Bugzilla – Bug 822664
VUL-0: CVE-2013-2765: apache2-mod_security2: Remote Null Pointer Dereference
Last modified: 2013-12-04 16:58:33 UTC
via bugtraq

Date: Tue, 28 May 2013 21:02:13 GMT
From: yjaaidi@shookalabs.com
To: bugtraq@securityfocus.com
Subject: [SECURITY][CVE-2013-2765][ModSecurity] Remote Null Pointer Dereference

CVE Number: CVE-2013-2765 / ModSecurity Remote Null Pointer Dereference

When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable" (in phase 1).

In addition to the segfault that occurs here, ModSecurity will not remove the temporary request body file and the temporary directory (set by the "SecTmpDir" directive) will keep growing until saturation.

Details : http://www.shookalabs.com/#advisory-cve-2013-2765
Exploit : https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py
Solution : Upgrade to 2.7.4 https://www.modsecurity.org
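The advisory ties the crash to rules that call forceRequestBodyVariable in phase 1 on a release older than 2.7.4. The following configuration audit is an added example, not part of the bug report or of ModSecurity; the sample configuration, rule ids and the audit() helper are constructed for illustration, and rules that inherit their phase from SecDefaultAction are not resolved.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = r'''
SecRequestBodyAccess On
SecRequestBodyInMemoryLimit 131072
SecTmpDir /var/lib/mod_security/tmp
# explicit phase 1 rule that forces the request body variable
SecAction "id:900001,phase:1,nolog,pass,\
    ctl:forceRequestBodyVariable=On"
SecRule REQUEST_URI "@beginsWith /upload" \
    "id:900003,phase:2,nolog,pass,ctl:forceRequestBodyVariable=On"
'''

FIXED_IN = (2, 7, 4)  # advisory: "Solution : Upgrade to 2.7.4"

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r'\\\r?\n\s*', '', text)
    return [l.strip() for l in joined.splitlines()
            if l.strip() and not l.lstrip().startswith('#')]

def audit(conf_text, version):
    """Report whether a config meets the CVE-2013-2765 precondition."""
    report = {'affected_version': tuple(version) < FIXED_IN,
              'in_memory_limit': None, 'tmp_dir': None,
              'phase1_force_rules': []}
    for line in logical_lines(conf_text):
        m = re.match(r'(?i)SecRequestBodyInMemoryLimit\s+(\d+)', line)
        if m:
            report['in_memory_limit'] = int(m.group(1))
        m = re.match(r'(?i)SecTmpDir\s+(\S+)', line)
        if m:
            report['tmp_dir'] = m.group(1)
        # Only rules with an explicit phase:1 are flagged.
        if (re.match(r'(?i)Sec(Rule|Action)\b', line)
                and re.search(r'(?i)ctl:forceRequestBodyVariable=on', line)
                and re.search(r'(?i)\bphase:\s*1\b', line)):
            rid = re.search(r"\bid:\s*'?(\d+)", line)
            report['phase1_force_rules'].append(rid.group(1) if rid else '?')
    report['exposed'] = (report['affected_version']
                         and bool(report['phase1_force_rules']))
    return report

if __name__ == '__main__':
    for ver in ((2, 7, 3), (2, 7, 5)):
        print(ver, audit(SAMPLE_CONF, ver))
```

The version argument is the upstream release number; for a distribution package that carries a backported patch, check the package changelog instead. The reported tmp_dir is the directory to watch for leftover request body files.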
hard to say how common the scenario above might be
bugbot adjusting priority
WIP Only present in SLE11.
The SWAMPID for this issue is 53771. This issue was rated as moderate. Please submit fixed packages until 2013-08-08. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
found in the code, while preparing a fix:

apache2/msc_unicode.c:122
    if (processing == 1 && (strchr(p,':') == NULL)) {
        free(buf);
        buf = NULL;
        break;
    }

and further down:

    free(buf);
    buf = NULL;

fixing under the same bugzilla ID. This change is also contained in the upstream version 2.7.5, appearing today.
packages submitted for sle11, openSUSE-12.{2,3}, plus evergreen as a low hanging fruit with identical packages. Note that the openSUSE packages contain a version upgrade to 2.7.5, latest version dated 20130730. Reassigning to security-team@ for further processing. Thank you, Roman.
This is an autogenerated message for OBS integration: This bug (822664) was mentioned in https://build.opensuse.org/request/show/185600 Maintenance / https://build.opensuse.org/request/show/185602 Maintenance / https://build.opensuse.org/request/show/185603 Maintenance / https://build.opensuse.org/request/show/185604 Evergreen:11.2 / apache2-mod_security2
openSUSE-SU-2013:1331-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 768293,789393,813190,822664
CVE References: CVE-2009-5031,CVE-2012-2751,CVE-2012-4528,CVE-2013-1915,CVE-2013-2765
Sources used: openSUSE 12.3 (src): apache2-mod_security2-2.7.5-2.4.1

openSUSE-SU-2013:1336-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 768293,789393,813190,822664
CVE References: CVE-2009-5031,CVE-2012-2751,CVE-2012-4528,CVE-2013-1915,CVE-2013-2765
Sources used: openSUSE 12.2 (src): apache2-mod_security2-2.7.5-14.4.1

openSUSE-SU-2013:1342-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 768293,789393,813190,822664
CVE References: CVE-2009-5031,CVE-2012-2751,CVE-2012-4528,CVE-2013-1915,CVE-2013-2765
Sources used: openSUSE 11.4 (src): apache2-mod_security2-2.7.5-12.1
Update released for: apache2-mod_security2, apache2-mod_security2-debuginfo, apache2-mod_security2-debugsource Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
Update released for: apache2-mod_security2, apache2-mod_security2-debuginfo, apache2-mod_security2-debugsource Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
This is an autogenerated message for OBS integration: This bug (822664) was mentioned in https://build.opensuse.org/request/show/206043 Factory / apache2-mod_security2
released I think