Your message dated Sun, 16 Jun 2013 03:18:11 +0000 with message-id <[email protected]> and subject line Bug#578035: fixed in boa 0.94.14rc21-4 has caused the Debian Bug report #578035, regarding CVE-2009-4496: Nonprintable characters not sanitized in boa's error logs to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 578035: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578035 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: boa Version: 0.94.14rc21-0.2 Severity: important Tags: security CVE-2009-4496 describes a multi-step vulnerability whereby Boa does not escape nonprintable characters from the request when writing to its error log. While not a vulnerability in itself, this provides a vector for an attacker seeking to exploit weaknesses in terminal emulators used by site administrators who may display the log. The particular attacker-controllable data being logged is in the local path translation of the request URL. A sample exploit and further details are available here: http://www.ush.it/team/ush/hack_httpd_escape/adv.txt The Debian security team regards this class of vulnerabiliy as primarily a security issue in the vulnerable terminals, rather than the webservers writing the logs. We do not plan to release security updates to the webservers. Nonetheless, we do suggest patching the affected webservers so as to mitigate this particular vector against possible future emulator weaknesses. I'm attaching a patch which corrects the problem in Boa by applying C-style escaping of nonprintable characters to strings before logging. Please apply it, or an equivalent fix. Devin -- Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2diff -aruN boa-0.94.14rc21.orig/src/log.c boa-0.94.14rc21.fixed/src/log.c --- boa-0.94.14rc21.orig/src/log.c 2005-02-22 06:11:29.000000000 -0800 +++ boa-0.94.14rc21.fixed/src/log.c 2009-12-31 01:27:01.000000000 -0800 @@ -156,6 +156,29 @@ (req->header_user_agent ? req->header_user_agent : "-")); } +static char *escape_pathname(const char *inp) +{ + char *escaped, *c; + + if (!inp) { + return NULL; + } + escaped = (char *)malloc(1 + strlen(inp) * 4); + if (escaped == NULL) { + perror("malloc"); + return NULL; + } + for (c = escaped; *inp; inp++) { + if (needs_escape((unsigned int)*inp)) { + c += sprintf(c, "\\x%02x", (unsigned int)*inp); + } else { + *(c++) = *inp; + } + } + *(c++) = '\0'; + return escaped; +} + /* * Name: log_error_doc * @@ -173,26 +196,29 @@ void log_error_doc(request * req) { int errno_save = errno; + char *escaped_pathname; if (virtualhost) { fprintf(stderr, "%s ", req->local_ip_addr); } else if (vhost_root) { fprintf(stderr, "%s ", (req->host ? req->host : "(null)")); } + escaped_pathname = escape_pathname(req->pathname); if (vhost_root) { fprintf(stderr, "%s - - %srequest [%s] \"%s\" (\"%s\"): ", req->remote_ip_addr, get_commonlog_time(), (req->header_host ? req->header_host : "(null)"), (req->logline ? req->logline : "(null)"), - (req->pathname ? req->pathname : "(null)")); + (escaped_pathname ? escaped_pathname : "(null)")); } else { fprintf(stderr, "%s - - %srequest \"%s\" (\"%s\"): ", req->remote_ip_addr, get_commonlog_time(), (req->logline ? req->logline : "(null)"), - (req->pathname ? req->pathname : "(null)")); + (escaped_pathname ? escaped_pathname : "(null)")); } + free(escaped_pathname); errno = errno_save; }
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---Source: boa Source-Version: 0.94.14rc21-4 We believe that the bug you reported is fixed in the latest version of boa, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Axel Beckert <[email protected]> (supplier of updated boa package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sun, 16 Jun 2013 04:13:51 +0200 Source: boa Binary: boa Architecture: source i386 Version: 0.94.14rc21-4 Distribution: unstable Urgency: low Maintainer: Debian QA Group <[email protected]> Changed-By: Axel Beckert <[email protected]> Description: boa - Lightweight and high performance web server Closes: 509121 537754 578035 Changes: boa (0.94.14rc21-4) unstable; urgency=low . * QA upload * Set maintainer to Debian QA Group (c.f. #711481) * Switch to source format "3.0 (quilt)" + Drop quilt traces from debian/rules and build-dependency on quilt * Fix CVE-2009-4496 (Closes: #578035; missing sanitization of non-printable characters in boa's error log) Thanks to Devin Carraway for the patch. * Bump debhelper compatibility to 9 + Update versioned debhelper build-dependency * Use dh_autotools-dev_{update,restore}config (Closes: #537754) + Build-depend on autotools-dev * Revamp debian/rules: + Use dh_auto_{configure,build,clean} + Use dh_prep instead of dh_clean -k + No more manually clean stamp files, done by dh_clean now + Use debian/{docs,manpages,info} instead of dh_install{docs,man,info} parameters + Remove redundant dh_installchangelogs parameter + Use dh_install and debian/install instead of calling install + Use debian/clean instead of calling rm + Don't ignore "make clean" failures + Finally switch to a dh7 style debian/rules file * Fix the following lintian warnings: + maintainer-script-ignores-errors + no-homepage-field + readme-debian-mentions-usr-doc + copyright-refers-to-versionless-license-file + debian-watch-file-is-missing + copyright-without-copyright-notice + init.d-script-does-not-implement-required-option + init.d-script-missing-lsb-description + package-contains-empty-directory (2x) * Change section to httpd * Bump Standards-Version to 3.9.4 (no further changes) * Add Vcs-* headers * Enable --enable-access-control (Closes: #509121) * Apply wrap-and-sort * Remove trailing blank line in debian/boa.conf * Remove config.log in clean target Checksums-Sha1: 6c60b04183955080d4938fafe4525049f98807dc 1261 boa_0.94.14rc21-4.dsc 56f10c2f6c60218f0afeb5a1856926c822cf8b31 21137 boa_0.94.14rc21-4.debian.tar.gz 3e56128bced07557e96498f21e8983f0f17cd90a 125392 boa_0.94.14rc21-4_i386.deb Checksums-Sha256: 6a330e10e81f4e8bc3e8347444741b4454b410432c092319c026233565a11c93 1261 boa_0.94.14rc21-4.dsc fa253b03a5a26de5080f506c37e3cd7abf1b409215bdd8a61b3f0acf3b32bd39 21137 boa_0.94.14rc21-4.debian.tar.gz 159ba6051ed093aac74f54536e771f0bd630c885fea045e40c17ed6fe6dc8402 125392 boa_0.94.14rc21-4_i386.deb Files: 58d1c9f895a4ea37b497108b9c29a9da 1261 httpd optional boa_0.94.14rc21-4.dsc b2aa58be517ebcd936002528bff5e1e2 21137 httpd optional boa_0.94.14rc21-4.debian.tar.gz 4d43ed12635f2a3735b8434a3229bcec 125392 httpd optional boa_0.94.14rc21-4_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlG9IlUACgkQwJ4diZWTDt5aBACfXn+IryNos2e1iduxcpA8UYNe rrkAn37VyCPDRhe9F+pgsOtJlca98GvP =5ilQ -----END PGP SIGNATURE-----
--- End Message ---

