Your message dated Sat, 05 Oct 2019 12:32:52 +0000
with message-id <e1igjey-0006id...@fasolo.debian.org>
and subject line Bug#939937: fixed in libapreq2 2.13-7~deb9u1
has caused the Debian Bug report #939937,
regarding libapreq2: CVE-2019-12412: Remotely exploitable null pointer dereference bug
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
939937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapreq2-3
Version: 2.13-5+b3
Severity: grave

libapreq's multipart parser can be made to dereference the null pointer
by issuing a simple CURL command:

 curl http://a/b -F 'foo=bar;type=multipart/dummy'

This POSTs a "multipart/form-data" body where one part has the
Content-Type "multipart/dummy" (i.e. a nested "multipart"), which
enables this branch:

 if (ct != NULL && strncmp(ct, "multipart/", 10) == 0) {

 https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L401

Later, this calls create_multipart_context() and dereferences the
returned pointer (without checking it):

 next_ctx = create_multipart_context(...
 next_ctx->param_name = "";

 https://github.com/apache/apreq/blob/v2_13/library/parser_multipart.c#L409-L414

The function create_multipart_context() however can return NULL if
there is no "boundary" attribute.  And omitting "boundary" is what my
CURL command does.

With this simple exploit, I can remotely crash any process which uses
libapreq2 only by issuing an invalid nested "multipart" body.  Since
this bug is remotely exploitable, I decided to set "grave" severity.

This bug affects all libapreq2 versions ever shipped in Debian, and
was introduced by SVN commit 227276 in 2005.  Prior to this commit,
there was a NULL check, but the commit removed it:

 http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276

The attached patch fixes the bug by re-adding the NULL check.
commit f27d15e47000b0442e8071ab0fd76b82df9f2d2f
Author: Max Kellermann <max.kellerm...@gmail.com>
Date:   Tue Sep 10 12:15:07 2019 +0200

    parser_multipart: fix NULL pointer dereference in nested multipart
    
    create_multipart_context() can return NULL if the given Content-Type
    was not recognized (if there is no "boundary" attribute).  This
    crashes libapreq2.
    
    This bug was introduced by SVN commit 227276.  Prior to this commit,
    there was a NULL check, but the commit removed it:
    
     http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276

diff --git a/library/parser_multipart.c b/library/parser_multipart.c
index 60b5bad..4242b7e 100644
--- a/library/parser_multipart.c
+++ b/library/parser_multipart.c
@@ -410,6 +410,10 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart)
                                                     parser->brigade_limit,
                                                     parser->temp_dir,
                                                     ctx->level + 1);
+                if (next_ctx == NULL) {
+                    ctx->status = MFD_ERROR;
+                    goto mfd_parse_brigade;
+                }
 
                 next_ctx->param_name = "";
 
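Review bot: the NULL check sits directly between the create_multipart_context() call and the first dereference `next_ctx->param_name = "";`, so it closes the gap described in the report; a one-line comment above `if (next_ctx == NULL)` saying why NULL is possible here (Content-Type not recognized, e.g. no "boundary" attribute) would keep the next refactor from dropping it again, as SVN r227276 did. Setting `ctx->status = MFD_ERROR;` before `goto mfd_parse_brigade;` rejects the whole request as malformed rather than skipping the nested part, which is the conservative choice; the commit message should state that explicitly and name the CVE so the changelog entry and the fix can be matched.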

--- End Message ---
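The failure mode in the report, as an added example that is not libapreq2 code: a hypothetical make_ctx() mirrors create_multipart_context() by returning NULL when the part's Content-Type is multipart but carries no usable "boundary" attribute, and parse_nested_part() shows the post-fix caller pattern that turns that NULL into an error status instead of a crash. find_boundary() and the struct names are constructed for this example.

```c
/* Added example modelling the nested-multipart bug; not apreq's own code. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define BOUNDARY_MAX 64

struct mp_ctx { char boundary[BOUNDARY_MAX]; int level; };

/* Locate the "boundary=" attribute in a Content-Type value; returns a pointer
 * to the value and its length in *len, or NULL if absent/empty. Quoted values
 * are accepted. Constructed helper, not a full RFC 2045 parameter parser. */
static const char *find_boundary(const char *ct, size_t *len) {
    const char *p = strchr(ct, ';');
    while (p != NULL) {
        ++p;
        while (*p == ' ' || *p == '\t') ++p;
        if (strncasecmp(p, "boundary=", 9) == 0) {
            const char *end;
            p += 9;
            if (*p == '"') { ++p; end = strchr(p, '"'); if (!end) return NULL; }
            else { end = p; while (*end && *end != ';') ++end; }
            *len = (size_t)(end - p);
            return *len ? p : NULL;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* Like create_multipart_context(): NULL when ct is not a multipart type with
 * a boundary attribute ("multipart/dummy" from the curl PoC hits this). */
struct mp_ctx *make_ctx(const char *ct, int level) {
    size_t len;
    const char *b;
    struct mp_ctx *c;
    if (ct == NULL || strncmp(ct, "multipart/", 10) != 0) return NULL;
    b = find_boundary(ct, &len);
    if (b == NULL || len >= BOUNDARY_MAX) return NULL;
    c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    memcpy(c->boundary, b, len);
    c->level = level;
    return c;
}

/* Caller pattern after the fix: returns the new nesting level, or -1
 * (MFD_ERROR in libapreq terms) where the old code dereferenced NULL. */
int parse_nested_part(const char *part_ct, int level) {
    struct mp_ctx *next = make_ctx(part_ct, level + 1);
    int l;
    if (next == NULL) return -1;   /* the check r227276 removed, re-added */
    l = next->level;
    free(next);
    return l;
}
```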
--- Begin Message ---
Source: libapreq2
Source-Version: 2.13-7~deb9u1

We believe that the bug you reported is fixed in the latest version of
libapreq2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 939...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libapreq2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 Oct 2019 10:53:50 +0200
Source: libapreq2
Architecture: source
Version: 2.13-7~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Steinar H. Gunderson <se...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 939937
Changes:
 libapreq2 (2.13-7~deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for stretch-security
 .
 libapreq2 (2.13-7) unstable; urgency=high
 .
   * Source-only upload.
 .
 libapreq2 (2.13-6) unstable; urgency=high
 .
   * 05-nested-multipart-null-dereference.patch: New patch by
     Max Kellermann, fixes a NULL pointer dereference bug with nested
     multipart form submission. (Closes: #939937)


--- End Message ---