Your message dated Sun, 15 Sep 2019 17:04:36 +0000
with message-id <e1i9xwy-000gfv...@fasolo.debian.org>
and subject line Bug#939937: fixed in libapreq2 2.13-6
has caused the Debian Bug report #939937,
regarding Remotely exploitable null pointer dereference bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
939937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapreq2-3
Version: 2.13-5+b3
Severity: grave

libapreq's multipart parser can be made to dereference the null pointer
by issuing a simple CURL command:

 curl http://a/b -F 'foo=bar;type=multipart/dummy'

This POSTs a "multipart/form-data" body where one part has the
Content-Type "multipart/dummy" (i.e. a nested "multipart"), which
enables this branch:

 if (ct != NULL && strncmp(ct, "multipart/", 10) == 0) {

 https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L401

Later, this calls create_multipart_context() and dereferences the
returned pointer (without checking it):

 next_ctx = create_multipart_context(...
 next_ctx->param_name = "";

 https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L409-L414

The function create_multipart_context() however can return NULL if
there is no "boundary" attribute.  And omitting "boundary" is what my
CURL command does.

With this simple exploit, I can remotely crash any process which uses
libapreq2 only by issuing an invalid nested "multipart" body.  Since
this bug is remotely exploitable, I decided to set "grave" severity.

This bug affects all libapreq2 versions ever shipped in Debian, and
was introduced by SVN commit 227276 in 2005.  Prior to this commit,
there was a NULL check, but the commit removed it:

 http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276

The attached patch fixes the bug by re-adding the NULL check.

commit f27d15e47000b0442e8071ab0fd76b82df9f2d2f
Author: Max Kellermann <max.kellerm...@gmail.com>
Date:   Tue Sep 10 12:15:07 2019 +0200

    parser_multipart: fix NULL pointer dereference in nested multipart
    
    create_multipart_context() can return NULL if the given Content-Type
    was not recognized (if there is no "boundary" attribute).  This
    crashes libapreq2.
    
    This bug was introduced by SVN commit 227276.  Prior to this commit,
    there was a NULL check, but the commit removed it:
    
     http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276

diff --git a/library/parser_multipart.c b/library/parser_multipart.c
index 60b5bad..4242b7e 100644
--- a/library/parser_multipart.c
+++ b/library/parser_multipart.c
@@ -410,6 +410,10 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
                                                     parser->brigade_limit,
                                                     parser->temp_dir,
                                                     ctx->level + 1);
+                if (next_ctx == NULL) {
+                    ctx->status = MFD_ERROR;
+                    goto mfd_parse_brigade;
+                }
 
                 next_ctx->param_name = "";
 

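Review bot: the `if (next_ctx == NULL)` guard at the top of the hunk restores the check that r227276 dropped, but its error path only sets `ctx->status = MFD_ERROR` and jumps to `mfd_parse_brigade`; nothing in the hunk shows what error the parser then reports to its caller, so confirm that the label turns MFD_ERROR into a parse failure that rejects the request rather than leaving the nested part silently empty. A regression test feeding a nested part whose Content-Type has no `boundary` attribute would pin the fix down and document the commit message's claim.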
--- End Message ---
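As an added illustration of the contract the report describes, here is a small C model written for this page; it is not apreq's source and not part of the report or the patch, and the struct, function names and sizes are hypothetical. It looks up the `boundary` attribute of a Content-Type value, has `create_multipart_context()` return NULL when that attribute is missing or empty (as the report says the real function does), and shows the caller checking the result and rejecting the part instead of dereferencing a NULL pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical minimal parser context; not apreq's own struct. */
struct mp_ctx {
    char boundary[128];
    int level;
};

/* Look up `attr` in a Content-Type value such as
 * "multipart/form-data; boundary=abc". Copies the (unquoted) value into
 * out and returns 1, or returns 0 when the attribute is absent, empty,
 * too long, or has an unterminated quoted value. */
static int ct_attribute(const char *ct, const char *attr, char *out, size_t outlen)
{
    size_t alen = strlen(attr);
    const char *p = strchr(ct, ';');            /* parameters follow the first ';' */
    while (p != NULL) {
        p++;
        while (*p == ' ' || *p == '\t') p++;    /* skip optional whitespace */
        if (strncasecmp(p, attr, alen) == 0 && p[alen] == '=') {
            const char *v = p + alen + 1;
            size_t n;
            if (*v == '"') {                    /* quoted-string value */
                const char *end = strchr(v + 1, '"');
                if (end == NULL) return 0;
                v++;
                n = (size_t)(end - v);
            } else {                            /* token value ends at ';' or blank */
                n = strcspn(v, "; \t");
            }
            if (n == 0 || n >= outlen) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, ';');                     /* next parameter */
    }
    return 0;
}

/* Models the behaviour the report attributes to the real function:
 * NULL when the Content-Type carries no usable boundary attribute. */
struct mp_ctx *create_multipart_context(const char *ct, int level)
{
    char boundary[128];
    if (!ct_attribute(ct, "boundary", boundary, sizeof boundary))
        return NULL;
    struct mp_ctx *c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    strcpy(c->boundary, boundary);
    c->level = level;
    return c;
}

/* Caller side. Returns 1 when the part is not a nested multipart, 0 when a
 * nested context was created (its boundary is copied to bout), and -1 when
 * the nested Content-Type is malformed. The -1 branch is the check the
 * patch re-adds; without it the next line would dereference NULL. */
int handle_nested_part(const char *part_ct, int level, char *bout, size_t blen)
{
    if (part_ct == NULL || strncmp(part_ct, "multipart/", 10) != 0)
        return 1;
    struct mp_ctx *next = create_multipart_context(part_ct, level + 1);
    if (next == NULL)
        return -1;                               /* reject the part, do not crash */
    snprintf(bout, blen, "%s", next->boundary);
    free(next);
    return 0;
}

int main(void)
{
    char b[128];
    /* Constructed inputs: the malformed nested type from the report, and a valid one. */
    printf("multipart/dummy -> %d\n", handle_nested_part("multipart/dummy", 0, b, sizeof b));
    printf("multipart/mixed; boundary=xyz -> %d (boundary %s)\n",
           handle_nested_part("multipart/mixed; boundary=xyz", 0, b, sizeof b), b);
    return 0;
}
```

The point for a reviewer is that the NULL return is a documented, reachable outcome of the header lookup, so every caller needs the `-1` branch; a parser that treats the result as always valid turns an ordinary malformed header into a crash.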
--- Begin Message ---
Source: libapreq2
Source-Version: 2.13-6

We believe that the bug you reported is fixed in the latest version of
libapreq2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 939...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steinar H. Gunderson <se...@debian.org> (supplier of updated libapreq2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 15 Sep 2019 18:26:40 +0200
Source: libapreq2
Binary: libapache2-mod-apreq2 libapache2-mod-apreq2-dbgsym libapache2-request-perl libapache2-request-perl-dbgsym libapreq2-3 libapreq2-3-dbgsym libapreq2-dev libapreq2-doc
Architecture: source amd64 all
Version: 2.13-6
Distribution: unstable
Urgency: high
Maintainer: Steinar H. Gunderson <se...@debian.org>
Changed-By: Steinar H. Gunderson <se...@debian.org>
Description:
 libapache2-mod-apreq2 - generic Apache request library - Apache module
 libapache2-request-perl - generic Apache request library - Perl modules
 libapreq2-3 - generic Apache request library
 libapreq2-dev - generic Apache request library - development files
 libapreq2-doc - generic Apache request library - documentation
Closes: 939937
Changes:
 libapreq2 (2.13-6) unstable; urgency=high
 .
   * 05-nested-multipart-null-dereference.patch: New patch by
     Max Kellermann, fixes a NULL pointer dereference bug with nested
     multipart form submission. (Closes: #939937)
Checksums-Sha1:
 36d1ac87dacf867c4277776b2ee108a23485870e 2144 libapreq2_2.13-6.dsc
 b0801caba43ebbed669fd13ad4e9ef7b41f990d7 8920 libapreq2_2.13-6.debian.tar.xz
 df6bea9420ae4dd9d312a23ce79b190dc2e9eae5 31268 libapache2-mod-apreq2-dbgsym_2.13-6_amd64.deb
 5d238d45a467fc14fd65467c3a81614f40208f42 56336 libapache2-mod-apreq2_2.13-6_amd64.deb
 cb9f97a753dc496b09a6d3dcc7a39f45dc350f0b 350128 libapache2-request-perl-dbgsym_2.13-6_amd64.deb
 8bd91f384edcaebbc0d9a8c433619ee646d3d8dc 69136 libapache2-request-perl_2.13-6_amd64.deb
 149fc2892cb888f231624936c026e572cf602802 84532 libapreq2-3-dbgsym_2.13-6_amd64.deb
 3bd7950dbc1dc3a17a16ab519ab34d4e1bac89e7 41192 libapreq2-3_2.13-6_amd64.deb
 305167fa7622fd2b376dea1d7eb4a48aad216b63 60432 libapreq2-dev_2.13-6_amd64.deb
 fe508ad63bc6a2316c70ba8f1ccf2970affe9da2 147712 libapreq2-doc_2.13-6_all.deb
 43e940fb5148afba3cc5c71c25b3469be5ebbb40 9620 libapreq2_2.13-6_amd64.buildinfo
Checksums-Sha256:
 9c9acc1751f14401c39bd279e6df268ce0999c45c4c3738359a0debbcc1a2e73 2144 libapreq2_2.13-6.dsc
 c45c882393b4f3989a449d7ed57b446f4e8d6b7015fc481d45f0d46368b8292d 8920 libapreq2_2.13-6.debian.tar.xz
 b2773e9f1fc589528943697be881e2c48b0ceb3b7df4607a45fc3add31c54f01 31268 libapache2-mod-apreq2-dbgsym_2.13-6_amd64.deb
 a1bcb19e5c2e1a37e54bcb51ce85744e85f2e23a2aaf8fe7f4a64766df11faee 56336 libapache2-mod-apreq2_2.13-6_amd64.deb
 224e766de6002a639d26852ebd83ae027d8273f92782409f1259f42d08832b60 350128 libapache2-request-perl-dbgsym_2.13-6_amd64.deb
 1200fd39b0cfc1770a5ad8b0c2e519e63b1ac93cef754bd3ae3bc9116520308e 69136 libapache2-request-perl_2.13-6_amd64.deb
 3fad854a32bacc26b7765140e9e1a859abd888eecfe513a36d0e4cfa0ee4503a 84532 libapreq2-3-dbgsym_2.13-6_amd64.deb
 71fd4702e2d0eb7af643fa6bda33fd6202ab41ebd6f72cce287c3c96153dc32f 41192 libapreq2-3_2.13-6_amd64.deb
 96701985596a0066e63444e3604868365338f9315aab9e79c6ab877b21c9e7a2 60432 libapreq2-dev_2.13-6_amd64.deb
 0c9c745e0a0db149bc23b703936ed364b7d2a9d3fbfac0bba46c29543d0e7265 147712 libapreq2-doc_2.13-6_all.deb
 672e2fed00ce49c9bbc9fed77c9112163bc3f2e0ec6377d1357f9024e1ee1ed9 9620 libapreq2_2.13-6_amd64.buildinfo
Files:
 59a36bfd879a768906c37fbc63f6e23f 2144 perl optional libapreq2_2.13-6.dsc
 7a3263d561c1c6bae73729f0b07fc346 8920 perl optional libapreq2_2.13-6.debian.tar.xz
 69517dd6f82b24b6a7b5c5e6c0d64b46 31268 debug optional libapache2-mod-apreq2-dbgsym_2.13-6_amd64.deb
 a24aff6e189a3c331c5b838be0a10bd2 56336 web optional libapache2-mod-apreq2_2.13-6_amd64.deb
 9e51dd678f7dd305fad87981550ce38a 350128 debug optional libapache2-request-perl-dbgsym_2.13-6_amd64.deb
 560b7f28273d014a4bc69c10d7aab4c6 69136 perl optional libapache2-request-perl_2.13-6_amd64.deb
 41ff57956fb9d9e61bb6b774c923b8a6 84532 debug optional libapreq2-3-dbgsym_2.13-6_amd64.deb
 1c88b102977699d1fce8658ee4fe0742 41192 libs optional libapreq2-3_2.13-6_amd64.deb
 13f0e6f30987a9903757ce2c64909f13 60432 libdevel optional libapreq2-dev_2.13-6_amd64.deb
 85e0b15adab155f267208697fadcbdc5 147712 doc optional libapreq2-doc_2.13-6_all.deb
 6466c223b4eaebaa7c8a3ae6e9ef6e63 9620 perl optional libapreq2_2.13-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---