Your message dated Sat, 05 Oct 2019 12:32:09 +0000
with message-id <e1igjeh-0006yn...@fasolo.debian.org>
and subject line Bug#939937: fixed in libapreq2 2.13-7~deb10u1
has caused the Debian Bug report #939937,
regarding libapreq2: CVE-2019-12412: Remotely exploitable null pointer dereference bug
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
939937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapreq2-3
Version: 2.13-5+b3
Severity: grave
libapreq's multipart parser can be made to dereference the null pointer
by issuing a simple CURL command:
curl http://a/b -F 'foo=bar;type=multipart/dummy'
This POSTs a "multipart/form-data" body where one part has the
Content-Type "multipart/dummy" (i.e. a nested "multipart"), which
enables this branch:
if (ct != NULL && strncmp(ct, "multipart/", 10) == 0) {
https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L401
Later, this calls create_multipart_context() and dereferences the
returned pointer (without checking it):
next_ctx = create_multipart_context(...
next_ctx->param_name = "";
https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L409-L414
The function create_multipart_context() however can return NULL if
there is no "boundary" attribute. And omitting "boundary" is what my
CURL command does.
With this simple exploit, I can remotely crash any process which uses
libapreq2 only by issuing an invalid nested "multipart" body. Since
this bug is remotely exploitable, I decided to set "grave" severity.
This bug affects all libapreq2 versions ever shipped in Debian, and
was introduced by SVN commit 227276 in 2005. Prior to this commit,
there was a NULL check, but the commit removed it:
http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276
The attached patch fixes the bug by re-adding the NULL check.
commit f27d15e47000b0442e8071ab0fd76b82df9f2d2f
Author: Max Kellermann <max.kellerm...@gmail.com>
Date: Tue Sep 10 12:15:07 2019 +0200
parser_multipart: fix NULL pointer dereference in nested multipart
create_multipart_context() can return NULL if the given Content-Type
was not recognized (if there is no "boundary" attribute). This
crashes libapreq2.
This bug was introduced by SVN commit 227276. Prior to this commit,
there was a NULL check, but the commit removed it:
http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276
diff --git a/library/parser_multipart.c b/library/parser_multipart.c
index 60b5bad..4242b7e 100644
--- a/library/parser_multipart.c
+++ b/library/parser_multipart.c
@@ -410,6 +410,10 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
parser->brigade_limit,
parser->temp_dir,
ctx->level + 1);
+ if (next_ctx == NULL) {
+ ctx->status = MFD_ERROR;
+ goto mfd_parse_brigade;
+ }
next_ctx->param_name = "";
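Review bot: The new NULL check at the top of this hunk should carry a short comment saying why create_multipart_context() can return NULL here (the nested Content-Type has no "boundary" attribute), since the error path is otherwise silent and a later reader will not know whether MFD_ERROR is the intended response or a placeholder; something like `/* nested multipart without a boundary attribute: reject the body */` above the `if` would do. The hunk also does not show the `mfd_parse_brigade` label it jumps to, so please confirm in the commit message that this path returns the error status to the caller and does not continue consuming the brigade with ctx->status already set to MFD_ERROR.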
--- End Message ---
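A toy model of the failure path the report above describes, added here as an example and not apreq's own code: find_boundary() stands in for the part of create_multipart_context() that returns NULL when the nested Content-Type has no "boundary" attribute, and handle_nested_part() shows the checked call path that the patch adds (the names and the MFD_* values are assumptions).

```c
/* Added example, not apreq code. Models why a nested "multipart/*"
 * part without a boundary attribute must be rejected rather than
 * dereferenced. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Assumed stand-ins for the parser's status values. */
enum status { MFD_OK = 0, MFD_ERROR = -1 };

/* Return a pointer to the value of the boundary attribute in a
 * Content-Type header value, or NULL when it is absent or empty.
 * This is the case create_multipart_context() reports as NULL.
 * Simplification: quoted-string boundary values are not unquoted. */
static const char *find_boundary(const char *ct)
{
    const char *p = ct;
    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p == ' ' || *p == '\t')
            p++;
        if (strncasecmp(p, "boundary=", 9) == 0 && p[9] != '\0')
            return p + 9;
    }
    return NULL;
}

/* Checked call path, mirroring the patch: a part whose Content-Type
 * starts with "multipart/" but carries no boundary is an error, not
 * a context to dereference. On success *blen receives the boundary
 * length. Non-multipart parts are left alone. */
static int handle_nested_part(const char *ct, size_t *blen)
{
    const char *b;

    if (ct == NULL || strncmp(ct, "multipart/", 10) != 0)
        return MFD_OK;          /* not a nested multipart: nothing to do */

    b = find_boundary(ct);
    if (b == NULL)
        return MFD_ERROR;       /* no boundary: reject the body */

    *blen = strlen(b);
    return MFD_OK;
}
```

The body produced by the report's curl command corresponds to the "multipart/dummy" case, which handle_nested_part() turns into MFD_ERROR instead of a crash.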
--- Begin Message ---
Source: libapreq2
Source-Version: 2.13-7~deb10u1
We believe that the bug you reported is fixed in the latest version of
libapreq2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 939...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libapreq2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 02 Oct 2019 09:46:50 +0200
Source: libapreq2
Architecture: source
Version: 2.13-7~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Steinar H. Gunderson <se...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 939937
Changes:
libapreq2 (2.13-7~deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for buster-security
.
libapreq2 (2.13-7) unstable; urgency=high
.
* Source-only upload.
.
libapreq2 (2.13-6) unstable; urgency=high
.
* 05-nested-multipart-null-dereference.patch: New patch by
Max Kellermann, fixes a NULL pointer dereference bug with nested
multipart form submission. (Closes: #939937)
--- End Message ---