VUDDY: unpatched CVEs in apache httpd

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

VUDDY: unpatched CVEs in apache httpd

Stefan Priebe - Profihost AG
Hello list,

while reading "http://www.ieee-security.org/TC/SP2017/papers/71.pdf"
they claim to have found unpatched security holes in apache httpd. While
reading further it seems that the only missing peace is the unpatched
xmlparse from expat.

While searching on our build server it turns out to me that the bug is
not in apache httpd but in aprutil:

# grep -nHr 'newHash = hash' apr-util-1.5.4

apr-util-1.5.4/xml/expat/lib/xmlparse.c:5431:          unsigned long
newHash = hash(table->v[i]->name);

Did i miss anything from the paper? Is a new apr-util version planned
which fixes the problem? Are there any special build options or modules
needed?

Greets,
Stefan
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

William A Rowe Jr
apr-util 1.6.0 will ship without an embedded copy of the expat software.

Obtaining expat and keeping it refreshed and up to date with respect
to security patches will become an exercise for the user/admin/vendor.

This is scheduled for "RSN" - real soon now.

Bill


On Wed, May 24, 2017 at 1:43 AM, Stefan Priebe - Profihost AG
<[hidden email]> wrote:

> Hello list,
>
> while reading "http://www.ieee-security.org/TC/SP2017/papers/71.pdf"
> they claim to have found unpatched security holes in apache httpd. While
> reading further it seems that the only missing peace is the unpatched
> xmlparse from expat.
>
> While searching on our build server it turns out to me that the bug is
> not in apache httpd but in aprutil:
>
> # grep -nHr 'newHash = hash' apr-util-1.5.4
>
> apr-util-1.5.4/xml/expat/lib/xmlparse.c:5431:          unsigned long
> newHash = hash(table->v[i]->name);
>
> Did i miss anything from the paper? Is a new apr-util version planned
> which fixes the problem? Are there any special build options or modules
> needed?
>
> Greets,
> Stefan
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

Reindl Harald-2


Am 24.05.2017 um 17:02 schrieb William A Rowe Jr:
> apr-util 1.6.0 will ship without an embedded copy of the expat software.
>
> Obtaining expat and keeping it refreshed and up to date with respect
> to security patches will become an exercise for the user/admin/vendor.
>
> This is scheduled for "RSN" - real soon now

and why does it need to be an embedded copy?
bundle libraries is the start of all evil

[root@buildserver:~]$ rpm -qa |grep expat
expat-2.1.1-2.fc24.x86_64
expat-devel-2.1.1-2.fc24.x86_64


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

Eric Covener
On Wed, May 24, 2017 at 11:44 AM, Reindl Harald <[hidden email]> wrote:
> and why does it need to be an embedded copy?

It's not required to be embedded
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

Reindl Harald-2


Am 24.05.2017 um 17:46 schrieb Eric Covener:
> On Wed, May 24, 2017 at 11:44 AM, Reindl Harald <[hidden email]> wrote:
>> and why does it need to be an embedded copy?
>
> It's not required to be embedded

than also the source should not be bundeled and instead a requirement to
have it installed for build - problem is with the bundeling many people
don't realize that their system updates for libraries don't cover the
default build of random software - httpd/apr is just one of them
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

Eric Covener
On Wed, May 24, 2017 at 1:05 PM, Reindl Harald <[hidden email]> wrote:
> than also the source should not be bundeled and instead a requirement to
> have it installed for build

Already covered ITT: "apr-util 1.6.0 will ship without an embedded
copy of the expat software."

--
Eric Covener
[hidden email]
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

Reindl Harald-2


Am 24.05.2017 um 19:12 schrieb Eric Covener:
> On Wed, May 24, 2017 at 1:05 PM, Reindl Harald <[hidden email]> wrote:
>> than also the source should not be bundeled and instead a requirement to
>> have it installed for build
>
> Already covered ITT: "apr-util 1.6.0 will ship without an embedded
> copy of the expat software."

sorry, i missed the "without" and "Obtaining expat and keeping it
refreshed and up to date with respect to security patches will become an
exercise for the user/admin/vendor" sound typically more like the usual
problem of httpd, php and others having burried a random version inside
the soorce tarball

for user/admin/vendor it's nothing different than any of the other
undrets to thousands of packages on their system "yum/dnf upgrade,
apt-get upgrade.." and now they *really* are up-to-date
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: VUDDY: unpatched CVEs in apache httpd

Eric Covener
On Wed, May 24, 2017 at 1:16 PM, Reindl Harald <[hidden email]> wrote:
> for user/admin/vendor it's nothing different than any of the other undrets
> to thousands of packages on their system "yum/dnf upgrade, apt-get
> upgrade.." and now they *really* are up-to-date

That's already how it works for a vendor-packaged httpd too.
Loading...