
  0cd20af663c6f22ee6127ea241269ef5  SRPMS/apache-1.3.27-1.7.1_imnx_2.src.rpm


GPG verification:                                                          =
    =20
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@immunix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

--jy6Sn24JjFx/iggw
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/oDu2n5I6Lxt0VtoRAl2wAKDP1EhK6Ur3B5B8+/yDnmHa4kPMtwCfQH2C
X61+qNTT7F8Cag3L0XVcnfQ=
=5ZNd
-----END PGP SIGNATURE-----

--jy6Sn24JjFx/iggw--

--===============79952908544471257==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce

--===============79952908544471257==--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC