CVE-2013-1915: local files disclosure or resource exhaustion via XML External Entity attack

Bug #1169030 reported by Evan Broder
This bug affects 2 people
Affects                           Status        Importance  Assigned to  Milestone
libapache-mod-security (Ubuntu)   Invalid       Undecided   Unassigned
  Lucid                           Fix Released  Medium      Unassigned
  Precise                         Invalid       Undecided   Unassigned
  Quantal                         Invalid       Undecided   Unassigned
  Raring                          Invalid       Undecided   Unassigned
  Saucy                           Invalid       Undecided   Unassigned
modsecurity-apache (Ubuntu)       Fix Released  Medium      Unassigned
  Lucid                           Invalid       Undecided   Unassigned
  Precise                         Won't Fix     Medium      Unassigned
  Quantal                         Won't Fix     Medium      Unassigned
  Raring                          Fix Released  Medium      Unassigned
  Saucy                           Fix Released  Medium      Unassigned
Tags: patch
Evan Broder (broder) wrote :

Here's a patch which I believe to be a correct backport of the upstream patch to Lucid (it didn't apply cleanly due to other additions to modsecurity since Lucid's release). I've verified that it builds but not yet done any testing - I'll be doing so shortly.

tags: added: patch
Evan Broder (broder) wrote :

And that, of course, is based off of completely the wrong version. I'm not even sure where I got that from.

Here's a patch that's actually for the Lucid packaging. (Testing still forthcoming)

Changed in libapache-mod-security (Ubuntu):
status: New → In Progress
Changed in modsecurity-apache (Ubuntu):
status: In Progress → Triaged
assignee: Evan Broder (broder) → nobody
Changed in libapache-mod-security (Ubuntu):
assignee: nobody → Evan Broder (broder)
Evan Broder (broder) wrote :

Ok, I've installed this on one of my Lucid servers, and it still seems to work at at least a basic level.

Evan Broder (broder) wrote :

By the way, feel free to ping me (broder) in #ubuntu-hardened if I can do anything to improve the debdiff.

Changed in libapache-mod-security (Ubuntu):
status: In Progress → Triaged
assignee: Evan Broder (broder) → nobody
Marc Deslauriers (mdeslaur) wrote :

Hi,

Thanks for the debdiff.

If you're going to fix that CVE in Lucid, could you also fix the two others that are currently open at the same time?

See:
http://people.canonical.com/~ubuntu-security/cve/pkg/libapache-mod-security.html

Thanks!

I'm unsubscribing ubuntu-security-sponsors now, please re-subscribe the group once you've attached an updated debdiff.

Evan Broder (broder) wrote :

I did look at those - the patch for CVE-2009-5031 seems to have been applied already. The link to the patch for CVE-2012-2751 (http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=log&sortdir=down&revision=1918) appears to be dead, so I haven't been able to tell whether that patch has been applied or not.

Marc Deslauriers (mdeslaur) wrote :

You can also get a more complete patch for CVE-2012-2751 in the libapache-mod-security package that's currently in oneiric.

Evan Broder (broder) wrote :

Ok, here's a patch with the fix for CVE-2012-2751 rolled in. I kind of made up the DEP-3 fields, but I think they'll at least satisfy their purpose.

I've tested that the resulting packages with this patch work at at least a basic level, but I still don't have POCs to test with or anything.

Marc Deslauriers (mdeslaur) wrote :

As discussed on irc, the package has no patch system, so they're not being applied at build time. Could you please submit a new debdiff with the patches applied inline? Thanks.

Also, the CVE-2013-1915 patch causes the package to FTBFS, so it's going to need some fixing.

Thanks!

Evan Broder (broder) wrote :

Bleh, looks to have been a stupid copy/paste error (missing "/" for the start of a "/*" comment). Builds for me now, and still seems to install/work at a basic level.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache-mod-security - 2.5.11-1ubuntu0.1

---------------
libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: bypass multipart filtering using invalid quoting
    (LP: #1016909)
    - debian/patches/CVE-2012-2751: Fix detection of invalid
      quotes. Thanks to Alberto Gonzalez Iniesta for the backported patch
    - Patch taken from Oneiric package
    - CVE-2012-2751
  * SECURITY UPDATE: disclosure of local files or denial of service by
    resource exhaustion via XML External Entity (XEE) attacks
    (LP: #1169030)
    - debian/patches/CVE-2013-1915.patch: Add an option to allow loading
      external entities (disabled by default). Backported from upstream
      patch
    - d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
    - CVE-2013-1915
 -- Evan Broder <email address hidden> Tue, 16 Apr 2013 09:05:37 -0700
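The changelog entry above describes the fix as an option to allow loading external entities, disabled by default. The following is an added example, not ModSecurity code and not anything attached to this bug: it applies the same policy on the parsing side using Python's standard-library expat bindings, refusing external entity declarations unless the caller opts in, and additionally estimating internal-entity expansion to catch the resource-exhaustion variant the CVE title mentions. The `MAX_EXPANSION_BYTES` budget, the placeholder `SYSTEM` path and the sample documents are constructed assumptions.

```python
"""Added example (not ModSecurity code): an XML front-end that refuses
external entities by default and bounds entity expansion, using only the
standard-library expat bindings."""
import re
import xml.parsers.expat as expat

# Assumption: an expansion budget chosen for this example; ModSecurity has no such constant.
MAX_EXPANSION_BYTES = 100_000
_ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")


class UnsafeXML(Exception):
    """Raised when the document declares something the policy forbids."""


def parse_untrusted_xml(data: bytes, allow_external_entities: bool = False) -> dict:
    """Parse XML and return {'root': tag, 'elements': n, 'entities': n}.

    Raises UnsafeXML if the DTD declares an external entity (SYSTEM/PUBLIC)
    while allow_external_entities is False, or if an internal entity's
    estimated expansion exceeds MAX_EXPANSION_BYTES. Nothing is ever fetched:
    no ExternalEntityRefHandler is installed, so even an allowed external
    entity is left unresolved by this example.
    """
    parser = expat.ParserCreate()
    # Never load the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    stats = {"root": None, "elements": 0, "entities": 0}
    expanded = {}  # entity name -> estimated size after full expansion

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        stats["entities"] += 1
        if system_id is not None or public_id is not None:
            # An external entity declaration is the XXE vector itself.
            if not allow_external_entities:
                raise UnsafeXML(f"external entity {name!r} ({system_id!r}) refused")
            return
        # Internal entity: expat hands us the literal value with general
        # entity references unexpanded, so estimate the expanded size from
        # the entities it references (each "&ref;" is replaced by its size).
        size = len(value)
        for ref in _ENTITY_REF.findall(value):
            size += expanded.get(ref, 0) - (len(ref) + 2)
        if size > MAX_EXPANSION_BYTES:
            raise UnsafeXML(f"entity {name!r} would expand to about {size} bytes")
        expanded[name] = size

    def start_element(tag, attrs):
        if stats["root"] is None:
            stats["root"] = tag
        stats["elements"] += 1

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse
    return stats


def classify(data: bytes, allow_external_entities: bool = False) -> str:
    """'ok' for an accepted document, 'refused' for a policy violation,
    'malformed' for an XML syntax error."""
    try:
        parse_untrusted_xml(data, allow_external_entities)
        return "ok"
    except UnsafeXML:
        return "refused"
    except expat.ExpatError:
        return "malformed"


# Constructed sample documents (not taken from the bug or from ModSecurity).
BENIGN = b'<?xml version="1.0"?><config><rule id="1"/><rule id="2"/></config>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-PATH">]>'
       b'<r>&ext;</r>')


def billion_laughs(levels: int = 6, fanout: int = 10) -> bytes:
    """Constructed expansion vector: each level references the previous one
    fanout times, so level i expands to 3 * fanout**i bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    doc = ('<?xml version="1.0"?><!DOCTYPE lolz [' + "".join(decls)
           + ']><lolz>&lol%d;</lolz>' % (levels - 1))
    return doc.encode()


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe", XXE), ("expansion", billion_laughs())]:
        print(label, classify(doc))
    print("xxe with external entities allowed:", classify(XXE, allow_external_entities=True))
```

With the defaults the external-entity document and the expansion document are both refused before any content is parsed, because both checks fire in the entity declaration handler; only with `allow_external_entities=True` does the `SYSTEM` declaration pass, and even then the reference is never fetched.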

Changed in libapache-mod-security (Ubuntu):
status: Triaged → Fix Released
Changed in modsecurity-apache (Ubuntu Precise):
importance: Undecided → Medium
status: New → Confirmed
Changed in modsecurity-apache (Ubuntu Quantal):
importance: Undecided → Medium
status: New → Confirmed
Changed in modsecurity-apache (Ubuntu Raring):
importance: Undecided → Medium
status: New → Confirmed
Changed in modsecurity-apache (Ubuntu Saucy):
importance: Undecided → Medium
status: Triaged → Confirmed
Changed in libapache-mod-security (Ubuntu Precise):
status: New → Invalid
Changed in libapache-mod-security (Ubuntu Quantal):
status: New → Invalid
Changed in libapache-mod-security (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Fix Released
Changed in libapache-mod-security (Ubuntu Raring):
status: New → Invalid
Changed in libapache-mod-security (Ubuntu Saucy):
status: Fix Released → Invalid
Changed in modsecurity-apache (Ubuntu Lucid):
status: New → Invalid
Jeremy Bícha (jbicha) wrote :
Changed in modsecurity-apache (Ubuntu Raring):
status: Confirmed → Fix Released
Changed in modsecurity-apache (Ubuntu Saucy):
status: Confirmed → Fix Released
Maciej Puzio (maciej-puzio) wrote :

I guess this has gone off the radar, having been fixed in Saucy - so here's a reminder:

This vulnerability is still present in Precise, current LTS release. As that release would be most often used in servers where this vulnerability is relevant, may I kindly ask that some attention is paid to this bug.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in libapache-mod-security (Ubuntu):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu):
status: Fix Released → Incomplete
Changed in libapache-mod-security (Ubuntu Lucid):
status: Fix Released → Incomplete
Changed in modsecurity-apache (Ubuntu Lucid):
status: Invalid → Incomplete
Changed in libapache-mod-security (Ubuntu Precise):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu Precise):
status: Confirmed → Incomplete
Changed in libapache-mod-security (Ubuntu Quantal):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu Quantal):
status: Confirmed → Incomplete
Changed in libapache-mod-security (Ubuntu Raring):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu Raring):
status: Fix Released → Incomplete
Changed in libapache-mod-security (Ubuntu Saucy):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Raring):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Quantal):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Precise):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Lucid):
status: Incomplete → Fix Released
Changed in modsecurity-apache (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in modsecurity-apache (Ubuntu Precise):
status: Incomplete → Confirmed
Changed in modsecurity-apache (Ubuntu Quantal):
status: Incomplete → Confirmed
Changed in modsecurity-apache (Ubuntu Raring):
status: Incomplete → Fix Released
Changed in modsecurity-apache (Ubuntu Saucy):
status: Incomplete → Fix Released
Changed in modsecurity-apache (Ubuntu Quantal):
status: Confirmed → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in modsecurity-apache (Ubuntu Precise):
status: Confirmed → Won't Fix
This report contains Public Security information.