Ubuntu

CVE 2013-1915: local files disclosure or resource exhaustion via XML External Entity attack

Reported by Evan Broder on 2013-04-15
260
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libapache-mod-security (Ubuntu)
Undecided
Unassigned
Lucid
Medium
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
Saucy
Undecided
Unassigned
modsecurity-apache (Ubuntu)
Medium
Unassigned
Lucid
Undecided
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Evan Broder (broder) wrote :

Here's a patch which I believe be a correct backport of the upstream patch to Lucid (it didn't apply cleanly due to other additions to modsecurity since Lucid's release). I've verified that it builds but not yet done any testing - I'll be doing so shortly.

tags: added: patch
Evan Broder (broder) wrote :

And that, of course, is based off of completely the wrong version. I'm not even sure where I got that from.

Here's a patch that's actually for the Lucid packaging. (Testing still forthcoming)

Changed in libapache-mod-security (Ubuntu):
status: New → In Progress
Changed in modsecurity-apache (Ubuntu):
status: In Progress → Triaged
assignee: Evan Broder (broder) → nobody
Changed in libapache-mod-security (Ubuntu):
assignee: nobody → Evan Broder (broder)
Evan Broder (broder) wrote :

Ok, I've installed this on one of my Lucid servers, and it still seems to work at at least a basic level.

Evan Broder (broder) wrote :

By the way, feel free to ping me (broder) in #ubuntu-hardened if I can do anything to improve the debdiff.

Changed in libapache-mod-security (Ubuntu):
status: In Progress → Triaged
assignee: Evan Broder (broder) → nobody
Marc Deslauriers (mdeslaur) wrote :

Hi,

Thanks for the debdiff.

If you're going to fix that CVE in Lucid, could you also fix the two others that are currently open at the same time?

See:
http://people.canonical.com/~ubuntu-security/cve/pkg/libapache-mod-security.html

Thanks!

I'm unsubscribing ubuntu-security-sponsors now, please re-subscribe the group once you've attached an updated debdiff.

Evan Broder (broder) wrote :

I did look at those - the patch for CVE-2009-5031 seems to have been applied already. The link to the patch for CVE-2012-2751 (http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=log&sortdir=down&revision=1918) appears to be dead, so I haven't been able to tell whether that patch has been applied or not.

Marc Deslauriers (mdeslaur) wrote :

You can also get a more complete patch for CVE-2012-2751 in the libapache-mod-security package that's currently in oneiric.

Evan Broder (broder) wrote :

Ok, here's a patch with the fix for CVE-2012-2751 rolled in. I kind of made up the DEP-3 fields, but I think they'll at least satisfy their purpose.

I've tested that the resulting packages with this patch work at at least a basic level, but I still don't have POCs to test with or anything.

Marc Deslauriers (mdeslaur) wrote :

As discussed on irc, the package has no patch system, so they're not being applied at build time. Could you please submit a new debdiff with the patches applied inline? Thanks.

Also, the CVE-2013-1915 patch causes the package to FTBFS, so it's going to need some fixing.

Thanks!

Evan Broder (broder) wrote :

Bleh, looks to have been a stupid copy/paste error (missing "/" for the start of a "/*" comment). Builds for me now, and still seems to install/work at a basic level.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache-mod-security - 2.5.11-1ubuntu0.1

---------------
libapache-mod-security (2.5.11-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: bypass multipart filtering using invalid quoting
    (LP: #1016909)
    - debian/patches/CVE-2012-2751: Fix detection of invalid
      quotes. Thanks to Alberto Gonzalez Iniesta for the backported patch
    - Patch taken from Oneiric package
    - CVE-2012-2751
  * SECURITY UPDATE: disclosure of local files or denial of service by
    resource exhaustion via XML External Entity (XEE) attacks
    (LP: #1169030)
    - debian/patches/CVE-2013-1915.patch: Add an option to allow loading
      external entities (disabled by default). Backported from upstream
      patch
    - d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
    - CVE-2013-1915
 -- Evan Broder <email address hidden> Tue, 16 Apr 2013 09:05:37 -0700

Changed in libapache-mod-security (Ubuntu):
status: Triaged → Fix Released
Changed in modsecurity-apache (Ubuntu Precise):
importance: Undecided → Medium
status: New → Confirmed
Changed in modsecurity-apache (Ubuntu Quantal):
importance: Undecided → Medium
status: New → Confirmed
Changed in modsecurity-apache (Ubuntu Raring):
importance: Undecided → Medium
status: New → Confirmed
Changed in modsecurity-apache (Ubuntu Saucy):
importance: Undecided → Medium
status: Triaged → Confirmed
Changed in libapache-mod-security (Ubuntu Precise):
status: New → Invalid
Changed in libapache-mod-security (Ubuntu Quantal):
status: New → Invalid
Changed in libapache-mod-security (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Fix Released
Changed in libapache-mod-security (Ubuntu Raring):
status: New → Invalid
Changed in libapache-mod-security (Ubuntu Saucy):
status: Fix Released → Invalid
Changed in modsecurity-apache (Ubuntu Lucid):
status: New → Invalid
Jeremy Bicha (jbicha) wrote :
Changed in modsecurity-apache (Ubuntu Raring):
status: Confirmed → Fix Released
Changed in modsecurity-apache (Ubuntu Saucy):
status: Confirmed → Fix Released
Maciej Puzio (maciej-puzio) wrote :

I guess this has gone off the radar, having been fixed in Saucy - so here's a reminder:

This vulnerability is still present in Precise, current LTS release. As that release would be most often used in servers where this vulnerability is relevant, may I kindly ask that some attention is paid to this bug.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in libapache-mod-security (Ubuntu):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu):
status: Fix Released → Incomplete
Changed in libapache-mod-security (Ubuntu Lucid):
status: Fix Released → Incomplete
Changed in modsecurity-apache (Ubuntu Lucid):
status: Invalid → Incomplete
Changed in libapache-mod-security (Ubuntu Precise):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu Precise):
status: Confirmed → Incomplete
Changed in libapache-mod-security (Ubuntu Quantal):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu Quantal):
status: Confirmed → Incomplete
Changed in libapache-mod-security (Ubuntu Raring):
status: Invalid → Incomplete
Changed in modsecurity-apache (Ubuntu Raring):
status: Fix Released → Incomplete
Changed in libapache-mod-security (Ubuntu Saucy):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Raring):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Quantal):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Precise):
status: Incomplete → Invalid
Changed in libapache-mod-security (Ubuntu Lucid):
status: Incomplete → Fix Released
Changed in modsecurity-apache (Ubuntu Lucid):
status: Incomplete → Invalid
Changed in modsecurity-apache (Ubuntu Precise):
status: Incomplete → Confirmed
Changed in modsecurity-apache (Ubuntu Quantal):
status: Incomplete → Confirmed
Changed in modsecurity-apache (Ubuntu Raring):
status: Incomplete → Fix Released
Changed in modsecurity-apache (Ubuntu Saucy):
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers