Your message dated Sun, 15 Sep 2019 17:04:36 +0000
with message-id <e1i9xwy-000gfv...@fasolo.debian.org>
and subject line Bug#939937: fixed in libapreq2 2.13-6
has caused the Debian Bug report #939937,
regarding Remotely exploitable null pointer dereference bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
939937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapreq2-3
Version: 2.13-5+b3
Severity: grave
libapreq's multipart parser can be made to dereference the null pointer
by issuing a simple CURL command:
curl http://a/b -F 'foo=bar;type=multipart/dummy'
This POSTs a "multipart/form-data" body where one part has the
Content-Type "multipart/dummy" (i.e. a nested "multipart"), which
enables this branch:
if (ct != NULL && strncmp(ct, "multipart/", 10) == 0) {
https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L401
Later, this calls create_multipart_context() and dereferences the
returned pointer (without checking it):
next_ctx = create_multipart_context(...
next_ctx->param_name = "";
https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L409-L414
The function create_multipart_context() however can return NULL if
there is no "boundary" attribute. And omitting "boundary" is what my
CURL command does.
With this simple exploit, I can remotely crash any process which uses
libapreq2 only by issuing an invalid nested "multipart" body. Since
this bug is remotely exploitable, I decided to set "grave" severity.
This bug affects all libapreq2 versions ever shipped in Debian, and
was introduced by SVN commit 227276 in 2005. Prior to this commit,
there was a NULL check, but the commit removed it:
http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276
The attached patch fixes the bug by re-adding the NULL check.
commit f27d15e47000b0442e8071ab0fd76b82df9f2d2f
Author: Max Kellermann <max.kellerm...@gmail.com>
Date: Tue Sep 10 12:15:07 2019 +0200
parser_multipart: fix NULL pointer dereference in nested multipart
create_multipart_context() can return NULL if the given Content-Type
was not recognized (if there is no "boundary" attribute). This
crashes libapreq2.
This bug was introduced by SVN commit 227276. Prior to this commit,
there was a NULL check, but the commit removed it:
http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276
diff --git a/library/parser_multipart.c b/library/parser_multipart.c
index 60b5bad..4242b7e 100644
--- a/library/parser_multipart.c
+++ b/library/parser_multipart.c
@@ -410,6 +410,10 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
parser->brigade_limit,
parser->temp_dir,
ctx->level + 1);
+ if (next_ctx == NULL) {
+ ctx->status = MFD_ERROR;
+ goto mfd_parse_brigade;
+ }
next_ctx->param_name = "";
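Review bot: the new `if (next_ctx == NULL)` branch sets ctx->status = MFD_ERROR and jumps to mfd_parse_brigade without saying why the part was rejected; a one-line comment at the check naming the cause (a nested multipart part whose Content-Type carries no "boundary" attribute, as the commit message explains) would make the error path self-explanatory, and since only the jump is visible here it is worth confirming in review that the code at mfd_parse_brigade returns on MFD_ERROR rather than continuing to consume the brigade for the rejected part.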
--- End Message ---
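The failure mode in the report, as an added example that is not libapreq2 code and not part of the bug report: a small boundary-attribute parser with the same contract the report describes for create_multipart_context() (NULL when the Content-Type names a multipart subtype but has no "boundary"), beside the pre-fix caller shape that dereferences the result unconditionally and the post-fix shape that returns an error status instead. MFD_OK, MFD_ERROR, struct multipart_ctx and the two enter_nested_part* functions are hypothetical stand-ins for the apreq internals, and the part headers in main() are constructed; the first is what the report's curl command puts on the part.

```c
/* Added example, not libapreq2 code. Names are hypothetical stand-ins. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum mfd_status { MFD_OK = 0, MFD_ERROR = 1 };

struct multipart_ctx {
    char boundary[128];
    const char *param_name;
    int level;
};

/* Case-insensitive "s starts with prefix" (attribute names are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Find the "boundary" attribute in a Content-Type value such as
 * 'multipart/mixed; boundary="xyz"'. Copies the unquoted value into out and
 * returns 1; returns 0 if it is missing, empty, unterminated or too long. */
static int find_boundary(const char *ct, char *out, size_t outlen)
{
    const char *p = ct;
    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p == ' ' || *p == '\t') p++;
        if (!has_prefix_ci(p, "boundary")) continue;
        p += 8;
        while (*p == ' ' || *p == '\t') p++;
        if (*p != '=') continue;
        p++;
        while (*p == ' ' || *p == '\t') p++;
        const char *end;
        if (*p == '"') {
            p++;
            end = strchr(p, '"');
            if (end == NULL) return 0;       /* unterminated quoted-string */
        } else {
            end = p;
            while (*end && *end != ';' && *end != ' ' && *end != '\t') end++;
        }
        size_t n = (size_t)(end - p);
        if (n == 0 || n >= outlen) return 0;
        memcpy(out, p, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Stand-in for create_multipart_context(): NULL when there is no boundary,
 * which is exactly what the report's curl command triggers. Caller frees. */
static struct multipart_ctx *create_multipart_context(const char *ct, int level)
{
    char boundary[128];
    if (!find_boundary(ct, boundary, sizeof boundary))
        return NULL;
    struct multipart_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx == NULL)
        return NULL;
    memcpy(ctx->boundary, boundary, strlen(boundary) + 1);
    ctx->level = level;
    return ctx;
}

/* Pre-fix shape: the result is dereferenced unconditionally, so a NULL from
 * create_multipart_context() becomes a NULL pointer write. Never call this
 * with a boundary-less multipart Content-Type. */
static struct multipart_ctx *enter_nested_part_unchecked(const char *ct, int level)
{
    struct multipart_ctx *next_ctx = create_multipart_context(ct, level + 1);
    next_ctx->param_name = "";               /* crashes when next_ctx == NULL */
    return next_ctx;
}

/* Post-fix shape: check before dereferencing and surface MFD_ERROR, as the
 * Debian patch does before jumping to mfd_parse_brigade. */
static enum mfd_status enter_nested_part(const char *ct, int level,
                                         struct multipart_ctx **out)
{
    *out = NULL;
    if (ct == NULL || strncmp(ct, "multipart/", 10) != 0)
        return MFD_OK;                       /* ordinary part, no nested context */
    struct multipart_ctx *next_ctx = create_multipart_context(ct, level + 1);
    if (next_ctx == NULL)
        return MFD_ERROR;                    /* nested multipart without a boundary */
    next_ctx->param_name = "";
    *out = next_ctx;
    return MFD_OK;
}

int main(void)
{
    /* Constructed part headers; headers[0] is what
     * curl -F 'foo=bar;type=multipart/dummy' sends for the part. */
    const char *headers[] = { "multipart/dummy",
                              "multipart/mixed; boundary=\"abc\"",
                              "text/plain" };
    for (size_t i = 0; i < sizeof headers / sizeof headers[0]; i++) {
        struct multipart_ctx *ctx;
        enum mfd_status st = enter_nested_part(headers[i], 0, &ctx);
        printf("%-36s -> %s%s%s\n", headers[i], st == MFD_OK ? "MFD_OK" : "MFD_ERROR",
               ctx ? ", boundary=" : "", ctx ? ctx->boundary : "");
        free(ctx);
    }
    free(enter_nested_part_unchecked(headers[1], 0));   /* safe: has a boundary */
    return 0;
}
```

The hardened caller treats "no boundary" as a parse error for the enclosing body rather than a reason to skip the part, which matches the patch's `ctx->status = MFD_ERROR`; a parser that silently skipped the nested part instead would have to decide what to do with its bytes, and that is where a second class of bugs tends to appear.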
--- Begin Message ---
Source: libapreq2
Source-Version: 2.13-6
We believe that the bug you reported is fixed in the latest version of
libapreq2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 939...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steinar H. Gunderson <se...@debian.org> (supplier of updated libapreq2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 15 Sep 2019 18:26:40 +0200
Source: libapreq2
Binary: libapache2-mod-apreq2 libapache2-mod-apreq2-dbgsym
libapache2-request-perl libapache2-request-perl-dbgsym libapreq2-3
libapreq2-3-dbgsym libapreq2-dev libapreq2-doc
Architecture: source amd64 all
Version: 2.13-6
Distribution: unstable
Urgency: high
Maintainer: Steinar H. Gunderson <se...@debian.org>
Changed-By: Steinar H. Gunderson <se...@debian.org>
Description:
libapache2-mod-apreq2 - generic Apache request library - Apache module
libapache2-request-perl - generic Apache request library - Perl modules
libapreq2-3 - generic Apache request library
libapreq2-dev - generic Apache request library - development files
libapreq2-doc - generic Apache request library - documentation
Closes: 939937
Changes:
libapreq2 (2.13-6) unstable; urgency=high
.
* 05-nested-multipart-null-dereference.patch: New patch by
Max Kellermann, fixes a NULL pointer dereference bug with nested
multipart form submission. (Closes: #939937)
Checksums-Sha1:
36d1ac87dacf867c4277776b2ee108a23485870e 2144 libapreq2_2.13-6.dsc
b0801caba43ebbed669fd13ad4e9ef7b41f990d7 8920 libapreq2_2.13-6.debian.tar.xz
df6bea9420ae4dd9d312a23ce79b190dc2e9eae5 31268 libapache2-mod-apreq2-dbgsym_2.13-6_amd64.deb
5d238d45a467fc14fd65467c3a81614f40208f42 56336 libapache2-mod-apreq2_2.13-6_amd64.deb
cb9f97a753dc496b09a6d3dcc7a39f45dc350f0b 350128 libapache2-request-perl-dbgsym_2.13-6_amd64.deb
8bd91f384edcaebbc0d9a8c433619ee646d3d8dc 69136 libapache2-request-perl_2.13-6_amd64.deb
149fc2892cb888f231624936c026e572cf602802 84532 libapreq2-3-dbgsym_2.13-6_amd64.deb
3bd7950dbc1dc3a17a16ab519ab34d4e1bac89e7 41192 libapreq2-3_2.13-6_amd64.deb
305167fa7622fd2b376dea1d7eb4a48aad216b63 60432 libapreq2-dev_2.13-6_amd64.deb
fe508ad63bc6a2316c70ba8f1ccf2970affe9da2 147712 libapreq2-doc_2.13-6_all.deb
43e940fb5148afba3cc5c71c25b3469be5ebbb40 9620 libapreq2_2.13-6_amd64.buildinfo
Checksums-Sha256:
9c9acc1751f14401c39bd279e6df268ce0999c45c4c3738359a0debbcc1a2e73 2144 libapreq2_2.13-6.dsc
c45c882393b4f3989a449d7ed57b446f4e8d6b7015fc481d45f0d46368b8292d 8920 libapreq2_2.13-6.debian.tar.xz
b2773e9f1fc589528943697be881e2c48b0ceb3b7df4607a45fc3add31c54f01 31268 libapache2-mod-apreq2-dbgsym_2.13-6_amd64.deb
a1bcb19e5c2e1a37e54bcb51ce85744e85f2e23a2aaf8fe7f4a64766df11faee 56336 libapache2-mod-apreq2_2.13-6_amd64.deb
224e766de6002a639d26852ebd83ae027d8273f92782409f1259f42d08832b60 350128 libapache2-request-perl-dbgsym_2.13-6_amd64.deb
1200fd39b0cfc1770a5ad8b0c2e519e63b1ac93cef754bd3ae3bc9116520308e 69136 libapache2-request-perl_2.13-6_amd64.deb
3fad854a32bacc26b7765140e9e1a859abd888eecfe513a36d0e4cfa0ee4503a 84532 libapreq2-3-dbgsym_2.13-6_amd64.deb
71fd4702e2d0eb7af643fa6bda33fd6202ab41ebd6f72cce287c3c96153dc32f 41192 libapreq2-3_2.13-6_amd64.deb
96701985596a0066e63444e3604868365338f9315aab9e79c6ab877b21c9e7a2 60432 libapreq2-dev_2.13-6_amd64.deb
0c9c745e0a0db149bc23b703936ed364b7d2a9d3fbfac0bba46c29543d0e7265 147712 libapreq2-doc_2.13-6_all.deb
672e2fed00ce49c9bbc9fed77c9112163bc3f2e0ec6377d1357f9024e1ee1ed9 9620 libapreq2_2.13-6_amd64.buildinfo
Files:
59a36bfd879a768906c37fbc63f6e23f 2144 perl optional libapreq2_2.13-6.dsc
7a3263d561c1c6bae73729f0b07fc346 8920 perl optional libapreq2_2.13-6.debian.tar.xz
69517dd6f82b24b6a7b5c5e6c0d64b46 31268 debug optional libapache2-mod-apreq2-dbgsym_2.13-6_amd64.deb
a24aff6e189a3c331c5b838be0a10bd2 56336 web optional libapache2-mod-apreq2_2.13-6_amd64.deb
9e51dd678f7dd305fad87981550ce38a 350128 debug optional libapache2-request-perl-dbgsym_2.13-6_amd64.deb
560b7f28273d014a4bc69c10d7aab4c6 69136 perl optional libapache2-request-perl_2.13-6_amd64.deb
41ff57956fb9d9e61bb6b774c923b8a6 84532 debug optional libapreq2-3-dbgsym_2.13-6_amd64.deb
1c88b102977699d1fce8658ee4fe0742 41192 libs optional libapreq2-3_2.13-6_amd64.deb
13f0e6f30987a9903757ce2c64909f13 60432 libdevel optional libapreq2-dev_2.13-6_amd64.deb
85e0b15adab155f267208697fadcbdc5 147712 doc optional libapreq2-doc_2.13-6_all.deb
6466c223b4eaebaa7c8a3ae6e9ef6e63 9620 perl optional libapreq2_2.13-6_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---