Mailinglist Archive: opensuse-security (499 mails)

RE: [suse-security] SuSE Apache patch sufficient?
  • From: "Alan Rouse" <ARouse@xxxxxxxx>
  • Date: Thu, 20 Jun 2002 16:43:02 -0400
  • Message-id: <382BC0C28F397F4785E7414B8279F527AA731F@xxxxxxxxxxxxxxxxxxxxxxx>
Jeremy wrote:

> The DoS is caused by a buffer overflow that kills the child process,
> forcing the parent httpd process to spawn a new child. This spawning
> requires resources, which is your DoS. According to what I've read,
> that buffer overflow is the same one that some are now using to gain
> root access. So if the overflow is fixed, the DoS and remote root are
> fixed.

That is my understanding as well. I'm just trying to resolve that "if".

The two excerpts below are taken from posts by Cliff Woolley on Yahoo
Groups new-httpd. He appears to be directly involved in creating the
Apache fixes... Both posts imply that it is risky to try to migrate the
patch from 1.3.26 to the earlier versions. The second post indicates
that ISS only addressed the erroneous code in one place, leaving
multiple instances of the problem unaddressed. Given that SuSE had an
incomplete picture of the problem when they were (apparently)
backporting the Apache fixes for the SuSE 7.x patches, I wonder whether
they have also left some instances unpatched. A simple statement on
this subject from SuSE might go a long way toward easing my concerns....

========================================================================
Excerpt from first post
========================================================================
> As far as I understand, the changes included backporting chunked
> encoding handling (http_protocol.c: 1.316 -> 1.317), and using
> ap_strtol() instead of strtol(). Is that all? I need this because I
> would just like to apply this fix to my local apache source tree, which
> is version 1.3.20.

No, there's much more to it than that. Several patches went in to several
files, including http_protocol.c and several files in the proxy, possibly
others. Anyway, it's much safer just to upgrade to 1.3.26.

--Cliff
========================================================================
Excerpt from second post
========================================================================

> 1) My first question is why the patch written by ISS doesn't correct
> this bug?

Because they only casted the value in one place, but type conversions
happen on that value in other places as well.

> 2) My second: how could I correct my proxy apache, is there a patch to
> correct this bug? Or do I have to re-install apache with the 1.3.26
> distribution?

The safest thing by far is to upgrade to 1.3.26, which includes a patch
for the proxy as well as for the core for this issue.

--Cliff
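The point Cliff makes above (casting the chunk-size value at one site does
not help if other sites convert the same value on their own) is easier to
see in code. The following is an added illustration of that bug class, not
Apache's code and not the ISS or SuSE patch: the two consumer functions,
the CHUNK_BUFSIZE value and the "-1" chunk-size line are constructed for
the example. It uses the property of strtol() that the post alludes to
(it accepts a sign and silently saturates on overflow), shows a patched
and an unpatched consumer of one parsed value, and then a parser that
validates once so that no later conversion can matter.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed receive-buffer size for this illustration (not Apache's value). */
#define CHUNK_BUFSIZE 8192UL

/* Shared parse: the chunk-size line becomes a signed long.  strtol()
 * accepts leading whitespace, a sign and a "0x" prefix, and saturates at
 * LONG_MAX on overflow; nothing here rejects any of that, so every
 * consumer below receives a value that may be negative or clamped. */
static long parse_chunk_size_raw(const char *line)
{
    return strtol(line, NULL, 16);
}

/* Consumer A: the one site a "cast in one place" patch covers.  The
 * unsigned comparison makes a negative size look huge, so it is rejected.
 * Returns the byte count that would be handed to memcpy(), 0 if rejected. */
static size_t copy_len_site_patched(const char *line)
{
    long size = parse_chunk_size_raw(line);
    if ((unsigned long)size > CHUNK_BUFSIZE)
        return 0;
    return (size_t)size;
}

/* Consumer B: a second, hypothetical site using the same parsed value
 * (the post names the proxy as well as the core).  It was never patched:
 * the signed comparison lets a negative size through, and the conversion
 * to size_t for memcpy() then turns -1 into SIZE_MAX, a copy far past the
 * end of the buffer.  This function only reports that length; it does
 * not perform the copy. */
static size_t copy_len_site_unpatched(const char *line)
{
    long size = parse_chunk_size_raw(line);
    if (size > (long)CHUNK_BUFSIZE)
        return 0;
    return (size_t)size;          /* -1 becomes SIZE_MAX here */
}

/* The fix that holds for every consumer: validate once, at the parse, and
 * only ever hand out an already-bounded size_t.  Digits are accumulated by
 * hand so that sign, whitespace, "0x" and overflow are all rejected rather
 * than inherited from strtol().  A chunk-size line may be followed by
 * ";extension" or CRLF; anything else is trailing junk. */
static bool parse_chunk_size_checked(const char *line, size_t *out)
{
    const char *p = line;
    size_t size = 0;

    if (!isxdigit((unsigned char)*p))            /* must start with a hex digit */
        return false;
    for (; isxdigit((unsigned char)*p); p++) {
        unsigned d = isdigit((unsigned char)*p) ? (unsigned)(*p - '0')
                   : (unsigned)(tolower((unsigned char)*p) - 'a' + 10);
        if (size > (CHUNK_BUFSIZE >> 4))         /* next shift would exceed the buffer */
            return false;
        size = (size << 4) | d;
    }
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n')
        return false;
    if (size > CHUNK_BUFSIZE)
        return false;
    *out = size;
    return true;
}

/* Small helpers so the checked parser's outcome can be asserted directly. */
static bool checked_size_is(const char *line, size_t expected)
{
    size_t n = 0;
    return parse_chunk_size_checked(line, &n) && n == expected;
}

static bool checked_rejects(const char *line)
{
    size_t n = 0;
    return !parse_chunk_size_checked(line, &n);
}

int main(void)
{
    const char *lines[] = { "1a", "-1", "2001", "ffffffffffffffffff" };  /* constructed */
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        size_t n = 0;
        printf("%-20s patched=%zu unpatched=%zu checked=%s\n", lines[i],
               copy_len_site_patched(lines[i]), copy_len_site_unpatched(lines[i]),
               parse_chunk_size_checked(lines[i], &n) ? "ok" : "rejected");
    }
    return 0;
}
```

The point of the checked parser is not that it is clever, but where it
sits: once the only number that leaves the parser is already a validated
size_t no larger than the buffer, there is no remaining place where a
signed-to-unsigned or narrowing conversion can reopen the hole, which is
why fixing the casts consumer by consumer is the fragile approach.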
