Bugzilla – Bug 844935
VUL-0: CVE-2013-4365: apache2-mod_fcgid: heap overflow
Last modified: 2013-11-14 20:19:16 UTC
via rh bugzilla CVE-2013-4365

*) SECURITY: CVE-2013-4365 (cve.mitre.org)
   Fix possible heap buffer overwrite. Reported and solved by:
   [Robert Matthews <rob tigertech.com>]

References:
https://mail-archives.apache.org/mod_mbox/httpd-cvs/201309.mbox/%3C20130929174048.13B962388831@eris.apache.org%3E
https://bugs.gentoo.org/show_bug.cgi?id=487314
http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4365
https://bugzilla.redhat.com/show_bug.cgi?id=1017039
The SWAMPID for this issue is 54695. This issue was rated as moderate. Please submit fixed packages until 2013-10-23. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
bugbot adjusting priority
SLES is unaffected by this bug.
ERR, correction: SLE10* is unaffected. Package for SLE11-SP2 submitted.
openSUSE packages submitted; 12.2, 12.3, Apache:Modules with intermediate fix, package linkage from openSUSE:Factory, which is openSUSE:13.1. Also: Evergreen 11.4 and 11.2. Reassigning to security-team@ for further processing. Thank you, Roman.
This is an autogenerated message for OBS integration:
This bug (844935) was mentioned in
https://build.opensuse.org/request/show/204176 Factory / apache2-mod_fcgid
https://build.opensuse.org/request/show/204179 12.2 / apache2-mod_fcgid
https://build.opensuse.org/request/show/204180 12.3 / apache2-mod_fcgid
https://build.opensuse.org/request/show/204186 Evergreen:11.4 / apache2-mod_fcgid.openSUSE_Evergreen_11.4
https://build.opensuse.org/request/show/204190 Evergreen:11.2:Test / apache2-mod_fcgid
openSUSE-SU-2013:1609-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844935
CVE References: CVE-2013-4365
Sources used:
openSUSE 12.3 (src): apache2-mod_fcgid-2.3.6-11.4.1
openSUSE 12.2 (src): apache2-mod_fcgid-2.3.6-9.4.1
openSUSE-SU-2013:1613-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844935
CVE References: CVE-2013-4365
Sources used:
openSUSE 11.4 (src): apache2-mod_fcgid-2.3.6-6.1
There's a report on the German mailing list indicating this patch breaks mod_fcgid and lets PHP report "Premature end of script headers" quite often. See http://lists.opensuse.org/opensuse-de/2013-11/msg00050.html for details.
Today I installed the patch on my 12.2 and 12.3 servers, which run a lot of virtual hosts with mod_fcgid.so. During the day many customers reported serious problems with their CMS installed on both servers. The server shows only Error 500. After looking at the Apache error.log I noticed several:

[Mon Nov 04 16:03:38 2013] [notice] Apache/2.2.22 (Linux/SUSE) mod_ssl/2.2.22 OpenSSL/1.0.1e mod_fcgid/2.3.6 configured -- resuming normal operations
[Mon Nov 04 16:03:47 2013] [warn] [client 208.115.x.x] mod_fcgid: error reading data, FastCGI server closed connection
[Mon Nov 04 16:03:47 2013] [error] [client 208.115.x.x] Premature end of script headers: index.php
[Mon Nov 04 16:05:04 2013] [warn] [client 157.56.x.x] mod_fcgid: error reading data, FastCGI server closed connection
[Mon Nov 04 16:05:04 2013] [error] [client 157.56.x.x] Premature end of script headers: index.php
[Mon Nov 04 16:05:36 2013] [warn] [client 62.159.x.x] mod_fcgid: error reading data, FastCGI server closed connection
[Mon Nov 04 16:05:36 2013] [error] [client 62.159.x.x] Premature end of script headers: index_hans.php
[Mon Nov 04 16:06:47 2013] [notice] child pid 23752 exit signal Segmentation fault (11)
[Mon Nov 04 16:07:52 2013] [notice] child pid 23753 exit signal Segmentation fault (11)

I tested around a little bit and found out that every PHP error ends in a "Premature end of script headers". No PHP error was displayed at all, on each installation with the new patch.

For example, this short program should end with a PHP Fatal error: Call to undefined function test() in /home/admin/public_html/test.php on line 2

<?php
test();
?>

But it ends with Server Error 500 "Premature end of script headers".

I ran my tests on the unpatched server and everything worked fine. My last resort was to replace /usr/lib64/apache/mod_fcgid.so with the one from my last unpatched installation. This worked for me, but is not a final solution.

Please help!
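A triage sketch for the symptom reported in the comment above, added here as an example (it is not part of the bug report or of mod_fcgid): it pairs each "Premature end of script headers" error with a mod_fcgid "closed connection" warning from the same client and second, so FastCGI-attributed 500s can be separated from unrelated script failures and child segfaults. The log sample, client addresses and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the Apache 2.2 error.log format quoted in the report.
SAMPLE_LOG = """\
[Mon Nov 04 16:03:38 2013] [notice] Apache/2.2.22 (Linux/SUSE) mod_fcgid/2.3.6 configured -- resuming normal operations
[Mon Nov 04 16:03:47 2013] [warn] [client 192.0.2.10] mod_fcgid: error reading data, FastCGI server closed connection
[Mon Nov 04 16:03:47 2013] [error] [client 192.0.2.10] Premature end of script headers: index.php
[Mon Nov 04 16:05:04 2013] [warn] [client 192.0.2.20] mod_fcgid: error reading data, FastCGI server closed connection
[Mon Nov 04 16:05:04 2013] [error] [client 192.0.2.20] Premature end of script headers: shop.php
[Mon Nov 04 16:05:30 2013] [error] [client 192.0.2.30] Premature end of script headers: legacy.cgi
[Mon Nov 04 16:06:47 2013] [notice] child pid 23752 exit signal Segmentation fault (11)
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
FCGID_CLOSED = "mod_fcgid: error reading data, FastCGI server closed connection"
PREMATURE = "Premature end of script headers: "
SEGV = re.compile(r"child pid (\d+) exit signal Segmentation fault")


def triage(log_text):
    """Attribute premature-header errors to mod_fcgid when a matching warning precedes them."""
    pending = Counter()   # (timestamp, client) -> unmatched fcgid warnings
    fcgid = Counter()     # script name -> failures attributed to mod_fcgid
    unrelated = []        # premature-header errors without an fcgid warning
    segv_pids = []        # httpd children that died with SIGSEGV
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue      # skip lines that are not in error.log format
        key, msg = (m["ts"], m["client"]), m["msg"]
        if msg == FCGID_CLOSED:
            pending[key] += 1
        elif msg.startswith(PREMATURE):
            script = msg[len(PREMATURE):]
            if pending[key] > 0:
                pending[key] -= 1
                fcgid[script] += 1
            else:
                unrelated.append(script)
        elif (s := SEGV.search(msg)):
            segv_pids.append(int(s.group(1)))
    return {"fcgid_failures": dict(fcgid), "unrelated": unrelated,
            "segfault_pids": segv_pids}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
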
back to roman for debugging
I tested around a lot this morning. I found a new workaround with the new patch. If I set log_errors = Off in php.ini, the interpreter doesn't crash with "mod_fcgid: error reading data, FastCGI server closed connection". Maybe this helps with debugging.
Ingo, thank you very much for your effort. I have found a small glitch in the patch, and will re-submit packages asap. Would you be so kind to quickly pick up a package and test it on your installation? It would make sense, as I couldn't reproduce yet. Thank you, Roman.
This is an autogenerated message for OBS integration:
This bug (844935) was mentioned in
https://build.opensuse.org/request/show/205909 12.2 / apache2-mod_fcgid
https://build.opensuse.org/request/show/205910 12.3 / apache2-mod_fcgid
https://build.opensuse.org/request/show/205912 13.1 / apache2-mod_fcgid
This is an autogenerated message for OBS integration:
This bug (844935) was mentioned in
https://build.opensuse.org/request/show/205906 Maintenance /
https://build.opensuse.org/request/show/205907 Maintenance /
(In reply to comment #14)
> Ingo, thank you very much for your effort.
> I have found a small glitch in the patch, and will re-submit packages asap.
>
> Would you be so kind to quickly pick up a package and test it on your
> installation? It would make sense, as I couldn't reproduce yet.
>
> Thank you,
> Roman.

Hi Roman,

yes, how can I get the package? And how to install?

regards
Ingo
Created attachment 566194 [details]
apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm for 12.2

Hi Ingo, the project from which the packages are already submitted against the update projects of 12.2 and 12.3 is:

Source: https://build.opensuse.org/package/show/home:draht:branches:OBS_Maintained:apache2-mod_fcgid/apache2-mod_fcgid.openSUSE_12.2_Update

The 12.2 x86_64 package is attached, for convenience.

Thank you!
Hi Roman,

I decrunched your packages with

web5:~/test> rpm2cpio bug-844935_apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm |cpio -idv

I don't know how to install with rpm -i, because rpm shows me some dependency errors :-)

I replaced /usr/lib64/apache/mod_fcgid.so with the file from your packages and turned log_errors on in my php.ini. Restarted apache2 and finally it works, I think you did it.

Thank you very much!
hmm. What is the dependency error? Shouldn't happen, the package should install seamlessly... Thank you for checking! This is very valuable. Roman.
ah, btw, the command for installation should be

rpm -Uhv bug-844935_apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm

with the optional --oldpackage commandline arg, if it bitches about being older than the version installed.
web5:~ # rpm -Uhv bug-844935_apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm
warning: bug-844935_apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID a48e5240: NOKEY
Preparing... ################################# [100%]
package apache2-mod_fcgid-2.3.6-11.4.1.x86_64 (which is newer than apache2-mod_fcgid-2.3.6-9.8.1.x86_64) is already installed

web5:~ # rpm -Uhv --oldpackage bug-844935_apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm
warning: bug-844935_apache2-mod_fcgid-2.3.6-9.8.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID a48e5240: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:apache2-mod_fcgid-2.3.6-9.8.1 ################################# [ 50%]
Cleaning up / removing...
2:apache2-mod_fcgid-2.3.6-11.4.1 ################################# [100%]

it works..
Thank you very much! :)
Adding Sascha+Coolo. Package update to version 2.3.9 is now in Apache:Modules, and submitted from there against openSUSE:Factory to be included in 13.1.
This is an autogenerated message for OBS integration: This bug (844935) was mentioned in https://build.opensuse.org/request/show/205966 Factory / apache2-mod_fcgid
This is an autogenerated message for OBS integration: This bug (844935) was mentioned in https://build.opensuse.org/request/show/205965 Factory / apache2-mod_fcgid
package submission from obs Apache:Modules to openSUSE:13.1 was accepted - in time before goldmaster of 13.1 (thanks to coolo).
@Roman: Could you also push the new version to 12.2 and 12.3? I can confirm that it fixes the internal server error Ingo reports.
Update released for: apache2-mod_fcgid, apache2-mod_fcgid-debuginfo, apache2-mod_fcgid-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SUSE-CLOUD 2.0 (x86_64)
Update released for: apache2-mod_fcgid, apache2-mod_fcgid-debuginfo, apache2-mod_fcgid-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SUSE-CLOUD 1.0 (x86_64)
openSUSE-SU-2013:1664-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844935
CVE References: CVE-2013-4365
Sources used:
openSUSE 12.3 (src): apache2-mod_fcgid-2.3.6-11.8.1
openSUSE 12.2 (src): apache2-mod_fcgid-2.3.6-9.8.1
released